Nmap Development mailing list archives

Re: Large scale OS verification


From: Michael Pattrick <mpattrick () rhinovirus org>
Date: Fri, 25 Dec 2009 01:09:49 -0500

Hello Ankur,

On Fri, Dec 25, 2009 at 12:15 AM, Ankur Nandwani <ankur2tenn () gmail com> wrote:
> Now I need to verify the accuracy of my tool, so for the same I plan
> to download the page contents and HTTP headers, and then parse the
> content and headers to determine the OS of the machine.

Apache - as well as several less popular web servers - report some
information about the server on error pages by default. However, most
administrators shut off this 'feature'.

The HTTP 'Server' header remains; however, it can be quite inaccurate.

For instance, my server reports "Apache/2.2.3 (Red Hat)"; however, I
run Cent, not Red Hat. seclists.org reports "Apache/2.2.3 (CentOS)". I
guess you've narrowed it down to Linux in both cases, but that
isn't really helpful. microsoft.com reports "Microsoft-IIS/7.0", so
again you know the OS class - Windows - but have no clue as to the
version.

And there are also sites like facebook (no server reported) and
google (reports google web server) where this method just won't work.

I should also cover misconfigured hosts and shared server IPs. There
are a lot of misconfigured http hosts on the internet. Pages like
'welcome to redhat, this is the dummy apache page, change it here:
/var/www'. Obviously this type of host could be easily verified
against. However, you would introduce a large sample bias, and
wouldn't be able to say if your tool functioned properly against well
configured hosts. As for shared servers, if you are testing IPs then
you are bound to run into a lot of pages that look like this
'http://208.97.187.204/' (the dreamhost.com ip); some tell you a lot
of information about the server (i.e., the default plesk/cpanel page),
and some tell you almost nothing. But sampling these pages may
inadvertently induce a sample bias, for the reasons mentioned above.

For these reasons, I think that using http responses to verify a tool
would induce a large margin of error.

> So what do you guys think about the efficacy of this approach in
> determining the correct OS, or is there any other approach, which may
> be inefficient but can give me better results, so that I can verify
> my tool.

I could better judge that if I knew what fingerprinting method your
tool was using. Based off of nmap? If not, nmap comes to mind :p

-M
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
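To make the point about the Server header concrete, here is an added example (not code from the thread or from either poster) that records only what a Server header value actually justifies: an OS class at best, never a version. The sample header values are the ones quoted in the message plus constructed cases for Google and a missing header; the distro token list is an assumption.

```python
import re
from typing import Optional

# Constructed sample set: the Server strings discussed in the message,
# plus a product string with no slash (Google) and a missing header.
SAMPLE_HEADERS = [
    "Apache/2.2.3 (Red Hat)",   # host actually runs CentOS, as the message notes
    "Apache/2.2.3 (CentOS)",
    "Microsoft-IIS/7.0",
    "gws",                      # google web server: no OS hint at all
    None,                       # no Server header sent (facebook case)
]

# Assumed list of parenthesised tokens Apache builds commonly emit. They name
# the build origin, not necessarily the running distro, so they only ever
# justify an OS *class*, never a distro or version.
LINUX_TOKENS = ("red hat", "centos", "debian", "ubuntu", "fedora")

def classify_server_header(server: Optional[str]) -> dict:
    """Return the most that can honestly be inferred from a Server header."""
    unknown = {"os_class": "unknown", "os_version": None, "confidence": "none"}
    if not server:
        return {**unknown, "reason": "no Server header"}
    m = re.match(r"([\w\-]+)/([\d.]+)(?:\s*\(([^)]*)\))?", server)
    if not m:
        return {**unknown, "reason": f"unrecognised product string {server!r}"}
    product, comment = m.group(1).lower(), (m.group(3) or "").lower()
    if product == "microsoft-iis":
        # IIS implies Windows, but the IIS version is not the Windows version.
        return {"os_class": "windows", "os_version": None,
                "confidence": "class-only", "reason": "IIS implies Windows"}
    if any(tok in comment for tok in LINUX_TOKENS):
        return {"os_class": "linux", "os_version": None,
                "confidence": "class-only",
                "reason": f"token {comment!r} may be build origin, not host"}
    return {**unknown, "reason": "product string carries no OS hint"}

def header_coverage(headers) -> float:
    """Fraction of hosts for which the header yields even an OS class."""
    results = [classify_server_header(h) for h in headers]
    usable = sum(r["os_class"] != "unknown" for r in results)
    return usable / len(results) if results else 0.0

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r:30} -> {classify_server_header(h)}")
    print(f"usable for OS class: {header_coverage(SAMPLE_HEADERS):.0%}")
```

On the constructed sample only three of five hosts yield even an OS class, and none yields a version, which is the margin of error the message warns about.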
