Nmap Development mailing list archives
Re: Large scale OS verification
From: Michael Pattrick <mpattrick () rhinovirus org>
Date: Fri, 25 Dec 2009 01:09:49 -0500
Hello Ankur,

On Fri, Dec 25, 2009 at 12:15 AM, Ankur Nandwani <ankur2tenn () gmail com> wrote:

> Now I need to verify the accuracy of my tool, so for the same I plan to download the page contents and HTTP headers, and then parse the content and headers to determine the OS of the machine.

Apache - as well as several less popular web servers - reports some information about the server on error pages by default. However, most administrators shut off this 'feature'. The HTTP 'Server' header remains; however, it can be quite inaccurate. For instance, my server reports "Apache/2.2.3 (Red Hat)"; however, I run Cent, not Red Hat. seclists.org reports "Apache/2.2.3 (CentOS)". I guess you've narrowed it down to Linux in both cases, but that isn't really helpful. microsoft.com reports "Microsoft-IIS/7.0", so again you know the OS class - Windows - but have no clue as to the version. And there are also sites like facebook (no server reported) and google (reports google web server) where this method just won't work.

I should also cover misconfigured hosts and shared server IPs. There are a lot of misconfigured HTTP hosts on the internet. Pages like 'welcome to redhat, this is the dummy apache page, change it here: /var/www'. Obviously this type of host could be easily verified against. However, you would introduce a large sample bias, and wouldn't be able to say if your tool functioned properly against well configured hosts.

As for shared servers, if you are testing IPs then you are bound to run into a lot of pages that look like this 'http://208.97.187.204/' (the dreamhost.com IP); some tell you a lot of information about the server (i.e., the default plesk/cpanel page), and some tell you almost nothing. But sampling these pages may inadvertently induce a sample bias, for the reasons mentioned above.

For these reasons, I think that using HTTP responses to verify a tool would induce a large margin of error.

> So what do you guys think about the efficacy of this approach in determining the correct OS, or is there any other approach, which may be inefficient but can give me better results, so that I can verify my tool.

I could better judge that if I knew what fingerprinting method your tool was using. Based off of nmap? If not, nmap comes to mind :p

-M

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
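The point Michael makes above, that a Server header narrows a host to an OS family at best and often says nothing at all, is easy to see in code. The following is an added example, not from the thread or from Nmap: a small classifier over constructed Server header values (modelled on the ones quoted above) that reports an OS family or "inconclusive", and a tally that keeps inconclusive hosts separate so they do not count as hits or misses when scoring a fingerprinting tool. The token lists and sample headers are assumptions chosen for illustration.

```python
from typing import Optional

# Tokens a Server header may carry (Apache's "ServerTokens OS" level puts a
# platform name in parentheses; IIS names itself). They identify an OS
# *family* only: "(Red Hat)" vs "(CentOS)" is not distinguishable here, and
# IIS/7.0 says nothing certain about the Windows version.
_WINDOWS_TOKENS = ("microsoft-iis", "win32", "win64")
_LINUX_TOKENS = ("red hat", "centos", "ubuntu", "debian", "fedora", "linux")
_BSD_TOKENS = ("freebsd", "openbsd", "netbsd")

def os_class_from_server_header(server: Optional[str]) -> dict:
    """Return {'os_class': 'windows'|'linux'|'bsd'|None, 'evidence': token}.

    A missing header, a stripped one ("Apache"), or a vendor-specific name
    ("gws", "nginx/1.18.0") yields None: the header simply does not say.
    """
    if not server:
        return {"os_class": None, "evidence": None}
    s = server.lower()
    for tokens, family in ((_WINDOWS_TOKENS, "windows"),
                           (_LINUX_TOKENS, "linux"), (_BSD_TOKENS, "bsd")):
        for tok in tokens:
            if tok in s:
                return {"os_class": family, "evidence": tok}
    return {"os_class": None, "evidence": None}

def compare_with_tool(tool_guess: str, server: Optional[str]) -> str:
    """'agree', 'disagree', or 'inconclusive' (header gave no evidence).

    Inconclusive hosts cannot verify the tool either way; folding them into
    misses would bias the measurement toward the hosts with chatty headers.
    """
    hdr = os_class_from_server_header(server)
    if hdr["os_class"] is None:
        return "inconclusive"
    return "agree" if hdr["os_class"] == tool_guess.lower() else "disagree"

def verification_summary(samples) -> dict:
    """Tally outcomes over (tool_guess, server_header) pairs."""
    counts = {"agree": 0, "disagree": 0, "inconclusive": 0}
    for guess, server in samples:
        counts[compare_with_tool(guess, server)] += 1
    return counts

# Constructed sample (tool guess, Server header) pairs; not real captures.
SAMPLES = [
    ("linux", "Apache/2.2.3 (Red Hat)"),    # actually CentOS; still "linux"
    ("linux", "Apache/2.2.3 (CentOS)"),
    ("windows", "Microsoft-IIS/7.0"),       # version stays unknown
    ("linux", None),                        # no Server header at all
    ("linux", "gws"),                       # custom server name, no OS hint
    ("windows", "Apache/2.4.41 (Ubuntu)"),  # tool guessed wrong
    ("linux", "Apache"),                    # ServerTokens Prod: stripped
]

if __name__ == "__main__":
    print(verification_summary(SAMPLES))  # {'agree': 3, 'disagree': 1, 'inconclusive': 3}
```

Three of the seven constructed hosts are inconclusive, which is the margin-of-error problem the reply describes: the sample that can be scored is exactly the sample of servers that leak the most.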