Nmap Development mailing list archives

Re: Qscan in NSE: qscan.nse


From: Ron <ron () skullsecurity net>
Date: Mon, 22 Mar 2010 18:03:13 -0500

As an enhancement to the whole concept, how difficult would it be to integrate some OS-detection-style tricks? Sample things like:
o Initial TTL
o IPID numbers (zero/incremental/random)
o etc.

Gather those stats, group the hosts that *might* be the same, then do the timing tests on the sub-groups. 

It seems to me that that'd significantly increase the accuracy. 

On Mon, 22 Mar 2010 22:41:20 +0000 jah <jah () zadkiel plus com> wrote:
On 21/03/2010 17:25, Kris Katterjohn wrote:
So these types of tests are the best I can do, but qscan seems to
prove itself useful and accurate for me.
Yep, your results look good.  I haven't worked out definitively why my
results aren't as I'd wished them to be, but I suspect, given that the
test machines are VMs on the same host using the same virtual network
adapter, that the rtt are never going to differ much more than
microseconds - much much less than the std deviation anyway.  So
actually, barring the odd anomaly, getting all ports showing as the
same family is the result I should have been expecting all along.

One thing I noticed is that qscan.nse runs against targets when
only a single port was specified, I think that if less than two
ports are in a testable state then qscan shouldn't run (unless
maybe if it was explicitly requested).


Good find, but actually this was silently fixed in my last attached
script.  I forgot to mention it in the email...
Ah, I missed that.

Still, once we can be confident of its effectiveness, it's a neat
script to have in our arsenal!


Great, I'm glad you think so!  Maybe my tests above have instilled a
little of that confidence in you? :-P  Nah, hopefully qscan can do that
itself when you get a chance to test outside of VMs.
I might be warming to the idea that the script works properly.

Again, nice work Kris.

jah
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
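Ron's two-stage suggestion, worked through as an added example that is not part of this thread and not Nmap's qscan.nse: probes are first bucketed by cheap fingerprint attributes (initial TTL and IP ID behaviour), and only probes in the same bucket are then compared by round-trip timing. The TTL "round up to a common initial value" heuristic, the IP ID classifier, the observation layout and the sample data are all assumptions of this example; the RTT-family clustering is a simplified stand-in for qscan's own statistics, not its code.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Common initial TTL values used by the "round up" heuristic (an assumption
# of this example, not Nmap's OS-detection table).
INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed):
    """Guess the sender's initial TTL from an observed TTL by rounding up to the
    nearest common starting value (each router hop decrements it by one)."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255


def ipid_class(ipids):
    """Classify a sequence of observed IP ID values as zero, incremental or random.
    Steps of up to 256 count as incremental so that byte-swapped counters
    (IDs incremented in host byte order) are still recognised."""
    if all(i == 0 for i in ipids):
        return "zero"
    steps = [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]
    if steps and all(0 < s <= 256 for s in steps):
        return "incremental"
    return "random"


def fingerprint_groups(observations):
    """Stage 1: bucket (host, port) probes by (initial TTL, IP ID behaviour)."""
    groups = defaultdict(list)
    for key, obs in observations.items():
        groups[(initial_ttl(obs["ttl"]), ipid_class(obs["ipids"]))].append(key)
    return dict(groups)


def rtt_families(observations, keys, k=2.0):
    """Stage 2: within one fingerprint bucket, cluster probes whose mean RTT lies
    within k standard deviations of a family's first member. Simplified
    stand-in for qscan's own statistics."""
    stats = {key: (mean(observations[key]["rtts"]), pstdev(observations[key]["rtts"]))
             for key in keys}
    families = []
    for key in sorted(keys, key=lambda x: stats[x][0]):
        m, s = stats[key]
        for family in families:
            fm, fs = stats[family[0]]
            # 0.1 ms floor keeps a family from collapsing to zero width
            if abs(m - fm) <= k * max(s, fs, 0.1):
                family.append(key)
                break
        else:
            families.append([key])
    return families


def analyse(observations):
    """Run both stages; returns {fingerprint: [family, ...]} with each family sorted."""
    return {fp: [sorted(fam) for fam in rtt_families(observations, keys)]
            for fp, keys in fingerprint_groups(observations).items()}


# Constructed sample: four ports answering on one address. Three share a
# Linux-like fingerprint (TTL 64, incremental IP ID); one looks like a
# different stack (TTL 128, random IP ID) and sits several hops further away.
SAMPLE = {
    ("10.0.0.1", 22):   {"ttl": 58,  "ipids": [100, 101, 102, 103],       "rtts": [10.1, 10.3, 9.9, 10.2]},
    ("10.0.0.1", 80):   {"ttl": 58,  "ipids": [200, 201, 202, 203],       "rtts": [10.0, 10.4, 10.1, 9.8]},
    ("10.0.0.1", 443):  {"ttl": 121, "ipids": [5000, 13000, 2000, 44000], "rtts": [35.0, 36.0, 34.0, 35.5]},
    ("10.0.0.1", 8080): {"ttl": 58,  "ipids": [300, 301, 302, 303],       "rtts": [30.0, 29.5, 30.5, 30.2]},
}

if __name__ == "__main__":
    for fp, families in analyse(SAMPLE).items():
        print(fp, families)
```

With the constructed sample, port 443 never gets compared by timing to the others because its fingerprint bucket differs, while ports 22 and 80 land in one RTT family and 8080 in another despite sharing a bucket; that separation of cheap attribute grouping from expensive timing comparison is the point of Ron's suggestion, and on a real network the thresholds would need tuning against the RTT jitter jah describes.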