Nmap Development mailing list archives
Re: GSoC Candidate Intro and Project Discussion
From: David Fifield <david () bamsoftware com>
Date: Mon, 28 Mar 2011 14:16:46 -0700
On Sun, Mar 27, 2011 at 04:46:14PM -0500, Dautenhahn, Nathan Daniel wrote:
> Hey All- My name is Nathan Dautenhahn. I am a second year PhD student at the University of Illinois at Urbana-Champaign and am interested in working with the Nmap project for GSoC 2011. With this message I would like to get to know some of the devs, as well as outline my initial thoughts for the project. I would like to participate in the enhancement of Nmap's IPv6 capabilities. As I'm a researcher, I'm inclined to tackle more complex problems such as OS detection. I have previous experience in using statistical packet analysis to perform classification of encrypted traffic. At this point I still need to specify in greater detail my ideas and scope for the project, but figured it would be good to start here to make sure that I'm getting the right feedback throughout the process. I will say I don't know how current IPv4 host detection occurs, and assume that I should start there. The following lists an initial approach I would take in order to develop host detection:
Hello Nathan. You're using the term "host detection," which is a little confusing because it puts me in mind of "host discovery," which is a topic separate from OS detection (see chapter 3 of the Nmap book or http://nmap.org/book/man-host-discovery.html). The reference for OS detection is http://nmap.org/book/osdetect.html. Host discovery (ping scanning) on IPv6 networks is another open research area.
> * Review IPv4 host recognition techniques and other literature on the subject
> * Review IPv6 RFC Specification
> * It seems as though host detection is very specific to the OS and other implementation-specific issues, and as such profiling the different systems seems like a good first step. I would manually review packet traces from each OS in order to find any unique state produced by the system.
> * Review other state output visible to the network. This task would be focused on exposing any unexpected state that could be used for host detection.
Can you give examples of state output? I don't know what you mean.
> * After manually analyzing these traces and other output from the hosts I would start to develop some type of classification of different types of data we find valuable in performing host recognition.
> * Would need to analyze and define what type of pattern/classification technique we will use.
This is an interesting topic. Nmap's IPv4 matching algorithm just uses a weighted sum of passing tests. A few months ago I did a small research project into using a support vector machine for classification, with some success. This is the paper, which also has some useful references: http://seclists.org/nmap-dev/2011/q1/156.
> * The next thing would be to build some type of initial prototype and see how it does.
This is a good point. We don't have to settle for testing in a lab when there are so many Nmap users. A good project plan will include ideas to enable testing by interested users.
> * Then make modifications and recurse over testing and modification until the application performs as desired.
>
> Like I said, this is a very raw initial approach. Please provide any feedback to point the project in a direction that would better serve Nmap. I have a few questions:
>
> * What is the potential for publication coming from this work? Would Nmap be okay if I attempted this, and would there be interest from Nmap to participate in this?
I don't have a feel for what kind of work is publishable. But I can say that this is not a project to be done and then forgotten about--it has to be usable and maintainable for years to come.
> * Is this too advantageous of a project, or would I also need to add in some other work?
I think OS detection is a big enough project on its own.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- GSoC Candidate Intro and Project Discussion Dautenhahn, Nathan Daniel (Mar 27)
- GSoC URL David Fifield (Mar 27)
- Re: GSoC Candidate Intro and Project Discussion David Fifield (Mar 28)