Nmap Development mailing list archives

Re: SinFP OS fingerprinting


From: David Fifield <david () bamsoftware com>
Date: Tue, 31 May 2011 10:13:27 -0700

On Tue, May 31, 2011 at 10:42:07AM -0500, DePriest, Jason R. wrote:
> On Sat, May 28, 2011 at 8:32 AM, Brahim Sakka <> wrote:
>> Hi list,
>>
>> Did anyone have a look at SinFP OS fingerprinter?
>> http://www.gomor.org/bin/view/Sinfp/DocOverview
>> It is claimed to "bypass Nmap limitations" and I don't like reading that
>> about Nmap :)
>
> I'd love to test it out but I've been trying to get all of the
> prerequisites installed via CPAN for about an hour now and I've come
> up to one that won't install.
>
> I am extremely curious to see how well it can ID an OS with just a
> single three-way handshake.

It's actually three, not just one, TCP probes. They all go to the same
open port. The author has a point that this reduces the chance of
getting a mixed-up fingerprint when different ports for the same IP
address are handled by different machines. On the other hand, it loses
some discriminating power.

http://www.gomor.org/files/sinfp-jcv.pdf

When I tested it a little bit, its results were accurate but less
precise than Nmap's. For example, "2.6" is often all the information
available for a Linux version.

3|OSS|Linux|2.4.x|2.4.x|
4|OSS|Linux|2.6.x|2.6.x|
27|OSS|FreeBSD|6.1|6.x|BSD
61|Cisco|IOS|12.0|12.x|Router
125|HP|JetDirect|unknown|unknown|Printer

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

