Nmap Development mailing list archives
Re: SinFP OS fingerprinting
From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Tue, 31 May 2011 14:26:48 -0500
I had to install some packages via apt-get that wouldn't work through
CPAN, but I got it working.

I hit a Solaris box and got this from SinFP
---
$ time sudo sinfp.pl -i www.xxx.yyy.126
*** Net::Packet is obsolete, you will receive no support.
*** Now use Net::Frame::* modules.
P1: B11113 F0x12 W49312 O0204ffff M1460
P2: B11113 F0x12 W49232 O0101080affffffff444541440204ffff0103030001010402 M1460
P3: B01023 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2: Unix: SunOS: 5.10
IPv4: HEURISTIC0/P1P2: Unix: SunOS: 5.9
*** File [sinfp4-127.0.0.1.anon.pcap] generation done.
*** Please send it to sinfp () gomor org if you think this is not
*** the good identification, or if it is a new signature.
*** In this last case, please specify `uname -a' (or equivalent)
*** from the target host.

real    0m1.140s
user    0m1.052s
sys     0m0.084s
---

and this from nmap using the minimal options to detect OS
---
$ time sudo nmap -O www.xxx.yyy.126

Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-31 13:44 CDT
Nmap scan report for server.domain.com (www.xxx.yyy.126)
Host is up (0.0019s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
898/tcp   open  sun-manageconsole
1099/tcp  open  rmiregistry
5987/tcp  open  wbem-rmi
5988/tcp  open  wbem-http
10000/tcp open  snet-sensor-mgmt
13722/tcp open  netbackup
13782/tcp open  netbackup
13783/tcp open  netbackup
32768/tcp open  filenet-tms
OS fingerprint not ideal because: Host distance (6 network hops) is greater than five
No OS matches for host
Network Distance: 6 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.69 seconds

real    0m32.727s
user    0m1.880s
sys     0m0.080s
---

Nmap was slower and less accurate in this instance.

So if you just want to know what OS something is running, SinFP is a
good tool (assuming your OS is in the database which will only get
better as time goes on). It is both fast and quiet.
SinFP complements nmap well, I think. I found it much harder to install
than nmap because my vanilla perl installation was missing most of the
support modules it needed.

Just for fun, I kicked nmap up a few levels and got this
---
$ time sudo nmap -sSCUV -v -O -pT:0-65535,U:58437,53,67,68,69,88,111,123,135,137,138,139,161,162,445,500,514,520,631,1433,1434,1812,1813,1900,4500,6481,49152-49161 --version-intensity 9 --reason --script '(safe and not broadcast and not firewalk.nse),default,version,smtp-open-relay.nse' www.xxx.yyy.126

Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-31 13:48 CDT
Nmap scan report for server.domain.com (www.xxx.yyy.126)
Host is up, received reset (0.0017s latency).
Not shown: 65553 closed ports
Reason: 65518 resets and 35 port-unreaches
PORT      STATE SERVICE           REASON       VERSION
21/tcp    open  ftp               syn-ack      vsftpd 2.0.8 or later
| banner: 220-Authorized uses only. All activity may be monitored and rep
|_orted.\x0D\x0A220-\x0D\x0A220 server-mem FTP server ready.
22/tcp    open  ssh               syn-ack      SunSSH 1.1.1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms (2)
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms (3)
|       aes128-cbc
|       blowfish-cbc
|       3des-cbc
|   mac_algorithms (2)
|       hmac-sha1
|       hmac-md5
|   compression_algorithms (2)
|       none
|_      zlib
| ssh-hostkey: 1024 f8:88:96:9a:dc:15:90:04:22:dd:00:d9:da:7e:52:dd (DSA)
|_1024 b5:e7:ed:68:65:d2:4b:97:66:f8:35:a6:43:03:87:63 (RSA)
|_banner: SSH-2.0-Sun_SSH_1.1.1
80/tcp    open  http              syn-ack      Apache httpd
|_http-date: Tue, 31 May 2011 19:18:18 GMT; -1m02s from local time.
|_http-title: 403 Forbidden
| http-headers:
|   Date: Tue, 31 May 2011 19:18:18 GMT
|   Server: Apache
|   Content-Length: 202
|   Connection: close
|   Content-Type: text/html; charset=iso-8859-1
|
|_  (Request type: GET)
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-malware-host: Host appears to be clean
665/tcp   open  sun-dr?           syn-ack
898/tcp   open  http              syn-ack      Solaris management console server (Java 1.4.1_06; Tomcat 2.1; SunOS 5.9 sparc)
| http-methods: GET HEAD TRACE OPTIONS
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Solaris Management Console Server 2.1
|_http-malware-host: Host appears to be clean
| http-headers:
|   Date: Tue, 31 May 02011 19:18:17 GMT
|   Server: Tomcat/2.1
|   Content-Type: text/html
|   Content-Length: 3220
|   Servlet-Engine: Tomcat/2.1 (Java 1.4.1_06; SunOS 5.9 sparc; java.vendor=Sun Microsystems Inc.)
|   Last-Modified: Mon, 15 Apr 02002 06:29:11 GMT
|
|_  (Request type: HEAD)
|_http-date: Tue, 31 May 02011 19:18:18 GMT; -1m02s from local time.
1099/tcp  open  jrmi              syn-ack      Java RMI
4080/tcp  open  http              syn-ack      Jetty httpd
|_http-malware-host: Host appears to be clean
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Error 404 - Not Found
|_http-date: Tue, 31 May 2011 19:18:19 GMT; -1m01s from local time.
| http-headers:
|   Date: Tue, 31 May 2011 19:18:19 GMT
|   Server: Cyclone HTTP(S) Server
|   Connection: close
|   Content-Type: text/html
|   Content-Length: 930
|
|_  (Request type: GET)
4081/tcp  open  ssl/http          syn-ack      Jetty httpd
| ssl-cert: Subject: commonName=server-mem/organizationName=My Company
| Issuer: commonName=server-mem/organizationName=My Company
| Public Key type: rsa
| Public Key bits: 512
| Not valid before: 2006-04-11 18:15:40
| Not valid after:  2011-04-11 18:15:40
| MD5:   ba09 a4f7 caad b8db 6549 648f 9a75 9da3
|_SHA-1: 4555 d30b 4363 19ac 824e cbf3 b24e cb1a b2a0 278f
|_http-date: Tue, 31 May 2011 19:18:18 GMT; -1m02s from local time.
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Error 404 - Not Found
| http-headers:
|   Date: Tue, 31 May 2011 19:18:20 GMT
|   Server: Cyclone HTTP(S) Server
|   Connection: close
|   Content-Type: text/html
|   Content-Length: 778
|
|_  (Request type: GET)
|_http-malware-host: Host appears to be clean
5987/tcp  open  ssl/jrmi          syn-ack      Java RMI
| ssl-cert: Subject: commonName=server-mem
| Issuer: commonName=server-mem
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2011-03-15 16:45:44
| Not valid after:  2012-03-14 16:45:44
| MD5:   10d6 88f8 3490 8bf9 fdc6 b7b2 fb84 4289
|_SHA-1: 978b 7d61 c608 bcf9 f856 a545 e796 12a6 049f 1ef8
5988/tcp  open  http              syn-ack      Java 1.4.1_06 http.transport.HttpServerConnection httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-malware-host: Host appears to be clean
|_http-date: Tue, 31 May 2011 19:18:18 GMT; -1m02s from local time.
| http-headers:
|   Content-Length: 0
|   Server: Java/1.4.1_06 javax.wbem.client.adapter.http.transport.HttpServerConnection
|   Date: Tue, 31 May 2011 19:18:18 GMT
|   Connection: close
|
|_  (Request type: GET)
10000/tcp open  http              syn-ack      MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-date: Tue, 31 May 2011 19:18:13 GMT; -1m07s from local time.
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-headers:
|   Date: Tue, 31 May 2011 19:18:18 GMT
|   Server: MiniServ/0.01
|   Connection: close
|   Set-Cookie: testing=1; path=/
|   pragma: no-cache
|   Expires: Thu, 1 Jan 1970 00:00:00 GMT
|   Cache-Control: no-store, no-cache, must-revalidate
|   Cache-Control: post-check=0, pre-check=0
|   Content-type: text/html; Charset=iso-8859-1
|
|_  (Request type: GET)
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
|_http-malware-host: Host appears to be clean
13722/tcp open  netbackup         syn-ack      Veritas Netbackup java listener
13724/tcp open  vnetd             syn-ack      Veritas Netbackup Network Utility
13782/tcp open  tcpwrapped        syn-ack
13783/tcp open  tcpwrapped        syn-ack
32768/tcp open  mdcommd           syn-ack      1 (rpc #100422)
34946/tcp open  jrmi              syn-ack      Java RMI
47273/tcp open  ssl/jrmi          syn-ack      Java RMI
| ssl-cert: Subject: commonName=server-mem
| Issuer: commonName=server-mem
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2011-03-15 16:45:44
| Not valid after:  2012-03-14 16:45:44
| MD5:   10d6 88f8 3490 8bf9 fdc6 b7b2 fb84 4289
|_SHA-1: 978b 7d61 c608 bcf9 f856 a545 e796 12a6 049f 1ef8
123/udp   open  ntp               udp-response NTP v4
| ntp-info:
|   receive time stamp: Tue May 31 14:18:23 2011
|   system: SunOS
|   leap: 0
|   stratum: 4
|   rootdelay: 58.26
|   rootdispersion: 307.98
|   peer: 59148
|   refid: 192.168.30.133
|   reftime: 0xd18fbd52.124c1000
|   poll: 7
|   clock: 0xd18fbd79.96ac1000
|   phase: 0.248
|   freq: 25790.01
|_  error: 128.02
OS fingerprint not ideal because: Host distance (6 network hops) is greater than five
No OS matches for host
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: SunOS

Host script results:
|_path-mtu: PMTU == 1500
|_ipidseq: Unknown
| asn-query:
| BGP: www.xxx.yyy.0/22 | Country: US
|   Origin AS: 19134 - DOMAIN - My Company National Corporation
|_    Peer AS: 701 4323
| qscan:
| PORT  FAMILY  MEAN (us)  STDDEV   LOSS (%)
| 0     0       5004.10    2965.25  0.0%
| 21    0       7009.40    6061.22  0.0%
| 22    0       4814.56    3078.42  10.0%
| 80    0       5549.20    4596.80  0.0%
| 665   0       0.00       -0.00    100.0%
| 898   0       5084.00    3314.85  0.0%
| 1099  0       4160.00    1093.36  0.0%
| 4080  0       5277.70    2908.35  0.0%
|_4081  0       5043.40    3113.46  0.0%

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1877.91 seconds
           Raw packets sent: 81895 (3.606MB) | Rcvd: 65615 (2.626MB)

real    31m17.944s
user    0m5.320s
sys     0m2.684s
---

Yeah. It took half an hour, but SinFP can't touch that amount of
information about a server.

The two tools solve different problems.

-Jason

On Tue, May 31, 2011 at 12:13 PM, David Fifield <> wrote:
> On Tue, May 31, 2011 at 10:42:07AM -0500, DePriest, Jason R. wrote:
> > On Sat, May 28, 2011 at 8:32 AM, Brahim Sakka <> wrote:
> > > Hi list,
> > >
> > > Did anyone have a look at SinFP OS fingerprinter?
> > > http://www.gomor.org/bin/view/Sinfp/DocOverview
> > >
> > > It is claimed to "bypass Nmap limitations" and I don't like reading
> > > that about Nmap :)
> >
> > I'd love to test it out but I've been trying to get all of the
> > prerequisites installed via CPAN for about an hour now and I've come
> > up to one that won't install.
> >
> > I am extremely curious to see how well it can ID an OS with just a
> > single three-way handshake.
>
> It's actually three, not just one, TCP probes. They all go to the same
> open port. The author has a point that this reduces the chance of
> getting a mixed-up fingerprint when different ports for the same IP
> address are handled by different machines. On the other hand, it loses
> some discriminating power.
>
> http://www.gomor.org/files/sinfp-jcv.pdf
>
> When I tested it a little bit, its results were accurate but less
> precise than Nmap's. For example, "2.6" is often all the information
> available for a Linux version.
>
> 3|OSS|Linux|2.4.x|2.4.x|
> 4|OSS|Linux|2.6.x|2.6.x|
> 27|OSS|FreeBSD|6.1|6.x|BSD
> 61|Cisco|IOS|12.0|12.x|Router
> 125|HP|JetDirect|unknown|unknown|Printer
>
> David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
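The SinFP output in Jason's message shows three probe results (P1, P2, P3) and a "HEURISTIC0" match that names both SunOS 5.9 and 5.10, and David's reply explains why the tool's answers are accurate but sometimes imprecise. The following Python script is an added example, written for this archive page and not code from SinFP, Nmap or either author: it parses probe lines in the format shown above, decodes the TCP options hex string into option kinds, and matches the result against a small signature table with decreasing strictness, so the reader can see why two identical database rows produce two candidates and what a looser "heuristic" level has to give up. Assumptions: the field meanings (B is a five-digit flags field and is carried through opaquely; F is the reply's TCP flags; W the window; O the raw options with the MSS value masked to ffff; M the MSS) are read off the lines in the thread; the signature table is constructed here (the SunOS rows copy the observed probes, the Linux row is hypothetical), and the three match levels are this example's own, not SinFP's heuristic definitions.

```python
"""Decode and match SinFP-style TCP probe signatures (added example, not
SinFP's own code). Field meanings (B, F, W, O, M) are assumptions read
off the output in the thread; the signature table is constructed."""
import re
from dataclasses import dataclass

# TCP option kinds (RFC 793, RFC 2018, RFC 7323)
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACKOK", 8: "TIMESTAMP"}

SIG_RE = re.compile(
    r"^(P[123]):\s+B(\d+)\s+F0x([0-9a-fA-F]+)\s+W(\d+)\s+O([0-9a-fA-F]+)\s+M(\d+)$")


@dataclass(frozen=True)
class Probe:
    b_field: str      # SinFP "B" flags field, kept as printed
    tcp_flags: int    # 0x12 = SYN/ACK, 0x04 = RST
    window: int
    options_hex: str  # raw TCP options, MSS value masked to ffff
    mss: int


def parse_probe_line(line):
    """'P1: B11113 F0x12 W49312 O0204ffff M1460' -> ('P1', Probe(...))."""
    m = SIG_RE.match(line.strip())
    if not m:
        raise ValueError("not a SinFP probe line: %r" % line)
    name, b, f, w, o, mss = m.groups()
    return name, Probe(b, int(f, 16), int(w), o.lower(), int(mss))


def parse_signature(text):
    """Three probe lines -> {'P1': Probe, 'P2': Probe, 'P3': Probe}."""
    sig = dict(parse_probe_line(line) for line in text.strip().splitlines())
    if set(sig) != {"P1", "P2", "P3"}:
        raise ValueError("expected exactly P1, P2 and P3")
    return sig


def decode_options(options_hex):
    """Walk the TLV-encoded TCP options; 'O0' in SinFP output means none."""
    data = b"" if options_hex == "0" else bytes.fromhex(options_hex)
    out, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind in (0, 1):                 # EOL and NOP carry no length byte
            out.append(OPTION_NAMES[kind])
            if kind == 0:
                break
            i += 1
            continue
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed option at offset %d" % i)
        body = data[i + 2:i + length]
        name = OPTION_NAMES.get(kind, "KIND%d" % kind)
        out.append("%s=%s" % (name, body.hex()) if body else name)
        i += length
    return out


def option_kinds(options_hex):
    return [o.split("=")[0] for o in decode_options(options_hex)]


# Constructed signature table. The two SunOS rows are identical on purpose:
# that is what makes a tool report 5.9 and 5.10 together, as in the thread.
OBSERVED = """
P1: B11113 F0x12 W49312 O0204ffff M1460
P2: B11113 F0x12 W49232 O0101080affffffff444541440204ffff0103030001010402 M1460
P3: B01023 F0x04 W0 O0 M0
"""
HYPOTHETICAL_LINUX = """
P1: B11113 F0x12 W5840 O0204ffff M1460
P2: B11113 F0x12 W5792 O0204ffff0402080affffffffffffffff01030305 M1460
P3: B01023 F0x04 W0 O0 M0
"""
SIGNATURE_TABLE = [
    ("SunOS 5.10", parse_signature(OBSERVED)),
    ("SunOS 5.9", parse_signature(OBSERVED)),
    ("Linux 2.6.x (hypothetical)", parse_signature(HYPOTHETICAL_LINUX)),
]

# Match levels from strictest to loosest (this example's own definitions).
MATCH_LEVELS = [
    ("exact", lambda a, b: a == b),
    ("ignore-window", lambda a, b: (a.tcp_flags, a.options_hex, a.mss)
                                   == (b.tcp_flags, b.options_hex, b.mss)),
    ("option-kinds-only", lambda a, b: (a.tcp_flags, option_kinds(a.options_hex))
                                       == (b.tcp_flags, option_kinds(b.options_hex))),
]


def match(observed, table=SIGNATURE_TABLE):
    """Return (level, level_name, [os names]) for the strictest level that hits."""
    for level, (name, same) in enumerate(MATCH_LEVELS):
        hits = [os_name for os_name, sig in table
                if all(same(observed[p], sig[p]) for p in ("P1", "P2", "P3"))]
        if hits:
            return level, name, hits
    return None, "no-match", []


if __name__ == "__main__":
    obs = parse_signature(OBSERVED)
    for p in ("P1", "P2", "P3"):
        print(p, hex(obs[p].tcp_flags), obs[p].window, decode_options(obs[p].options_hex))
    print(match(obs))
```

Run as-is it decodes the three observed replies (SYN/ACK with MSS only, SYN/ACK with the full NOP/timestamp/MSS/window-scale/SACK option list, and a bare RST) and reports an exact match on both SunOS rows, mirroring the two lines SinFP printed. Changing only the window of P1 drops the result to the "ignore-window" level, and changing the timestamp value inside P2 drops it further to "option-kinds-only": each looser level keeps the answer correct at the cost of the precision David describes, which is the trade-off behind a one-port, three-probe design.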