Nmap Development mailing list archives

Re: [nmap-svn] r32464 - nmap


From: David Fifield <david () bamsoftware com>
Date: Sun, 3 Nov 2013 12:25:15 -0800

On Wed, Oct 23, 2013 at 11:31:53PM +0200, Jacek Wielemborek wrote:
2013/10/23  <commit-mailer () nmap org>:
Author: d33tah
Date: Wed Oct 23 21:26:51 2013
New Revision: 32464

Log:
Reverting r32462 - Fyodor says it needs some investigation on how the W0 actually appeared here.


Modified:
   nmap/nmap-os-db

Modified: nmap/nmap-os-db
==============================================================================
--- nmap/nmap-os-db     (original)
+++ nmap/nmap-os-db     Wed Oct 23 21:26:51 2013
@@ -59929,7 +59929,7 @@
 CPE cpe:/o:microsoft:windows_xp::sp3
 SEQ(SP=101-10B%GCD=1-6%ISR=104-10E%II=I%TS=U)
 
OPS(O1=M4ECNW0NNS|M4ECNW3NNS%O2=M4ECNW0NNS|M4ECNW3NNS%O3=M4ECNW0|M4ECNW3%O4=M4ECNW0NNS|M4ECNW3NNS%O5=M4ECNW0NNS|M4ECNW3NNS%O6=M4ECNNS)
-WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)
+WIN(W1=FFFF%W2=FFFF%W0|W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)
 ECN(R=Y%DF=Y%T=3B-45%TG=40%W=FFFF%O=M4ECNW0NNS|M4ECNW3NNS%CC=N%Q=)
 T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
 T2(R=Y%DF=N%T=3B-45%TG=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
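Review bot: the `+` line puts `W0|W3=FFFF` back into the WIN test, so the `|` alternation sits in a test name rather than in a value; the tests on the `-` line are W1 through W6, and a key spelled `W0|W3` matches none of them while the real W3 entry disappears. The `-` line, `WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)`, is the well-formed one. Since the log states the revert is deliberate pending investigation, it would help the next reader if the log also named the probable cause visible two lines up: the `W3` window-scale token inside the OPS values has the same spelling as the W3 window test, so a textual expansion of `W3` to `W0|W3` hits both.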

_______________________________________________
Sent through the svn mailing list
http://nmap.org/mailman/listinfo/svn

While building my own nmap-os-db parser, I noticed that there are WIN
tests not mentioned in MatchPoints. The first one I spotted was W0 for
Windows XP, but then I noticed there are also bogus W7, W8 and W9.

I talked to Fyodor about this and he suggested that it might be a bug
in either the Nmap integration software or some probe numbering bug
related to retransmissions. He also noticed that the bogus tests
appeared in r30038 and the diff shows that these lines got replaced in
an already existing fingerprint. This might be worth investigating.

This looks like it's probably my fault--it looks like I was manually
expanding the window scaling factors allowed from just W3 to W0 and W3.
        O1=M4ECNW3NNS → O1=M4ECNW0NNS|M4ECNW3NNS
        O2=M4ECNW3NNS → O2=M4ECNW0NNS|M4ECNW3NNS
        O3=M4ECNW3 → O3=M4ECNW0|M4ECNW3
        etc.
I probably did it with a replacement like
        s/\(\w*\)W3\(\w*\)/\1W0\2|\1W3\2/
The window scaling factor W3 happened to coincide with W3, a TCP window
size.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
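The two observations in this thread, the substitution David describes and the MatchPoints check Jacek ran, can be reproduced in a few lines. The following is an added example, not code from the thread or from Nmap: it transcribes the `s/\(\w*\)W3\(\w*\)/\1W0\2|\1W3\2/` substitution to Python's `re` syntax, shows that it rewrites the W3 *test name* on the WIN line exactly as the hunk above records, contrasts it with an expansion that parses each test line and only touches OPS values, and finishes with the check that flags test keys absent from MatchPoints. The pre-expansion OPS line, the MatchPoints lines (with made-up point values) and the `parse_test_line`/`unknown_tests` helpers are all constructed for this example.

```python
import re

# Constructed sample data, modelled on the nmap-os-db excerpt quoted above.
# The OPS line is the assumed pre-expansion form (only W3, no W0 alternative).
OPS_LINE = "OPS(O1=M4ECNW3NNS%O2=M4ECNW3NNS%O3=M4ECNW3%O4=M4ECNW3NNS%O5=M4ECNW3NNS%O6=M4ECNNS)"
WIN_LINE = "WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)"

# Constructed stand-in for the MatchPoints block of nmap-os-db: only the two
# lines this example needs, with illustrative (not real) point values.
MATCHPOINTS_LINES = [
    "OPS(O1=20%O2=20%O3=20%O4=20%O5=20%O6=20)",
    "WIN(W1=15%W2=15%W3=15%W4=15%W5=15%W6=15)",
]


def parse_test_line(line):
    """Split 'NAME(k=v%k=v...)' into (NAME, [(k, v), ...]). Values may be empty ('Q=')."""
    m = re.fullmatch(r"(\w+)\((.*)\)", line.strip())
    if m is None:
        raise ValueError("not a fingerprint test line: %r" % line)
    name, body = m.group(1), m.group(2)
    tests = []
    for item in (body.split("%") if body else []):
        key, _, value = item.partition("=")
        tests.append((key, value))
    return name, tests


def unparse_test_line(name, tests):
    """Inverse of parse_test_line."""
    return "%s(%s)" % (name, "%".join("%s=%s" % kv for kv in tests))


# The substitution quoted in David's reply, transcribed to Python re syntax.
BUGGY_RE = re.compile(r"(\w*)W3(\w*)")


def buggy_expand(line):
    """Textual expansion: every 'W3' token becomes '...W0...|...W3...', including a WIN test name."""
    return BUGGY_RE.sub(r"\1W0\2|\1W3\2", line)


def safe_expand(line):
    """Structure-aware expansion: only the values of OPS tests are rewritten."""
    name, tests = parse_test_line(line)
    if name != "OPS":
        return line
    out = []
    for key, value in tests:
        # Add the W0 alternative in front of the existing W3 variant.
        if "W3" in value and "|" not in value:
            value = value.replace("W3", "W0") + "|" + value
        out.append((key, value))
    return unparse_test_line(name, out)


def load_matchpoints(lines):
    """Map each test group name to the set of test keys MatchPoints assigns points to."""
    return {name: {k for k, _ in tests} for name, tests in map(parse_test_line, lines)}


def unknown_tests(line, matchpoints):
    """Return the test keys on a fingerprint line that MatchPoints does not list."""
    name, tests = parse_test_line(line)
    known = matchpoints.get(name, set())
    return [k for k, _ in tests if k not in known]


if __name__ == "__main__":
    mp = load_matchpoints(MATCHPOINTS_LINES)
    for label, expand in (("buggy", buggy_expand), ("safe", safe_expand)):
        for line in (OPS_LINE, WIN_LINE):
            result = expand(line)
            print(label, result, "unknown tests:", unknown_tests(result, mp))
```

Running it shows both expansions produce the same OPS line, but only the textual one turns `W3=FFFF` on the WIN line into `W0|W3=FFFF`, and `unknown_tests` reports the key `W0|W3` for that line, which is the kind of discrepancy a parser comparing fingerprints against MatchPoints surfaces immediately.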
