Nmap Development mailing list archives
Strange Fingerprint
From: Trevor Elliott <trevor () galois com>
Date: Mon, 8 Sep 2014 10:58:01 -0700
Hi Everyone,

I'm scanning a custom-built network stack[1], and am getting some strange results in the fingerprint. It ends up with multiple results for the SEQ tests as well as a few others, which I wasn't sure how to interpret:

TCP/IP fingerprint:
OS:SCAN(V=6.45%E=4%D=9/8%OT=9001%CT=1%CU=40625%PV=Y%DS=1%DC=D%G=Y%M=525400%
OS:TM=540DE55C%P=x86_64-redhat-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=RD%CI=
OS:RI%TS=22)SEQ(CI=RI%II=RI)SEQ(CI=RD)OPS(O1=M5B4NNSNW3NNT11%O2=M5B4NNSNW3N
OS:NT11%O3=M5B4NW3NNT11%O4=M5B4NNSNW3NNT11%O5=M5B4NNSNW3NNT11%O6=M5B4NNSNNT
OS:11)WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000)ECN(R=Y%DF=Y%T=44
OS:%W=4000%O=M5B4NNSNW3NNLL%CC=N%Q=)ECN(R=N)T1(R=Y%DF=Y%T=44%S=O%A=S+%F=AS%
OS:RD=0%Q=)T1(R=N)T2(R=N)T3(R=Y%DF=Y%T=44%W=4000%S=O%A=S+%F=AS%O=M5B4NNSNW3
OS:NNT11%RD=0%Q=)T3(R=N)T4(R=Y%DF=Y%T=3B%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=44%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=44%W=0%S=A%A=S%F=A
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=44%W=3908%S=O%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=FC%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=FF%C
OS:D=S)

I've also posted a pcap capture, and the output of running nmap with -d9 [2,3].

Thanks for any insight! :)

--trevor

[1] https://github.com/galoisinc/hans
[2] http://www.galois.com/~trevor/scan.out
[3] http://www.galois.com/~trevor/scan.pcap
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
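For readers working with a fingerprint like the one in this post, the following added example (not part of the original message and not Nmap's own code) unwraps the `OS:` lines, splits them into tests, and reports which tests occur more than once and which attributes differ between occurrences. The function names are hypothetical; the input is the fingerprint quoted in the post.

```python
import re
from collections import defaultdict

# Fingerprint exactly as quoted in the post, wrapped "OS:" lines included.
RAW = """
OS:SCAN(V=6.45%E=4%D=9/8%OT=9001%CT=1%CU=40625%PV=Y%DS=1%DC=D%G=Y%M=525400%
OS:TM=540DE55C%P=x86_64-redhat-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=RD%CI=
OS:RI%TS=22)SEQ(CI=RI%II=RI)SEQ(CI=RD)OPS(O1=M5B4NNSNW3NNT11%O2=M5B4NNSNW3N
OS:NT11%O3=M5B4NW3NNT11%O4=M5B4NNSNW3NNT11%O5=M5B4NNSNW3NNT11%O6=M5B4NNSNNT
OS:11)WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000)ECN(R=Y%DF=Y%T=44
OS:%W=4000%O=M5B4NNSNW3NNLL%CC=N%Q=)ECN(R=N)T1(R=Y%DF=Y%T=44%S=O%A=S+%F=AS%
OS:RD=0%Q=)T1(R=N)T2(R=N)T3(R=Y%DF=Y%T=44%W=4000%S=O%A=S+%F=AS%O=M5B4NNSNW3
OS:NNT11%RD=0%Q=)T3(R=N)T4(R=Y%DF=Y%T=3B%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=44%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=44%W=0%S=A%A=S%F=A
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=44%W=3908%S=O%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=FC%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=FF%C
OS:D=S)
"""

TEST_RE = re.compile(r"([A-Z][A-Z0-9]*)\(([^)]*)\)")  # NAME(attr=val%attr=val)

def unwrap(raw):
    """Drop each line's 'OS:' prefix and join the pieces back into one string."""
    lines = (l.strip() for l in raw.splitlines())
    return "".join(l[3:] for l in lines if l.startswith("OS:"))

def parse(raw):
    """Map each test name to a list of attribute dicts, one per occurrence."""
    tests = defaultdict(list)
    for name, body in TEST_RE.findall(unwrap(raw)):
        pairs = (kv.partition("=") for kv in body.split("%") if kv)
        tests[name].append({k: v for k, _, v in pairs})
    return dict(tests)

def repeated(tests):
    """For tests seen more than once, list attributes whose values differ."""
    out = {}
    for name, occ in tests.items():
        if len(occ) > 1:
            keys = sorted({k for attrs in occ for k in attrs})
            out[name] = {k: [a.get(k) for a in occ] for k in keys
                         if len({a.get(k) for a in occ}) > 1}
    return out

if __name__ == "__main__":
    for name, diff in repeated(parse(RAW)).items():
        print(name, diff)
```

An attribute that is absent from one occurrence of a test shows up as `None` in that position of the list.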
Current thread:
- Strange Fingerprint Trevor Elliott (Sep 08)
- Re: Strange Fingerprint David Fifield (Sep 08)
- Re: Strange Fingerprint Trevor Elliott (Sep 08)
- Re: Strange Fingerprint David Fifield (Sep 08)
- Re: Strange Fingerprint Trevor Elliott (Sep 08)
- Re: Strange Fingerprint Trevor Elliott (Sep 08)
- Re: Strange Fingerprint David Fifield (Sep 08)