Nmap Development mailing list archives
Re: Strange Fingerprint
From: David Fifield <david () bamsoftware com>
Date: Mon, 8 Sep 2014 14:55:27 -0700
On Mon, Sep 08, 2014 at 10:58:01AM -0700, Trevor Elliott wrote:
Hi Everyone, I'm scanning a custom-built network stack, and am getting some strange results in the fingerprint. It ends up with multiple results for the SEQ tests as well as a few others, which I wasn't sure how to interpret: TCP/IP fingerprint: OS:SCAN(V=6.45%E=4%D=9/8%OT=9001%CT=1%CU=40625%PV=Y%DS=1%DC=D%G=Y%M=525400% OS:TM=540DE55C%P=x86_64-redhat-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=RD%CI= OS:RI%TS=22)SEQ(CI=RI%II=RI)SEQ(CI=RD)OPS(O1=M5B4NNSNW3NNT11%O2=M5B4NNSNW3N OS:NT11%O3=M5B4NW3NNT11%O4=M5B4NNSNW3NNT11%O5=M5B4NNSNW3NNT11%O6=M5B4NNSNNT OS:11)WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000)ECN(R=Y%DF=Y%T=44 OS:%W=4000%O=M5B4NNSNW3NNLL%CC=N%Q=)ECN(R=N)T1(R=Y%DF=Y%T=44%S=O%A=S+%F=AS% OS:RD=0%Q=)T1(R=N)T2(R=N)T3(R=Y%DF=Y%T=44%W=4000%S=O%A=S+%F=AS%O=M5B4NNSNW3 OS:NNT11%RD=0%Q=)T3(R=N)T4(R=Y%DF=Y%T=3B%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)T5(R=Y OS:%DF=Y%T=44%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=44%W=0%S=A%A=S%F=A OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=44%W=3908%S=O%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF= OS:N%T=FC%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=FF%C OS:D=S)
If you run with --osscan-guess, you will get guesses instead of a fingerprint. For me they are: 94% 72135 OpenBSD 5.0 - 5.5 (OpenBSD | OpenBSD | 5.X | general purpose) 92% 71686 OpenBSD 4.4 (OpenBSD | OpenBSD | 4.X | general purpose) 91% 71777 OpenBSD 4.4 - 4.5 (OpenBSD | OpenBSD | 4.X | general purpose) 91% 72053 OpenBSD 4.9 - 5.1 (OpenBSD | OpenBSD | 4.X | general purpose) You get multiple SEQ lines because the OS test is done multiple times in preparation for making a fingerprint. Actually, there are multiple of all the other lines too, but Nmap removes lines that are exact duplicates before serializing the fingerprint. You should submit the fingerprint along with the exact version number of the network stack, so that it will be detected by a future version of Nmap. David Fifield _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Strange Fingerprint Trevor Elliott (Sep 08)
- Re: Strange Fingerprint David Fifield (Sep 08)
- Re: Strange Fingerprint Trevor Elliott (Sep 08)
- Re: Strange Fingerprint David Fifield (Sep 08)
- Re: Strange Fingerprint Trevor Elliott (Sep 08)
- Re: Strange Fingerprint Trevor Elliott (Sep 08)
- Re: Strange Fingerprint David Fifield (Sep 08)