Nmap Development mailing list archives

Re: Strange Fingerprint


From: David Fifield <david () bamsoftware com>
Date: Mon, 8 Sep 2014 14:55:27 -0700

On Mon, Sep 08, 2014 at 10:58:01AM -0700, Trevor Elliott wrote:
> Hi Everyone,
>
> I'm scanning a custom-built network stack, and am getting some
> strange results in the fingerprint.  It ends up with multiple results
> for the SEQ tests as well as a few others, which I wasn't sure how to
> interpret:
>
> TCP/IP fingerprint:
> OS:SCAN(V=6.45%E=4%D=9/8%OT=9001%CT=1%CU=40625%PV=Y%DS=1%DC=D%G=Y%M=525400%
> OS:TM=540DE55C%P=x86_64-redhat-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=RD%CI=
> OS:RI%TS=22)SEQ(CI=RI%II=RI)SEQ(CI=RD)OPS(O1=M5B4NNSNW3NNT11%O2=M5B4NNSNW3N
> OS:NT11%O3=M5B4NW3NNT11%O4=M5B4NNSNW3NNT11%O5=M5B4NNSNW3NNT11%O6=M5B4NNSNNT
> OS:11)WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000)ECN(R=Y%DF=Y%T=44
> OS:%W=4000%O=M5B4NNSNW3NNLL%CC=N%Q=)ECN(R=N)T1(R=Y%DF=Y%T=44%S=O%A=S+%F=AS%
> OS:RD=0%Q=)T1(R=N)T2(R=N)T3(R=Y%DF=Y%T=44%W=4000%S=O%A=S+%F=AS%O=M5B4NNSNW3
> OS:NNT11%RD=0%Q=)T3(R=N)T4(R=Y%DF=Y%T=3B%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)T5(R=Y
> OS:%DF=Y%T=44%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=44%W=0%S=A%A=S%F=A
> OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=44%W=3908%S=O%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
> OS:N%T=FC%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=FF%C
> OS:D=S)

If you run with --osscan-guess, you will get guesses instead of a
fingerprint. For me they are:

 94% 72135 OpenBSD 5.0 - 5.5 (OpenBSD | OpenBSD | 5.X | general purpose)
 92% 71686 OpenBSD 4.4 (OpenBSD | OpenBSD | 4.X | general purpose)
 91% 71777 OpenBSD 4.4 - 4.5 (OpenBSD | OpenBSD | 4.X | general purpose)
 91% 72053 OpenBSD 4.9 - 5.1 (OpenBSD | OpenBSD | 4.X | general purpose)

You get multiple SEQ lines because the OS test is done multiple times in
preparation for making a fingerprint. Actually, there are multiple of
all the other lines too, but Nmap removes lines that are exact
duplicates before serializing the fingerprint.

You should submit the fingerprint along with the exact version number of
the network stack, so that it will be detected by a future version of
Nmap.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
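
To see which attributes actually differ between the repeated test lines discussed in the message above, here is an added example (not part of the original thread and not Nmap's own code) that unwraps an `OS:` fingerprint, groups test lines by name, and lists the attributes that disagree. The function names are hypothetical, the sample is a constructed excerpt of the quoted fingerprint, and the regex assumes no `)` appears inside a test line.

```python
import re
from collections import OrderedDict

# Constructed sample: an excerpt of the fingerprint quoted above, rewrapped.
SAMPLE = """\
OS:SCAN(V=6.45%E=4%D=9/8%OT=9001%CT=1%CU=40625%PV=Y%DS=1%DC=D%G=Y%M=525400%
OS:TM=540DE55C%P=x86_64-redhat-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=RD%CI=
OS:RI%TS=22)SEQ(CI=RI%II=RI)SEQ(CI=RD)ECN(R=Y%DF=Y%T=44%W=4000%O=M5B4NNSNW3
OS:NNLL%CC=N%Q=)ECN(R=N)T2(R=N)
"""

TEST_RE = re.compile(r"([A-Z][A-Z0-9]*)\(([^)]*)\)")  # NAME(attr%attr%...)

def unwrap(text):
    """Strip the 'OS:' prefix from each wrapped line and join the pieces."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("OS:"):
            parts.append(line[3:])
    return "".join(parts)

def parse(text):
    """Return {test name: [attribute dicts]}, one dict per distinct test line."""
    tests = OrderedDict()
    for name, body in TEST_RE.findall(unwrap(text)):
        attrs = dict(kv.partition("=")[::2] for kv in body.split("%") if kv)
        variants = tests.setdefault(name, [])
        if attrs not in variants:  # drop exact duplicates
            variants.append(attrs)
    return tests

def disagreements(tests):
    """For tests with several variants, map each differing attribute
    to its value in every variant (None where the attribute is absent)."""
    out = {}
    for name, variants in tests.items():
        if len(variants) < 2:
            continue
        keys = sorted({k for v in variants for k in v})
        out[name] = {k: [v.get(k) for v in variants] for k in keys
                     if len({v.get(k) for v in variants}) > 1}
    return out

if __name__ == "__main__":
    for test, diff in disagreements(parse(SAMPLE)).items():
        print(test, diff)
```
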