Nmap Development mailing list archives

Remote OS detection in IPv6


From: "Mathias Morbitzer" <m.morbitzer () runbox com>
Date: Tue, 08 Jul 2014 21:59:00 +0200 (CEST)

Hi everyone,

In March, I gave a presentation at Troopers14 about new ideas for Remote OS detection / OS fingerprinting in IPv6. It 
can be found here: 
https://www.troopers.de/wp-content/uploads/2013/11/TROOPERS14-Remote_OS_Detection_with_IPv6-Mathias_Morbitzer.pdf

Now I would like to see some of those methods in Nmap. But before getting on it, I would like to discuss with you which 
methods are the most interesting to be implemented. 

There are some things which shouldn't be much work to implement, since Nmap already has most of the code which would be 
necessary. An example for this is the analysis of the IPv6 fragmentation ID sequence. All the code to detect the type 
of sequence (incremental, random, ...) is already there, it just needs to be integrated into the OS detection. 

Then there are things which are in my opinion also a good idea to implement since they do not require any additional 
packets to be sent. An example for this is the analysis of the hop limit field, which is in any IPv6 packet received 
from the target, and can allow a basic distinction between different types of OSs (Windows, Unix, etc..) 

And then finally, there is my favorite method of this presentation, which is the fingerprinting by using ICMPv6 time 
exceeded messages. The thing I really like about this is that if we have for example a Windows system with an active 
firewall, we would still be able to determine that it's a Windows system (based on the hop limit which I mentioned 
earlier). Furthermore, it is possible to detect if the system is running a version of Windows older or newer/equal to 
Windows 7 based on the assignment of the fragment ID (incremental for < Windows 7, incremental by 2 for >= Windows 7). 

But of course, there are also a lot of other ideas in the presentation which trigger different responses from different 
OSs, such as playing around with the IPv6 extension headers.

Now that I shared with you my opinion about which methods would be interesting to implement, I am looking forward to 
other people's input. What seems like a good idea to implement, what not so much? 

Also, if you would like to implement something in Nmap but you don't know what, please get in touch with me. I would 
really like to see some of those ideas in Nmap, but I don't know when I will have the time to implement them, so any 
help on this would be greatly appreciated! 
(Originally, I was counting on Sriharsha Karamchati to do the implementation, but we all know how that ended.... ) 


Looking forward to your input, 
Mathias
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
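The two passive measurements the post describes (classifying the IPv6 fragmentation ID sequence and inferring the initial hop limit from the hop limit seen in any packet from the target) can be prototyped in a few lines. The block below is an added illustration written for this archive page, not code from Nmap or from the original poster. It parses the fixed IPv6 header and walks extension headers to the Fragment header (RFC 2460 layout), then applies two heuristics. The thresholds (diffs of exactly 1, exactly 2, "small" below 1000, otherwise random) and the candidate initial hop limits (64, 128, 255, labelled with the OS families that commonly use them) are assumptions chosen for the example, not values taken from the post or from Nmap's OS detection. The packets fed to it are constructed inline; in practice they would come from a pcap of replies to the target.

```python
"""Passive IPv6 fingerprinting heuristics: fragment ID pattern and initial hop limit.

Added example; not part of the Nmap code base or the original mailing-list post.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

NH_HOPBYHOP, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS, NH_ICMPV6 = 0, 43, 44, 60, 58
EXT_HEADERS = {NH_HOPBYHOP, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS}

# Assumed typical initial hop limits (example values, not an authoritative table).
DEFAULT_HOP_LIMITS = {64: "Unix-like (e.g. Linux/BSD)", 128: "Windows", 255: "Solaris/Cisco-style"}


@dataclass
class Probe:
    hop_limit: int
    frag_id: Optional[int]  # None when the packet carries no Fragment header


def parse_ipv6(packet: bytes) -> Probe:
    """Extract hop limit and (if present) the Fragment header identification field."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    vtcfl, _payload_len, nh, hop_limit = struct.unpack("!IHBB", packet[:8])
    if vtcfl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    offset, frag_id = 40, None
    # Walk the extension header chain until an upper-layer protocol is reached.
    while nh in EXT_HEADERS:
        if len(packet) < offset + 8:
            raise ValueError("truncated extension header")
        if nh == NH_FRAGMENT:
            nh, _res, _offflags, frag_id = struct.unpack("!BBHI", packet[offset:offset + 8])
            offset += 8
        else:
            # Hdr Ext Len counts 8-octet units, excluding the first 8 octets.
            nh, hdr_ext_len = packet[offset], packet[offset + 1]
            offset += (hdr_ext_len + 1) * 8
    return Probe(hop_limit=hop_limit, frag_id=frag_id)


def classify_frag_ids(ids: List[int]) -> str:
    """Classify a sequence of 32-bit fragment IDs observed from one host (assumed thresholds)."""
    if len(ids) < 3:
        return "insufficient"
    diffs = [(b - a) % (1 << 32) for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in diffs):
        return "constant"
    if all(d == 1 for d in diffs):
        return "incremental"          # post: Windows < 7 behaves like this
    if all(d == 2 for d in diffs):
        return "incremental-by-2"     # post: Windows >= 7 behaves like this
    if all(0 < d < 1000 for d in diffs):
        return "incremental-busy"     # counter shared with other traffic
    return "random"


def guess_initial_hop_limit(observed: int) -> Tuple[int, int]:
    """Return (assumed initial hop limit, estimated hop distance) for an observed hop limit."""
    for initial in sorted(DEFAULT_HOP_LIMITS):
        if observed <= initial:
            return initial, initial - observed
    raise ValueError("hop limit above every assumed default")


def fingerprint(packets: List[bytes]) -> dict:
    """Combine both passive heuristics over a set of packets received from one target."""
    probes = [parse_ipv6(p) for p in packets]
    initial, distance = guess_initial_hop_limit(probes[0].hop_limit)
    ids = [p.frag_id for p in probes if p.frag_id is not None]
    return {
        "frag_id_pattern": classify_frag_ids(ids),
        "initial_hop_limit": initial,
        "os_family_hint": DEFAULT_HOP_LIMITS[initial],
        "distance": distance,
    }


def build_fragment(hop_limit: int, frag_id: int, with_dstopts: bool = False) -> bytes:
    """Construct a minimal IPv6 packet carrying a Fragment header (constructed test input)."""
    payload = bytes(8)
    frag_hdr = struct.pack("!BBHI", NH_ICMPV6, 0, 0, frag_id)
    body = frag_hdr + payload
    first_nh = NH_FRAGMENT
    if with_dstopts:
        # Destination Options header, Hdr Ext Len 0, holding a PadN option of 4 bytes.
        body = bytes([NH_FRAGMENT, 0, 1, 4, 0, 0, 0, 0]) + body
        first_nh = NH_DSTOPTS
    fixed = struct.pack("!IHBB", 6 << 28, len(body), first_nh, hop_limit) + bytes(16) + bytes(16)
    return fixed + body


if __name__ == "__main__":
    win7_like = [build_fragment(120, 0x1000 + 2 * i) for i in range(4)]
    print(fingerprint(win7_like))
```

The `fingerprint` output for a host 8 hops away that increments its fragment ID by 2 reads as Windows (initial hop limit 128) with pattern `incremental-by-2`; a host answering with hop limit 61 and widely spaced IDs reads as Unix-like at 3 hops with pattern `random`. As the post notes, the hop-limit part needs no extra probes, while the fragment IDs require traffic that actually carries a Fragment header (for instance the ICMPv6 time exceeded replies the post proposes to elicit).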

