Nmap Development mailing list archives

IPv6 OS fingerprint integration highlights


From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 29 May 2015 07:50:38 -0500

IPv6 OS fingerprints get far fewer submissions than IPv4, but they are
steadily increasing. We had 97 submissions between June 2013 and February
2015.

Because of the way the IPv6 classifier's model is set up, we can rearrange
fingerprints and create new groups or modify old groups as we get more
information. One reorganization we did was to separate out Linux
fingerprints after 2.6.39 from those before it, since the initial TCP
Window size changed in that version, making it easy to distinguish.

Further highlights:

Apple Mac OS X 10.6.8 - 10.9.5 (Snow Leopard - Mavericks) or iOS 4.3.3 -
6.1.3 (Darwin 10.8.0 - 13.4.0)
Apple Mac OS X 10.10 (Yosemite) (Darwin 14.0.0)
  Similar to IPv4, Darwin's IPv6 stack is pretty constant between versions.
Fewer submissions means that we don't have new fingerprints for later iOS
versions. Yosemite is clearly different, though.

FreeBSD 7.4 - 8.2
  We chose to combine some of the individual FreeBSD fingerprints into one
group to make a stronger match. If we get more submissions, maybe we'll
find a way to split this according to version.

Here are the new OS classes:
Apple | Mac OS X | 10.10.X | general purpose
Apple | Mac OS X | 10.9.X | general purpose
Apple | iOS | 6.X | phone
Cisco | IOS XR || router
FreeBSD | FreeBSD | 10.X | general purpose
HP | HP-UX | 11.X | general purpose
Joyent | SmartOS || general purpose
Linux | Linux | 3.X | broadband router
Microsoft | Windows | 2003 | general purpose
Microsoft | Windows | 2012 | general purpose
Microsoft | Windows | 8.1 | general purpose
OpenBSD | OpenBSD | 5.X | general purpose
RIM | BlackBerry | 10.X | phone
SonicWALL | SonicOS | 5.X | firewall


Dan
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
