Nmap Development mailing list archives

Extension header features (NH and HLEN) for IPv6 OS detection


From: David Fifield <david () bamsoftware com>
Date: Thu, 11 Jun 2015 11:12:49 -0700

IPv6 OS detection does not yet use the chain of extension headers as a
feature (except indirectly through PLEN, the packet length feature).
Here is a draft patch to add NH_0–3 and HLEN0–3 features (Next Header
and length of the first 4 headers, including the IPv6 header itself).

Unfortunately, it doesn't seem to produce much information. There is
only one fingerprint in the database, "Cisco 3750G switch", that ever
uses an NH value that is not TCP (6) or ICMPv6 (58). It happens to add a
hop-by-hop header before its ICMPv6 header.

In the other cases, all we learn from NH is that TCP probes get a TCP
response, and other probes get an ICMPv6 response---most of the time.
Here are the *.NH_0 features for a couple of Linux fingerprints:

S1  S2  S3  S4  S5  S6 IE1 IE2  NS U1 TECN  T2  T3  T4  T5  T6  T7
 6,  6,  6,  6,  6,  6, 58, 58, UN, 58,  6, UN,  6,  6,  6,  6,  6    Linux 2.6.38 - 3.2
 6,  6,  6,  6,  6,  6, 58, UN, UN, 58,  6, UN,  6,  6,  6,  6,  6    Linux 2.6.38 - 3.2

There are some exceptions, like these Linuxes that responded with ICMPv6
to certain TCP probes:

S1  S2  S3  S4  S5  S6 IE1 IE2  NS U1 TECN  T2  T3  T4  T5  T6  T7
 6,  6,  6,  6,  6,  6, 58, UN, UN, 58,  6, 58, 58,  6,  6,  6, 58    Linux 2.6.23 - 2.6.32
 6,  6,  6,  6,  6,  6, 58, UN, UN, UN,  6, 58, UN,  6,  6,  6,  6    Linux 3.13 - 3.19

The HLEN features are even less informative, simply returning 40 for the
IPv6 header (and the rest is covered by the PLEN feature). The only
exception is the aforementioned Cisco 3750G, which sends an 8-byte
hop-by-hop header.

I attached some dumps of the feature values for our current nmap.groups
file. "MI" is MISSING and "UN" is UNKNOWN. The files for _2 and _3
features are identical because the chain of headers runs out. I
generated these outputs with a script like:

    import parse       # helper modules from the IPv6 OS detection tooling
    import vectorize   # (the script assumes both are importable)

    PROBES = ("S1", "S2", "S3", "S4", "S5", "S6", "IE1", "IE2", "NS", "U1", "TECN", "T2", "T3", "T4", "T5", "T6", "T7",)
    groups = parse.parse_groups_file("nmap.groups")
    for group in groups:
        for rs in group.rs_list:
            # One NH_0 value per probe; each cell is cut to 2 characters and right-justified.
            features = vectorize.vectorize([p + ".NH_0" for p in PROBES], rs)
            print(", ".join([str(x)[:2].rjust(2) for x in features]) + "    " + group.desc.nmapname)

Attachment: 0001-Add-vectorization-of-NH-and-HLEN-features.patch
Attachment: nh_0.txt
Attachment: nh_1.txt
Attachment: nh_2.txt
Attachment: nh_3.txt
Attachment: hlen_0.txt
Attachment: hlen_1.txt
Attachment: hlen_2.txt
Attachment: hlen_3.txt

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
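As an added illustration (not part of David Fifield's post, the attached patch, or Nmap's own code), here is a small Python 3 script that walks an IPv6 packet's header chain and derives NH_0-3 and HLEN0-3 the way the post describes them: one entry for the IPv6 header itself and one per extension header that follows, "MI" (MISSING) once the chain runs out and "UN" (UNKNOWN) when a probe drew no response. The packet layouts, addresses, probe names and helper functions are constructed for this example; the length rules for extension headers follow RFC 8200 (hop-by-hop, routing and destination options measured in 8-octet units not counting the first; fragment header fixed at 8 bytes) and RFC 4302 for AH. It goes slightly beyond the post by handling a multi-header chain (fragment then destination options), not just the single hop-by-hop header the Cisco fingerprint shows.

```python
import struct

# IANA protocol numbers that are IPv6 extension headers (the chain continues
# through them); anything else (TCP 6, UDP 17, ICMPv6 58, ...) ends the chain.
HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}
TCP, ICMPV6 = 6, 58
IPV6_HEADER_LEN = 40
MISSING, UNKNOWN = "MI", "UN"   # the post's labels for "chain ran out" / "no response"


def header_chain(packet):
    """Walk the header chain of a raw IPv6 packet.

    Returns [(next_header, header_length), ...]: one entry for the IPv6
    header itself and one per extension header that follows, stopping at
    the first upper-layer header or when the packet is truncated.
    """
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = packet[6]                       # Next Header field of the IPv6 header
    chain = [(nh, IPV6_HEADER_LEN)]
    offset = IPV6_HEADER_LEN
    while nh in EXT_HEADERS and offset + 2 <= len(packet):
        next_nh, ext_len = packet[offset], packet[offset + 1]
        if nh == FRAGMENT:
            hlen = 8                     # fixed size (RFC 8200)
        elif nh == AH:
            hlen = (ext_len + 2) * 4     # AH length is in 32-bit words minus 2 (RFC 4302)
        else:
            hlen = (ext_len + 1) * 8     # HBH/routing/dest-opts: 8-octet units, first unit not counted
        if offset + hlen > len(packet):
            break                        # truncated extension header: stop walking
        chain.append((next_nh, hlen))
        offset += hlen
        nh = next_nh
    return chain


def nh_hlen_features(packet, depth=4):
    """Return (NH_0..NH_{depth-1}, HLEN0..HLEN{depth-1}) for one response.

    packet=None models a probe that drew no response (every slot UNKNOWN);
    slots beyond the end of the header chain are MISSING.
    """
    if packet is None:
        return [UNKNOWN] * depth, [UNKNOWN] * depth
    chain = header_chain(packet)[:depth]
    pad = [MISSING] * (depth - len(chain))
    return [nh for nh, _ in chain] + pad, [hlen for _, hlen in chain] + pad


def feature_row(responses, probes, index=0):
    """Format NH_<index> for each probe the way the post's script does:
    each value cut to 2 characters and right-justified, comma-separated."""
    cells = [str(nh_hlen_features(responses.get(p))[0][index])[:2].rjust(2) for p in probes]
    return ", ".join(cells)


# --- constructed sample packets (addresses, ports and ids are arbitrary) ---
def build_ipv6(next_header, payload, hop_limit=64):
    src, dst = bytes(15) + b"\x01", bytes(15) + b"\x02"   # ::1 -> ::2
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload),
                       next_header, hop_limit, src, dst) + payload

TCP_SYNACK = struct.pack("!HHIIBBHHH", 80, 40000, 0, 0, 5 << 4, 0x12, 65535, 0, 0)
ICMP_ECHO_REPLY = struct.pack("!BBHHH", 129, 0, 0, 0, 0)
HBH_TO_ICMP = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])        # 8-byte hop-by-hop header (PadN option)
FRAG_TO_DSTOPTS = struct.pack("!BBHI", DSTOPTS, 0, 0, 1)   # fragment header, followed by...
DSTOPTS_TO_TCP = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])         # ...an 8-byte destination-options header

PLAIN_TCP_REPLY = build_ipv6(TCP, TCP_SYNACK)                          # the common Linux case
HBH_ICMP_REPLY = build_ipv6(HOPOPT, HBH_TO_ICMP + ICMP_ECHO_REPLY)      # the Cisco 3750G shape
CHAINED_TCP_REPLY = build_ipv6(FRAGMENT, FRAG_TO_DSTOPTS + DSTOPTS_TO_TCP + TCP_SYNACK)

if __name__ == "__main__":
    probes = ("S1", "IE1", "NS", "T2")
    responses = {"S1": PLAIN_TCP_REPLY, "IE1": HBH_ICMP_REPLY, "T2": CHAINED_TCP_REPLY}  # NS: no reply
    for name, pkt in (("plain TCP", PLAIN_TCP_REPLY), ("HBH+ICMPv6", HBH_ICMP_REPLY),
                      ("frag+dstopts+TCP", CHAINED_TCP_REPLY)):
        print(name, nh_hlen_features(pkt))
    print(feature_row(responses, probes))
```

The plain TCP reply yields NH_0 = 6, HLEN0 = 40 and MI for everything else, which is why the post's _2 and _3 dumps are identical for almost every fingerprint; only a response that carries extension headers (the hop-by-hop case) fills NH_1/HLEN1.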
