Nmap Development mailing list archives

IPv6 OS fingerprint integration highlights


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 29 Oct 2015 09:27:23 -0500

As David pointed out in his talk at AISec [1], the IPv6 OS fingerprint
engine doesn't get nearly as many submissions. Since April, we received
only 9 fingerprint submissions! There are a few reasons this could be:

* People aren't scanning IPv6 systems. Even if you don't have IPv6 set up on
your network, you can often talk IPv6 to your LAN neighbors. Try using some
of the targets-ipv6-multicast-* NSE scripts to discover interesting things!

* There are relatively fewer IPv6 stacks out there. Every printer, switch,
or lightbulb out there speaks IPv4, so we get lots of interesting
submissions, but IPv6 submissions are pretty much all for the major desktop
and server OSs.

* The IPv6 engine is good at classifying things it hasn't seen before. This
means that Nmap is less likely to print a fingerprint and request
submission, even when something is different about the print that would
cause a mismatch under the IPv4 system. We should investigate printing a
submission prompt even when there's a good match if the novelty factor is
on the high end.

With that out of the way, here's what actually changed:

We added several features to the classifier which should produce more
precise matches:
* Add ICMPV6_TYPE and ICMPV6_CODE features for IPv6 OS detection.
http://seclists.org/nmap-dev/2015/q3/232
* Add TCP window/MSS ratio feature for IPv6 OS detection.
http://seclists.org/nmap-dev/2015/q2/103

VMware ESXi is no longer classified as ESX Server. This mirrors a change
from the IPv4 fingerprint integration.

New fingerprint groups:
* VMware ESXi 6.0.0
* Linux 4.0
* Apple Time Capsule NAS device

And a couple existing groups expanded to match new versions: Linux 3.19 and
Darwin 14.3.0.

Happy scanning!
Dan

[1] http://seclists.org/nmap-dev/2015/q4/54