Nmap Announce mailing list archives

Type and fingerprint -> template example


From: Fyodor <fyodor () dhp com>
Date: Wed, 30 Dec 1998 02:23:41 -0500 (EST)


Hello everyone,

First a quick note: In my 2.02 announcement I said "If you send in
fingerprints, please check them against your machines to make sure they
work."  That is an evil typo.  What I meant to say was "If you SENT in
fingerprints ...".  In other words, if you sent me prints before, it would
be useful if you rescan the machines with nmap 2.02 and make sure they are
detected correctly.  I did not mean to imply that you need to incorporate
prints into a working template before sending them to me.  Sending raw
fingerprints is useful and encouraged.

HOWEVER, should you wish to try the voodoo art of converting a print
into a template suitable for nmap-os-fingerprints, here is an example.

First we start with the following hairy fingerprint sent by Slawomir
Krawczyk <nises2 () ibb waw pl> earlier today:

TSeq(Class=RI%gcd=64%SI=166)
TSeq(Class=RI%gcd=64%SI=140)
TSeq(Class=RI%gcd=64%SI=161)
T1(Resp=Y%DF=N%W=2000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)

The very first line of your template simply gives the keyword
'FingerPrint' and the OS name.  I don't know what OS this really is, so I
will guess:

FingerPrint  GE SuperToaster V. 3.4

Next we look closely at the first three lines of the fingerprint:

TSeq(Class=RI%gcd=64%SI=166)
TSeq(Class=RI%gcd=64%SI=140)
TSeq(Class=RI%gcd=64%SI=161)

We see three lines because nmap got slightly different results of the
'TSeq' test for each try.  Note that numbers are in Hex.  The
differing part is the SI (sequencability index).  From his data, it
looks like SI should always be greater than 0xCC and less than 0xFFF.
We intentionally give this a very large range, since it can vary due
to network congestion issues.  With this range, we could merge those
three lines into this:

TSeq(Class=RI%gcd=64%SI=>CC&<FFF)

Another point is that 'gcd' (greatest common denominator) is 64 in
our tests, but there is a small probability that it could be a small
multiple of 0x64.  If the remote computer spits out 5 numbers that are
"random" except that they are all multiples of 0x64, there is a 1/32
chance that they will all be multiples of 0xC8 (0x64 * 2) as well.
Thus we allow the gcd to be 0x64, 0xC8, 0x12C, 0x190 .  Our final test
line will be:

TSeq(Class=RI%gcd=64|C8|12C|190%SI=>CC&<FFF)

As you have probably picked up from the above, '%' separates a
sub-test, '|' means "or", and '&' means "and".  You cannot combine |
with & or use parenthesized expressions.

Now we look at the next line of the sig:

T1(Resp=Y%DF=N%W=2000%ACK=S++%Flags=AS%Ops=M)

Since there is only one 'T1', all three attempts agree for this test.
The only change we make is to eliminate the 'Resp=Y' because a lack of
response to this test usually means dropped packets and is (usually)
not a characteristic of the remote host.

Our final T1 line is:

T1(DF=N%W=2000%ACK=S++%Flags=AS%Ops=M)

Now we look at the next two lines:

T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)

These are not changed at all -- we do care about the Resp= for these
two tests.

The next line is

T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)

All we do is remove Resp=Y to make:

T4(DF=N%W=0%ACK=O%Flags=R%Ops=)

Things get interesting with the next three lines:

T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)

In the second case we got no response (lost packet or timeout).  We
ignore this and use the "real" response:

T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)

Like usual we removed Resp=Y.  We do the same for the next three
lines to form:

T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)

Now we just clump all the lines together into one fingerprint:

# Contributed by Slawomir Krawczyk <nises2 () ibb waw pl>
FingerPrint  GE SuperToaster V. 3.4
TSeq(Class=RI%gcd=64|C8|12C|190%SI=>CC&<FFF)
T1(DF=N%W=2000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=0%ACK=O%Flags=AR%Ops=)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)

The final step is to stick this into nmap-os-fingerprints, then rescan
the host a few times and make sure it is always recognized.  Then
remember to send it to me (fyodor () dhp com) so I can add it to the global
fingerprint file!

Also remember that you don't need to go through all this work -- if
you send the raw fingerprint I'll convert it for you.  I've done this
(literally) hundreds of times and so I can do it rather quickly.  I
thought I'd send this though since several people asked how to convert
them.  Also note that most fingerprints aren't this hairy.

Cheers,
Fyodor


--
Fyodor                            'finger pgp () www insecure org | pgp -fka'
Frustrated by firewalls?          Try nmap: http://www.insecure.org/nmap/
In a free and open marketplace, it would be surprising to have such an
obviously flawed standard generate much enthusiasm outside of the criminal
community.  --Mitch Stone on Microsoft ActiveX



