Nmap Announce mailing list archives
OS fingerprinting technique
From: olivier courtay <olivier.courtay () intranode com>
Date: Thu, 18 Apr 2002 15:44:18 +0200
Carefully studying the way TCP works, especially some timer value inside the TCP stack, we have derived on a new technique for remote OS detection, based on temporal response analysis. The idea is quite simple: send a TCP SYN packet to an open port on a remote system, and listen the different answers (usually successive SYN/ACK packets). By measuring the number of response, the delay between retries, and the optional presence of a "RST" packet after a few answers, we can easily recognize some operating systems. The nice thing is that it only required to send one packet on an open TCP port, which make this method really quiet. As a proof of concept, we also developed a standalone tool "RING" that will perform these testings and identifications, using a signature file. A patch for Nmap-2.54BETA32 is being prepared and should be released anytime soon At the moment, ring and nmap OS fingerprinting methods are launched simulteamously but results aren't merged for better accuracy. If you want to try this patch, please send me an email(ring () intranode com). More information is available at: http://www.intranode.com/site/techno/techno_articles.htm The open source tool can be downloaded from: http://www.intranode.com/pdf/techno/ring-0.0.1.tar.gz The open source tool for Linux2.4 kernel can be downloaded from: http://www.intranode.com/pdf/techno/ring-0.0.1-Linux-2.4.tar.gz The full, 13 pages, white paper is available at: http://www.intranode.com/pdf/techno/ring-full-paper.pdf We will be very happy to get your feedback on this technique. Feel free to contact us at: ring () intranode com Thanks, Olivier -- ________________________________ Olivier Courtay Research Engineer tel: +33 (0) 223 455 524 fax: +33 (0) 223 455 501 mailto: olivier.courtay () intranode com http://www.intranode.com Intranode Software Technologies Security you can see. -------------------------------------------------- For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
Current thread:
- OS fingerprinting technique olivier courtay (Apr 18)
- Re: OS fingerprinting technique olivier courtay (Apr 19)