Nmap Development mailing list archives

OS/Service fingerprints


From: Martin Kluge <martin () elxsi de>
Date: Sun, 21 Sep 2003 12:21:07 +0200

Hi list,

Today I submitted some service and OS fingerprints. I scanned some
boxes in my local net, grepped for the submission URL, copied it,
opened my web browser, pasted the URL and filled out some fields, went back
to my nmap console, copied the service/OS fingerprint and pasted it in my
browser. I think you know what I mean. This is really stressful if you want
to submit a lot of fingerprints.

Why not set up a simple fingerprinting daemon on insecure.org and add a submit
feature to nmap (this only works when your scan box is connected to the
internet of course, but I think most of the boxes are connected)?


Example:

bash-2.05b# nmap -sV -sS -O elxsi.de

Starting nmap 3.46 ( http://www.insecure.org/nmap/ ) at 2003-09-21 12:06 CEST
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Interesting ports on elxsi.de (62.208.141.119):
(The 1651 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 3.6 (protocol 1.99)
25/tcp   open  smtp    Qmail smtpd
53/tcp   open  domain  ISC Bind 9.2.2
80/tcp   open  http    Apache httpd 1.3.27 ((Unix) PHP/4.3.2)
110/tcp  open  pop3
3306/tcp open  mysql   MySQL 4.0.14

1 service unrecognized despite returning data:
SF-Port110-TCP:V=3.46%D=9/21%Time=3F6D7863%r(NULL,D,"\+OK\x20ready\x20\x20
SF:\r\n")%r(GenericLines,D,"\+OK\x20ready\x20\x20\r\n");

Device type: general purpose
Running: OpenBSD 3.X
OS details: OpenBSD 3.1 (X86)

Would you like to submit this service fingerprint to insecure.org [yes/no]? yes

Please enter some missing information:

Service name: pop-3
Platform/OS: OpenBSD 3.1        (this could be taken from the above OS scan)
Service Description: qmail 1.03 pop3 daemon
Email: foo () bar com

Submitting...done.

Nmap run completed -- 1 IP address (1 host up) scanned in 63.361 seconds


The submit feature should be disabled by default I think, so the user won't be
stressed with entering information every time he simply wants to scan a box.


I also found another "problem". I OS-scanned an embedded device and got some
OS fingerprints and nmap, as usual, suggested some possible devices:

Device type: terminal server|WAP|telecom-misc|specialized
Running: Copper Mountain embedded, 3Com embedded, TrueTime embedded, Compaq embedded
OS details: Embedded device: HP Switch, Copper Mountain DSL Concentrator, Compaq Remote Insight Lights-Out remote console card, 3Com NBX 25 phone system or Home Wireless Gateway, or TrueTime NTP clock


The device wasn't listed above and so I decided to submit a new OS fingerprint,
but couldn't find the URL for the OS fingerprint submissions easily (no link
on the homepage, at least I didn't find one, no URL in the nmap manpage, ...).

I think nmap should also print the submission URL if it already has some
possible operating systems for the specific fingerprint.


Just some thoughts of mine (and sorry for my bad English) :)


Cheers,
Martin
-- 
Name      : Martin Kluge
email     : martin () elxsi info
Phone     : +49 160 1515182
Projects  : http://www.aa-security.de
GPG Key   : http://www.elxsi.de/key.pub
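
The service fingerprint in the Nmap output above packs the port, Nmap version, scan date and time, and each probe's raw response into the wrapped `SF-`/`SF:` lines. As an added example (not part of the original post and not Nmap's own code), this Python parser decodes that blob so the data can be reviewed before it is submitted; the escape handling and the reading of the second `%r` field as a hex byte count are assumptions inferred from this one sample.

```python
import re

# Fingerprint copied from the Nmap output in the post above.
SAMPLE = r'''SF-Port110-TCP:V=3.46%D=9/21%Time=3F6D7863%r(NULL,D,"\+OK\x20ready\x20\x20
SF:\r\n")%r(GenericLines,D,"\+OK\x20ready\x20\x20\r\n");'''

HEADER = re.compile(r'Port(\d+)-(TCP|UDP):V=([^%]+)%D=([^%]+)%Time=([0-9A-Fa-f]+)')
PROBE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
# Assumed escape set, inferred from the sample: \xHH, \r \n \t \0, and \<char>.
SIMPLE = {'r': b'\r', 'n': b'\n', 't': b'\t', '0': b'\0'}

def join_lines(text):
    """Drop the 'SF-'/'SF:' wrap prefix from each line and rejoin the blob."""
    lines = (l.strip() for l in text.splitlines())
    return ''.join(l[3:] for l in lines if l.startswith(('SF-', 'SF:')))

def unescape(s):
    """Turn the printable escaped form back into the raw response bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != '\\':
            out += s[i].encode('latin-1')
            i += 1
        elif s[i + 1] == 'x':
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        else:
            out += SIMPLE.get(s[i + 1], s[i + 1].encode('latin-1'))
            i += 2
    return bytes(out)

def parse(text):
    blob = join_lines(text)
    m = HEADER.match(blob)
    if not m:
        raise ValueError('not a service fingerprint')
    port, proto, version, date, epoch = m.groups()
    probes = []
    for name, hexlen, data in PROBE.findall(blob):
        raw = unescape(data)
        # Assumption: the second field is the response length in hex.
        probes.append({'probe': name, 'declared_len': int(hexlen, 16),
                       'data': raw, 'length_ok': len(raw) == int(hexlen, 16)})
    return {'port': int(port), 'proto': proto, 'nmap': version,
            'date': date, 'scan_time': int(epoch, 16), 'probes': probes}

if __name__ == '__main__':
    for key, value in parse(SAMPLE).items():
        print(key, '=', value)
```

The decoded `scan_time` is a Unix timestamp that matches the scan start shown in the output, and the probe data is the server's banner verbatim, so a submission discloses when the scan ran and whatever the service says about itself.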
