Nmap Development mailing list archives
new OS detection techniques: synscan
From: Greg Taleck <taleck () nfr net>
Date: Fri, 7 May 2004 22:28:21 -0400 (EDT)
For those of you looking for perhaps more accurate ways to detect a remote host OS, I've written a tool that is able to inspect many different characteristics of a remote host. The tool is called synscan: http://synscan.sourceforge.net/ and only requires one open remote TCP port to perform its tests. It also modifies the local OS firewall ruleset to prevent the host stack from resetting "open" connections.

It currently combines 16 different methods of analysis of a remote TCP/IP stack to produce an OS fingerprint:

CC: Determines what Congestion Control algorithm is implemented on the remote host (i.e. Tahoe, Reno, etc.)
CW: Determines the size of the initial Congestion Window used to manage data transfer in a TCP session
DF: Determines when the DF-bit is set on a SYN-ACK packet
F8: Determines whether a host accepts fragments with a MF=1 and a packet length not evenly divisible by 8
FP: Determines the fragmentation reassembly policy implemented by the remote host
FT: Determines the FIN-ACK retransmit timeout values used
HZ: Determines the timestamp hertz value if the remote host implements RFC 1323 extensions
ID: Determines the algorithm used to set the IP Identification field in the IP header
MS: Determines the default (assumed) value of the client MSS when no MSS option is sent in the TCP SYN segment
PT: Determines the Payload retransmit timeout values (which may be different than the FT analysis)
RT: Determines the SYN-ACK retransmit timeout values
SN: Determines the algorithm used to set the Initial Sequence Number of the TCP session in the SYN-ACK
TL: Determines the default IP TTL value set by tracerouting to the host
TO: Determines how the remote TCP stack sets TCP options when given different options in the SYN segment
TP: Determines the TCP segment reassembly policies used when overlapping TCP segments are sent to the host
WS: Determines the algorithm used to set the initial window size in the TCP header

Please see the project website for more details, including a white paper titled "SYNSCAN: Towards Complete TCP/IP Fingerprinting".

Greg Taleck
NFR Security, Inc.

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
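Two of the analyses listed above (ID and HZ) can be illustrated without sending any packets: given IP Identification values and TCP timestamp values that a host has already emitted, a defender can see what those fields reveal about the stack. The following is an added example written for this archive page; it is not synscan's code, and the category names, the "small step" threshold and the sample values are my own assumptions, chosen only to show the kind of inference these tests make.

```python
# Added illustration (not synscan's code): classify the IP ID generation
# scheme and estimate the TCP timestamp clock rate (HZ) from samples that
# a defender has collected from their own hosts' responses.
from typing import Sequence, Tuple


def _small_steps(seq: Sequence[int]) -> bool:
    """True if every consecutive 16-bit difference is a small positive step.

    The 1..255 threshold is an assumption for this example: it accepts
    per-packet or per-host counters but rejects jumps that look random.
    """
    deltas = [(b - a) % 65536 for a, b in zip(seq, seq[1:])]
    return all(1 <= d <= 255 for d in deltas)


def classify_ipid(ids: Sequence[int]) -> str:
    """Classify an observed sequence of IP Identification values.

    Categories (assumed for this example, loosely modelled on the ID test):
      'zero'                    every ID is 0
      'constant'                all IDs equal, but non-zero
      'incremental'             a counter that increases by a small step
      'incremental-byteswapped' a counter stored in host byte order, so it
                                only looks incremental once byte-swapped
      'random'                  anything else
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "zero"
    if len(set(ids)) == 1:
        return "constant"
    if _small_steps(ids):
        return "incremental"
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    if _small_steps(swapped):
        return "incremental-byteswapped"
    return "random"


def estimate_hz(samples: Sequence[Tuple[float, int]]) -> float:
    """Estimate the TCP timestamp clock in ticks per second.

    samples are (wall_clock_seconds, tsval) pairs taken from the TSval field
    of RFC 1323 timestamp options sent by one host. TSval is a 32-bit
    counter, so the difference is taken modulo 2**32 to survive wraparound.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    (t0, ts0), (t1, ts1) = samples[0], samples[-1]
    if t1 <= t0:
        raise ValueError("samples must be in increasing wall-clock order")
    ticks = (ts1 - ts0) % (1 << 32)
    return ticks / (t1 - t0)


if __name__ == "__main__":
    # Constructed sample data, not captured from any real host.
    print(classify_ipid([0, 0, 0, 0]))                       # zero
    print(classify_ipid([10, 11, 12, 13]))                   # incremental
    print(classify_ipid([0x0100, 0x0200, 0x0300]))           # incremental-byteswapped
    print(classify_ipid([4122, 60011, 899, 32000]))          # random
    print(estimate_hz([(0.0, 1000), (1.0, 2000), (2.0, 3000)]))  # 1000.0
```

The byte-swapped case is worth keeping in mind when reading such output: a stack that writes its counter in host order produces IDs that look random on the wire until the bytes are reversed, so a naive "random or not" check would misclassify it.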