Nmap Development mailing list archives

Comments on OS detection 2nd generation


From: GomoR <nmap-hackers () gomor org>
Date: Fri, 26 May 2006 19:14:38 +0200

Fyodor, 

I read your paper on OS fingerprinting 2nd generation. To be frank, I do not
see major changes in probe packets (but it may be because of my lack of deep
knowledge of the 1st generation). 

I have some comments, though (in no particular order). 

1. MSS/Window size 

I quote your paper:
"MSS values have changed due to evidence that they can affect the returned
window size on some platforms." 

Yes, in fact, by reading the Linux IP stack source (as far as I remember),
one can see that the window size is computed using the MSS value (when
available). Since a piece of equipment between the source and the target may
change the MSS in-between, the initial Window size in the reply will be changed.
That is the main reason for SinFP to use a heuristic1 algorithm, that is
to accept minor changes on MSS/Window size, and still not miss the 
detection. 

I have seen many different systems that work that way; there may be an
RFC talking about that. 

2. SackOK 

That is a difference with the first generation. I guess you found this
option by looking at SinFP ;) and you're right to use it. It makes it possible
to differentiate Windows 98SE (which implements it) from Windows NT 4.0
(which does not). 

The same is true for the difference between SunOS 5.6 and 5.7 (5.6 does not
implement it, 5.7 does). 

3. TCP ack and seq comparison against probes 

I find this one particularly interesting, so I decided to take a look.
While there is rarely a difference from one OS version to another, there
are indeed some differences between one OS and another. So, I decided to
add it to SinFP (for the upcoming 2.00 release). 

I also decided to take a look at adding the same functionality with IP ID.
There are also some differences from one OS to another. For example,
Compaq Tru64 returns the same IP ID as the request when one sends a SYN|ACK
to an open port. In fact, Compaq Tru64 copies TCP seq/ack and IP ID from
the request, and uses them to reply. This is the only system I've seen
that does this. 

So, I think you could add IP ID comparison to the 2nd generation OSFP like
you did with TCP seq and ack. 

4. ICMP/UDP probes 

I do not like these probes just because when a target has an open TCP port,
we are not totally assured that a firewall in-between is not crafting
responses for these tests. So, you may end up with a fingerprint generated
in part from the true target, and in part from a false target, leading to
a bad detection. 

5. Absence of response (Responsiveness test) 

I think this is also a difference with the first generation, and I totally
agree with this change. 

6. Last remark 

In the http://www.insecure.org/nmap/osdetect/osdetect-other-methods.html
page, I did not see a note on SinFP (passive mode OS detection). Maybe
you did not try it, but I think it is as good as p0f, with more
signatures, since SinFP passive signatures are the active signatures. 

 --
 ^  ___  ___             http://www.GomoR.org/          <-+
 | / __ |__/          Systems & Security Engineer         |
 | \__/ |  \     ---[ zsh$ alias psed='perl -pe ' ]---    |
 +-->  Net::Packet <=> http://search.cpan.org/~gomor/  <--+ 



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
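As an added example (not code from the original post, nor from SinFP or Nmap): a small Python classifier that relates a reply's TCP SEQ, ACK and IP ID to the SYN|ACK probe that elicited it, the kind of comparison point 3 of the post describes for seq/ack and proposes for IP ID. The labels (Z, A, A+, S, S+, C, O), the probe and both sample replies are this example's own constructed values; the echoing reply models the Tru64 behaviour the post describes, and the classifier also recognises echoed fields in general rather than only that one case.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF  # TCP sequence numbers wrap modulo 2^32

@dataclass(frozen=True)
class Segment:
    seq: int   # TCP sequence number
    ack: int   # TCP acknowledgement number
    ipid: int  # IPv4 identification field

def classify_seq(probe: Segment, reply: Segment) -> str:
    # Z = zero, A = probe ACK, A+ = probe ACK + 1, S = probe SEQ echoed, O = other
    if reply.seq == 0:
        return "Z"
    if reply.seq == probe.ack:
        return "A"
    if reply.seq == (probe.ack + 1) & MASK32:
        return "A+"
    return "S" if reply.seq == probe.seq else "O"

def classify_ack(probe: Segment, reply: Segment) -> str:
    # Z = zero, S = probe SEQ, S+ = probe SEQ + 1, A = probe ACK echoed, O = other
    if reply.ack == 0:
        return "Z"
    if reply.ack == probe.seq:
        return "S"
    if reply.ack == (probe.seq + 1) & MASK32:
        return "S+"
    return "A" if reply.ack == probe.ack else "O"

def classify_ipid(probe: Segment, reply: Segment) -> str:
    # Z = zero, C = copied from the probe, O = anything else (fresh IP ID)
    if reply.ipid == 0:
        return "Z"
    return "C" if reply.ipid == probe.ipid else "O"

def fingerprint(probe: Segment, reply: Segment) -> str:
    """Join the three comparisons into one compact string for signature matching."""
    return f"S={classify_seq(probe, reply)}%A={classify_ack(probe, reply)}%IPID={classify_ipid(probe, reply)}"

# Constructed SYN|ACK probe to an open port, plus two constructed replies (no real capture).
PROBE = Segment(seq=0x11111111, ack=0x22222222, ipid=0x1234)
# Common RFC 793 style RST: SEQ taken from the probe's ACK, ACK field zero, fresh IP ID.
TYPICAL_REPLY = Segment(seq=0x22222222, ack=0, ipid=0x5678)
# Behaviour the post attributes to Compaq Tru64: SEQ, ACK and IP ID echoed from the probe.
ECHOING_REPLY = Segment(seq=0x11111111, ack=0x22222222, ipid=0x1234)

if __name__ == "__main__":
    print(fingerprint(PROBE, TYPICAL_REPLY))  # S=A%A=Z%IPID=O
    print(fingerprint(PROBE, ECHOING_REPLY))  # S=S%A=A%IPID=C
```

Because the MSS/window caveat in point 1 also applies here, a real matcher would tolerate one field differing before rejecting a signature, rather than requiring all three labels to match exactly.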