Nmap Development mailing list archives

Re: Comments on OS detection 2nd generation (soft fingerprinting)


From: "Joshua D. Abraham" <jabra () ccs neu edu>
Date: Fri, 26 May 2006 15:26:56 -0400

On 26.May.2006 05:51PM +0000, Brandon Enright wrote:

> On Fri, 2006-05-26 at 13:32 -0400, Joshua D. Abraham wrote:
> > > Joshua D. Abraham wrote:
> > > > Just another method which might be interesting to consider.
> > >
> > > Sure, but banners are very easily forgeable.
> >
> > Right, but that would require the user to recompile ssh on the
> > system. I doubt many people would do this. Plus Ubuntu is gaining
> > a lot of users who really wouldn't care less if it was identified.
> >
> > --Josh
>
> There are many banners and port patterns that identify an OS if the user
> hasn't actively modified anything.  Techniques that use banners and port
> patterns are very useful when you trust the target is not trying to be
> deceptive.
>
> I'm sure most would agree that using an SSH banner to say a box is some
> distro or tcp/3389 to say a box is something Windows has no place in
> Nmap's second-gen OS FP engine.
>
> What I would like to see though is a soft fingerprinting engine added.
> When users used -O or -A they would get the standard or second-gen
> engine which does not take into account any banners or ports
> opened/closed.  If they used an option like '--soft-osfp' then Nmap
> would turn on checks that, while they can often really fine-tune a
> fingerprint, can also easily be forged.
>
> I've accomplished something similar to this with a Perl wrapper around
> Nmap.  The script is how we detect different patch levels (MS0X-0XX) of
> Windows within one version of a release (XP, 2000, etc).

This is yet another reason why the user might want to actually be
able to see the banner which relates to my patch I sent to the
list recently.

Josh

> Brandon
>
> -- 
> Brandon Enright
> Network Security Analyst
> UCSD ACS/Network Operations
> bmenrigh () ucsd edu
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev

-- 
Joshua D. Abraham
Northeastern University
College of Computer and Information Science
www.ccs.neu.edu/home/jabra
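An added example (not code from this thread, from Nmap, or Brandon's Perl wrapper) of the kind of soft engine the thread describes: a Python wrapper that reads Nmap -sV XML output and applies the two forgeable rules named above (Ubuntu from the OpenSSH banner's Debian package revision, Windows from an open tcp/3389), plus the 135/139/445 port-pattern rule as a generalization of "port patterns". The XML document, the addresses and the banners are constructed for the example. Every guess is tagged low confidence so an inventory job can keep it apart from what -O reports.

```python
"""Soft OS fingerprinting over Nmap -sV XML output (added example).

Every rule here keys on data the scanned host controls (service banners,
which ports are open), so each guess is tagged confidence "low" and is
meant to be kept separate from Nmap's own -O result.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class SoftGuess:
    host: str
    guess: str
    evidence: str
    confidence: str  # always "low": the evidence is trivially forgeable


# Constructed sample in Nmap's -oX layout (not a real scan; RFC 5737 test addresses).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.2p1 Debian-7ubuntu3" extrainfo="protocol 2.0"/>
      </port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd"/>
      </port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Map each IPv4 host to {port: (state, product, version)} for its TCP ports."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = {}
        for p in host.findall("ports/port[@protocol='tcp']"):
            svc = p.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            ports[int(p.get("portid"))] = (p.find("state").get("state"), product, version)
        hosts[addr_el.get("addr")] = ports
    return hosts


def soft_rules(addr, ports):
    """Apply the forgeable banner and port-pattern rules to one host."""
    open_ports = {n for n, (state, _, _) in ports.items() if state == "open"}
    guesses = []
    # Rule 1: the OpenSSH banner carries the Debian package revision, and
    # Ubuntu builds embed "ubuntuN" in it (e.g. "Debian-7ubuntu3").
    if 22 in open_ports:
        _, product, version = ports[22]
        banner = f"{product} {version}".strip()
        if re.search(r"\bDebian-\d+ubuntu\d+", version):
            guesses.append(SoftGuess(addr, "Ubuntu Linux", f"ssh banner: {banner}", "low"))
        elif re.search(r"\bDebian-\d+", version):
            guesses.append(SoftGuess(addr, "Debian Linux", f"ssh banner: {banner}", "low"))
    # Rule 2: an RDP listener on tcp/3389 is the classic "this is Windows" hint.
    if 3389 in open_ports:
        guesses.append(SoftGuess(addr, "Microsoft Windows", "tcp/3389 open (RDP)", "low"))
    # Rule 3: MSRPC, NetBIOS session and SMB open together is a Windows port pattern.
    if {135, 139, 445} <= open_ports:
        guesses.append(SoftGuess(addr, "Microsoft Windows", "tcp/135,139,445 open together", "low"))
    return guesses


def soft_fingerprint(xml_text):
    """Run the soft rules over every host in an Nmap XML document."""
    results = []
    for addr, ports in parse_hosts(xml_text).items():
        results.extend(soft_rules(addr, ports))
    return results


if __name__ == "__main__":
    for g in soft_fingerprint(SAMPLE_XML):
        print(f"{g.host:<12} {g.guess:<18} [{g.confidence}] {g.evidence}")
```

Each rule records its evidence string alongside the guess, which is the point Josh makes about wanting to see the banner: when a soft guess disagrees with the -O result, the reviewer can see exactly which banner or port pattern produced it and judge whether the host is simply misclassified or is deliberately presenting a misleading face.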

