Re: Comments on OS detection 2nd generation (soft fingerprinting)

["Joshua D. Abraham" <jabra () ccs neu edu>]

On 26.May.2006 08:38PM -0700, Fyodor wrote:

> On Fri, May 26, 2006 at 05:51:18PM +0000, Brandon Enright wrote:
> > On Fri, 2006-05-26 at 13:32 -0400, Joshua D. Abraham wrote:
> > >  
> > I'm sure most would agree that using a SSH banner to say a box is some
> > distro or tcp/3389 to say a box is something Windows has no place in
> > Nmap's second-gen OS FP engine.
>
> Agreed.  Not in the stack fingerprinting engine.
Agreed.
> > What I would like to see though is a soft fingerprinting engine added.
> > When users used -O or -A they would get the standard or second-gen
> > engine which does not take into account any banners or ports
> > opened/closed.
>
> Nmap actually does have that capability.  Doug added it last year.
> But the version detection signatures need to be augmented.  Look at Josh's mail:
Are you referring to my banner patch?

> > I had is that for ubuntu machines there is no way to turn off the
> > banner for ssh. Therefore, the response is
> > SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3 which clearly identifies
> > the machine as 2.6 since ubuntu doesn't have a version for 2.4.
>
> Here is the current match line:
>
> match ssh m/^SSH-([.\d]+)-OpenSSH[_-]([\S ]+)/i p/OpenSSH/ v/$2/ i/protocol $1/
>
> But I could you could add this more specific right above that line:
>
> match ssh m/^SSH-([.\d]+)-OpenSSH[_-](\S+ Debian-7ubuntu3)/i o/Linux/ p/OpenSSH/ v/$2/ i/protocol $1/
>
> Now Nmap will tell you that version detection thinks the OS is Linux.
> It will also print the stack fingerprinting OS detection results.  It
> is useful to have both separately rather than try to merge them,
> because of cases like a Checkpoint firewall which redirects
> port 22 to a Linux box.
>
> I added the signature above, but it is so specific that it won't do
> much on its own.  SSH is so common that we might want to do a survey
> of SSH banners on the internet and look at what information we can get
> from them.  Geez, if only I had a way to ask Nmap to run a small LUA
> script to quickly collect this information for each open port 22 it
> finds :).  But seriously, it wouldn't be very hard to do now.  Once
> you have all the banners, you could sort by frequency and write
> special signatures for all of the popular ones.
>
> An alternative to the scan would be to remove the space in "[\S ]" in
> the current generic match line.  Then people would start submitting
> these non-matches.  I don't think I can bear to break Nmap (even
> temporarily) like that when the SSH survey would be easy enough.  I'll
> add it to the possible TODO list.  Or if anyone else wants to take up
> this torch, you're welcome to!

I think that if the user could have access to the banner that
they would be able to determine this information more easily.
Again, I'm sure there might be other services say for windows or
something that might be of use as well. Therefore, if we had
people able to have the scan with the banner included in the xml
we could parse that in a survey or something.

Any chance, Fyodor to include the 4.03 version of the patch or
perhaps review it?

http://seclists.org/lists/nmap-dev/2006/Apr-Jun/0248.html

--Josh
> Cheers,
> -F

-- 
Joshua D. Abraham
Northeastern University
College of Computer and Information Science
www.ccs.neu.edu/home/jabra


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev