Nmap Development mailing list archives

Re: Nmap 4.20ALPHA2


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sun, 25 Jun 2006 04:37:58 +0000

On Sat, 2006-06-24 at 21:17 -0700, Fyodor wrote:
> OK guys, let's just pretend ALPHA1 never happened :).  Here is ALPHA2:

... snip ...
> Please let me know if you find any problems with this one!  If you can
> patch the problem, that is best.  But even if you can't, just
> reporting a problem like "doesn't compile on <foo OS>, gives this
> error" will help us determine what to focus on.
>
> Cheers,
> -F


It looks like the TCP Sequence Prediction has changed significantly.
Hosts that were coming back in the "Good luck!" difficulty class with
randomish sequences are now classed as Easy/Medium.

A Linux 2.4 box that was coming back with:

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=1745946 (Good luck!)

Now comes back with:

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=22 (Easy)

A fully patched XP SP2 (no firewall) used to come back:

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)

But now comes back:

TCP Sequence Prediction: Class=truly random
                         Difficulty=255 (Medium)

Has the sequence pattern matching improved in some way?  I suppose this
could be to make headroom for even more unpredictable TCP Sequences.  To
me "truly random" means impossible, not medium difficulty.  I see a
couple of comments in red in your fingerprinting methods paper but
nothing that would indicate this big a change.

Brandon



