Nmap Development mailing list archives
Re: SinFP 2.06, new signatures, benchmark results
From: doug () hcsw org
Date: Thu, 21 Dec 2006 14:48:23 -0800
On Thu, Dec 21, 2006 at 10:50:46AM -0800 or thereabouts, Fyodor wrote:
> On Thu, Dec 21, 2006 at 01:19:52PM +0100, GomoR wrote:
> > Also, two benchmarks versus Nmap have been done:
> > http://www.phocean.net/index.php/post/2006/12/17/SinFP
> > http://www.computerdefense.org/?p=173
>
> Independent benchmark results can be useful, but I'm afraid that those two are rather poor.
I agree that these benchmarks are overall pretty poor. The first one seems to misunderstand how Nmap's OS detection works: "A program like Nmap usually scan all the open ports of a remote IP address. According to the answers it gets back on each port, and using a signature database, nmap can identify the target OS." The reality is, of course, that Nmap uses a series of specially crafted active packet probes AFTER a port scan and tries to determine the OS based on the target's responses - much in the same way that SinFP does.

As Fyodor mentioned, the second benchmark seems to have some critical implementation flaws. Also keep in mind that narrowly identifying an OS isn't always a sign that the system is working correctly - it could also mean that it's just not reporting the less common systems with identical behaviours.

SinFP is also a very good program but keep in mind that fundamentally it works the same as Nmap only with a different probe set and can also do passive OS fingerprinting in a similar manner to Zalewski's p0f program: http://lcamtuf.coredump.cx/p0f.shtml

So while both Nmap and SinFP are excellent tools (and might have slight advantages over each other given certain NAT restrictions or lack thereof) Nmap also has another often overlooked OS detection mechanism: When you execute a version scan (-sV or -A) Nmap will also fingerprint *services* at the *application layer* which, it turns out, is often a fairly robust, reliable OS fingerprinting method.
I rarely ever use -O on my own machines because of the verbose information most OpenSSH daemons are configured to give:

$ ./nmap -sV -p 22 localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-21 14:22 PST
Interesting ports on localhost.localdomain (127.0.0.1):
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.8.1p1 Debian 8.sarge.4 (protocol 2.0)
Service Info: OS: Linux

Similarly, Mac OS is easily recognised at the application layer through AFP/Apple remote desktop VNC, Windows through SMB/IIS/Exchange/etc, AIX through its "kerberised" rsh and so on.

Doug
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
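The application-layer fingerprinting Doug describes rests on the fact that an SSH server announces itself in clear text before any key exchange, and distribution packagers append their own tag to that string. The following Python is an added example, not code from the thread, from Nmap or from SinFP: it parses SSH identification strings (the "SSH-protoversion-softwareversion [comments]" line) and reports which banners give away an OS family, which is what a defender would run against their own hosts to see what the banner leaks. The banners in SAMPLE_BANNERS are constructed for the example, and the OS_HINTS table is a hypothetical mapping that covers only those samples.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample SSH identification strings in the RFC 4253 section 4.2
# layout "SSH-protoversion-softwareversion [SP comments]". They are made up
# for this example and are not captures from any real host.
SAMPLE_BANNERS: List[str] = [
    "SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4",   # distribution and patch level exposed
    "SSH-2.0-OpenSSH_7.4",                         # bare upstream version, no OS comment
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "SSH-2.0-OpenSSH_for_Windows_8.1",
    "SSH-1.99-Cisco-1.25",
    "SSH-2.0-dropbear_2019.78",
]


@dataclass
class BannerInfo:
    protocol: str            # e.g. "2.0"
    software: str            # e.g. "OpenSSH"
    version: Optional[str]   # e.g. "3.8.1p1"
    comment: str             # free-form trailer, where packagers add their tag
    os_hint: Optional[str]   # inferred OS family, None when the banner is silent


# protoversion is digits and dots; softwareversion runs to the first blank;
# anything after the blank is the optional comment field.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<sw>\S+)(?:[ \t]+(?P<comment>.*))?$")

# Hypothetical mapping from banner substrings to OS families. It covers only
# the constructed samples above; a real audit needs a much fuller table.
OS_HINTS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bDebian\b", re.I), "Linux (Debian)"),
    (re.compile(r"\bUbuntu\b", re.I), "Linux (Ubuntu)"),
    (re.compile(r"\bFreeBSD\b", re.I), "FreeBSD"),
    (re.compile(r"for_Windows", re.I), "Windows"),
    (re.compile(r"\bCisco\b", re.I), "Cisco IOS"),
]


def _split_software(sw: str) -> Tuple[str, Optional[str]]:
    """Split "OpenSSH_3.8.1p1" or "Cisco-1.25" into (name, version).

    The last "_" or "-" followed by a digit is taken as the separator, so
    "OpenSSH_for_Windows_8.1" keeps its full product name.
    """
    for sep in ("_", "-"):
        head, found, tail = sw.rpartition(sep)
        if found and tail and tail[0].isdigit():
            return head, tail
    return sw, None


def parse_ssh_banner(line: str) -> Optional[BannerInfo]:
    """Parse one identification string; return None if it is not an SSH banner."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    software, version = _split_software(m.group("sw"))
    comment = m.group("comment") or ""
    # Search both the software field and the comment: Windows and Cisco mark
    # the software field, Debian and Ubuntu mark the comment.
    haystack = f"{m.group('sw')} {comment}"
    os_hint = next((label for pat, label in OS_HINTS if pat.search(haystack)), None)
    return BannerInfo(m.group("proto"), software, version, comment, os_hint)


def audit_banners(banners: List[str]) -> Dict[str, str]:
    """Map each banner to the OS family it gives away, "no OS hint" or "unparseable"."""
    report: Dict[str, str] = {}
    for banner in banners:
        info = parse_ssh_banner(banner)
        if info is None:
            report[banner] = "unparseable"
        elif info.os_hint:
            report[banner] = info.os_hint
        else:
            report[banner] = "no OS hint"
    return report


if __name__ == "__main__":
    for banner, verdict in audit_banners(SAMPLE_BANNERS).items():
        print(f"{banner!r:48} -> {verdict}")
```

The point of the audit is the second column: a banner such as the Debian one in the post pins down distribution and patch level without a single crafted probe, while a bare upstream version string reveals far less. Trimming the comment field is a packaging decision rather than an sshd option, so the usual mitigation is to know which hosts expose it and to treat the exposed version as one more reason to keep those hosts patched.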
Current thread:
- SinFP 2.06, new signatures, benchmark results GomoR (Dec 21)
- Re: SinFP 2.06, new signatures, benchmark results Fyodor (Dec 21)
- Re: SinFP 2.06, new signatures, benchmark results doug (Dec 21)
- Re: SinFP 2.06, new signatures, benchmark results DePriest, Jason R. (Dec 21)
- Re: SinFP 2.06, new signatures, benchmark results GomoR (Dec 21)
- Re: SinFP 2.06, new signatures, benchmark results GomoR (Dec 21)
- Re: SinFP 2.06, new signatures, benchmark results doug (Dec 21)
- Re: SinFP 2.06, new signatures, benchmark results Fyodor (Dec 21)