Nmap Development mailing list archives
[script] os.nse: os detection in NSE [beta]
From: majek04 <majek04+nmap-dev () gmail com>
Date: Mon, 31 Mar 2008 14:09:47 +0200
Hi!

I rewrote the standard nmap os detection engine in Lua [1]. The only difference is that os detection is executed for every open tcp port, rather than per host. It uses the nmap database nmap-os-db.

The code is still not perfect, but any feedback would be appreciated.

The simplest way to explain a thing is to show it in action:

  ~/nmap-osnse$ export NMAPDIR=.; sudo ./nmap -sS -p80,443 -n --script=os.nse adobe.com -P0

  Starting Nmap 4.53 ( http://nmap.org ) at 2008-03-31 13:52 CEST
  Interesting ports on 192.150.18.117:
  PORT    STATE SERVICE
  80/tcp  open  http
  |_ os: HP 4000M ProCurve switch (J4121A) (91%), Asus WL-500gP wireless broadband router (87%), D-Link DWL-624+ or TRENDnet TEW-432BRP wireless broadband router (84%)
  443/tcp open  https
  |_ os: OpenBSD 4.0 (87%), Apple Mac OS 9.2 (87%), D-Link DWL-624+ or TRENDnet TEW-432BRP wireless broadband router (84%)

A bit more debugging:

  ~/nmap-osnse$ export NMAPDIR=.; sudo ./nmap -sS -p80,443 -n --script=os.nse adobe.com -P0 -d1

  Interesting ports on 192.150.18.117:
  PORT    STATE SERVICE REASON
  80/tcp  open  http    syn-ack
  | os: HP 4000M ProCurve switch (J4121A) (91%), Asus WL-500gP wireless broadband router (87%), D-Link DWL-624+ or TRENDnet TEW-432BRP wireless broadband router (84%)
  | seq info: got packets=6 try=4/4 variance=21.031722
  | ECN(R=Y%DF=Y%TG=40%W=C1E8%O=M5B4NW0NNS%CC=Y%Q=)
  | T2(R=N)
  | T3(R=N)
  | T4(R=Y%DF=Y%TG=FF%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)
  | SEQ(SP=108%GCD=1%ISR=108%TI=RD%TS=20%uptime=1 seconds)
  | OPS(O1=NNT11M5B4NW0NNS%O2=NNT11M5B4NW0NNS%O3=NNT11M5B4NW0%O4=NNT11M5B4NW0NNS%O5=NNT11M5B4NW0NNS%O6=NNT11M5B4NNS)
  | WIN(W1=C050%W2=8220%W3=50F4%W4=C050%W5=C068%W6=500D)
  |_ T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
  443/tcp open  https   syn-ack
  | os: OpenBSD 4.0 (87%), Apple Mac OS 9.2 (87%), Microsoft Windows XP Home SP1 (French) (86%)
  | seq info: got packets=6 try=1/1 variance=0.816497
  | ECN(R=Y%DF=Y%TG=FF%W=111C%O=M5B4NW0SLL%CC=N%Q=)
  | T2(R=N)
  | T3(R=N)
  | T4(R=Y%DF=Y%TG=FF%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)
  | SEQ(SP=104%GCD=1%ISR=10B%TI=RD%TS=B%uptime=12.8 hours)
  | OPS(O1=M5B4NW0NNT11SLL%O2=M5B4NW0NNT11SLL%O3=M5B4NW0NNT11%O4=M5B4NW0NNT11SLL%O5=M5B4NW0NNT11SLL%O6=M5B4NNT11SLL)
  | WIN(W1=111C%W2=1068%W3=780%W4=111C%W5=648%W6=31B)
  |_ T1(R=Y%DF=Y%TG=FF%S=O%A=S+%F=AS%RD=0%Q=)

Notes:

- It's much less accurate than nmap's os detection. It uses only probes to open tcp ports, no udp/icmp probes.

- The SEQ scan needs exact timing, and that's an issue in LUA. Sometimes the LUA thread is waiting too long, and that can affect the result. (Look at the variance field while scanning with debugging enabled, -d1. That field shows the time drift in milliseconds.) For example, these lines are from one host:

    SEQ(SP=CA%GCD=1%ISR=D2%TI=Z%TS=8%uptime=1.3 months)  variance=2ms
    SEQ(SP=C7%GCD=1%ISR=CA%TI=Z%TS=8%uptime=1.3 months)  variance=20ms
    SEQ(SP=CC%GCD=1%ISR=D0%TI=Z%TS=8%uptime=1.3 months)  variance=2.5ms
    SEQ(SP=D0%GCD=1%ISR=D0%TI=Z%TS=8%uptime=1.4 months)  variance=0.8ms

  As you see, the values are quite similar, but unfortunately different signatures are matched to each of them.

- Lua threads aren't preemptive, and os.nse needs a lot of cpu to match fingerprints. (On the other hand, other parts of os.nse are very time-sensitive.) I created code that should give back the cpu to the main event loop every 8-10ms.

- I included the loop [2] lua library. It has the same license as LUA, so it shouldn't be a problem to include it in the nmap source.

Known issues:

- It doesn't work on Leopard. I have a very strange error; I'll write a separate message about it.

- Maybe the results could be more accurate. Does anyone have an idea how to do it?

Marek Majkowski

[1] Sources are here:

  $ svn co --username=guest --password="" svn://svn.insecure.org/nmap-exp/majek04/nmap-6861 nmap-osnse

The code includes: the os.nse script, sendip in lua and a minor change to the nse-pcap api.

[2] http://loop.luaforge.net/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
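The debug output above prints each fingerprint test in nmap's `NAME(K=V%K=V...)` notation, and the author's point about the SEQ test is that timing jitter moves some attributes (SP, ISR) while others stay fixed. The following Python is an added example, not code from the post or from nmap; it parses those test lines and the `os:` result line, and, applied to the four SEQ captures quoted in the message, reports which attributes are unstable across captures. The sample lines are copied from the message; the function and variable names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Sample input: the four SEQ lines the post quotes for a single host, paired
# with the variance (ms) reported for each capture. Values come from the
# message above; the pairing into tuples is this example's own structure.
SAMPLE_SEQ_LINES: List[Tuple[str, float]] = [
    ("SEQ(SP=CA%GCD=1%ISR=D2%TI=Z%TS=8%uptime=1.3 months)", 2.0),
    ("SEQ(SP=C7%GCD=1%ISR=CA%TI=Z%TS=8%uptime=1.3 months)", 20.0),
    ("SEQ(SP=CC%GCD=1%ISR=D0%TI=Z%TS=8%uptime=1.3 months)", 2.5),
    ("SEQ(SP=D0%GCD=1%ISR=D0%TI=Z%TS=8%uptime=1.4 months)", 0.8),
]

# Optional "|" / "|_" script-output prefix, then NAME(body).
_TEST_RE = re.compile(r"^\s*\|?_?\s*(?P<name>[A-Z0-9]+)\((?P<body>.*)\)\s*$")
_OS_RE = re.compile(r"^\s*\|_?\s*os:\s*(?P<body>.*)$")


def parse_test_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Parse one test line, e.g. 'T4(R=Y%DF=Y%TG=FF%W=0%...%O=%RD=0%Q=)',
    into (test_name, {attribute: value}). Fields are '%'-separated K=V pairs;
    an empty value such as 'O=' or 'Q=' is kept as ''. Whitespace that a
    mail client wrapped into the line (e.g. '% O3=') is tolerated."""
    m = _TEST_RE.match(line)
    if not m:
        raise ValueError(f"not a fingerprint test line: {line!r}")
    attrs: Dict[str, str] = {}
    for field in m.group("body").split("%"):
        field = field.strip()
        if not field:
            continue
        key, _, value = field.partition("=")
        attrs[key] = value
    return m.group("name"), attrs


def parse_os_line(line: str) -> List[Tuple[str, int]]:
    """Parse '|_ os: Name (91%), Other name (87%)' into [(name, percent)].
    Names may themselves contain parentheses, e.g. '(J4121A)', so the
    percentage is recognised only as a trailing '(NN%)' group."""
    m = _OS_RE.match(line)
    if not m:
        raise ValueError(f"not an os result line: {line!r}")
    pairs = re.findall(r"(.+?) \((\d+)%\)(?:, |$)", m.group("body"))
    return [(name, int(pct)) for name, pct in pairs]


def unstable_attrs(lines: List[str]) -> Dict[str, List[str]]:
    """Given repeated captures of the same test from one host, return the
    attributes whose value is not identical across all captures, mapped to
    the sequence of values observed. Stable attributes are omitted."""
    parsed = [parse_test_line(l)[1] for l in lines]
    keys = sorted(set().union(*parsed))
    return {
        k: [p.get(k, "") for p in parsed]
        for k in keys
        if len({p.get(k, "") for p in parsed}) > 1
    }


def attr_range_hex(lines: List[str], key: str) -> Tuple[int, int]:
    """Min and max of a hex-encoded attribute (SP, ISR, GCD are printed in
    hex) across repeated captures, as integers."""
    values = [int(parse_test_line(l)[1][key], 16) for l in lines]
    return min(values), max(values)


if __name__ == "__main__":
    seq_lines = [line for line, _ in SAMPLE_SEQ_LINES]
    for line, variance in SAMPLE_SEQ_LINES:
        print(f"variance={variance:>5}ms  {parse_test_line(line)[1]}")
    print("unstable across captures:", unstable_attrs(seq_lines))
    print("SP range:", attr_range_hex(seq_lines, "SP"))
    print("ISR range:", attr_range_hex(seq_lines, "ISR"))
    print(parse_os_line("|_ os: HP 4000M ProCurve switch (J4121A) (91%), "
                        "Asus WL-500gP wireless broadband router (87%)"))
```

On the four quoted captures only SP, ISR and uptime move; GCD, TI and TS are identical, which is the same observation the post makes by eye. Keeping the per-capture variance next to each parsed line makes it easy to see whether a large drift (the 20 ms capture) coincides with an outlying SP/ISR value before trusting a single-capture match.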