Nmap Development mailing list archives

[script] os.nse: os detection in NSE [beta]


From: majek04 <majek04+nmap-dev () gmail com>
Date: Mon, 31 Mar 2008 14:09:47 +0200

Hi!

I rewrote the standard nmap os detection engine in Lua [1]. The only difference
is that os detection is executed for every open tcp port, rather than per host.
It uses the nmap database nmap-os-db.

The code is still not perfect, but any feedback would be appreciated.

The simplest way to explain a thing is to show it in action:

~/nmap-osnse$ export NMAPDIR=.; sudo ./nmap -sS -p80,443 -n --script=os.nse adobe.com -P0
Starting Nmap 4.53 ( http://nmap.org ) at 2008-03-31 13:52 CEST
Interesting ports on 192.150.18.117:
PORT     STATE    SERVICE
80/tcp   open     http
|_ os: HP 4000M ProCurve switch (J4121A) (91%), Asus WL-500gP wireless
broadband router (87%), D-Link DWL-624+ or TRENDnet TEW-432BRP
wireless broadband router (84%)
443/tcp  open     https
|_ os: OpenBSD 4.0 (87%), Apple Mac OS 9.2 (87%), D-Link DWL-624+ or
TRENDnet TEW-432BRP wireless broadband router (84%)


A bit more debugging:

~/nmap-osnse$ export NMAPDIR=.; sudo ./nmap -sS -p80,443 -n --script=os.nse adobe.com -P0 -d1
Interesting ports on 192.150.18.117:
PORT     STATE    SERVICE    REASON
80/tcp   open     http       syn-ack
|  os: HP 4000M ProCurve switch (J4121A) (91%), Asus WL-500gP wireless
broadband router (87%), D-Link DWL-624+ or TRENDnet TEW-432BRP
wireless broadband router (84%)
|      seq info: got packets=6 try=4/4 variance=21.031722
|      ECN(R=Y%DF=Y%TG=40%W=C1E8%O=M5B4NW0NNS%CC=Y%Q=)
|      T2(R=N)
|      T3(R=N)
|      T4(R=Y%DF=Y%TG=FF%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)
|      SEQ(SP=108%GCD=1%ISR=108%TI=RD%TS=20%uptime=1 seconds)
|      OPS(O1=NNT11M5B4NW0NNS%O2=NNT11M5B4NW0NNS%
         O3=NNT11M5B4NW0%O4=NNT11M5B4NW0NNS%O5=NNT11M5B4NW0NNS%O6=NNT11M5B4NNS)
|      WIN(W1=C050%W2=8220%W3=50F4%W4=C050%W5=C068%W6=500D)
|_     T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
443/tcp  open     https      syn-ack
|  os: OpenBSD 4.0 (87%), Apple Mac OS 9.2 (87%), Microsoft Windows XP
Home SP1 (French) (86%)
|      seq info: got packets=6 try=1/1 variance=0.816497
|      ECN(R=Y%DF=Y%TG=FF%W=111C%O=M5B4NW0SLL%CC=N%Q=)
|      T2(R=N)
|      T3(R=N)
|      T4(R=Y%DF=Y%TG=FF%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)
|      SEQ(SP=104%GCD=1%ISR=10B%TI=RD%TS=B%uptime=12.8 hours)
|      OPS(O1=M5B4NW0NNT11SLL%O2=M5B4NW0NNT11SLL%
         O3=M5B4NW0NNT11%O4=M5B4NW0NNT11SLL%O5=M5B4NW0NNT11SLL%O6=M5B4NNT11SLL)
|      WIN(W1=111C%W2=1068%W3=780%W4=111C%W5=648%W6=31B)
|_     T1(R=Y%DF=Y%TG=FF%S=O%A=S+%F=AS%RD=0%Q=)


Notes:
 - it's much less accurate than nmap's os detection; it uses only
   probes to open tcp ports, no udp/icmp probes.
 - the SEQ scan needs exact timing, which is an issue in Lua.
   Sometimes the Lua thread waits too long, which can affect the result.
   (Look at the variance field while scanning with debugging enabled, -d1.
    That field shows the time drift in milliseconds.)
   For example, these lines are from one host:
      SEQ(SP=CA%GCD=1%ISR=D2%TI=Z%TS=8%uptime=1.3 months)  variance=2ms
      SEQ(SP=C7%GCD=1%ISR=CA%TI=Z%TS=8%uptime=1.3 months)  variance=20ms
      SEQ(SP=CC%GCD=1%ISR=D0%TI=Z%TS=8%uptime=1.3 months)  variance=2.5ms
      SEQ(SP=D0%GCD=1%ISR=D0%TI=Z%TS=8%uptime=1.4 months)  variance=0.8ms
   As you see, the values are quite similar, but unfortunately different
   signatures are matched to each of them.
 - Lua threads aren't preemptive, and os.nse needs a lot of cpu to
   match fingerprints (on the other hand, other parts of os.nse are very
   time-sensitive). I created code that should give the cpu back to the
   main event loop every 8-10ms.
 - I included the loop [2] Lua library. It has the same license as Lua, so
   it shouldn't be a problem to include it in the nmap source.

Known issues:
  - it doesn't work on Leopard. I have a very strange error; I'll write a
    separate message about it.
  - maybe the results could be more accurate. Does anyone have an idea how to do it?



 Marek Majkowski


[1] sources are here:
$ svn co --username=guest --password=""
svn://svn.insecure.org/nmap-exp/majek04/nmap-6861 nmap-osnse
The code includes: the os.nse script, sendip in Lua, and a minor change to
the nse-pcap api.

[2] http://loop.luaforge.net/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
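The following is an added example, not part of Marek's post and not code from os.nse or from Nmap: a small Python matcher for the fingerprint-test syntax that appears in the -d1 output above (SEQ(...), OPS(...), WIN(...), T1(...), with attributes separated by %). It parses a subject fingerprint, parses nmap-os-db-style reference entries (alternatives with |, hex ranges LO-HI, comparisons >HEX and <HEX), and scores each entry as a percentage. The two reference entries ("Example device A"/"Example device B"), their values, and the attribute weights are constructed for this example and are not real nmap-os-db records or Nmap's MatchPoints table; the scoring rule (matched weight divided by the weight of attributes present in both subject and reference) is a simplification. It reuses the two SEQ lines the post shows for one host to illustrate why a small drift in SP/ISR can move a subject across a range boundary and change which entry ranks first.

```python
"""Simplified nmap-os-db style fingerprint parsing and matching (added example)."""
import re

TEST_RE = re.compile(r'[|_\s]*(\w+)\((.*)\)\s*$')        # e.g. "|      SEQ(SP=108%GCD=1)"
RANGE_RE = re.compile(r'([0-9A-F]+)-([0-9A-F]+)')        # hex range LO-HI (uppercase, as in the db)

# CONSTRUCTED reference entries; names and values are invented for this example.
REFERENCE_DB = """\
Fingerprint Example device A
SEQ(SP=C8-D2%GCD=1-6%ISR=C8-D4%TI=Z%TS=7|8)
OPS(O1=M5B4NW0NNT11SLL%O2=M5B4NW0NNT11SLL)
WIN(W1=111C%W2=1068)
T1(R=Y%DF=Y%TG=FF%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)

Fingerprint Example device B
SEQ(SP=BC-CA%GCD=1%ISR=C0-CC%TI=Z%TS=8)
OPS(O1=M5B4NW0NNT11SLL%O2=M5B4NW0NNT11SLL)
WIN(W1=111C%W2=1068)
T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
"""

def parse_tests(lines):
    """'SEQ(SP=108%GCD=1)' -> {'SEQ': {'SP': '108', 'GCD': '1'}}; lines without a test are skipped."""
    tests = {}
    for line in lines:
        m = TEST_RE.match(line)
        if not m:
            continue
        name, body = m.groups()
        attrs = {}
        for kv in body.split('%'):
            if kv:
                key, _, val = kv.partition('=')
                attrs[key] = val
        tests[name] = attrs
    return tests

def parse_db(text):
    """Split 'Fingerprint <name>' blocks separated by blank lines into (name, tests) pairs."""
    entries = []
    for block in text.strip().split('\n\n'):
        lines = block.splitlines()
        name = lines[0].split(' ', 1)[1]
        entries.append((name, parse_tests(lines[1:])))
    return entries

# CONSTRUCTED per-attribute weights (an assumption, not Nmap's MatchPoints); default weight is 1.
WEIGHTS = parse_tests([
    "SEQ(SP=25%GCD=75%ISR=25%TI=100%TS=100)",
    "OPS(O1=20%O2=20)",
    "WIN(W1=15%W2=15)",
    "T1(R=100%DF=20%TG=15%S=20%A=20%F=30%RD=20%Q=20)",
    "T2(R=100)",
])

def _hex(s):
    try:
        return int(s, 16)
    except ValueError:
        return None

def value_matches(expr, value):
    """Does a subject value satisfy a reference expression (A|B alternatives; LO-HI; >HEX; <HEX)?"""
    n = _hex(value)
    for alt in expr.split('|'):
        if alt == value:               # literal match (also covers empty-vs-empty, e.g. Q=)
            return True
        if n is None:
            continue                   # non-numeric subject value: only literals can match
        if alt and alt[0] in '<>' and _hex(alt[1:]) is not None:
            bound = _hex(alt[1:])
            if (alt[0] == '>' and n > bound) or (alt[0] == '<' and n < bound):
                return True
            continue
        m = RANGE_RE.fullmatch(alt)
        if m and int(m.group(1), 16) <= n <= int(m.group(2), 16):
            return True
    return False

def score(subject, reference, weights=WEIGHTS):
    """Matched weight / weight of attributes present in both subject and reference (0.0..1.0)."""
    got = possible = 0
    for test, ref_attrs in reference.items():
        sub_attrs = subject.get(test)
        if sub_attrs is None:
            continue                   # subject has no result for this test: not counted
        for attr, expr in ref_attrs.items():
            if attr not in sub_attrs:
                continue
            w = int(weights.get(test, {}).get(attr, '1'))
            possible += w
            if value_matches(expr, sub_attrs[attr]):
                got += w
    return got / possible if possible else 0.0

def rank(subject_lines, db_text=REFERENCE_DB, top=3):
    """Return [(name, percent), ...] best first, like the '(91%)' list in the os.nse output."""
    subject = parse_tests(subject_lines)
    scored = [(name, round(100 * score(subject, tests))) for name, tests in parse_db(db_text)]
    return sorted(scored, key=lambda x: -x[1])[:top]

# Subject lines: the OPS/WIN/T1/T2 results shown for port 443 above, plus one SEQ line per run.
SUBJECT_COMMON = [
    "|      OPS(O1=M5B4NW0NNT11SLL%O2=M5B4NW0NNT11SLL%O3=M5B4NW0NNT11)",
    "|      WIN(W1=111C%W2=1068%W3=780)",
    "|_     T1(R=Y%DF=Y%TG=FF%S=O%A=S+%F=AS%RD=0%Q=)",
    "|      T2(R=N)",
]
SEQ_RUN1 = "SEQ(SP=CA%GCD=1%ISR=D2%TI=Z%TS=8%uptime=1.3 months)"   # variance=2ms in the post
SEQ_RUN2 = "SEQ(SP=C7%GCD=1%ISR=CA%TI=Z%TS=8%uptime=1.3 months)"   # variance=20ms in the post

if __name__ == "__main__":
    for seq in (SEQ_RUN1, SEQ_RUN2):
        print(seq, "->", rank(SUBJECT_COMMON + [seq]))
```

Run 1 (SP=CA, ISR=D2) ranks device A first; run 2 (SP=C7, ISR=CA), whose SP falls just below A's C8-D2 range and whose ISR falls inside B's C0-CC range, ranks device B first. The per-test R=N convention is handled naturally: a reference T2(R=N) only carries the R attribute, so nothing else is compared for that test.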