Nmap Development mailing list archives

[PATCH] Change to OS Fingerprint XML output


From: Tom Sellers <nmap () fadedcode net>
Date: Tue, 27 Jan 2009 19:18:57 -0600

A couple of years ago I sent an email (1,2) describing how the OS fingerprint
was not being output in XML under the same conditions that it would be in Normal,
StdOut, etc.

I said I would submit a patch to address this, but apparently forgot...
So, some 2 years later....

Currently, OS fingerprints are only output to XML when verbosity or debugging
is turned on. As far as I can tell, after -O2 was introduced they have not been
output to XML even when an unknown OS was scanned.

I had come across this originally when building some network scanning and reporting
code.  I came across it again doing pretty much the same thing using Kris Katterjohn's
Ruby Nmap::Parser library. Good stuff, btw.

Anyway, I am now in a situation where I will need to enable verbosity on the output
to force the fingerprint to be written to XML and then write code to detect if a match
was found.  This would generate quite a bit more output and increase the complexity
of the code.  It would also mean that every host would have a fingerprint block
when the XML was viewed in a browser, even if there was a 100% match.

I think it would be better if nmap were to output the fingerprint to XML under the
same conditions that it would write it to normal, standard output, ScriptKiddie, etc.

I want to preface the rest of this with the fact that I am not a C coder..

I have attached a patch I believe will make the change I have suggested.  I have
tested the patch in my environment against multiple OSes, some successfully identified
and some not. At this point, I am only really unsure about one portion of the code.

The original XML fp output code in output.cc is this:
*******************************************************************
  if (o.debugging || o.verbose) {
    char *xml_osfp = xml_convert(merge_fpr(FPR, currenths, reason != NULL, reason != NULL));
    log_write(LOG_XML,"<osfingerprint fingerprint=\"%s\" />\n", xml_osfp);
    free(xml_osfp);
  }
*******************************************************************


I deleted the block and moved the three core lines into 'write_merged_fpr' with the
goal of having them called anytime a fingerprint is written for other outputs.
*******************************************************************
static void write_merged_fpr(const FingerPrintResults *FPR,
                             const Target *currenths,
                             bool isGoodFP, bool wrapit) {
  log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT, "TCP/IP fingerprint:\n%s\n",
            merge_fpr(FPR, currenths, isGoodFP, wrapit));

  /* Added code here to print fingerprint to XML file any time it would be printed
     to any other output format  */
  char *xml_osfp = xml_convert(merge_fpr(FPR, currenths,  isGoodFP,  wrapit));
  log_write(LOG_XML,"<osfingerprint fingerprint=\"%s\" />\n", xml_osfp);
  free(xml_osfp);

}
*******************************************************************

I changed the parameters to merge_fpr for the XML related call from reason != NULL to
isGoodFP and wrapit in order to be more in line with the other outputs. I am concerned
that the parameters to merge_fpr may need to stay the same as the original call.



Other than the above, there is only one other change in behavior that I am aware of.
Currently XML fingerprints are forced to be written when verbosity is 1 or higher, while other
formats are forced to write when verbosity is 2 or higher.  After the change they
would be the same at verbosity = 2 or higher.


Hopefully both the change in behavior and the patch will be accepted.  Any feedback
would be greatly appreciated.

Thanks,

Tom Sellers

(1) - http://seclists.org/nmap-dev/2006/q4/0317.html
(2) - http://seclists.org/nmap-dev/2006/q4/0319.html

Attachment: xml_fp_output_change.txt
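
An added example, not part of the original message or of Nmap: a consumer-side check of the kind the message describes, which reads Nmap XML and separates hosts with no OS match from matched hosts that still carry a fingerprint (the extra filtering needed when verbosity forces the fingerprint out). The XML sample is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not real scan output. Element and attribute names follow
# Nmap's XML output; addresses and fingerprint strings are placeholders.
SAMPLE_XML = """<nmaprun>
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <os><osmatch name="Linux 2.6.X" accuracy="100"/></os></host>
  <host><address addr="192.0.2.20" addrtype="ipv4"/>
    <os><osfingerprint fingerprint="OS:SCAN(placeholder-A)"/></os></host>
  <host><address addr="192.0.2.30" addrtype="ipv4"/>
    <os><osmatch name="FreeBSD 7.X" accuracy="100"/>
      <osfingerprint fingerprint="OS:SCAN(placeholder-B)"/></os></host>
</nmaprun>"""


def summarize_os(xml_text):
    """Return one dict per host: address, best OS match, and any fingerprint."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        # Search the whole host subtree so the result does not depend on
        # exactly where the osfingerprint element is nested.
        matches = list(host.iter("osmatch"))
        best = max(matches, key=lambda m: int(m.get("accuracy", "0")),
                   default=None)
        fp_el = next(host.iter("osfingerprint"), None)
        results.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "match": best.get("name") if best is not None else None,
            "accuracy": int(best.get("accuracy", "0")) if best is not None else None,
            "fingerprint": fp_el.get("fingerprint") if fp_el is not None else None,
        })
    return results


def unidentified_with_fingerprint(results):
    """Hosts with no OS match whose fingerprint is present in the XML."""
    return [r["addr"] for r in results if r["match"] is None and r["fingerprint"]]


def matched_with_fingerprint(results):
    """Matched hosts that carry a fingerprint anyway; a report must filter these."""
    return [r["addr"] for r in results if r["match"] is not None and r["fingerprint"]]


if __name__ == "__main__":
    hosts = summarize_os(SAMPLE_XML)
    print("no match, fingerprint available:", unidentified_with_fingerprint(hosts))
    print("matched, fingerprint also present:", matched_with_fingerprint(hosts))
```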