Nmap Development mailing list archives
Re: U1 probe RUD test question
From: David Fifield <david () bamsoftware com>
Date: Thu, 2 Apr 2009 17:29:51 -0600
On Thu, Apr 02, 2009 at 02:52:42PM -0400, Thomas Tavaris J (Tavaris) wrote:
> I'm still looking at the quality of the tests that nmap sends and I have a question regarding the U1,RUD test. Why is this test producing a G value when wireshark, tshark, and tcpdump data shows no UDP data (from the probe) is contained in the encapsulated ICMP port unreachable packet? This is especially prevalent when scanning Cisco routers. The nmap-os-db file says Cisco IOS should report G for the RUD test. From my (limited) observations this hasn't been the case.
Thanks for bringing this up. There is a bug in the code that handles the U1.RUD test. Instead of checking that the payload is 300 bytes long and consists only of the character 'C', it only checks that every byte in the payload is 'C' without checking the length. So the test passes even for an empty payload. I'm going to fix this, which will cause some OS matches to break. We'll have to get new submissions to populate the database with correct values for the test.
> Also in the nmap-os-db file the MatchPoint value is 100 (which implies a high quality test). In my observations over 1650 values for G appear in the database but would also imply this test doesn't differentiate a lot of systems with this test value. Anyone have any insight?
MatchPoints isn't really a measure of the quality of a test in the sense of differentiating many different systems, it's a measure of how significant a difference is when it is observed. For instance, almost all systems return 0 for the T*.RD test, but a few systems return a value that is highly unique to the OS. It's like this: running the test isn't likely to find a difference in an operating system, but if a difference in the test value is observed, then that is a strong differentiator of operating systems.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
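The U1.RUD bug described in the message above, as an added example that is not part of the original post and is not Nmap's source code: a content-only loop accepts an empty payload vacuously, while a check that also requires 300 bytes does not. All function names, the enum and the sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define U1_LEN  300  /* payload length given in the message */
#define U1_FILL 'C'  /* payload byte given in the message */

enum sample { FULL, EMPTY, TRUNCATED, CORRUPT };  /* constructed inputs */

/* The check as the message describes the bug: every byte present must be
   'C', the length is never examined, so zero bytes pass vacuously. */
static int content_only(const unsigned char *d, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (d[i] != U1_FILL)
            return 0;
    return 1;
}

/* The check as the message describes the intent: exactly 300 bytes of 'C'. */
static int length_and_content(const unsigned char *d, size_t n)
{
    return n == U1_LEN && content_only(d, n);
}

/* Build one constructed "returned UDP data" buffer; returns its length. */
static size_t build(enum sample s, unsigned char *buf)
{
    memset(buf, U1_FILL, U1_LEN);
    if (s == CORRUPT)
        buf[150] = 0x00;  /* one byte altered */
    return s == EMPTY ? 0 : s == TRUNCATED ? 8 : U1_LEN;
}

/* Run one sample through either check (strict != 0 adds the length test). */
static int passes(enum sample s, int strict)
{
    unsigned char buf[U1_LEN];
    size_t n = build(s, buf);
    return strict ? length_and_content(buf, n) : content_only(buf, n);
}

int main(void)
{
    static const char *name[] = { "full", "empty", "truncated", "corrupt" };
    for (int s = FULL; s <= CORRUPT; s++)
        printf("%-9s content-only=%d length+content=%d\n", name[s],
               passes((enum sample)s, 0), passes((enum sample)s, 1));
    return 0;
}
```

The empty and truncated samples are the cases where the two checks disagree, which is why fingerprints recorded with the content-only check can stop matching once the length is enforced.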