Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Question Regarding Passive Fingerprinting

From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Tue, 25 Aug 2009 00:49:01 -0500
Bill Stearns' passer.py tool does passive fingerprinting
(http://www.stearns.org/passer/) on top of scapy.

Among other things, it uses nmap's service fingerprint database.  I
believe it relies on p0f for OS detection.  It also uses some files
from arp-scan, wireshark, and ettercap.

-Jason

On Sun, Aug 23, 2009 at 1:09 PM, Jay Fink<> wrote:

Ron,

Thanks for the pointer - that answers the question precisely. It was
what I was thinking while I was drafting the email :)
that is that nmap isn't really designed for passive fingerprinting -
but there are plenty of other tools that are.

j


On Sun, Aug 23, 2009 at 2:06 PM, Ron<> wrote:

On 08/23/2009 01:03 PM, Jay Fink wrote:


Hello,

I have a question/suggestion regarding a capability I discussed with a
coworker recently. Essentially I was asked if something like this
sounded feasible:

   Have nmap run as a daemon which reads packets passively then
reports the service based on port/strings/payload/whatever...

Well - that is the short short version; my response was:

   I would think ncat would be where something like that would be
employed or nse; the steps might be instead of trying to do it all
live something more akin to perhaps session recording then post
processing (or processing in transit) the information.

My questions are really two:

 - does the nmap suite do this already?
 - and if not; was I even close to the mark? :)

Thanks,
    Jay


I can't answer your question well, but I can point you to this chapter in
the Nmap book, "Fingerprinting Methods avoided by Nmap". It talks about
fingerprinting methods that Nmap avoids and why, and it includes a section
on passive fingerprinting:

http://nmap.org/book/osdetect-other-methods.html

Ron

--
Ron Bowes
http://www.skullsecurity.org/





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Previous By Date Next
Previous By Thread Next

Current thread: