Nmap Development mailing list archives

Re: SinFP OS fingerprinting


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Tue, 31 May 2011 14:26:48 -0500

I had to install some packages via apt-get that wouldn't work through
CPAN, but I got it working.

I hit a Solaris box and got this from SinFP
---
$ time sudo sinfp.pl -i www.xxx.yyy.126
*** Net::Packet is obsolete, you will receive no support.
*** Now use Net::Frame::* modules.
P1: B11113 F0x12 W49312 O0204ffff M1460
P2: B11113 F0x12 W49232 O0101080affffffff444541440204ffff0103030001010402 M1460
P3: B01023 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2: Unix: SunOS: 5.10
IPv4: HEURISTIC0/P1P2: Unix: SunOS: 5.9

*** File [sinfp4-127.0.0.1.anon.pcap] generation done.
*** Please send it to sinfp () gomor org if you think this is not
*** the good identification, or if it is a new signature.
*** In this last case, please specify `uname -a' (or equivalent)
*** from the target host.

real    0m1.140s
user    0m1.052s
sys     0m0.084s
---

and this from nmap using the minimal options to detect OS
---
$ time sudo nmap -O www.xxx.yyy.126

Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-31 13:44 CDT
Nmap scan report for server.domain.com (www.xxx.yyy.126)
Host is up (0.0019s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
898/tcp   open  sun-manageconsole
1099/tcp  open  rmiregistry
5987/tcp  open  wbem-rmi
5988/tcp  open  wbem-http
10000/tcp open  snet-sensor-mgmt
13722/tcp open  netbackup
13782/tcp open  netbackup
13783/tcp open  netbackup
32768/tcp open  filenet-tms
OS fingerprint not ideal because: Host distance (6 network hops) is
greater than five
No OS matches for host
Network Distance: 6 hops

OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.69 seconds

real    0m32.727s
user    0m1.880s
sys     0m0.080s
---

Nmap was slower and less accurate in this instance.

So if you just want to know what OS something is running, SinFP is a
good tool (assuming your OS is in the database which will only get
better as time goes on).  It is both fast and quiet.
SinFP complements nmap well, I think.  I found it much harder to
install than nmap because my vanilla perl installation was missing
most of the support modules it needed.

Just for fun, I kicked nmap up a few levels and got this
---
$ time sudo nmap -sSCUV -v -O
-pT:0-65535,U:58437,53,67,68,69,88,111,123,135,137,138,139,161,162,445,500,514,520,631,1433,1434,1812,1813,1900,4500,6481,49152-49161
--version-intensity 9 --reason --script '(safe and not broadcast and
not firewalk.nse),default,version,smtp-open-relay.nse' www.xxx.yyy.126

Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-31 13:48 CDT
Nmap scan report for server.domain.com (www.xxx.yyy.126)
Host is up, received reset (0.0017s latency).
Not shown: 65553 closed ports
Reason: 65518 resets and 35 port-unreaches
PORT      STATE SERVICE    REASON       VERSION
21/tcp    open  ftp        syn-ack      vsftpd 2.0.8 or later
| banner: 220-Authorized uses only. All activity may be monitored and rep
|_orted.\x0D\x0A220-\x0D\x0A220 server-mem FTP server ready.
22/tcp    open  ssh        syn-ack      SunSSH 1.1.1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms (2)
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (2)
|       ssh-rsa
|       ssh-dss
|   encryption_algorithms (3)
|       aes128-cbc
|       blowfish-cbc
|       3des-cbc
|   mac_algorithms (2)
|       hmac-sha1
|       hmac-md5
|   compression_algorithms (2)
|       none
|_      zlib
| ssh-hostkey: 1024 f8:88:96:9a:dc:15:90:04:22:dd:00:d9:da:7e:52:dd (DSA)
|_1024 b5:e7:ed:68:65:d2:4b:97:66:f8:35:a6:43:03:87:63 (RSA)
|_banner: SSH-2.0-Sun_SSH_1.1.1
80/tcp    open  http       syn-ack      Apache httpd
|_http-date: Tue, 31 May 2011 19:18:18 GMT; -1m02s from local time.
|_http-title: 403 Forbidden
| http-headers:
|   Date: Tue, 31 May 2011 19:18:18 GMT
|   Server: Apache
|   Content-Length: 202
|   Connection: close
|   Content-Type: text/html; charset=iso-8859-1
|
|_  (Request type: GET)
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-malware-host: Host appears to be clean
665/tcp   open  sun-dr?    syn-ack
898/tcp   open  http       syn-ack      Solaris management console
server (Java 1.4.1_06; Tomcat 2.1; SunOS 5.9 sparc)
| http-methods: GET HEAD TRACE OPTIONS
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Solaris Management Console Server 2.1
|_http-malware-host: Host appears to be clean
| http-headers:
|   Date: Tue, 31 May 02011 19:18:17 GMT
|   Server: Tomcat/2.1
|   Content-Type: text/html
|   Content-Length: 3220
|   Servlet-Engine: Tomcat/2.1 (Java 1.4.1_06; SunOS 5.9 sparc;
java.vendor=Sun Microsystems Inc.)
|   Last-Modified: Mon, 15 Apr 02002 06:29:11 GMT
|
|_  (Request type: HEAD)
|_http-date: Tue, 31 May 02011 19:18:18 GMT; -1m02s from local time.
1099/tcp  open  jrmi       syn-ack      Java RMI
4080/tcp  open  http       syn-ack      Jetty httpd
|_http-malware-host: Host appears to be clean
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Error 404 - Not Found
|_http-date: Tue, 31 May 2011 19:18:19 GMT; -1m01s from local time.
| http-headers:
|   Date: Tue, 31 May 2011 19:18:19 GMT
|   Server: Cyclone HTTP(S) Server
|   Connection: close
|   Content-Type: text/html
|   Content-Length: 930
|
|_  (Request type: GET)
4081/tcp  open  ssl/http   syn-ack      Jetty httpd
| ssl-cert: Subject: commonName=server-mem/organizationName=My Company
| Issuer: commonName=server-mem/organizationName=My Company
| Public Key type: rsa
| Public Key bits: 512
| Not valid before: 2006-04-11 18:15:40
| Not valid after:  2011-04-11 18:15:40
| MD5:   ba09 a4f7 caad b8db 6549 648f 9a75 9da3
|_SHA-1: 4555 d30b 4363 19ac 824e cbf3 b24e cb1a b2a0 278f
|_http-date: Tue, 31 May 2011 19:18:18 GMT; -1m02s from local time.
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Error 404 - Not Found
| http-headers:
|   Date: Tue, 31 May 2011 19:18:20 GMT
|   Server: Cyclone HTTP(S) Server
|   Connection: close
|   Content-Type: text/html
|   Content-Length: 778
|
|_  (Request type: GET)
|_http-malware-host: Host appears to be clean
5987/tcp  open  ssl/jrmi   syn-ack      Java RMI
| ssl-cert: Subject: commonName=server-mem
| Issuer: commonName=server-mem
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2011-03-15 16:45:44
| Not valid after:  2012-03-14 16:45:44
| MD5:   10d6 88f8 3490 8bf9 fdc6 b7b2 fb84 4289
|_SHA-1: 978b 7d61 c608 bcf9 f856 a545 e796 12a6 049f 1ef8
5988/tcp  open  http       syn-ack      Java 1.4.1_06
http.transport.HttpServerConnection httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-malware-host: Host appears to be clean
|_http-date: Tue, 31 May 2011 19:18:18 GMT; -1m02s from local time.
| http-headers:
|   Content-Length: 0
|   Server: Java/1.4.1_06
javax.wbem.client.adapter.http.transport.HttpServerConnection
|   Date: Tue, 31 May 2011 19:18:18 GMT
|   Connection: close
|
|_  (Request type: GET)
10000/tcp open  http       syn-ack      MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-date: Tue, 31 May 2011 19:18:13 GMT; -1m07s from local time.
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-headers:
|   Date: Tue, 31 May 2011 19:18:18 GMT
|   Server: MiniServ/0.01
|   Connection: close
|   Set-Cookie: testing=1; path=/
|   pragma: no-cache
|   Expires: Thu, 1 Jan 1970 00:00:00 GMT
|   Cache-Control: no-store, no-cache, must-revalidate
|   Cache-Control: post-check=0, pre-check=0
|   Content-type: text/html; Charset=iso-8859-1
|
|_  (Request type: GET)
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
|_http-malware-host: Host appears to be clean
13722/tcp open  netbackup  syn-ack      Veritas Netbackup java listener
13724/tcp open  vnetd      syn-ack      Veritas Netbackup Network Utility
13782/tcp open  tcpwrapped syn-ack
13783/tcp open  tcpwrapped syn-ack
32768/tcp open  mdcommd    syn-ack      1 (rpc #100422)
34946/tcp open  jrmi       syn-ack      Java RMI
47273/tcp open  ssl/jrmi   syn-ack      Java RMI
| ssl-cert: Subject: commonName=server-mem
| Issuer: commonName=server-mem
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2011-03-15 16:45:44
| Not valid after:  2012-03-14 16:45:44
| MD5:   10d6 88f8 3490 8bf9 fdc6 b7b2 fb84 4289
|_SHA-1: 978b 7d61 c608 bcf9 f856 a545 e796 12a6 049f 1ef8
123/udp   open  ntp        udp-response NTP v4
| ntp-info:
|   receive time stamp: Tue May 31 14:18:23 2011
|   system: SunOS
|   leap: 0
|   stratum: 4
|   rootdelay: 58.26
|   rootdispersion: 307.98
|   peer: 59148
|   refid: 192.168.30.133
|   reftime: 0xd18fbd52.124c1000
|   poll: 7
|   clock: 0xd18fbd79.96ac1000
|   phase: 0.248
|   freq: 25790.01
|_  error: 128.02
OS fingerprint not ideal because: Host distance (6 network hops) is
greater than five
No OS matches for host
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: SunOS

Host script results:
|_path-mtu: PMTU == 1500
|_ipidseq: Unknown
| asn-query:
| BGP: www.xxx.yyy.0/22 | Country: US
|   Origin AS: 19134 - DOMAIN - My Company National Corporation
|_    Peer AS: 701 4323
| qscan:
| PORT  FAMILY  MEAN (us)  STDDEV   LOSS (%)
| 0     0       5004.10    2965.25  0.0%
| 21    0       7009.40    6061.22  0.0%
| 22    0       4814.56    3078.42  10.0%
| 80    0       5549.20    4596.80  0.0%
| 665   0       0.00       -0.00    100.0%
| 898   0       5084.00    3314.85  0.0%
| 1099  0       4160.00    1093.36  0.0%
| 4080  0       5277.70    2908.35  0.0%
|_4081  0       5043.40    3113.46  0.0%

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect
results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1877.91 seconds
          Raw packets sent: 81895 (3.606MB) | Rcvd: 65615 (2.626MB)

real    31m17.944s
user    0m5.320s
sys     0m2.684s
---

Yeah.  It took half an hour, but SinFP can't touch that amount of
information about a server.

The two tools solve different problems.

-Jason

On Tue, May 31, 2011 at 12:13 PM, David Fifield <> wrote:
> On Tue, May 31, 2011 at 10:42:07AM -0500, DePriest, Jason R. wrote:
> > On Sat, May 28, 2011 at 8:32 AM, Brahim Sakka <> wrote:
> > > Hi list,
> > >
> > > Did anyone have a look at SinFP OS fingerprinter?
> > > http://www.gomor.org/bin/view/Sinfp/DocOverview
> > > It is claimed to "bypass Nmap limitations" and I don't like reading that
> > > about Nmap :)
> >
> > I'd love to test it out but I've been trying to get all of the
> > prerequisites installed via CPAN for about an hour now and I've come
> > up to one that won't install.
> >
> > I am extremely curious to see how well it can ID an OS with just a
> > single three-way handshake.
>
> It's actually three, not just one, TCP probes. They all go to the same
> open port. The author has a point that this reduces the chance of
> getting a mixed-up fingerprint when different ports for the same IP
> address are handled by different machines. On the other hand, it loses
> some discriminating power.
>
> http://www.gomor.org/files/sinfp-jcv.pdf
>
> When I tested it a little bit, its results were accurate but less
> precise than Nmap's. For example, "2.6" is often all the information
> available for a Linux version.
>
> 3|OSS|Linux|2.4.x|2.4.x|
> 4|OSS|Linux|2.6.x|2.6.x|
> 27|OSS|FreeBSD|6.1|6.x|BSD
> 61|Cisco|IOS|12.0|12.x|Router
> 125|HP|JetDirect|unknown|unknown|Printer
>
> David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/