Nmap Development mailing list archives

Re: TCP window, options information


From: David Fifield <david () bamsoftware com>
Date: Sat, 24 Sep 2011 13:54:09 -0700

On Sat, Sep 24, 2011 at 11:20:25PM +0400, Vasiliy Kulikov wrote:
> Hi,
> 
> Is there any way to get raw target TCP stack information like the initial
> window size or support for specific TCP options?  Most of this information
> should already be known after OS fingerprinting if at least one open port
> is found.  However, I cannot find any reference either in the documentation
> or in the NSE scripts.  I might simply have missed it, but probably the output of
> TCP stack info is not implemented yet?

That information is not available to NSE. It hasn't been implemented.
But also, it might be ambiguous. Some operating systems have different
initial window sizes for different probes, for example (see W1-W6):

Fingerprint 3Com Baseline Switch 2250-SFP Plus
Class 3Com | embedded || switch
WIN(W1=43E0%W2=4110%W3=423C%W4=43E0%W5=4180%W6=403D)

I have also seen the same OS send different TCP options (particularly
FreeBSD). Notice how the MSS differs in each response, and how O6 is
missing the "W" window scale.

Fingerprint FreeBSD 7.0-CURRENT
Class FreeBSD | FreeBSD | 7.X | general purpose
OPS(O1=M5B4NW8NNT11%O2=M578NW8NNT11%O3=M280NW8NNT11%O4=M3FD8NW8NNT11%O5=M218NW8NNT11%O6=M109NNT11)

The answer for you might be to send your own probe so that results are
consistent.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
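The ambiguity David describes can be seen directly by decoding the two fingerprint lines he quotes. The script below is an added example, not part of the original thread and not Nmap code: it parses the WIN and OPS test lines from an nmap-os-db excerpt (the two fingerprints above, embedded inline), decodes each per-probe value (MSS and window scale are hex; T is followed by two binary flags for non-zero TSval/TSecr, per Nmap's OPS encoding), and reports which values the stack did not keep constant across the six probes. The function names and the report layout are my own.

```python
import re

# Constructed input: exactly the two fingerprints quoted in the message above,
# not a full nmap-os-db.
OS_DB_EXCERPT = """\
Fingerprint 3Com Baseline Switch 2250-SFP Plus
Class 3Com | embedded || switch
WIN(W1=43E0%W2=4110%W3=423C%W4=43E0%W5=4180%W6=403D)
Fingerprint FreeBSD 7.0-CURRENT
Class FreeBSD | FreeBSD | 7.X | general purpose
OPS(O1=M5B4NW8NNT11%O2=M578NW8NNT11%O3=M280NW8NNT11%O4=M3FD8NW8NNT11%O5=M218NW8NNT11%O6=M109NNT11)
"""

TEST_LINE = re.compile(r"^([A-Z0-9]+)\((.*)\)$")   # e.g. WIN(...) or OPS(...)
HEX = re.compile(r"[0-9A-F]+")


def parse_db(text):
    """Return {fingerprint_name: {test_name: {attr: raw_value}}} for an nmap-os-db excerpt."""
    db, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Fingerprint "):
            current = line[len("Fingerprint "):]
            db[current] = {}
        elif current is not None and (m := TEST_LINE.match(line)):
            test, body = m.groups()
            db[current][test] = dict(item.split("=", 1) for item in body.split("%") if "=" in item)
    return db


def decode_options(s):
    """Decode one OPS value such as 'M5B4NW8NNT11' into (name, value) tuples in wire order."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        i += 1
        if c in ("M", "W"):                      # MSS / window scale, hex-encoded
            m = HEX.match(s, i)
            out.append(("MSS" if c == "M" else "WScale", int(m.group(), 16)))
            i = m.end()
        elif c == "T":                           # timestamp: TSval != 0, TSecr != 0
            out.append(("Timestamp", (s[i] == "1", s[i + 1] == "1")))
            i += 2
        elif c == "N":
            out.append(("NOP", None))
        elif c == "S":
            out.append(("SACKOK", None))
        elif c == "L":
            out.append(("EOL", None))
        else:
            raise ValueError(f"unknown option letter {c!r} in {s!r}")
    return out


def initial_windows(tests):
    """Per-probe initial window sizes (W1..W6) as integers."""
    return {probe: int(v, 16) for probe, v in tests.get("WIN", {}).items()}


def option_table(tests):
    """Per-probe decoded option lists (O1..O6)."""
    return {probe: decode_options(v) for probe, v in tests.get("OPS", {}).items()}


def inconsistencies(tests):
    """Report what this stack did NOT keep constant across the OS-detection probes.

    An empty dict means a single 'initial window' / 'option support' answer
    would be unambiguous for this fingerprint.
    """
    report = {}
    wins = initial_windows(tests)
    if len(set(wins.values())) > 1:
        report["window"] = sorted(set(wins.values()))
    opts = option_table(tests)
    if opts:
        mss = {dict(o).get("MSS") for o in opts.values()}
        if len(mss) > 1:
            report["mss"] = sorted(x for x in mss if x is not None)
        with_wscale = {p for p, o in opts.items() if any(n == "WScale" for n, _ in o)}
        if 0 < len(with_wscale) < len(opts):
            report["wscale_missing_in"] = sorted(set(opts) - with_wscale)
    return report


if __name__ == "__main__":
    for name, tests in parse_db(OS_DB_EXCERPT).items():
        print(name, "->", inconsistencies(tests) or "consistent across probes")
```

Run against the excerpt, the 3Com switch reports five distinct initial windows across six probes, and the FreeBSD entry reports six distinct MSS values plus a missing window scale in O6. That is the concrete reason a single "the target's initial window is X" answer cannot be read off an OS match, and why a probe of your own, with fixed options, gives a value you can actually compare between hosts.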

