Nmap Development mailing list archives

Re: Nmap 5.61TEST2 released - IPv6 OS detection


From: David Fifield <david () bamsoftware com>
Date: Fri, 30 Sep 2011 19:26:11 -0700

On Fri, Sep 30, 2011 at 11:45:18AM -0700, Fyodor wrote:
> Hi Folks!  Thanks to your IPv6 OS detection submissions, we've been
> able to incorporate them into the new machine learning system and
> enable IPv6 OS detection.  So if you scan your submitted machines
> again, they should now be properly identified in Nmap output.
> 
> Of course the DB is still small, so if you get a fingerprint printed
> by Nmap, please do submit it.  Also, if the reported OS version is
> wrong (even just by a minor version number), please submit a
> correction at http://insecure.org/cgi-bin/submit.cgi?corr-os.
> Corrections are particularly important for this new machine learning
> system.

The IPv6 OS classifier works quite differently from the IPv4 one. I hope
that the classifier will offer more robust matching and (especially)
reduced maintenance.

The main thing to be aware of is that the IPv6 classifier is more likely
to make a guess when seeing an OS not exactly like one it has seen
before. The IPv4 classifier avoids printing a guess (unless you use
--osscan-guess) and asks you to submit instead. It's not as easy to know
when to ask for a submission in the new system. The plus side is that
you'll get OS results more often, but the downside is that when a result
is wrong it can be really wrong. I have some ideas for improving this,
but it will be a process taking time. The important thing is to send in
fingerprints when you see them (use -d if the guess is wrong).

If you want to see some of how the engine works inside, run with -d3.
One of the things you'll see is the raw scores for each of the known OS
classes:
        52.6999  56 Linux 2.6.32 - 3.0.0
        18.9517  52 Linux 2.6.35 - 2.6.39
        10.2107  54 Linux 2.6.32 - 2.6.35
         3.1143  53 Linux 2.6.38 - 2.6.39
         2.6010   8 Linux 2.6.11 - 2.6.15
         1.7468  45 Linux 2.6.18 - 2.6.30
         1.5075  43 AVM FRITZ!Box 7390 WAP or Cisco SA520 Security Appliance
         1.3501   5 Vyatta Core 6.3 (Linux 2.6.37)
         1.1511  14 Linux 2.6.27
        ...
You'll also see a really long line with the feature values extracted
from the probe responses:
        v = {40, 0, 40, 0, 40, 0, 40, 0, 40, 0, 36, 0, 128, 0, 88, 0, \
        -1, -1, -1, -1, 356, 0, 32, 0, -1, -1, 40, 0, 20, 0, 20, 0, 20, \
        0, 20, 0, 998374144.0958612, 32728, 0, 1, 0, 0, 1, 0, 0, 0, 0, ...
These numbers come straight out of the vectorize function in
FPEngine.cc. The engine scales this vector and takes its dot product
with each of the columns in FPmodel.cc. The column that gets the highest
value corresponds to the OS guess.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
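The vectorize, scale, dot-product and pick-the-highest-column flow that David describes above, as an added example that is not part of this thread and not Nmap's own code. Everything concrete in it is constructed for illustration: the probe labels S1/S2/S3, the two features per probe (reply payload length and hop limit), the (mean, stddev) scaling table, the model columns, and the softmax used to turn raw scores into the percentage-looking numbers. The real constants live in FPmodel.cc and are not reproduced; the message does not say how Nmap derives its printed scores, so the softmax is an assumption. Class names are borrowed from the -d3 listing only as labels and the weights say nothing about those systems.

```python
"""Toy re-creation of the scale -> dot-product -> argmax classifier that
the message describes for Nmap's IPv6 OS engine.

Added example, not code from Nmap: probe layout, feature vector, scaling
constants, model columns and the softmax are all constructed here (the real
constants live in FPmodel.cc).  Only the overall flow follows the text.
"""
import math

# Constructed probe labels: each probe contributes two features, the
# payload length and the hop limit of the reply.
PROBES = ("S1", "S2", "S3")

# Constructed sample responses.  S3 got no reply, which the real vector
# also marks with -1 (see the "-1, -1" entries in the v = {...} line).
SAMPLE_RESPONSES = {
    "S1": {"plen": 40, "hlim": 64},
    "S2": {"plen": 36, "hlim": 128},
    "S3": None,
}

# Constructed per-feature (mean, stddev) scaling parameters.  Feature 4
# has stddev 0 to exercise the division-by-zero guard in scale().
SCALE = [(38.0, 4.0), (64.0, 32.0), (36.0, 2.0),
         (96.0, 32.0), (0.0, 0.0), (0.0, 1.0)]

# Constructed model: one column (weights plus bias) per OS class.  The
# class names are taken from the -d3 listing in the message; the numbers
# are made up and carry no information about those systems.
MODEL = {
    "Linux 2.6.32 - 3.0.0":           ([1.2, 0.3, 0.4, 1.5, -0.2, -0.2], 0.5),
    "Linux 2.6.35 - 2.6.39":          ([0.9, 0.2, 0.3, 1.1, -0.1, -0.1], 0.2),
    "Vyatta Core 6.3 (Linux 2.6.37)": ([-0.8, 0.1, -0.5, -1.0, 0.6, 0.6], -0.3),
}


def vectorize(responses):
    """Flatten per-probe responses into one feature vector, -1 for no reply."""
    v = []
    for probe in PROBES:
        reply = responses.get(probe)
        if reply is None:
            v.extend([-1, -1])
        else:
            v.extend([reply["plen"], reply["hlim"]])
    return v


def scale(v, params):
    """Standardise each feature as (x - mean) / stddev.

    The -1 "no response" markers are scaled like any other value; the
    model columns are what give them meaning.
    """
    if len(v) != len(params):
        raise ValueError("feature count does not match scaling table")
    out = []
    for x, (mean, sd) in zip(v, params):
        if sd == 0:      # constant feature in training data: avoid division by zero
            sd = 1.0
        out.append((x - mean) / sd)
    return out


def classify(v):
    """Score every model column against the scaled vector; highest wins.

    Returns [(name, raw_score, percent), ...] sorted best first.  The
    percent column is a softmax over the raw scores, an assumption made
    here so the output resembles the -d3 listing.
    """
    s = scale(v, SCALE)
    raw = {}
    for name, (weights, bias) in MODEL.items():
        if len(weights) != len(s):
            raise ValueError("model column %r has wrong length" % name)
        raw[name] = sum(w * x for w, x in zip(weights, s)) + bias
    top = max(raw.values())            # subtract the max for numerical stability
    exps = {n: math.exp(r - top) for n, r in raw.items()}
    total = sum(exps.values())
    ranked = [(n, raw[n], 100.0 * exps[n] / total) for n in raw]
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


if __name__ == "__main__":
    vec = vectorize(SAMPLE_RESPONSES)
    print("v =", vec)
    for name, raw_score, pct in classify(vec):
        print("%8.4f  %7.3f  %s" % (pct, raw_score, name))
```

Running it prints the constructed vector and then one line per class in the same best-first order as the -d3 output. The point to notice is the one David makes: there is no "no match" outcome. An unseen OS still produces a scaled vector, every column still gets a dot product, and the largest one is reported, so a wrong answer comes out looking just as confident as a right one; the only signal is how close the runner-up scores are.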