Nmap Development mailing list archives
Re: Nmap 5.61TEST2 released - IPv6 OS detection
From: David Fifield <david () bamsoftware com>
Date: Fri, 30 Sep 2011 19:26:11 -0700
On Fri, Sep 30, 2011 at 11:45:18AM -0700, Fyodor wrote:
> Hi Folks! Thanks to your IPv6 OS detection submissions, we've been able to incorporate them into the new machine learning system and enable IPv6 OS detection. So if you scan your submitted machines again, they should now be properly identified in Nmap output. Of course the DB is still small, so if you get a fingerprint printed by Nmap, please do submit it. Also, if the reported OS version is wrong (even just by a minor version number), please submit a correction at http://insecure.org/cgi-bin/submit.cgi?corr-os. Corrections are particularly important for this new machine learning system.
The IPv6 OS classifier works quite differently from the IPv4 one. I hope that the classifier will offer more robust matching and (especially) reduced maintenance. The main thing to be aware of is that the IPv6 classifier is more likely to make a guess when seeing an OS not exactly like one it has seen before. The IPv4 classifier avoids printing a guess (unless you use --osscan-guess) and asks you to submit instead. It's not as easy to know when to ask for a submission in the new system. The plus side is that you'll get OS results more often, but the downside is that when a result is wrong it can be really wrong. I have some ideas for improving this, but it will be a process taking time. The important thing is to send in fingerprints when you see them (use -d if the guess is wrong).

If you want to see some of how the engine works inside, run with -d3. One of the things you'll see is the raw scores for each of the known OS classes:

  52.6999 56 Linux 2.6.32 - 3.0.0
  18.9517 52 Linux 2.6.35 - 2.6.39
  10.2107 54 Linux 2.6.32 - 2.6.35
   3.1143 53 Linux 2.6.38 - 2.6.39
   2.6010  8 Linux 2.6.11 - 2.6.15
   1.7468 45 Linux 2.6.18 - 2.6.30
   1.5075 43 AVM FRITZ!Box 7390 WAP or Cisco SA520 Security Appliance
   1.3501  5 Vyatta Core 6.3 (Linux 2.6.37)
   1.1511 14 Linux 2.6.27
  ...

You'll also see a really long line with the feature values extracted from the probe responses:

  v = {40, 0, 40, 0, 40, 0, 40, 0, 40, 0, 36, 0, 128, 0, 88, 0, \
  -1, -1, -1, -1, 356, 0, 32, 0, -1, -1, 40, 0, 20, 0, 20, 0, 20, \
  0, 20, 0, 998374144.0958612, 32728, 0, 1, 0, 0, 1, 0, 0, 0, 0, ...

These numbers come straight out of the vectorize function in FPEngine.cc. The engine scales this vector and takes its dot product with each of the columns in FPmodel.cc. The column that gets the highest value corresponds to the OS guess.

David Fifield
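The scoring step David describes (scale the feature vector, dot it with each class column, report the highest) as an added toy re-implementation; this is illustration code, not Nmap's FPEngine.cc or FPmodel.cc, and the class indices, scale factors, weight columns, sample feature vector and the rule that unobserved (-1) features contribute nothing are all constructed assumptions.

```python
# Added example: toy version of the linear scoring described above.
# All numbers below are CONSTRUCTED for illustration; none come from
# Nmap's FPmodel.cc. Output mimics the "score index name" layout of -d3.

# Constructed class index -> name table (indices chosen to resemble -d3 output).
CLASSES = {
    56: "Linux 2.6.32 - 3.0.0",
    52: "Linux 2.6.35 - 2.6.39",
    14: "Linux 2.6.27",
}

# Constructed per-feature scaling (a, b): scaled = (x - a) / b, standing in
# for "the engine scales this vector" before the dot product.
SCALE = [(0.0, 40.0), (0.0, 128.0), (0.0, 356.0), (0.0, 32.0)]

# Constructed weight "columns", one per class. Each has len(SCALE) + 1
# entries; the last entry is a bias term picked up by a constant 1.0 feature.
MODEL = {
    56: [2.0, 1.5, 0.5, 1.0, 0.2],
    52: [1.0, 1.2, 0.8, 0.5, 0.1],
    14: [0.3, 0.4, 0.2, 0.1, 0.0],
}


def scale(v):
    """Scale raw features. A -1 marks a feature that was not observed (the
    probe got no usable response); assumption: it is mapped to 0 so it adds
    nothing to any class score."""
    return [0.0 if x < 0 else (x - a) / b for x, (a, b) in zip(v, SCALE)]


def score_classes(v):
    """Dot the scaled vector with every class column; return
    [(score, index, name)] sorted highest first, like the -d3 dump."""
    s = scale(v) + [1.0]  # constant 1.0 so the bias weight is included
    results = []
    for idx, w in MODEL.items():
        dot = sum(a * b for a, b in zip(s, w))
        results.append((dot, idx, CLASSES[idx]))
    results.sort(reverse=True)
    return results


def guess(v):
    """The top-scoring column is the OS guess that would be printed."""
    return score_classes(v)[0]


if __name__ == "__main__":
    sample = [40, 128, -1, 32]  # constructed probe-response features
    for score, idx, name in score_classes(sample):
        print(f"{score:.4f} {idx} {name}")
```

The ranking, not the absolute score, decides the guess, which is why a vector unlike anything in the model still produces a confident-looking top line; that is the "can be really wrong" case above.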