Nmap Development mailing list archives

Re: OS integration highlights


From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Jul 2013 14:15:33 -0700

On Thu, Jun 27, 2013 at 04:01:51PM -0500, Daniel Miller wrote:
> Have you documented the process of integrating fingerprint
> submissions anywhere? I'd like to get an understanding of how the
> data are combined and ordered, and it would make a good continuity
> document to increase the project's bus depth. Just something to
> think about. Thanks for all the hard work!

I should write up the process some time. Here is a synopsis.

OS fingerprint submissions and corrections go in a big mbox file. I open
the mbox with mutt, having this in .muttrc:
        macro pager "p" "<pipe-message>/home/david/fp/OSassist<enter>"
        macro index "p" "<pipe-message>/home/david/fp/OSassist<enter>"
OSassist is probably the single most time-saving tool I've used (hours
saved over lifetime). It was written by Michael Pattrick for GSoC 2008.
Here are screenshots: https://www.bamsoftware.com/wiki/Nmap/OSIntegratorAssistantRequirements.
OSassist shows the top 10 matches (like what --osscan-guess shows you)
plus the parts that fail to match. Then I press 'm' to see a merge of
the currently selected fingerprint and the submitted one, press 'd' to
toggle viewing a diff and viewing the fingerprint, and 'f' to copy the
displayed fingerprint to the X11 clipboard. From there I can paste it
into vi and fill out the Fingerprint, Class, and CPE lines. But very
often all I do is make a minor modification to an existing fingerprint,
which I do manually in vi or by selectively pasting a line from
OSassist.

Submissions that lack any OS identification, and redundant perfect
matches (there are a lot of them), I get past in under 2 seconds. If I
have to modify a fingerprint slightly, it might take 30 seconds. I spend
1 or 2 minutes researching various hardware items, to make sure I get
the capitalization of the model number right and everything. I might
spend up to 10 minutes researching a previously unseen OS or an apparent
distinguisher in new versions (like the Linux 3.7 one in the last
highlights).

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
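The message above describes the integration step in terms of OSassist features: the submitted fingerprint is compared test by test against a database entry, the mismatching parts are shown as a diff, and a merged fingerprint can be produced from the two. The following is an added example that illustrates that comparison and merge on nmap-os-db style text; it is not OSassist's or Nmap's own code, and it handles only a subset of the database's value syntax ('|' alternatives and hex 'LO-HI' ranges; the other expression forms the real database uses are not implemented). The database entry and the submission below are constructed samples, not real nmap-os-db records.

```python
"""Diff and merge Nmap OS fingerprints in the style of the OSassist workflow.

Added example, not OSassist's or Nmap's code. Assumptions: nmap-os-db style
text; '|' separates alternative values and hex 'LO-HI' is a range. Other
value expressions found in the real database are not handled here.
"""
import re

# A test line looks like NAME(K=V%K=V...); anything else is a header line.
TEST_RE = re.compile(r"^([A-Z][A-Z0-9]*)\((.*)\)$")
SKIP_TESTS = {"SCAN"}  # per-submission metadata, never part of a DB entry


def parse_fingerprint(text):
    """Return (header_lines, tests); tests maps e.g. 'SEQ' -> {'SP': 'FB-105', ...}."""
    headers, tests = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TEST_RE.match(line)
        if not m:
            headers.append(line)  # Fingerprint / Class / CPE lines
            continue
        name, body = m.groups()
        attrs = {}
        for pair in filter(None, body.split("%")):
            key, _, value = pair.partition("=")
            attrs[key] = value
        tests[name] = attrs
    return headers, tests


def _hex(s):
    try:
        return int(s, 16)
    except ValueError:
        return None


def value_matches(db_value, seen_value):
    """True if seen_value is covered by one of db_value's '|' alternatives."""
    for alt in db_value.split("|"):
        if alt == seen_value:
            return True
        lo, dash, hi = alt.partition("-")
        if dash:  # hex range such as FB-105
            lo_n, hi_n, seen_n = _hex(lo), _hex(hi), _hex(seen_value)
            if None not in (lo_n, hi_n, seen_n) and lo_n <= seen_n <= hi_n:
                return True
    return False


def diff_fingerprints(db_text, submitted_text):
    """List (test, attr, db_value, seen_value) for every attribute that fails to match.
    A test or attribute missing on one side is reported with None in its place."""
    _, db_tests = parse_fingerprint(db_text)
    _, seen_tests = parse_fingerprint(submitted_text)
    out = []
    for test in sorted((set(db_tests) | set(seen_tests)) - SKIP_TESTS):
        db_attrs, seen_attrs = db_tests.get(test), seen_tests.get(test)
        if db_attrs is None or seen_attrs is None:
            out.append((test, None, db_attrs, seen_attrs))
            continue
        keys = list(db_attrs) + [k for k in seen_attrs if k not in db_attrs]
        for attr in keys:
            d, s = db_attrs.get(attr), seen_attrs.get(attr)
            if d is None or s is None or not value_matches(d, s):
                out.append((test, attr, d, s))
    return out


def render_fingerprint(headers, tests):
    lines = list(headers)
    for test, attrs in tests.items():
        body = "%".join(f"{k}={v}" for k, v in attrs.items())
        lines.append(f"{test}({body})")
    return "\n".join(lines) + "\n"


def merge_fingerprints(db_text, submitted_text):
    """Return the DB entry with each unmatched submitted value added as a '|' alternative.
    Tests present in only one of the two inputs are left as they are in the DB entry."""
    headers, db_tests = parse_fingerprint(db_text)
    merged = {t: dict(a) for t, a in db_tests.items()}
    for test, attr, d, s in diff_fingerprints(db_text, submitted_text):
        if attr is None or s is None:
            continue
        merged[test][attr] = s if d is None else f"{d}|{s}"
    return render_fingerprint(headers, merged)


# Constructed sample DB entry (not a real nmap-os-db record).
DB_ENTRY = """\
Fingerprint Linux 3.7
Class Linux | Linux | 3.X | general purpose
CPE cpe:/o:linux:linux_kernel:3.7
SEQ(SP=FB-105%GCD=1-6%ISR=10A-114%TI=Z%CI=Z%II=I%TS=8)
OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
"""

# Constructed sample submission; the SCAN line carries scan metadata and is ignored.
SUBMISSION = """\
SCAN(V=6.25%E=4%D=7/1%OT=22%CT=1%CU=1%PV=N%DS=1%DC=D%G=Y%TM=51D1F9C0%P=x86_64-unknown-linux-gnu)
SEQ(SP=100%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
"""

if __name__ == "__main__":
    for test, attr, d, s in diff_fingerprints(DB_ENTRY, SUBMISSION):
        print(f"{test}.{attr}: db={d!r} seen={s!r}")
    print(merge_fingerprints(DB_ENTRY, SUBMISSION))
```

Run as a script, it reports the single unmatched attribute in the sample (SEQ.TS, where the entry has 8 and the submission has A; SP, GCD and ISR fall inside the entry's ranges) and prints the merged entry with TS=8|A, which is the kind of "minor modification to an existing fingerprint" the message describes making by hand.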