Nmap Development mailing list archives
Re: Tracking down OS fingerprint bug
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 30 Oct 2013 09:30:17 -0500
On 10/29/2013 06:16 PM, David Fifield wrote:
> On Tue, Oct 29, 2013 at 03:25:13PM -0500, Daniel Miller wrote:
> > David, I'm trying to find out what process is resulting in fingerprints with lines like this:
> >
> > WIN(W1=FFFF%W2=FFFF%W1|W2|W3|W4|W5=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)
>
> I thought I posted an explanation for this, but it looks like it never made it to the mailing list.
>
> This looks like it's probably my fault--it looks like I was manually expanding the window scaling factors allowed from just W3 to W0 and W3.
>
> O1=M4ECNW3NNS → O1=M4ECNW0NNS|M4ECNW3NNS
> O2=M4ECNW3NNS → O2=M4ECNW0NNS|M4ECNW3NNS
> O3=M4ECNW3 → O3=M4ECNW0|M4ECNW3
> etc.
>
> I probably did it with a replacement like
> s/\(\w*\)W3\(\w*\)/\1W0\2|\1W3\2/
> The window scaling factor W3 happened to coincide with W3, a TCP window size.
>
> I'm 100% sure that's the cause. I'll bet you find most instances of the problem with FreeBSD, because in FreeBSD the window scaling factor comes in the middle of the options, and in Linux it comes at the end, so with Linux fingerprints I would rather use a replacement like
> s/\(\w+\)W3/\1W0|\1W3/
>
> David
List,

The issue with corrupted WIN lines in OS fingerprints () should be solved as of r32477. In all, 24 fingerprints had been corrupted. You may return to your regularly-scheduled scanning!
Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
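The failure mode discussed in this thread, as an added example that is not part of the original messages and is not Nmap project code: a check that flags WIN/OPS lines whose attribute names are malformed, next to a version of the W3 to W0|W3 expansion that is scoped to OPS values. The function names and the `CLEAN_WIN` line are constructed for illustration, and the unscoped pattern is transcribed into Python regex syntax and applied to every match.

```python
import re

# WIN has attributes W1..W6 and OPS has O1..O6 (Nmap OS fingerprint tests).
VALID_KEYS = {"WIN": re.compile(r"W[1-6]"), "OPS": re.compile(r"O[1-6]")}
LINE_RE = re.compile(r"^(WIN|OPS)\((.*)\)$")

def lint_line(line):
    """Return problems found in one WIN(...) or OPS(...) line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []          # not a line type this check covers
    test, body = m.groups()
    problems, seen = [], set()
    for attr in body.split("%"):
        key, sep, _value = attr.partition("=")
        if not sep or not VALID_KEYS[test].fullmatch(key):
            problems.append(f"bad attribute name {key!r}")
        elif key in seen:
            problems.append(f"duplicate attribute {key!r}")
        seen.add(key)
    return problems

def naive_expand(line):
    """The unscoped replacement quoted in the thread, in Python regex syntax."""
    return re.sub(r"(\w*)W3(\w*)", r"\1W0\2|\1W3\2", line)

def scoped_expand(line):
    """Expand window scale W3 to W0|W3 inside OPS values only."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(1) != "OPS":
        return line        # in WIN, W3 is an attribute name: leave it alone
    attrs = []
    for attr in m.group(2).split("%"):
        key, _, value = attr.partition("=")
        alts = []
        for alt in value.split("|"):
            w0 = re.sub(r"W3(?![0-9A-F])", "W0", alt)
            for cand in ([w0, alt] if w0 != alt else [alt]):
                if cand not in alts:   # keeps the expansion idempotent
                    alts.append(cand)
        attrs.append(f"{key}={'|'.join(alts)}")
    return f"OPS({'%'.join(attrs)})"

# Corrupted line quoted in the thread, plus a constructed clean WIN line.
CORRUPTED = "WIN(W1=FFFF%W2=FFFF%W1|W2|W3|W4|W5=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)"
CLEAN_WIN = "WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)"
```

Running `lint_line` over every WIN and OPS line after a bulk edit of the fingerprint database catches this class of corruption before it is committed.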