Re: Tracking down OS fingerprint bug

[Daniel Miller <bonsaiviking () gmail com>]

On 10/29/2013 06:16 PM, David Fifield wrote:
> On Tue, Oct 29, 2013 at 03:25:13PM -0500, Daniel Miller wrote:
> > David,
> >
> > I'm trying to find out what process is resulting in fingerprints
> > with lines like this:
> >
> > WIN(W1=FFFF%W2=FFFF%W1|W2|W3|W4|W5=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)
> I thought I posted an explanation for this, but it looks like it never
> made it to the mailing list.
>
> > This looks like it's probably my fault--it looks like I was manually
> > expanding the window scaling factors allowed from just W3 to W0 and W3.
> >          O1=M4ECNW3NNS → O1=M4ECNW0NNS|M4ECNW3NNS
> >          O2=M4ECNW3NNS → O2=M4ECNW0NNS|M4ECNW3NNS
> >          O3=M4ECNW3 → O3=M4ECNW0|M4ECNW3
> >          etc.
> > I probably did it with a replacement like
> >          s/\(\w*\)W3\(\w*\)/\1W0\2|\1W3\2/
> > The window scaling factor W3 happened to coincide with W3, a TCP window
> > size.
> I'm 100% sure that's the cause. I'll bet you find most instances of the
> problem with FreeBSD, because in FreeBSD the window scaling factor comes
> in the middle of the options, and in Linux it comes at the end, so with
> Linux fingerprints I would rather use a replacement like
>         s/\(\w+\)W3/\1W0|\1W3/
>
> David
List,

The issue with corrupted WIN lines in OS fingerprints () should be 
solved as of r32477. In all, 24 fingerprints had been corrupted. You may 
return to your regularly-scheduled scanning!

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/