Nmap Development mailing list archives

Re: Fwd: Help needed: hunting down OS fingerprints


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 07 Nov 2013 16:12:44 -0600

On 11/06/2013 02:56 PM, Jacek Wielemborek wrote:
Hi guys,

For the last three weeks so far I have been doing research on Internet
Census 2012 TCP/IP fingerprints data set. While my report is not yet
ready, I decided to share one of my findings with you earlier.

Today I grepped the data set looking for G=Y fingerprints. I noticed
that out of 80 million fingerprints, only about 50 000 were
suitable for submission. I tried to match them against nmap-os-db from
r32431 and found that 32663 of them had no perfect matches and 11 had
none. Since they could be potentially useful for the Nmap Project, I
decided to share them with you.

I attach a link with the excerpts from original Internet Census 2012
data set. The first two columns are real IP addresses and timestamps -
I kept them in case they proved useful. The third column is a
comma-separated list of top three matches in format "LLL[AAA]", where
LLL is the line number in nmap-os-db r32431 (could be off by one) and
AAA is the accuracy percentage.

Perhaps we could improve the database by using alternative methods of
OS detection? One could for example try scanning the ports of the
targets or contacting the owners. It would be great to help in Nmap
development.

Yours,
Jacek Wielemborek

PS. The original attachment was too big (300kb), so I put the
uncompressed version online:

http://pastebin.com/d8hZtr1i
http://pastebin.com/A56rWk4v
http://pastebin.com/kSY95Wcx
http://pastebin.com/zW4M2cUY
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

List,

I took Jacek's data and put it on GitHub as CSV files. GitHub has a nice JavaScript filtering system to make it easy to view. I also added reverse-DNS names and resolved the line numbers to the fingerprint names for the most-likely match in each case.

Please spread the word! These systems have all yielded good-quality fingerprints with no matches, so they would be excellent additions to our OS database. The more people hear about this, the more likely someone will submit a good fingerprint.

GitHub site: https://github.com/bonsaiviking/missing-os-fingerprints
Short URL: http://tinyurl.com/missing-fp
Reddit: http://www.reddit.com/r/netsec/comments/1q4sh2/nmap_has_no_idea_what_os_these_32k_ips_are/
Twitter: https://twitter.com/bonsaiviking/status/398572902749978624

Thanks!
Dan
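The excerpt layout Jacek describes (real IP, timestamp, then the top three matches as "LLL[AAA]" with LLL a line number in nmap-os-db and AAA the accuracy) and Dan's step of resolving those line numbers to fingerprint names can be reproduced with the Python below. This is an added example, not code from either poster or from the Nmap project. It assumes whitespace-separated columns (the post does not say), uses a constructed nmap-os-db excerpt in which only the "Fingerprint" header lines matter, and tolerates the off-by-one Jacek warns about by accepting a header up to one line after the given number; all function and sample names are mine.

```python
import re
from bisect import bisect_right
from dataclasses import dataclass

# Constructed nmap-os-db excerpt: only the layout matters (one "Fingerprint"
# header line per entry, followed by Class/CPE/probe lines). Names are made up.
SAMPLE_OS_DB = """\
# nmap-os-db (constructed excerpt, not the real database)

Fingerprint Example Vendor Router 1.0
Class Example Vendor | embedded || router
SEQ(SP=0-5%GCD=1-6%ISR=0-10%TI=I%II=I%SS=S%TS=U)
OPS(O1=M5B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)

Fingerprint Example OS 2.6.X
Class Example | Example OS | 2.6.X | general purpose
CPE cpe:/o:example:example_os:2.6 auto
SEQ(SP=C8-D2%GCD=1-6%ISR=C9-D3%TI=Z%II=I%TS=7)
"""

# Constructed rows in the layout Jacek describes: IP, timestamp, then the top
# three matches as "LLL[AAA]". Whitespace-separated columns are an assumption.
SAMPLE_ROWS = """\
192.0.2.10 1340000000 3[92],9[88],9[81]
192.0.2.11 1340000500 8[90],3[85],3[80]
"""

_HEADER_RE = re.compile(r"^Fingerprint (.+)$")
_MATCH_RE = re.compile(r"^(\d+)\[(\d+)\]$")


def index_fingerprints(os_db_text):
    """Return parallel lists (1-based line numbers, names) of Fingerprint header lines."""
    header_lines, names = [], []
    for lineno, line in enumerate(os_db_text.splitlines(), start=1):
        m = _HEADER_RE.match(line)
        if m:
            header_lines.append(lineno)
            names.append(m.group(1).strip())
    return header_lines, names


def resolve_line(lineno, header_lines, names, tolerance=1):
    """Map an nmap-os-db line number to the fingerprint whose entry contains it.

    The numbers "could be off by one", so a header up to `tolerance` lines
    after the given number is accepted; otherwise the nearest header at or
    before it wins, since each entry spans several lines. None if no header
    precedes the line at all.
    """
    i = bisect_right(header_lines, lineno + tolerance)
    if i == 0:
        return None
    return names[i - 1]


@dataclass
class Row:
    ip: str
    timestamp: str
    matches: list  # [(nmap-os-db line number, accuracy percent), ...]


def parse_row(line):
    """Parse one excerpt row; raises ValueError on a malformed match token."""
    ip, timestamp, match_field = line.split()
    matches = []
    for token in match_field.split(","):
        m = _MATCH_RE.match(token)
        if not m:
            raise ValueError(f"bad match token {token!r}")
        matches.append((int(m.group(1)), int(m.group(2))))
    return Row(ip, timestamp, matches)


def best_match_names(rows_text, os_db_text):
    """Return (ip, fingerprint name, accuracy) for the highest-accuracy match per row."""
    header_lines, names = index_fingerprints(os_db_text)
    out = []
    for line in rows_text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        # Pick by accuracy rather than trusting the column order.
        top_line, top_acc = max(row.matches, key=lambda m: m[1])
        out.append((row.ip, resolve_line(top_line, header_lines, names), top_acc))
    return out


if __name__ == "__main__":
    for ip, name, acc in best_match_names(SAMPLE_ROWS, SAMPLE_OS_DB):
        print(f"{ip}\t{name}\t{acc}%")
```

Run against the real nmap-os-db from r32431 (the revision Jacek matched against), the resolved names are only as good as the line numbers, which is why the tolerance exists; a different revision of the file would shift the line numbers and silently mislabel every row.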