Nmap Development mailing list archives
Re: [Patch] Improving OS Detection
From: John <nmap-dev () johnbond org>
Date: Mon, 07 Jul 2014 11:55:45 +0200
On 07/07/14 11:40, John wrote:
On 04/07/14 21:45, Daniel Miller wrote:On Fri, Jul 4, 2014 at 1:46 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote: If anyone else has ideas on how to avoid choosing ports that are actually responses by a firewall, I'd welcome them. This goes for TCP ports in open and closed states, and closed UDP ports (ICMP Port Unreachable responses).I normally use the TTL to try and determined if the repose is coming from a middle box. This type of stuff is no longer my day job but i never came across a middle box that faked the TTL of the destination. That said like everything NAT is a bitch. if the middle box is also the NAT device (which is common) then the TTL is always going to be equal to the middle box. So not perfect but might be something else to consider in the classification.
Actually im not sure that last bit about nat is true. I'm sure NAT will confuse things but i think NAT devices will just change source and/or destination fields as appose to writing a completely new ip header. John _______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [Patch] Improving OS Detection Jay Bosamiya (Jul 03)
- Re: [Patch] Improving OS Detection Daniel Miller (Jul 04)
- Re: [Patch] Improving OS Detection John (Jul 07)
- Re: [Patch] Improving OS Detection john (Jul 07)
- Re: [Patch] Improving OS Detection John (Jul 07)
- Re: [Patch] Improving OS Detection John (Jul 07)
- Re: [Patch] Improving OS Detection Daniel Miller (Jul 29)
- Re: [Patch] Improving OS Detection Daniel Miller (Jul 04)