Re: Strange Fingerprint

[Trevor Elliott <trevor () galois com>]

Hi David,

Thanks for the reply.

Are the results (SEQ etc.) different because the network stack was returning different results for the repeated tests?  
I noticed that if I scan my linux dev machine, I don't see any repeated tests in the fingerprint, so I was wondering if 
I had made an error during my implementation of HaNS :)

Thanks!

--trevor

On Sep 8, 2014, at 14:55, David Fifield <david () bamsoftware com> wrote:

> On Mon, Sep 08, 2014 at 10:58:01AM -0700, Trevor Elliott wrote:
> > Hi Everyone,
> >
> > I'm scanning a custom-built network stack, and am getting some
> > strange results in the fingerprint.  It ends up with multiple results
> > for the SEQ tests as well as a few others, which I wasn't sure how to
> > interpret:
> >
> > TCP/IP fingerprint:
> > OS:SCAN(V=6.45%E=4%D=9/8%OT=9001%CT=1%CU=40625%PV=Y%DS=1%DC=D%G=Y%M=525400%
> > OS:TM=540DE55C%P=x86_64-redhat-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=RD%CI=
> > OS:RI%TS=22)SEQ(CI=RI%II=RI)SEQ(CI=RD)OPS(O1=M5B4NNSNW3NNT11%O2=M5B4NNSNW3N
> > OS:NT11%O3=M5B4NW3NNT11%O4=M5B4NNSNW3NNT11%O5=M5B4NNSNW3NNT11%O6=M5B4NNSNNT
> > OS:11)WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000)ECN(R=Y%DF=Y%T=44
> > OS:%W=4000%O=M5B4NNSNW3NNLL%CC=N%Q=)ECN(R=N)T1(R=Y%DF=Y%T=44%S=O%A=S+%F=AS%
> > OS:RD=0%Q=)T1(R=N)T2(R=N)T3(R=Y%DF=Y%T=44%W=4000%S=O%A=S+%F=AS%O=M5B4NNSNW3
> > OS:NNT11%RD=0%Q=)T3(R=N)T4(R=Y%DF=Y%T=3B%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)T5(R=Y
> > OS:%DF=Y%T=44%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=44%W=0%S=A%A=S%F=A
> > OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=44%W=3908%S=O%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
> > OS:N%T=FC%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=FF%C
> > OS:D=S)
>
> If you run with --osscan-guess, you will get guesses instead of a
> fingerprint. For me they are:
>
> 94% 72135 OpenBSD 5.0 - 5.5 (OpenBSD | OpenBSD | 5.X | general purpose)
> 92% 71686 OpenBSD 4.4 (OpenBSD | OpenBSD | 4.X | general purpose)
> 91% 71777 OpenBSD 4.4 - 4.5 (OpenBSD | OpenBSD | 4.X | general purpose)
> 91% 72053 OpenBSD 4.9 - 5.1 (OpenBSD | OpenBSD | 4.X | general purpose)
>
> You get multiple SEQ lines because the OS test is done multiple times in
> preparation for making a fingerprint. Actually, there are multiple of
> all the other lines too, but Nmap removes lines that are exact
> duplicates before serializing the fingerprint.
>
> You should submit the fingerprint along with the exact version number of
> the network stack, so that it will be detected by a future version of
> Nmap.
>
> David Fifield
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

Attachment: smime.p7s
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/