Nmap Development mailing list archives

Request: IPv6 OS fingerprints needed desperately


From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 9 Feb 2016 10:20:21 -0600

Hi, List!

I've been doing the latest round of IPv6 OS fingerprint integration, and it
has become clear that we desperately need more fingerprints. I'm trying to
split some of the big fingerprint groups (like "Apple Mac OS X 10.6.8 -
10.9.5 (Snow Leopard - Mavericks) or iOS 4.3.3 - 6.1.3 (Darwin 10.8.0 -
13.4.0)") into smaller groups, since they can clearly be distinguished
based on the TCP window scale option value. But the classification engine
doesn't seem to like that: it won't give high enough weight to those groups
that have only one or two component fingerprints if there are others with
more prints that are similar.

I believe the solution is to include more fingerprints, but we only
received 12 submissions in the last 3 months, compared to over 500 IPv4
fingerprints in the same period. Even with the 4 OS X prints I was able to
collect myself, we still have some very anemic groups.

Since OS X is the only OS that is exhibiting this problem at the moment, I
am asking for your help to collect OS X fingerprints, even if the version
of Nmap you currently have can match them correctly (using -d or -v2 will
show the print even if it matched). Here's what we have; I'm hoping to get
at least 6 prints in each category:

Remote (targeting an IP address that doesn't start with fe80::) and
directly-connected scans (sudo nmap -6 -O -d -F -e en0 --script
targets-ipv6-multicast-* --script-args newtargets):
* 10.6 (Snow Leopard), 10.7 (Lion) - 8
* 10.8 (Mountain Lion), 10.9 (Mavericks) - 3
* 10.10 (Yosemite), 10.11 (El Capitan) - 4

Localhost scans (sudo nmap -6 -O -d -F localhost):
* 10.6 (Snow Leopard), 10.7 (Lion) - 4
* 10.8 (Mountain Lion), 10.9 (Mavericks) - 1
* 10.10 (Yosemite), 10.11 (El Capitan) - 3

I'm especially eager to get Mountain Lion fingerprints, since we actually
don't have any of those. I've included it with Mavericks above, since both
seem to use a TCP Window Scale value of 4 in IPv4 fingerprints.

Of course, any fingerprints are beneficial. I'm working on tweaking Nmap's
code so that it will ask at random for a submission of already-matching
fingerprints, especially if they have a high novelty score indicating that
they are very different-looking. For now, I'd say we could even handle the
volume if *every* matched print was submitted. Very few groups have more
than 5 prints, and those are pretty much all Linux.

Thanks for your help!
Dan
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
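The two collection commands in the post, wrapped as a small helper script for hosts you administer yourself. This is an added example, not code from the post or from the Nmap project: the `ipv6-prints` output directory, the function names, and the abbreviated sample scan output (made-up field values, labelled as constructed) are assumptions; the only thing taken from Nmap's real behaviour is that `-d` / `-v2` prints the fingerprint as consecutive lines prefixed `OS:` under a `TCP/IP fingerprint:` heading, which the helper strips and rejoins into the single line a submission wants.

```shell
#!/bin/sh
# Added example (not from the original post or from Nmap). Runs the two IPv6
# OS-detection scans requested in the post against hosts you own, saves the
# debug output, and extracts the "OS:" fingerprint block for submission.
# Assumption: output files go under $OUTDIR (default ./ipv6-prints).

OUTDIR=${OUTDIR:-./ipv6-prints}

# Read saved Nmap -d output on stdin; print the fingerprint as one line with
# the "OS:" line prefixes removed (the form used when submitting a print).
extract_fingerprint() {
    grep '^OS:' | sed 's/^OS://' | tr -d '\n'
    echo
}

# Exit status 0 if the output on stdin contains a fingerprint block at all
# (a scan that could not fingerprint the host prints no "OS:" lines).
has_fingerprint() {
    grep -q '^OS:'
}

# Localhost scan from the post (requires root for raw packets).
scan_localhost() {
    mkdir -p "$OUTDIR"
    sudo nmap -6 -O -d -F localhost > "$OUTDIR/localhost.txt"
}

# Directly-connected scan from the post: discover link-local neighbours via
# the multicast scripts on interface $1 (e.g. en0) and fingerprint them.
scan_link_local() {
    mkdir -p "$OUTDIR"
    sudo nmap -6 -O -d -F -e "$1" --script 'targets-ipv6-multicast-*' \
        --script-args newtargets > "$OUTDIR/link-$1.txt"
}

# Constructed, abbreviated sample of what the fingerprint block looks like in
# -d output. The field values are made up for illustration; a real IPv6 print
# is much longer. Note the line wrap inside "P=x8" / "6_64-...": the OS:
# lines must be joined, not copied one per line.
SAMPLE_OUTPUT='Nmap scan report for localhost (::1)
Host is up (0.00012s latency).
TCP/IP fingerprint:
OS:SCAN(V=7.01%E=6%D=2/9%OT=22%CT=1%CU=1%PV=N%DS=0%DC=L%G=Y%TM=56BA1234%P=x8
OS:6_64-apple-darwin15.3.0)'

# Demonstration on the constructed sample (no scan is run here).
printf '%s\n' "$SAMPLE_OUTPUT" | extract_fingerprint
```

To collect real prints, source the script and call `scan_localhost` and `scan_link_local en0`, then run `extract_fingerprint < ipv6-prints/localhost.txt` on each saved file; `has_fingerprint < file` tells you whether the scan produced a print before you bother opening it. The `E=6` field in the `SCAN(...)` group is what distinguishes an IPv6 print from an IPv4 one.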
