Nmap Development mailing list archives
Request: IPv6 OS fingerprints needed desperately
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 9 Feb 2016 10:20:21 -0600
Hi, List!

I've been doing the latest round of IPv6 OS fingerprint integration, and it has become clear that we desperately need more fingerprints. I'm trying to split some of the big fingerprint groups (like "Apple Mac OS X 10.6.8 - 10.9.5 (Snow Leopard - Mavericks) or iOS 4.3.3 - 6.1.3 (Darwin 10.8.0 - 13.4.0)") into smaller groups, since they can clearly be distinguished based on the TCP window scale option value. But the classification engine doesn't seem to like that: it won't give high enough weight to those groups that have only one or two component fingerprints if there are others with more prints that are similar.

I believe the solution is to include more fingerprints, but we only received 12 submissions in the last 3 months, compared to over 500 IPv4 fingerprints in the same period. Even with the 4 OS X prints I was able to collect myself, we still have some very anemic groups. Since OS X is the only OS that is exhibiting this problem at the moment, I am asking for your help to collect OS X fingerprints, even if the version of Nmap you currently have can match them correctly (using -d or -v2 will show the print even if it matched).

Here's what we have; I'm hoping to get at least 6 prints in each category:

Remote (targeting an IP address that doesn't start with fe80::) and directly-connected scans (sudo nmap -6 -O -d -F -e en0 --script targets-ipv6-multicast-* --script-args newtargets):

* 10.6 (Snow Leopard), 10.7 (Lion) - 8
* 10.8 (Mountain Lion), 10.9 (Mavericks) - 3
* 10.10 (Yosemite), 10.11 (El Capitan) - 4

Localhost scans (sudo nmap -6 -O -d -F localhost):

* 10.6 (Snow Leopard), 10.7 (Lion) - 4
* 10.8 (Mountain Lion), 10.9 (Mavericks) - 1
* 10.10 (Yosemite), 10.11 (El Capitan) - 3

I'm especially eager to get Mountain Lion fingerprints, since we actually don't have any of those. I've included it with Mavericks above, since both seem to use a TCP Window Scale value of 4 in IPv4 fingerprints. Of course, any fingerprints are beneficial.

I'm working on tweaking Nmap's code so that it will ask at random for a submission of already-matching fingerprints, especially if they have a high novelty score indicating that they are very different-looking. For now, I'd say we could even handle the volume if *every* matched print was submitted. Very few groups have more than 5 prints, and those are pretty much all Linux.

Thanks for your help!

Dan
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/