Penetration Testing mailing list archives
Re: [PEN-TEST] subnet discovery
From: Fyodor <fyodor () INSECURE ORG>
Date: Tue, 20 Mar 2001 16:51:03 -0800
On Tue, 20 Mar 2001, Gary E. Miller wrote:
> That is NOT necessarily the version of IPSO running. That is just the best guess from nmap. Last I checked nmap had no new sig for any other IPSO version than 3.2
That is an excellent point. When I add a new fingerprint I am generally very specific with the level of detail included (eg "NOKIA IPSO 3.2-fcs4 releng 783"). The idea is that feedback will allow me to generalize it as far as necessary (eg people mailing me saying "my IPSO 3.3 box was recognized by Nmap as 3.2"). I have to do it this way, because starting general and slowly becoming more specific doesn't work. If I just put "Nokia IPSO", the Nmap recognition will appear correct and nobody is going to write me saying "I have found that one of the IPSO fingerprints is specific to 3.2".

But this only works if people send feedback. There are 500 fingerprints distributed with Nmap, and I only have about a dozen machines on my test network. And none of them are IPSOs. So if you ever see a machine that you know to be X reported as Y (even when the difference is minor like kernel 2.4.0 vs. 2.4.1) please send me a quick note. I can modify nmap-os-fingerprints in 10 seconds and it will be effective as of the next release.

The only times we wouldn't want such a report is when:

a) you know you are scanning through a NAT, IP-packet-rewriting load balancer, transparent proxy, or other network obstruction. Of course normal routers and packet filters are not a problem.
b) you aren't fairly certain that the OS is what you think -- don't guess
c) If nmap tells you "test conditions non-ideal" or "OS detection will be MUCH less reliable" or "OS detection may be less accurate"
d) You are using an ancient version of Nmap. The latest is always available at http://www.insecure.org/nmap/ .

Unless any of those apply, I'd love to hear about inaccurate results and will adjust the fingerprint file appropriately. Send them to me directly at fyodor () insecure org . Please do specify your Nmap version (nmap -V) and whatever details you have about the misdiagnosed machine. An IP address is useful for testing but not required.

Nmap OS fingerprinting wouldn't even approach its current level of accuracy if it wasn't for all the fingerprints and corrections people have sent in. And there is always plenty of room for improvement!

Cheers,
Fyodor
http://www.insecure.org/