Re: When nmap can't ID the OS...
From: Faleh Daoud Abdel Monem (abdelmonem_at_webone-tunisie.com)
Date: 12/14/04
- Previous message: Ryan Murphy: "Event log counts..."
- In reply to: Jimi Thompson: "Re: When nmap can't ID the OS..."
- Next in thread: Corey LeBleu: "Re: When nmap can't ID the OS..."
- Reply: Corey LeBleu: "Re: When nmap can't ID the OS..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 14 Dec 2004 19:02:32 +0100
To: Jimi Thompson <jimi.thompson@gmail.com>
Jimi Thompson wrote:
> Are you by any chance running NMAP on Windows? If so, you might try
> using the Linux/Unix version instead and see if you don't get better
> results.
>
> 2 cents,
>
> Jimi
>
>
> On 27 Nov 2004 19:27:16 -0000, H Carvey <keydet89@yahoo.com> wrote:
>
>>In-Reply-To: <200411261640.23084.dflists@iinet.net.au>
>>
>>
>>>What could be up with the remote machine that stops nmap IDing the OS it is
>>>running?
>>
>>
>>Well, the info at NetCraft could have been spoofed, or old. The system using that IP could have at one time been running the OS/web server identified, but perhaps no longer. And without knowing more about what arguments you used for nmap, and the actual output, it might be difficult to tell you why nmap couldn't figure it out...there are several possibilities there.
>>
>>Harlan
>>
>>"Windows Forensics and Incident Recovery"
>>
>>http://www.windows-ir.com
>>
>>
>
>
>
Hi list,
First of all I'm sorry about this late reply.
Though the discussion has been about whether Nmap is able to reliably
identify a remote OS, if you permit it, let's review what OS
fingerprinting basically is:
It is all about TCP/IP packets when it comes to guessing the remote OS;
different systems have different TCP/IP stacks, so if you can get a
packet from one system and match it against known patterns or behaviour
(how many SYN packets are sent to try establishing a connection, delay
between packets, response to erroneous packets ...) you may guess the OS
it's running. How you get this packet to analyze it is what makes the
difference between so-called active and passive fingerprinting.
Passive fingerprinting is basically collecting packets (with tcpdump or
anything that can do it) and studying them to find a match with the
different OS-specific settings in the IP or TCP headers; this is widely
covered in Toby Miller's sans.org paper in its 2 parts
(http://www.sans.org/rr/special/index.php?id=passiveos
http://www.sans.org/rr/special/index.php?id=passiveos2). The active
fingerprinting technique involves sending regular (usually SYN) packets
or specially crafted ones (SYN|FIN) in order to trigger some errors on
the remote systems and look into their replies; though this is the way
Nmap and many other active fingerprinting tools work, a look at Fyodor's
paper on Nmap Remote OS Detection
(http://www.insecure.org/nmap/nmap-fingerprinting-article.html) gives a
good explanation of the techniques. Also performing basic port scanning
and banner collection would give some information, but this is not that
accurate since today daemons are available for a wide range of OSes.
Though many OSes have parameters that can be tweaked to limit the leak of
information used by those tools, if not stop it altogether, they may also
fool the tool so it is not able to identify the remote OS. If anyone has
experience tweaking them with some success it would be useful for all of
us. I can just remember some option when compiling a new FreeBSD
kernel about allowing responses to SYN|FIN packets, as this violates the
TCP three-way handshake (sorry for not providing it because I don't have a
FreeBSD box at hand now to verify).
Best Regards.
--
-----------------------------------------------------------------
Daoud AbdelMonem Faleh
WebOne S.A.R.L eBusiness solutions
System Admin.
Tel: +216 71 784 726
21 Rue Ibn Badis
Fax: +216 71 894 326
1002 Tunis / Tunisia
abdelmonem@webone-tunisie.com
http://www.webone.com.tn
-----------------------------------------------------------------
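As an added illustration of the passive technique described in the message above (example code written for this archive page, not code from the thread, from p0f, or from Nmap), the following Python parses the fields a passive fingerprinter keys on (initial TTL, IP DF bit, TCP window, MSS option) from a captured SYN, matches them against a signature table, and also flags the SYN|FIN combination the author mentions, since a defender seeing it on the wire is looking at a handshake violation rather than a normal client. The signature rows, the packet builder and the 10.0.0.x addresses are all constructed for the example and are not a real fingerprint database.

```python
import struct

# Constructed, illustrative signature table keyed on fields visible in a
# client's first SYN: initial TTL, IP DF bit, TCP window, MSS option.
# These rows are examples for demonstration, not a real fingerprint database.
SIGNATURES = [
    {"os": "unix-like (example)", "ttl": 64, "df": True, "win": 5840, "mss": 1460},
    {"os": "windows-like (example)", "ttl": 128, "df": True, "win": 65535, "mss": 1460},
]

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull out the IP/TCP header fields that passive fingerprinting keys on."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    ttl = pkt[8]
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    mss, opts, i = None, tcp[20:data_off], 0
    while i < len(opts) and opts[i] != 0:      # kind 0 = end of option list
        if opts[i] == 1:                        # kind 1 = NOP, single byte
            i += 1
            continue
        if opts[i] == 2 and opts[i + 1] == 4:   # kind 2 = MSS, length 4
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return {"ttl": ttl, "df": df, "win": window, "mss": mss, "flags": tcp[13]}

def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    return next((b for b in (32, 64, 128, 255) if observed <= b), 255)

def fingerprint(pkt: bytes) -> dict:
    """Guess the sender's stack and flag handshake-violating SYN|FIN probes."""
    f = parse_ipv4_tcp(pkt)
    base = initial_ttl(f["ttl"])
    guess = next((s["os"] for s in SIGNATURES if (s["ttl"], s["df"], s["win"], s["mss"])
                  == (base, f["df"], f["win"], f["mss"])), None)
    syn_fin = (f["flags"] & 0x03) == 0x03      # SYN and FIN set together
    return {"guess": guess, "hops": base - f["ttl"], "syn_fin_probe": syn_fin}

def build_packet(ttl, df, window, mss, flags=0x02) -> bytes:
    """Construct a minimal IPv4+TCP SYN for offline testing (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 1, 0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, flags, window, 0, 0)
    return ip + tcp + struct.pack("!BBH", 2, 4, mss)   # MSS option, 24-byte TCP header

if __name__ == "__main__":
    print(fingerprint(build_packet(ttl=57, df=True, window=5840, mss=1460)))
```

The hop estimate only works because initial TTLs cluster at a few well-known values; a stack tuned to a non-standard TTL or window, as the author suggests, falls straight through the table with no match.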