Nmap Announce mailing list archives

Re: fingerprint database


From: Fyodor <fyodor () insecure org>
Date: Tue, 13 Nov 2001 02:32:16 -0800

On Fri, Nov 09, 2001 at 07:05:35PM +0100, rieger () dest-unreach org wrote:

> For me fingerprinting is nmap's most interesting feature. But recently I got
> a "Mac OS" response for a system that turned out to be some HP-UX
> box;

Actually this is a commonly reported problem that I am looking into.
As counterintuitive as it sounds, the TCP stack of some HP boxes is
extraordinarily similar to that of late-model Macs!  If you (or anyone
else with this problem) send me the Nmap output as well as the details
of the host you are scanning (OS version #, basic hardware specs, IP
if available), I will investigate.  This goes for any misdiagnosis --
not just Macs recognized as HP.  But be sure you have a clear
connection to the target with no NAT gateways or load balancers in the
way.

> A simple "grep -i linux nmap-os-fingerprints" results in something like this
> (sorted by kernel version):
> [ Cut ]
>
> This looks a little chaotic with its sporadic hardware or distribution
> dependence, overlapping version ranges, and ambiguities.

The Nmap fingerprint file is "a little chaotic" because it is modeling
a chaotic world :).  Overlapping versions are legitimate -- it may be
that they represent a series of tweaked kernels shipped by a certain
distributor.  Or it may be that they have a common patch installed. In
the same way, hardware & distribution specifiers are sporadic because
many fingerprints are too general to have such an association.  In
addition, the fingerprint database is evolving.  If someone sends me a
new fingerprint for "OpenBSD 2.9 on MIPS", I start with all of that
information.  Then I generalize it if someone reports the same
fingerprint on SPARC or against OpenBSD 2.8.

This is why the mechanism depends so much on feedback.  Even if a
fingerprint is only slightly wrong (like it says Linux kernel
2.4.1-2.4.5 and you are using 2.4.6), just drop me a quick note
telling me exactly what Nmap reported and what you are using.

> discovery. Why interesting? Because many operating systems provide
> system wide and/or per socket options to tune these values! While
> this fact seems to be known (e.g.,
> http://razor.bindview.com/publish/papers/tcpseq.html#conclude last
> paragraph), the fingerprints database does not reflect it.

Well, operating systems may offer a lot of flexibility in this
regard.  But how many people do you think change their default TCP
Window Scaling behavior?  It rounds to zero percent.  But if a
distribution ships with a different version, it will soon be added to
the fingerprint file as users scan & report those boxes.

I do try to reflect parameters that are commonly changed (especially
if they are security related).  For example, Solaris has a
tcp_strong_iss ndd parameter that allows users to tweak the initial
sequence number predictability strength.  You'll find separate
fingerprints in the DB reflecting the various values of that variable.
Same thing with the HP equivalent (tcp_random_seq).

> So, let's do some magic:
> I found an opportunity to update my old Linux 2.2.10 kernel to 2.2.19 without
> rebooting!
> Here is the trick:

Neat :).  And if you really want to get carried away, you can go to
http://ippersonality.sourceforge.net/ and download code to make your
Linux box look like an Appletalk Printer :).  It is a very cool hack, but I
don't actually recommend it.  There are probably more effective ways
you can spend your security effort than trying to obfuscate your OS
from Nmap scans.  Skilled attackers will figure it out anyway, and the
script kiddies generally just blast their exploits at anything with
port XX open :).  Plus some of these patches have suffered security
holes of their own!

This does bring up an important point -- Nmap fingerprinting is
designed to quickly provide an accurate OS guess for commonly encountered
systems.  If an administrator is actively mangling his kernel TCP
parameters to confuse Nmap, then identification may require more work
than "nmap -O".  You can try application/banner fingerprinting or
comparing the fingerprint against the Nmap DB manually.

> (you need a software that allows you to set the SO_RCVBUF and IP_MTU_DISCOVER
> sockopts; you might checkout the beta version of socat at
> http://www.dest-unreach.org/socat/)

Looks like an interesting and useful program :).

Cheers,
Fyodor

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
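Fyodor's closing suggestion, comparing a scanned host's fingerprint against the DB by hand, is what the following script automates. This is an added example, not Nmap's code and not part of the thread above. The database entries, their values and the "observed" scan result are all constructed for illustration and are not real Nmap fingerprints; the syntax (a `Fingerprint` line followed by `TEST(attr=value%attr=value)` lines, `|` for alternatives, `<`/`>` for hex thresholds) is a simplified stand-in for the first-generation nmap-os-fingerprints layout, so treat the parser as an assumption about that format rather than a faithful reader for the real file. What it shows is the point made in the thread: an entry whose version range or alternation covers the observed values is a zero-mismatch hit, while a near miss (the 2.2 entry) is ranked by how many attributes disagree, which is what you want when a tweaked kernel or an ndd/sysctl change makes the exact match fail.

```python
"""Rank constructed OS fingerprints by how closely they match a scan result.
Added example; not Nmap's matcher. The DB syntax below is a simplified
stand-in for the old nmap-os-fingerprints layout (an assumption)."""
import re
from typing import Dict, List, Tuple

Tests = Dict[str, Dict[str, str]]

# Constructed, illustrative entries: not real Nmap fingerprints.
FINGERPRINT_DB = """\
Fingerprint Linux kernel 2.4.1-2.4.5
TSeq(Class=RI%gcd=<6)
T1(Resp=Y%DF=Y%W=7FFF|7F53%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)

Fingerprint Linux kernel 2.2.10-2.2.19
TSeq(Class=RI%gcd=<6)
T1(Resp=Y%DF=N%W=7FFF|7F53%ACK=S++%Flags=AS%Ops=MENNTNW)
T2(Resp=N)

Fingerprint HP-UX 11.00 with tcp_random_seq=2
TSeq(Class=RI%gcd=<6)
T1(Resp=Y%DF=N%W=8000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
"""

# Constructed scan result for the host being identified.
OBSERVED = """\
TSeq(Class=RI%gcd=1)
T1(Resp=Y%DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
"""


def parse_tests(text: str) -> Tests:
    """Turn lines like T1(Resp=Y%DF=Y) into {"T1": {"Resp": "Y", "DF": "Y"}}."""
    tests: Tests = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\((.*)\)\s*$", line)
        if not m:
            continue
        name, body = m.groups()
        attrs: Dict[str, str] = {}
        for pair in body.split("%"):
            if "=" in pair:
                key, val = pair.split("=", 1)
                attrs[key] = val
        tests[name] = attrs
    return tests


def parse_db(text: str) -> List[Tuple[str, Tests]]:
    """Split the DB on blank lines; each block is one named fingerprint."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("Fingerprint "):
            continue
        name = lines[0][len("Fingerprint "):].strip()
        entries.append((name, parse_tests("\n".join(lines[1:]))))
    return entries


def value_matches(expected: str, observed: str) -> bool:
    """'A|B' matches either literal; '<N' / '>N' compare as hex numbers."""
    for alt in expected.split("|"):
        if alt and alt[0] in "<>":
            try:
                obs, lim = int(observed, 16), int(alt[1:], 16)
            except ValueError:
                continue  # non-numeric or absent observation never satisfies a threshold
            if (alt[0] == "<" and obs < lim) or (alt[0] == ">" and obs > lim):
                return True
        elif alt == observed:
            return True
    return False


def compare(expected: Tests, observed: Tests) -> List[Tuple[str, str, str, str]]:
    """Return every (test, attr, expected, observed) that disagrees.
    A test the DB lists but the scan lacks counts as a mismatch on each
    attribute: an absent result is not evidence of a match."""
    mismatches = []
    for test, attrs in expected.items():
        got = observed.get(test, {})
        for attr, want in attrs.items():
            have = got.get(attr, "")
            if not value_matches(want, have):
                mismatches.append((test, attr, want, have))
    return mismatches


def rank(db_text: str, observed_text: str) -> List[Tuple[int, str, list]]:
    """Order DB entries by mismatch count, closest first."""
    observed = parse_tests(observed_text)
    ranked = [(len(mm), name, mm)
              for name, tests in parse_db(db_text)
              for mm in [compare(tests, observed)]]
    ranked.sort(key=lambda r: (r[0], r[1]))
    return ranked


if __name__ == "__main__":
    for count, name, mm in rank(FINGERPRINT_DB, OBSERVED):
        print(f"{count} mismatch(es): {name}")
        for test, attr, want, have in mm:
            print(f"    {test} {attr}: expected {want}, got {have or '<absent>'}")
```

Running it ranks the 2.4 entry first with no mismatches, the 2.2 entry second (DF and Ops differ) and the HP-UX entry last (DF, W and Ops differ). The per-attribute listing is the useful part when a result is slightly off: it tells you which tests disagree, which is exactly the detail worth sending back when reporting a misdiagnosis.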
