Nmap Development mailing list archives
New Nmap OS classification scheme
From: Fyodor <fyodor () insecure org>
Date: Fri, 20 Jun 2003 19:28:38 -0700
Hi Guys. Back in February, Chad Loder ( http://www.rapid7.com ) convinced me that the OS database needed a better classification scheme. The textual descriptions just don't always scale to huge networks as they are hard to parse automatically. Even worse, many of the fingerprints don't even describe what a device is. Results like "Nexland ISB Pro800 Turbo" and "Siemens 300E Release 6.5" are much more useful when you add the words "cable modem" and "business phone system".

So I spent the last few days normalizing and updating the DB entries. I also added a classification scheme, which offers the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 7), and device type (general purpose, router, switch, game console, etc). This can be useful if you want to (say) locate and eliminate the SCO systems on a network, or find the wireless access points (WAPs) by scanning from the wired side. The next version of Nmap will print these classifications, although I haven't decided on all the details yet.

It would be useful to have more eyes examining my classification to identify any errors. Everyone is familiar with a different set of devices after all. If you have time to look it over, check out the new 'Class' lines in:

http://www.insecure.org/nmap/data/nmap-os-fingerprints

What would be most useful are:

o Misclassifications - like if I say 'router' but it is really a switch or printer.

o Underlying OS identification - I just put 'embedded-misc' when I didn't know the OS. Feel free to send the actual OS name running under the covers. I only included the 'OS Generation' for popular operating systems like Linux and IOS since I don't want to invest a huge amount of time cataloging every revision of the embedded OS in some printer. But the name doesn't hurt.

o Any Mispelings

o Note that for systems without a canonical vendor (e.g. Linux) I just use the OS name. Nmap will omit the vendor name when it sees that.

o Feel free to send suggestions about changing the categories. This is far from set in stone.

Here are the 26 device type categories that are currently recognized:
egrep '^Class' nmap-os-fingerprints | cut -d\| -f4 | sort | uniq -c | sort -rn

    448 general purpose
     94 router
     60 broadband router
     49 printer
     46 switch
     39 firewall
     34 terminal server
     19 print server
     17 WAP
     16 specialized
     16 load balancer
     12 web proxy
     10 fileserver
      8 telecom-misc
      7 X terminal
      7 hub
      6 webcam
      6 bridge
      5 storage-misc
      5 power-device
      4 VoIP phone
      4 game console
      3 encryption accelerator
      3 CSUDSU
      2 PBX
      2 BBS

And here are the top 20 (of 206) vendors:

egrep '^Class' nmap-os-fingerprints | cut -d\| -f1 | sort | uniq -c | sort -rn | sed 's/Class //' | head -20

     72 Cisco
     61 Microsoft
     57 IBM
     45 Linux
     40 DEC
     36 Apple
     35 HP
     30 FreeBSD
     21 Sun
     19 Novell
     18 OpenBSD
     18 3Com
     14 NetBSD
     13 D-Link
     12 SGI
     12 Ascend
     11 SCO
     11 Compaq
     11 AXIS
      8 Siemens

And the top 20 (of 96) OS families:

egrep '^Class' nmap-os-fingerprints | cut -d\| -f2 | sort | uniq -c | sort -rn | head -20
    358 embedded-misc
     60 Windows
     54 Linux
     35 IOS
     30 FreeBSD
     26 AIX
     21 OpenVMS
     21 Mac OS
     19 Netware
     18 Solaris
     18 OpenBSD
     14 NetBSD
     14 HP-UX
     12 IRIX
     11 PIX
      9 OS/400
      8 Mac OS X
      8 BSD-misc
      8 AmigaOS
      7 Tru64 UNIX

Thanks,
Fyodor
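The pipelines in the post count Class fields, but the use case Fyodor mentions (find the WAPs on a network from the wired side) needs the other direction: given a device type, which fingerprints carry it. The script below is an added example, not part of Fyodor's post or of the Nmap code base. It assumes the first-generation file layout the post describes, a "Fingerprint <name>" line followed by a "Class vendor | OS family | OS generation | device type" line, and it trims the spaces around the '|' separators that the cut-based pipelines above leave in place (which is why "general purpose" and " general purpose" would otherwise count separately). The fingerprint entries it reads are constructed for the example and are not an excerpt of the real database.

```shell
#!/bin/sh
# Added example: query nmap-os-fingerprints by Class field.
# Assumes the 1st-generation layout described in the post:
#   Fingerprint <name>
#   Class <vendor> | <OS family> | <OS generation> | <device type>
# The sample database below is constructed for this example only.

SAMPLE_DB=$(mktemp)
trap 'rm -f "$SAMPLE_DB"' EXIT
cat > "$SAMPLE_DB" <<'EOF'
# constructed sample, not real Nmap fingerprints
Fingerprint Linux 2.4.x
Class Linux | Linux | 2.4 | general purpose
T1(DF=Y)

Fingerprint Example Inc wireless AP firmware (constructed)
Class Example Inc | embedded-misc | | WAP
T1(DF=N)

Fingerprint Cisco IOS 12.x on a router (constructed)
Class Cisco | IOS | 12.X | router
T1(DF=N)

Fingerprint Example Inc second AP model (constructed)
Class Example Inc | embedded-misc | | WAP
T1(DF=N)
EOF

# Print the name of every fingerprint whose device type (4th Class field)
# equals $1, reading the database file named by $2. Each Class line is
# attributed to the most recent Fingerprint line above it.
fingerprints_of_type() {
    awk -v want="$1" '
        /^Fingerprint / { name = substr($0, 13) }      # text after "Fingerprint "
        /^Class / {
            split(substr($0, 7), f, "|")               # text after "Class "
            for (i in f) gsub(/^ +| +$/, "", f[i])     # trim around separators
            if (f[4] == want && name != "") print name
        }' "$2"
}

# Count fingerprints per value of one Class field: 1=vendor, 2=OS family,
# 3=OS generation, 4=device type. Same idea as the egrep|cut|sort|uniq
# pipelines in the post, but with whitespace trimmed before counting.
count_class_field() {
    awk -v col="$1" '
        /^Class / {
            split(substr($0, 7), f, "|")
            v = f[col]; gsub(/^ +| +$/, "", v)
            n[v]++
        }
        END { for (v in n) printf "%d %s\n", n[v], v }' "$2" | sort -rn
}

# Stand-alone demo: list the WAPs, then the per-vendor counts.
fingerprints_of_type WAP "$SAMPLE_DB"
count_class_field 1 "$SAMPLE_DB"
```

Point fingerprints_of_type at a real nmap-os-fingerprints file to get the list of device names Nmap would report for a given device type; the trimming step matters because the field values in the file are padded with a space on each side of the '|'.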