Nmap Development mailing list archives
Re: Comments on OS detection 2nd generation (soft fingerprinting)
From: Fyodor <fyodor () insecure org>
Date: Fri, 26 May 2006 20:38:38 -0700
On Fri, May 26, 2006 at 05:51:18PM +0000, Brandon Enright wrote:
On Fri, 2006-05-26 at 13:32 -0400, Joshua D. Abraham wrote:
I'm sure most would agree that using an SSH banner to say a box is some distro or tcp/3389 to say a box is something Windows has no place in Nmap's second-gen OS FP engine.
Agreed. Not in the stack fingerprinting engine.
What I would like to see though is a soft fingerprinting engine added. When users used -O or -A they would get the standard or second-gen engine which does not take into account any banners or ports opened/closed.
Nmap actually does have that capability. Doug added it last year. But the version detection signatures need to be augmented. Look at Josh's mail:
I had is that for ubuntu machines there is no way to turn off the banner for ssh. Therefore, the response is SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3 which clearly identifies the machine as 2.6 since ubuntu doesn't have a version for 2.4.
Here is the current match line:

match ssh m/^SSH-([.\d]+)-OpenSSH[_-]([\S ]+)/i p/OpenSSH/ v/$2/ i/protocol $1/

But you could add this more specific one right above that line:

match ssh m/^SSH-([.\d]+)-OpenSSH[_-](\S+ Debian-7ubuntu3)/i o/Linux/ p/OpenSSH/ v/$2/ i/protocol $1/

Now Nmap will tell you that version detection thinks the OS is Linux. It will also print the stack fingerprinting OS detection results. It is useful to have both separately rather than try to merge them, because of cases like a Checkpoint firewall which redirects port 22 to a Linux box.

I added the signature above, but it is so specific that it won't do much on its own. SSH is so common that we might want to do a survey of SSH banners on the internet and look at what information we can get from them. Geez, if only I had a way to ask Nmap to run a small Lua script to quickly collect this information for each open port 22 it finds :). But seriously, it wouldn't be very hard to do now. Once you have all the banners, you could sort by frequency and write special signatures for all of the popular ones.

An alternative to the scan would be to remove the space in "[\S ]" in the current generic match line. Then people would start submitting these non-matches. I don't think I can bear to break Nmap (even temporarily) like that when the SSH survey would be easy enough. I'll add it to the possible TODO list. Or if anyone else wants to take up this torch, you're welcome to!

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
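As an added illustration (not code from the mail or from Nmap itself), here is a small Python reader for match lines in the nmap-service-probes syntax quoted above. It tries the lines in file order so the specific Ubuntu line wins before the generic one, expands the $1/$2 templates, and lists the banners that still carry no o/ field, most common first, which is the survey step the mail describes. The two match lines are the ones from the mail; the banner list is constructed for the example.

```python
import re
from collections import Counter

# The two match lines quoted in the mail. The specific Ubuntu line sits
# above the generic one because Nmap uses the first match line whose
# regex fires against a probe response.
MATCH_LINES = [
    r"match ssh m/^SSH-([.\d]+)-OpenSSH[_-](\S+ Debian-7ubuntu3)/i o/Linux/ p/OpenSSH/ v/$2/ i/protocol $1/",
    r"match ssh m/^SSH-([.\d]+)-OpenSSH[_-]([\S ]+)/i p/OpenSSH/ v/$2/ i/protocol $1/",
]

# "match <service> m/<regex>/<flags> <field>/<template>/ ..."; the regex body
# may contain escaped slashes, so consume "\x" pairs or any non-slash char.
LINE_RE = re.compile(r"^match\s+(\S+)\s+m/((?:\\.|[^/\\])*)/([a-z]*)\s*(.*)$")
FIELD_RE = re.compile(r"\b([pvihod])/([^/]*)/")   # p v i h o d version fields
FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}

def parse_match_line(line):
    """Split one match line into service, compiled regex and field templates."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: " + line)
    service, pattern, flags, rest = m.groups()
    bits = 0
    for f in flags:
        bits |= FLAGS.get(f, 0)
    return {"service": service, "regex": re.compile(pattern, bits),
            "fields": dict(FIELD_RE.findall(rest))}

def identify(banner, match_lines):
    """Return the first matching line's fields with $N expanded, or None."""
    for sig in (parse_match_line(l) for l in match_lines):
        m = sig["regex"].search(banner)
        if not m:
            continue
        def expand(tpl):
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", tpl)
        result = {"service": sig["service"]}
        result.update({k: expand(v) for k, v in sig["fields"].items()})
        return result
    return None

def unattributed_banners(banners, match_lines):
    """Survey helper: banners that yield no o/.../ field, most frequent first."""
    counts = Counter(b for b in banners
                     if not (identify(b, match_lines) or {}).get("o"))
    return counts.most_common()

# Constructed sample banners standing in for a collected SSH survey.
SAMPLE_BANNERS = ["SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3", "SSH-1.99-OpenSSH_3.9p1",
                  "SSH-1.99-OpenSSH_3.9p1", "SSH-2.0-dropbear_0.47"]
```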