Nmap Development mailing list archives
Re: Dealing with initial TTLs > 255
From: David Fifield <david () bamsoftware com>
Date: Wed, 20 Jun 2007 22:54:04 -0600
Fyodor and I noticed that some OS fingerprint submissions had a calculated TTL that was greater than 255. Values of 256, 257, 258, and even 263 have been submitted. Values like these indicate some sort of network shenanigans. They also hinder OS detection, because while these initial TTLs are probably supposed to be 255, they won't match prints in the database with the value of 255. r4950 in /nmap-exp/soc07/nmap deals with this. It caps too-large TTLs at 255 (the most likely value, I think). If any large TTLs are found, it marks a fingerprint as unsuitable for submission, because something strange is probably going on in the network.
After making this change, I found that some of the reference fingerprints in nmap-os-db have a TTL greater than 255. This appears to be a characteristic of Cisco IOS routers and switches, for one example. It seems to be common enough that it's worth recording these too-large TTLs. So I have reverted the change.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
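The capping and "unsuitable for submission" logic described in the message, written out as an added example. This is not code from the message, from r4950 or from Nmap itself: it parses two constructed fingerprints in the nmap-os-db text style (hex T values, optional lo-hi ranges), caps every T above 0xFF and reports whether the print is still suitable. The way the initial TTL is calculated (observed TTL plus measured hop distance) is an assumption made here to show how values such as 263 can arise.

```python
import re
from typing import Dict, List, Tuple

MAX_TTL = 0xFF  # 255, the largest value an 8-bit IP TTL can hold

Test = Tuple[str, Dict[str, str]]        # ("T1", {"R": "Y", "T": "40", ...})
Fingerprint = Tuple[str, List[Test]]     # ("Fingerprint ...", [tests])

TEST_LINE = re.compile(r"^([A-Z0-9]+)\((.*)\)$")

# Constructed sample, not taken from nmap-os-db. T values are hexadecimal as
# in the database; the second print carries T=107 (263) and T=101 (257).
SAMPLE_FINGERPRINTS = """\
Fingerprint Constructed Linux-like host
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%O=M5B4NNT11NW7%RD=0%Q=)
T2(R=N)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)

Fingerprint Constructed host seen through a TTL-rewriting path
T1(R=Y%DF=N%T=107%S=O%A=S+%F=AS%O=M5B4%RD=0%Q=)
T2(R=N)
U1(R=Y%DF=N%T=FF%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=S%T=101%CD=S)
"""


def calculated_initial_ttl(observed_ttl: int, hop_distance: int) -> int:
    """Assumed calculation: the TTL seen in the reply plus the number of hops
    it travelled. A reply sent with TTL 255 through a path where some device
    forwards without decrementing, or whose hop count is overestimated,
    yields a value above 255 (e.g. 255 + 8 = 263)."""
    return observed_ttl + hop_distance


def parse_fingerprints(text: str) -> List[Fingerprint]:
    """Parse nmap-os-db style text into (header, tests) pairs. Only the
    Fingerprint header and test lines are kept; other lines are ignored."""
    prints: List[Fingerprint] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Fingerprint "):
            prints.append((line, []))
            continue
        m = TEST_LINE.match(line)
        if m and prints:
            attrs: Dict[str, str] = {}
            for item in m.group(2).split("%"):
                if item:
                    key, _, value = item.partition("=")
                    attrs[key] = value
            prints[-1][1].append((m.group(1), attrs))
    return prints


def _cap_ttl_value(value: str) -> Tuple[str, bool]:
    """Cap a hex T value ('FF' or a range such as '3B-45') at MAX_TTL.
    Returns (possibly rewritten value, True if any part exceeded MAX_TTL)."""
    ints = [int(p, 16) for p in value.split("-")]
    too_large = any(n > MAX_TTL for n in ints)
    return "-".join("%X" % min(n, MAX_TTL) for n in ints), too_large


def cap_fingerprint_ttls(fp: Fingerprint) -> Tuple[Fingerprint, bool]:
    """Return a copy with every T attribute capped at 255, plus a flag that is
    True only when no T was too large, i.e. the print is suitable to submit."""
    header, tests = fp
    suitable = True
    new_tests: List[Test] = []
    for name, attrs in tests:
        new_attrs = dict(attrs)
        if new_attrs.get("T"):
            new_attrs["T"], too_large = _cap_ttl_value(new_attrs["T"])
            if too_large:
                suitable = False
        new_tests.append((name, new_attrs))
    return (header, new_tests), suitable


def format_fingerprint(fp: Fingerprint) -> str:
    """Serialise a fingerprint back into the line format parsed above."""
    header, tests = fp
    lines = [header]
    for name, attrs in tests:
        lines.append("%s(%s)" % (name, "%".join("%s=%s" % kv for kv in attrs.items())))
    return "\n".join(lines)


if __name__ == "__main__":
    for fp in parse_fingerprints(SAMPLE_FINGERPRINTS):
        capped, ok = cap_fingerprint_ttls(fp)
        print(format_fingerprint(capped))
        print("suitable for submission:", ok, "\n")
```

Note that, as the message goes on to say, capping is the wrong choice for the reference database itself: prints of some devices legitimately carry T above 0xFF there, so a matcher fed with capped values would no longer find them.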
Current thread:
- Dealing with initial TTLs > 255 David Fifield (Jun 20)
- Re: Dealing with initial TTLs > 255 David Fifield (Jun 20)