Nmap Development mailing list archives
New OS detection test SEQ.CI
From: David Fifield <david () bamsoftware com>
Date: Tue, 24 Feb 2009 18:01:09 -0700
Hi all,

Nmap's OS detection has two tests that measure the IP IDs of responses and attempt to classify the algorithm used by the target. TI measures responses to the six TCP SEQ probes sent to an open port. II does the same thing for the two ICMP IE probes.

http://nmap.org/book/osdetect-methods.html#osdetect-ti
http://nmap.org/book/osdetect-methods.html#osdetect-ii

A fellow named Dario Ciccarone reported that sometimes the algorithm used to generate IP IDs for closed ports can differ from the algorithm used for open ports. So we added a new test, CI. This doesn't require sending any additional probes; rather, it grabs the IDs from the three probes that are sent to a closed port: T5, T6, and T7. The test is included if at least two of those three probes get a response.

I ran some tests to see how often T5, T6, and T7 are replied to and how often CI differs from CI. Results are at

http://www.bamsoftware.com/wiki/Nmap/Closed-portTCPIPID

The new test won't have any effect for a while because there are no prints in nmap-os-db that have it. If you see a print where TI and CTI differ, submit it as a new fingerprint even if it is a 100% match. We will need to know how often that happens and on what kind of devices to set the MatchPoints properly.

David Fifield
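The closed-port test described in the message above, as an added Python sketch that is not part of the original post and is not Nmap's own code. The function names are hypothetical, and the thresholds are an assumption taken from the TI/CI/II rules in the Nmap book section linked in the message; IP IDs are passed in as already-captured 16-bit values, with `None` for a probe that got no reply.

```python
def classify_ipid(ids):
    """Classify a list of 16-bit IP IDs; returns a test value or None (test omitted)."""
    if len(ids) < 2:
        return None                      # not enough responses to compare
    if all(i == 0 for i in ids):
        return "Z"                       # all zero
    # Forward differences with 16-bit wraparound (simplification of Nmap's handling).
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    # Assumption: RD is only judged when there are more than two samples.
    if len(ids) > 2 and any(d >= 20000 for d in diffs):
        return "RD"                      # random
    if all(d == 0 for d in diffs):
        return format(ids[0], "X")       # constant value, reported in hex
    if any(d > 1000 and d % 256 != 0 for d in diffs):
        return "RI"                      # random positive increments
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "BI"                      # broken (byte-swapped) increment
    if all(d < 10 for d in diffs):
        return "I"                       # incremental
    return None                          # unclassifiable: omit the test


def closed_port_ci(t5, t6, t7):
    """CI from the T5, T6, T7 responses; needs at least two of the three."""
    ids = [i for i in (t5, t6, t7) if i is not None]
    return classify_ipid(ids)


def worth_submitting(ti, ci):
    """True when open-port and closed-port classifications both exist and differ."""
    return ti is not None and ci is not None and ti != ci


if __name__ == "__main__":
    # Constructed sample values, not captured from a real host.
    ti = classify_ipid([100, 101, 103, 104, 106, 107])   # six SEQ probe replies
    ci = closed_port_ci(0, None, 0)                       # T6 got no reply
    print("TI=%s CI=%s submit=%s" % (ti, ci, worth_submitting(ti, ci)))
```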