Nmap Development mailing list archives

New OS detection test SEQ.CI


From: David Fifield <david () bamsoftware com>
Date: Tue, 24 Feb 2009 18:01:09 -0700

Hi all,

Nmap's OS detection has two tests that measure the IP IDs of responses
and attempt to classify the algorithm used by the target. TI measures
responses to the six TCP SEQ probes sent to an open port. II does the
same thing for the two ICMP IE probes.

http://nmap.org/book/osdetect-methods.html#osdetect-ti
http://nmap.org/book/osdetect-methods.html#osdetect-ii

A fellow named Dario Ciccarone reported that sometimes the algorithm
used to generate IP IDs for closed ports can differ from the algorithm
used for open ports. So we added a new test, CI. This doesn't require
sending any additional probes; rather, it grabs the IDs from the three
probes that are sent to a closed port: T5, T6, and T7. The test is
included if at least two of those three probes get a response.

I ran some tests to see how often T5, T6, and T7 are replied to and how
often CI differs from CI. Results are at

http://www.bamsoftware.com/wiki/Nmap/Closed-portTCPIPID

The new test won't have any effect for a while because there are no
prints in nmap-os-db that have it. If you see a print where TI and CTI
differ, submit it as a new fingerprint even if it is a 100% match. We
will need to know how often that happens and on what kind of devices to
set the MatchPoints properly.

David Fifield
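
Added example, not part of the original message and not Nmap's own code: a sketch of how the IP ID sequence from the SEQ probes (TI) and from the T5/T6/T7 replies (CI) can be classified and compared. The class names and thresholds are assumptions taken from the TI/CI/II description in the Nmap book linked above; the function names and sample values are constructed.

```python
# Added example, not Nmap source. Thresholds are assumptions taken from the
# TI/CI/II description in the Nmap book; check them against that page.

def classify_ipid(ids, min_responses=2):
    """Classify a list of 16-bit IP IDs; None means the test is omitted."""
    if len(ids) < min_responses:
        return None
    if all(i == 0 for i in ids):
        return "Z"                         # always zero
    # Differences between consecutive IDs, allowing for 16-bit wraparound.
    diffs = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if any(d >= 20000 for d in diffs):
        return "RD"                        # random
    if all(d == 0 for d in diffs):
        return format(ids[0], "X")         # constant, reported in hex
    if any(d > 1000 and d % 256 != 0 for d in diffs):
        return "RI"                        # random positive increments
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "BI"                        # byte-swapped ("broken") increment
    if all(d < 10 for d in diffs):
        return "I"                         # incremental
    return None

def compare_ti_ci(seq_ids, closed_ids):
    """seq_ids: IP IDs of replies to the six SEQ probes (None = no reply).
    closed_ids: probe name (T5, T6, T7) -> IP ID of the reply, or None."""
    # Minimum of three replies for TI is an assumption; two for CI is from the post.
    ti = classify_ipid([i for i in seq_ids if i is not None], min_responses=3)
    ci = classify_ipid([closed_ids[p] for p in ("T5", "T6", "T7")
                        if closed_ids.get(p) is not None], min_responses=2)
    return {"TI": ti, "CI": ci, "differs": None not in (ti, ci) and ti != ci}

# Constructed sample: open port increments by small steps, closed port sends
# zero IDs and T6 goes unanswered.
SEQ_IDS = [0x1A2B, 0x1A2C, 0x1A2D, 0x1A2F, 0x1A30, 0x1A31]
CLOSED_IDS = {"T5": 0, "T6": None, "T7": 0}

if __name__ == "__main__":
    print(compare_ti_ci(SEQ_IDS, CLOSED_IDS))
```

A result with "differs" set to True corresponds to the case the message asks people to submit as a new fingerprint.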
