Nmap Development
mailing list archives
New Nmap OS classification scheme
From: Fyodor <fyodor () insecure org>
Date: Fri, 20 Jun 2003 19:28:38 -0700
Hi Guys. Back in February, Chad Loder ( http://www.rapid7.com )
convinced me that the OS database needed a better classification
scheme. The textual descriptions just don't always scale to huge
networks as they are hard to parse automatically. Even worse, many of
the fingerprints don't even describe what a device is. Results like
"Nexland ISB Pro800 Turbo" and "Siemens 300E Release 6.5" are much
more useful when you add the words "cable modem" and "business phone
system".
So I spent the last few days normalizing and updating the DB entries.
I also added a classification scheme, which offers the vendor name
(e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 7), and
device type (general purpose, router, switch, game console, etc).
This can be useful if you want to (say) locate and eliminate the SCO
systems on a network, or find the wireless access points (WAPs) by
scanning from the wired side. The next version of Nmap will print
these classifications, although I haven't decided on all the details
yet.
It would be useful to have more eyes examining my classification to
identify any errors. Everyone is familiar with a different set of
devices after all. If you have time to look it over, check out the
new 'Class' lines in:
http://www.insecure.org/nmap/data/nmap-os-fingerprints
What would be most useful are:
o Misclassifications - like if I say 'router' but it is really a
switch or printer.
o Underlying OS identification - I just put 'embedded-misc' when I
didn't know the OS. Feel free to send the actual OS name running
under the covers. I only included the "OS Generation" for popular
operating systems like Linux and IOS since I don't want to invest a
huge amount of time cataloging every revision of the embedded OS in
some printer. But the name doesn't hurt.
o Any Mispelings
o Note that for systems without a canonical vendor (e.g. Linux) I just
use the OS name. Nmap will omit the vendor name when it sees that.
o Feel free to send suggestions about changing the categories. This
is far from set in stone.
Here are the 26 device type categories that are currently recognized:
egrep '^Class' nmap-os-fingerprints | cut -d\| -f4 | sort | uniq -c | sort -rn
448 general purpose
94 router
60 broadband router
49 printer
46 switch
39 firewall
34 terminal server
19 print server
17 WAP
16 specialized
16 load balancer
12 web proxy
10 fileserver
8 telecom-misc
7 X terminal
7 hub
6 webcam
6 bridge
5 storage-misc
5 power-device
4 VoIP phone
4 game console
3 encryption accelerator
3 CSUDSU
2 PBX
2 BBS
And here are the top 20 (of 206) vendors:
egrep '^Class' nmap-os-fingerprints | cut -d\| -f1 | sort | uniq -c | sort -rn | sed 's/Class //' | head -20
72 Cisco
61 Microsoft
57 IBM
45 Linux
40 DEC
36 Apple
35 HP
30 FreeBSD
21 Sun
19 Novell
18 OpenBSD
18 3Com
14 NetBSD
13 D-Link
12 SGI
12 Ascend
11 SCO
11 Compaq
11 AXIS
8 Siemens
And the top 20 (of 96) OS families:
egrep '^Class' nmap-os-fingerprints | cut -d\| -f2 | sort | uniq -c | sort -rn | head -20
358 embedded-misc
60 Windows
54 Linux
35 IOS
30 FreeBSD
26 AIX
21 OpenVMS
21 Mac OS
19 Netware
18 Solaris
18 OpenBSD
14 NetBSD
14 HP-UX
12 IRIX
11 PIX
9 OS/400
8 Mac OS X
8 BSD-misc
8 AmigaOS
7 Tru64 UNIX
Thanks,
Fyodor
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
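As an added illustration (not code from the post or from Nmap), here is a small Python parser for the four-field Class lines described above: it reads a constructed, abridged fragment in the nmap-os-fingerprints layout, reproduces the per-field counts the egrep/cut/sort/uniq pipelines produce, applies the rule that the vendor is dropped when it equals the OS name, and lints the Class lines for the kinds of errors the post asks readers to look for. The sample entries, the `lint_db` checks and the display layout are this example's own assumptions, not Nmap's.

```python
"""Added example: a small parser for the 'Class' lines in nmap-os-fingerprints.

Each Class line carries four pipe-separated fields:
    Class <vendor> | <OS family> | <OS generation> | <device type>
The functions below reproduce the counting the shell pipelines in the post do
and apply the post's rule that the vendor is omitted when it equals the OS name.
"""
from collections import Counter

# Constructed, abridged sample in the nmap-os-fingerprints layout (the real file
# also carries probe-response lines after each Class line; they are left out here).
SAMPLE_DB = """\
Fingerprint Linux Kernel 2.4.X (constructed sample)
Class Linux | Linux | 2.4.X | general purpose
Fingerprint Cisco IOS 12.X router (constructed sample)
Class Cisco | IOS | 12.X | router
Fingerprint Cisco PIX firewall (constructed sample)
Class Cisco | PIX | | firewall
Fingerprint Microsoft Windows 2000 (constructed sample)
Class Microsoft | Windows | 2000 | general purpose
Fingerprint FreeBSD 4.X (constructed sample)
Class FreeBSD | FreeBSD | 4.X | general purpose
Fingerprint HP network printer (constructed sample)
Class HP | embedded-misc | | printer
"""

FIELDS = ("vendor", "os_family", "os_generation", "device_type")


def parse_class_line(line):
    """Return the four fields of a Class line as a dict, or None for any other line.
    Raises ValueError when a Class line does not have exactly four fields."""
    if not line.startswith("Class "):
        return None
    fields = [f.strip() for f in line[len("Class "):].split("|")]
    if len(fields) != len(FIELDS):
        raise ValueError(f"malformed Class line: {line!r}")
    return dict(zip(FIELDS, fields))


def parse_db(text):
    """Collect every Class line in the file text, in file order."""
    return [c for c in (parse_class_line(l) for l in text.splitlines()) if c]


def display_name(cls):
    """Render one classification the way the post says Nmap will: drop the vendor
    when it is the same as the OS family (e.g. Linux | Linux). The exact layout
    of the string is this example's own choice, not Nmap's output format."""
    parts = []
    if cls["vendor"] != cls["os_family"]:
        parts.append(cls["vendor"])
    parts.append(cls["os_family"])
    if cls["os_generation"]:
        parts.append(cls["os_generation"])
    return " ".join(parts) + " (" + cls["device_type"] + ")"


def count_by(classes, field):
    """Equivalent of 'cut -d| -fN | sort | uniq -c | sort -rn' for one field:
    a list of (value, count) pairs, most frequent first."""
    return Counter(c[field] for c in classes).most_common()


def lint_db(text, known_types):
    """Report (line number, problem) pairs for Class lines with a bad field count,
    an empty vendor or device type, or a device type outside known_types.
    The set of checks is an assumption of this example, not Nmap's own validation."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            cls = parse_class_line(line)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        if cls is None:
            continue
        if not cls["vendor"] or not cls["device_type"]:
            problems.append((lineno, "empty vendor or device type"))
        elif cls["device_type"] not in known_types:
            problems.append((lineno, f"unknown device type {cls['device_type']!r}"))
    return problems


if __name__ == "__main__":
    classes = parse_db(SAMPLE_DB)
    for cls in classes:
        print(display_name(cls))
    for name, n in count_by(classes, "device_type"):
        print(f"{n:4d} {name}")
```

Point `parse_db` at the real nmap-os-fingerprints text instead of `SAMPLE_DB` to get the same vendor, OS family and device type tallies the post lists, and pass the 26 category names from the post to `lint_db` to catch a Class line whose device type is not one of them.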