Home page logo

nmap-dev logo Nmap Development mailing list archives

new OS detection techniques: synscan
From: Greg Taleck <taleck () nfr net>
Date: Fri, 7 May 2004 22:28:21 -0400 (EDT)

For those of you looking for perhaps more accurate ways
to detect a remote host OS, I've written a tool that is
able to inspect many different characteristics of a remote

The tool is called synscan: http://synscan.sourceforge.net/
and only requires one open remote TCP port to perform its
tests.  It also modifies the local OS firewall ruleset to
prevent the host stack from resetting "open" connections.

It currently combines 16 different methods of analysis of
a remote TCP/IP stack to produce an OS fingerprint:

CC: Determines what Congestion Control algorithm is
    implemented on the remote host (i.e. Tahoe, Reno, etc.)
CW: Determines the size of the initial Congestion Window
    used to manage data transfer in a TCP session
DF: Determines when the DF-bit is set on a SYN-ACK packet
F8: Determines whether a host accepts fragments with a MF=1
    and a packet length not evenly divisible by 8
FP: Determines the fragmentation reassembly policy implemented
    by the remote host
FT: Determines the FIN-ACK retranmit timeout values used
HZ: Determines the timestamp hertz value if the remote host
    implements RFC 1323 extensions
ID: Determines the algorithm used to set the IP Identification
    field in the IP header
MS: Determines the default (assumed) value of the client MSS
    when no MSS option is sent in the TCP SYN segment
PT: Determines the Payload retransmit timeout values (which
    may be different than the FT analysis)
RT: Determines the SYN-ACK retransmit timeout values
SN: Determines the algorithm used to set the Initial Sequence
    Number of the TCP session in the SYN-ACK
TL: Determines the default IP TTL value set by tracerouting
    to the host
TO: Determines how the remote TCP stack sets TCP options when
    given different options in the SYN segment
TP: Determines the TCP segment reassembly policies used when
    overlapping TCP segments are sent to the host
WS: Determines the algorithm used to set the initial window
    size in the TCP header

Please see the project website for more details, including a
white paper titled "SYNSCAN: Towards Complete TCP/IP

Greg Taleck
NFR Security, Inc.

For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org

  By Date           By Thread  

Current thread:
  • new OS detection techniques: synscan Greg Taleck (May 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]