Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Comments on OS detection 2nd generation (soft fingerprinting)
From: "Joshua D. Abraham" <jabra () ccs neu edu>
Date: Fri, 26 May 2006 23:52:15 -0400

On 26.May.2006 08:38PM -0700, Fyodor wrote:

On Fri, May 26, 2006 at 05:51:18PM +0000, Brandon Enright wrote:
On Fri, 2006-05-26 at 13:32 -0400, Joshua D. Abraham wrote:
 
I'm sure most would agree that using a SSH banner to say a box is some
distro or tcp/3389 to say a box is something Windows has no place in
Nmap's second-gen OS FP engine.

Agreed.  Not in the stack fingerprinting engine.
Agreed.

What I would like to see though is a soft fingerprinting engine added.
When users used -O or -A they would get the standard or second-gen
engine which does not take into account any banners or ports
opened/closed.

Nmap actually does have that capability.  Doug added it last year.
But the version detection signatures need to be augmented.  Look at Josh's mail:
Are you referring to my banner patch?


I had is that for ubuntu machines there is no way to turn off the
banner for ssh. Therefore, the response is
SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3 which clearly identifies
the machine as 2.6 since ubuntu doesn't have a version for 2.4.

Here is the current match line:

match ssh m/^SSH-([.\d]+)-OpenSSH[_-]([\S ]+)/i p/OpenSSH/ v/$2/ i/protocol $1/

But I could you could add this more specific right above that line:

match ssh m/^SSH-([.\d]+)-OpenSSH[_-](\S+ Debian-7ubuntu3)/i o/Linux/ p/OpenSSH/ v/$2/ i/protocol $1/

Now Nmap will tell you that version detection thinks the OS is Linux.
It will also print the stack fingerprinting OS detection results.  It
is useful to have both separately rather than try to merge them,
because of cases like a Checkpoint firewall which redirects
port 22 to a Linux box.

I added the signature above, but it is so specific that it won't do
much on its own.  SSH is so common that we might want to do a survey
of SSH banners on the internet and look at what information we can get
from them.  Geez, if only I had a way to ask Nmap to run a small LUA
script to quickly collect this information for each open port 22 it
finds :).  But seriously, it wouldn't be very hard to do now.  Once
you have all the banners, you could sort by frequency and write
special signatures for all of the popular ones.

An alternative to the scan would be to remove the space in "[\S ]" in
the current generic match line.  Then people would start submitting
these non-matches.  I don't think I can bear to break Nmap (even
temporarily) like that when the SSH survey would be easy enough.  I'll
add it to the possible TODO list.  Or if anyone else wants to take up
this torch, you're welcome to!

I think that if the user could have access to the banner that
they would be able to determine this information more easily.
Again, I'm sure there might be other services say for windows or
something that might be of use as well. Therefore, if we had
people able to have the scan with the banner included in the xml
we could parse that in a survey or something.

Any chance, Fyodor to include the 4.03 version of the patch or
perhaps review it?

http://seclists.org/lists/nmap-dev/2006/Apr-Jun/0248.html

--Josh

Cheers,
-F


-- 
Joshua D. Abraham
Northeastern University
College of Computer and Information Science
www.ccs.neu.edu/home/jabra


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault