Nmap Development mailing list archives

[SCRIPT] P0f syn+ack implementation


From: majek04 <majek04+nmap-dev () gmail com>
Date: Fri, 23 Feb 2007 00:29:08 +0100

Good news everyone!

I've prepared[0] the next example of usage of my nse-pcap patch[1]!
Its job is to connect to a host's TCP port and print detailed
information about the remote host, based on the TCP SYN+ACK packet.

Like always, first the example:
# sudo ./nmap --script=p0f.nse -sS -p 22 -P0 coredump.cx
Interesting ports on coredump.cx
PORT    STATE  SERVICE
22/tcp  open   ssh
|_ p0f signature: FreeBSD 4.6-4.8 (RFC1323) (distance: 3, link:
ethernet/modem, up: 3243 hrs)
Nmap finished: 1 IP address (1 host up) scanned in 0.554 seconds

Well, okay. It's nothing interesting yet. You'll have better results
using nmap's builtin -O2 option.
But this test is less intrusive. We don't send any 'specially crafted'
packets (okay, except the SYN scan packet), we just use standard connect().

All the information is gathered from the SYN+ACK packet that is sent by the host.
Then we run on this packet the tests copied from Lcamtuf's p0f[2] passive
fingerprinting tool.
Yep, we use passive fingerprinting methods on our active nmap scan.

You may ask what is interesting about this stuff. Here's the answer:
# sudo ./nmap --script=p0f.nse -sS -p 22,25,53,80,443 -P0 ovh.fr
Interesting ports on www.ovh.fr (213.186.33.33):
PORT    STATE  SERVICE
21/tcp  closed ftp
22/tcp  open   ssh
|_ p0f signature: Linux recent 2.4 (1) (distance: 9, link:
ethernet/modem, up: 835 hrs)
25/tcp  closed smtp
53/tcp  open   domain
|_ p0f signature: Linux recent 2.4 (1) (distance: 9, link:
ethernet/modem, up: 835 hrs)
80/tcp  open   http
|_ p0f signature: Linux recent 2.4 (1) (distance: 10, link:
ethernet/modem, up: 6628 hrs)
443/tcp open   https
|_ p0f signature: Linux recent 2.4 (1) (distance: 10, link:
ethernet/modem, up: 6628 hrs)
Nmap finished: 1 IP address (1 host up) scanned in 0.272 seconds

Now we can easily see that ports 80 and 443 are on a
machine behind their gateway (distance=10).
I also have another, more complicated example:
# for i in `seq 1 50`; do sudo ./nmap --script=p0f.nse -sS -P0 -p 80
www.nytimes.com |grep signature; done|sort|uniq -c
      5 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 0 hrs)
      3 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 1541 hrs)
      3 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 1639 hrs)
      6 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 166 hrs)
      1 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 173 hrs)
      3 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 1745 hrs)
      2 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 189 hrs)
      4 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 2405 hrs)
      5 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 2552 hrs)
      2 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 257 hrs)
      2 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 3604 hrs)
      3 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 385 hrs)
      1 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 4121 hrs)
      2 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 416 hrs)
      2 UNKNOWN [33304:239:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 427 hrs)
      1 UNKNOWN [33304:239:1:64:N,N,T,N,W1,N,N,S,M1460:AT:?:?] (link:
ethernet/modem, up: 25 hrs)
      1 UNKNOWN [33304:239:1:64:N,N,T,N,W1,N,N,S,M1460:AT:?:?] (link:
ethernet/modem, up: 48 hrs)
      2 UNKNOWN [33304:239:1:64:N,N,T,N,W1,N,N,S,M1460:AT:?:?] (link:
ethernet/modem, up: 51 hrs)
      2 UNKNOWN [33304:48:1:64:N,N,T,M1460,N,W1,N,N,S:AT:?:?] (link:
ethernet/modem, up: 1051 hrs)

My guess is that NYTimes has about 19 machines behind a
load-balancer (and 4 of them have a different OS than the others).


Technically my script is an implementation of p0f in Lua.
It uses p0f's signatures from p0f's file 'p0fa.fp'.

Currently p0f has only 61 signatures for syn+ack mode.
Please consider submitting some signatures to Lcamtuf.

Cheers!
  Marek Majkowski

[0] http://ai.pjwstk.edu.pl/~majek/private/nmap/nse-pcap/p0f.nse
[1] http://ai.pjwstk.edu.pl/~majek/private/nmap/nse-pcap/
[2] http://lcamtuf.coredump.cx/p0f.shtml

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
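Added example (this is not the p0f.nse script from the post, nor p0f's own code): a small Python fingerprinter that does what the post describes. It reads the fields p0f keys on from a raw IPv4 SYN+ACK (window, TTL, DF bit, packet size, option order, quirks), renders them in p0f's wwww:ttt:D:ss:OOO:QQ notation, matches against signatures written in p0fa.fp layout, and derives the "distance" and "up" values seen in the output above. The SYN+ACK bytes and the two signature entries are constructed for this example, the window/TTL/option matching rules are a simplified approximation of p0f's, and the uptime conversion assumes a 100 Hz timestamp clock, which is an assumption rather than something p0f guarantees.

```python
# Added example: a minimal p0f-style SYN+ACK fingerprinter. Not p0f.nse, not p0f.
import struct

OPT_EOL, OPT_NOP, OPT_MSS, OPT_WS, OPT_SACKOK, OPT_TS = 0, 1, 2, 3, 4, 8
MAX_DIST = 40  # assumed tolerance between a signature's initial TTL and the observed TTL

def parse_tcp_options(raw):
    """Render TCP options in p0f order notation; returns (opts, mss, ts_val, ts_ecr)."""
    opts, mss, tsval, tsecr, i = [], None, None, None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            opts.append("E"); break
        if kind == OPT_NOP:
            opts.append("N"); i += 1; continue
        if i + 1 >= len(raw):
            break                                   # truncated option header
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break                                   # malformed length: never read past the buffer
        data = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack("!H", data)[0]; opts.append("M%d" % mss)
        elif kind == OPT_WS and length == 3:
            opts.append("W%d" % data[0])
        elif kind == OPT_SACKOK and length == 2:
            opts.append("S")
        elif kind == OPT_TS and length == 10:
            tsval, tsecr = struct.unpack("!II", data)
            opts.append("T0" if tsval == 0 else "T")
        else:
            opts.append("?%d" % kind)               # unknown option kind
        i += length
    return opts, mss, tsval, tsecr

def fingerprint_synack(pkt):
    """Return (signature, info) for a raw IPv4 SYN+ACK: IP header + TCP header, no link layer."""
    ver_ihl, _tos, total_len, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    assert proto == 6, "not TCP"
    tcp = pkt[(ver_ihl & 0x0F) * 4:total_len]
    _sp, _dp, _seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    opts, mss, tsval, tsecr = parse_tcp_options(tcp[20:doff])
    # Quirk subset: Z zero IP ID, U urgent pointer, A non-zero ACK, T non-zero 2nd timestamp,
    # F flags beyond SYN+ACK, D payload present. p0f defines more; these suffice here.
    quirks = ""
    if ip_id == 0: quirks += "Z"
    if urg: quirks += "U"
    if ack: quirks += "A"
    if tsecr: quirks += "T"
    if flags & ~0x12: quirks += "F"
    if len(tcp) > doff: quirks += "D"
    sig = "%d:%d:%d:%d:%s:%s" % (window, ttl, 1 if frag & 0x4000 else 0, total_len,
                                 ",".join(opts), quirks or ".")
    return sig, {"mss": mss, "tsval": tsval, "ttl": ttl, "window": window}

def estimate_distance(ttl):
    """Guess the initial TTL as the next common value (32/64/128/255); return hops travelled."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return 0

def uptime_hours(tsval, hz=100):
    """TCP timestamp to hours since boot, ASSUMING a 100 Hz clock (real rates vary by OS)."""
    return tsval // (hz * 3600)

def parse_db(text):
    """Parse lines in p0fa.fp layout: wwww:ttt:D:ss:OOO...:QQ:OS:Details."""
    db = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        w, ttl, df, size, opts, quirks, os_, details = line.split(":", 7)
        db.append((w, int(ttl), int(df), int(size), opts.split(","), quirks, os_, details))
    return db

def _window_ok(spec, window, mss, mtu=1500):
    if spec == "*": return True
    if spec[0] == "S": return bool(mss) and window == int(spec[1:]) * mss   # multiple of MSS
    if spec[0] == "T": return window == int(spec[1:]) * mtu                 # multiple of MTU
    if spec[0] == "%": return window % int(spec[1:]) == 0
    return window == int(spec)

def _opts_ok(spec, opts):
    if len(spec) != len(opts): return False
    return all(s == o or (s in ("M*", "W*") and o[0] == s[0]) for s, o in zip(spec, opts))

def match_signature(sig, mss, db):
    """Approximate p0f matching; returns 'OS Details (distance: n)' or an UNKNOWN line."""
    w, ttl, df, size, opts, quirks = sig.split(":")
    ttl, df, size, opts = int(ttl), int(df), int(size), opts.split(",")
    for sw, sttl, sdf, ssize, sopts, sq, os_, details in db:
        if not _window_ok(sw, int(w), mss): continue
        if not (ttl <= sttl < ttl + MAX_DIST): continue   # TTL only decreases on the way to us
        if sdf != df or ssize != size: continue
        if not _opts_ok(sopts, opts) or sorted(sq) != sorted(quirks): continue
        return "%s %s (distance: %d)" % (os_, details, sttl - ttl)
    return "UNKNOWN [%s:?:?]" % sig

def build_synack(ttl=239, window=33304, tsval=444240000, tsecr=1, ip_id=0x1234):
    """Constructed SYN+ACK: NOP,NOP,TS,MSS 1460,NOP,WS 1,NOP,NOP,SACKOK (24 option bytes)."""
    options = (bytes([OPT_NOP, OPT_NOP, OPT_TS, 10]) + struct.pack("!II", tsval, tsecr)
               + bytes([OPT_MSS, 4]) + struct.pack("!H", 1460)
               + bytes([OPT_NOP, OPT_WS, 3, 1, OPT_NOP, OPT_NOP, OPT_SACKOK, 2]))
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", 80, 40000, 0x11223344, 0x55667789,
                      (doff << 12) | 0x12, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

# Constructed entries in p0fa.fp layout; NOT real signatures from p0f's database.
SAMPLE_DB = """
# wwww:ttt:D:ss:OOO...:QQ:OS:Details
33304:255:1:64:N,N,T,M*,N,W*,N,N,S:AT:ExampleBSD:4.x (constructed entry)
S4:64:1:60:M*,S,T,N,W0:.:ExampleLinux:2.6 (constructed entry)
"""

if __name__ == "__main__":
    sig, info = fingerprint_synack(build_synack())
    print(sig)
    print(match_signature(sig, info["mss"], parse_db(SAMPLE_DB)))
    print("distance guess:", estimate_distance(info["ttl"]), "up:", uptime_hours(info["tsval"]), "hrs")
```

The UNKNOWN line the script prints carries the raw signature in exactly this layout, which is what you would send to Lcamtuf to turn an unknown host into a p0fa.fp entry; note that the entry records the sender's initial TTL (255 here), whereas the raw line shows the TTL as observed (239), so distance is only meaningful once a match pins down the initial value.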

