Re: U1 probe RUD test question
From: David Fifield <david () bamsoftware com>
Date: Thu, 2 Apr 2009 17:29:51 -0600
On Thu, Apr 02, 2009 at 02:52:42PM -0400, Thomas Tavaris J (Tavaris) wrote:
> I'm still looking at the quality of the tests that nmap sends and I have
> a question regarding the U1,RUD test. Why is this test producing a G
> value when wireshark, tshark, and tcpdump data shows no UDP data (from
> the probe) is contained in the encapsulated ICMP port unreachable
> packet? This is especially prevalent when scanning Cisco routers. The
> nmap-os-db file says Cisco IOS should report G for the RUD test. From my
> (limited) observations this hasn't been the case.
Thanks for bringing this up. There is a bug in the code that handles the
U1.RUD test. Instead of checking that the payload is 300 bytes long and
consists only of the character 'C', it only checks that every byte in
the payload is 'C' without checking the length. So the test passes even
for an empty payload.
I'm going to fix this, which will cause some OS matches to break. We'll
have to get new submissions to populate the database with correct values
for the test.
> Also, in the nmap-os-db file the MatchPoint value is 100 (which implies a
> high quality test). In my observations, over 1650 values of G appear
> in the database, which would also imply this test doesn't differentiate a
> lot of systems with this test value. Anyone have any insight?
MatchPoints isn't really a measure of the quality of a test in the sense
of differentiating many different systems, it's a measure of how
significant a difference is when it is observed. For instance, almost
all systems return 0 for the T*.RD test, but a few systems return a value
that is highly unique to the OS. It's like this: running the test isn't
likely to find a difference in an operating system, but if a difference
in the test value is observed, then that is a strong differentiator of
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
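The bug described above (an all-bytes-are-'C' loop that is vacuously true for an empty payload) is easy to reproduce in isolation. The following is an added example written for this archive page, not Nmap's own code: `rud_intact_buggy` is a reconstruction of the faulty logic the message describes, `rud_intact_fixed` adds the missing 300-byte length check, and the sample payloads are constructed inline. The letter 'I' for the non-G case is an assumption made here; the message itself only mentions the G value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Expected U1 probe payload per the message: 300 bytes of the character 'C'. */
#define U1_PAYLOAD_LEN 300
#define U1_PAYLOAD_BYTE 'C'

/* Reconstruction of the buggy check: every byte must be 'C', but the
   length is never compared. For len == 0 the loop body never runs and
   the function returns true, so an ICMP port unreachable that quotes
   no UDP data at all still yields RUD=G. */
bool rud_intact_buggy(const uint8_t *payload, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (payload[i] != U1_PAYLOAD_BYTE)
            return false;
    }
    return true; /* vacuously true when len == 0 */
}

/* Corrected check: the quoted payload must be exactly 300 bytes and
   every one of them must be 'C'. */
bool rud_intact_fixed(const uint8_t *payload, size_t len) {
    if (len != U1_PAYLOAD_LEN)
        return false;
    for (size_t i = 0; i < len; i++) {
        if (payload[i] != U1_PAYLOAD_BYTE)
            return false;
    }
    return true;
}

/* Build a constructed sample payload of n 'C' bytes into buf. */
size_t make_payload(uint8_t *buf, size_t n) {
    memset(buf, U1_PAYLOAD_BYTE, n);
    return n;
}

/* RUD test value under a given integrity check: 'G' when the quoted
   payload is judged intact, 'I' (assumed here) otherwise. */
char rud_value(bool (*check)(const uint8_t *, size_t),
               const uint8_t *payload, size_t len) {
    return check(payload, len) ? 'G' : 'I';
}

int main(void) {
    uint8_t buf[U1_PAYLOAD_LEN];
    make_payload(buf, U1_PAYLOAD_LEN);
    /* Empty quoted payload, as seen from the Cisco routers in the thread:
       the buggy check reports G, the fixed check does not. */
    char buggy = rud_value(rud_intact_buggy, buf, 0);
    char fixed = rud_value(rud_intact_fixed, buf, 0);
    return (buggy == 'G' && fixed == 'I') ? 0 : 1;
}
```

Running `main` exits 0, confirming that the same empty payload is classified G by the buggy loop and I by the length-checked version; a truncated (299-byte) or corrupted payload is likewise rejected only by the fixed check.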