Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: GSoC Candidate Intro and Project Discussion
From: David Fifield <david () bamsoftware com>
Date: Mon, 28 Mar 2011 14:16:46 -0700

On Sun, Mar 27, 2011 at 04:46:14PM -0500, Dautenhahn, Nathan Daniel wrote:
Hey All-

My name is Nathan Dautenhahn. I am a second year PhD student at the
University of Illinois at Urbana-Champaign and am interested in
working with the Nmap project for GSoC 2011. With this message I would
like to get to know some of the devs, as well as outline my initial
thoughts for the project.

I would like to participate in the enhancement of Nmap's IPv6
capabilities. As I'm a researcher, I'm inclined to tackle more complex
problems such as OS detection. I have previous experience in using
statistical packet analysis to perform classification of encrypted
traffic.

At this point I still need to specify in greater detail my ideas and
scope for the project, but figured it would be good to start here to
make sure that I'm getting the right feedback throughout the process.
I will say I don't know how current IPv4 host detection occurs, and
assume that I should start there. The following lists an initial
approach I would take in order to develop host detection:

Hello Nathan. You're using the term "host detection," which is a little
confusing because it puts me in mind of "host discovery," which is a
topic separate from OS detection (see chapter 3 of the Nmap book or
http://nmap.org/book/man-host-discovery.html). The reference for OS
detection is http://nmap.org/book/osdetect.html.

Host discovery (ping scanning) on IPv6 networks is another open research
area.

 *   Review IPv4 host recognition techniques and other literature on the subject
 *   Review IPv6 RFC Specification
 *   It seems as though host detection is very specific to the OS and
 other implementation specific issues, and as such profiling the
 different systems seems like a good first step. I would manually
 review packet traces from each OS in order to find any unique state
 produced by the system.
 *   Review other state output visible to the network. This task would
 be focused on exposing any unexpected state that could be used for
 host detection.

Can you give examples of state output? I don't know what you mean.

 *   After manually analyzing these traces and other output from the
 hosts I would start to develop some type of classification of
 different types of data we find valuable in performing host
 recognition.
 *   Would need to analyze and define what type of
 pattern/classification technique we will use.

This is an interesting topic. Nmap's IPv4 matching algorithm just uses a
weighted sum of passing tests. A few months ago I did a small research
project into using a support vector machine for classification, with
some success. This is the paper, which also has some useful references:
http://seclists.org/nmap-dev/2011/q1/156.

 *   The next thing would be to build some type of initial prototype
 and see how it does.

This is a good point. We don't have to settle for testing in a lab when
there are so many Nmap users. A good project plan will include ideas to
enable testing by interested users.

 *   Then make modifications and recurse over testing and modification
 until the application performs as desired.

Like I said this is a very raw initial approach. Please provide any
feedback to point the project in a direction that would better serve
Nmap.

I have a few questions:

 *   What is the potential for publication coming from this work?
 Would Nmap be okay if attempted this, and would there be interest
 from Nmap to participate in this?

I don't have a feel for what kind of work is publishable. But I can say
that this not a project to be done and then forgotten about--it has to
be usable and maintainable for years to come.

 *   Is this too advantageous of a project, or would I also need to
 add in some other work?

I think OS detection is a big enough project on its own.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault