
Nmap Development mailing list archives
Call for IPv6 OS fingerprints
From: David Fifield <david () bamsoftware com>
Date: Mon, 19 Sep 2011 12:03:28 -0700
I have just merged the IPv6 OS detection branch. What we need now are fingerprint submissions in order to start training the engine. So far it has a very small database and we need more submissions before making a release.

A summary of the rest of this message:

1. Update your Subversion checkout.

2. Run commands like these:

# ./nmap -6 -v -O -F -e eth0 --script='targets-ipv6-*' --script-args=newtargets -oN os6-%D%T.nmap
# ./nmap -6 -v -O -F scanme.nmap.org -oN os6-%D%T.nmap
# ./nmap -6 -v -O ::1 -oN os6-%D%T.nmap

3. Find the IPv6 OS fingerprints, find out exactly what operating systems the targets are running, and make submissions at http://insecure.org/cgi-bin/submit.cgi?new-os

More details:

Since this summer, Luis MartinGarcia and I have been working on an IPv6 OS detection engine for Nmap. We now have some running code that has been merged to /nmap. This is a call to collect fingerprints so that we can start growing the database quickly.

OS guess output is currently disabled. The engine is doing all the calculations behind the scenes, but I think our training corpus is yet too small to give reliable results. For this reason you will always see "No OS matches for host" even if a match has in fact been found. Use the -d2 option to override this and see the match anyway (if available).

Submission works like always: go to http://insecure.org/cgi-bin/submit.cgi?new-os
IPv6 fingerprints are being directed into a separate queue.

The fingerprints look similar to the ones you know:

TCP/IP fingerprint:
OS:SCAN(V=5.59.IPv6.BETA2%E=6%D=9/16%OT=22%CT=21%CU=30958%PV=N%DS=5%DC=I%G
OS:=Y%TM=4E73C279%P=x86_64-unknown-linux-gnu)S1(P=6000{4}28063cXX{32}0016d
OS:f764299f779b3b73879a01237c89fcf0000020405a00402080a249d3d40ff{4}0103030

The results are a list of run length–encoded packet contents with send/receive times. Some sensitive fields like IP addresses are XXed out.

(There is an exception to the XXing out: one of the OS probes is an ICMPv6 Node Information query, which can receive a list of IP addresses or host names. I think these should be XXed out, but they aren't yet, because we don't have many examples of responses to this probe yet and I think we should have some raw examples to understand it better. For example, an apparent bug causes some systems to send host names when they should send IP addresses, but we haven't seen any counterexamples to this "bug" yet, so we don't yet know if it's useful for OS detection.)

Here's a description of some commands to run.

# ./nmap -6 -v -sL -e eth0 --script='targets-ipv6-*' --script-args=newtargets -oN os6-%D%T.nmap
# ./nmap -6 -v -O -F -e eth0 --script='targets-ipv6-*' --script-args=newtargets -oN os6-%D%T.nmap

This will run Weilin's multicast host discovery scripts to find hosts on the given interface. (Replace "eth0" with whatever is appropriate for you.) The first command only previews the addresses that will be scanned and the second command actually scans them. Then, after scanning is done, you can look at the addresses in the output and match them up with devices on your network. This can be easier than trying to manually enumerate all your IPv6 devices. The above command will work even if you don't have IPv6 connectivity to the Internet. It only scans the local network. You might be surprised to find some IPv6-enabled devices you didn't know about.

Fyodor said that the targets-ipv6-multicast-invalid-dst.nse script messed up his eth0 interface; he had to do "ifdown eth0; ifup eth0" to restore it. We haven't had any other reports of this, so I left the script in the above command. If it happens to you, try using 'targets-ipv6-multicast-echo,targets-ipv6-multicast-slaac' instead.

# ./nmap -6 -v -O -F scanme.nmap.org -oN os6-%D%T.nmap

We need over-Internet fingerprints too, because they often differ from local ones. It's helpful if lots of people scan scanme, because then we get fingerprints under different network conditions. If you scan remote hosts like this, make sure you know the operating system--don't just guess. If you do scanme, you can enter "Linux 2.6.39" as the uname.

# ./nmap -6 -v -O ::1 -oN os6-%D%T.nmap

Localhost scans are easy even if you don't have access to the IPv6 Internet. Fingerprints also tend to differ from remote scans.

The IPv6 OS detection engine works differently from the IPv4 engine, in ways that I hope will make it more robust and easier to maintain. I will write up separate documentation on how it works.

David

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
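The fingerprint format shown in the message can be checked mechanically before submitting. The following is an added example, not code from Nmap or from the message: it joins the wrapped OS: lines, splits the SCAN and S1 tests, expands the run-length-encoded P= packet and decodes the IPv6 and TCP headers it contains. The encoding rules are an assumption inferred from the sample (a hex byte followed by {n} stands for n copies of that byte; redacted address bytes are written as XX), checked by the fact that the expansion yields a well-formed IPv6 header (version 6, payload length 40, next header 6 = TCP). Because the third OS: line is cut off in the archive, the packet ends inside the last TCP option; the decoder reports that as a truncated option and a leftover nibble instead of failing.

```python
"""Decode the packet part of an Nmap IPv6 OS fingerprint submission.
Added example, not Nmap code. Assumed encoding (inferred from the sample
in the message): hex bytes, "bb{n}" = byte bb repeated n times, redacted
address bytes written as "XX"."""
import re
import struct

# The three wrapped lines from the message; the third is cut off there too.
SAMPLE = """\
OS:SCAN(V=5.59.IPv6.BETA2%E=6%D=9/16%OT=22%CT=21%CU=30958%PV=N%DS=5%DC=I%G
OS:=Y%TM=4E73C279%P=x86_64-unknown-linux-gnu)S1(P=6000{4}28063cXX{32}0016d
OS:f764299f779b3b73879a01237c89fcf0000020405a00402080a249d3d40ff{4}0103030
"""

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]
TOKEN = re.compile(r"([0-9a-fA-F]{2}|XX)(?:\{(\d+)\})?")  # one RLE token
TEST = re.compile(r"([A-Z0-9]+)\(([^()]*)(?:\)|$)")       # NAME(body), ')' may be missing

def join_lines(text):
    """Drop the 'OS:' wrapping prefixes and concatenate the fingerprint."""
    return "".join(line[3:] for line in text.splitlines() if line.startswith("OS:"))

def parse_tests(fp):
    """'NAME(k=v%k=v)NAME(...)' -> {name: {k: v}}; a cut-off last test is kept."""
    return {name: dict(kv.split("=", 1) for kv in body.split("%") if "=" in kv)
            for name, body in TEST.findall(fp)}

def rle_decode(p):
    """Expand a P= value. Returns (packet, redacted mask, leftover text).
    'XX' bytes decode as 0x00 and are True in the mask; leftover is any
    trailing fragment that is not a whole byte (a cut-off line)."""
    out, mask, pos = bytearray(), [], 0
    for m in TOKEN.finditer(p):
        if m.start() != pos:
            raise ValueError("unexpected text at offset %d: %r" % (pos, p[pos:m.start()]))
        pos = m.end()
        tok, count = m.group(1), int(m.group(2) or 1)
        out += bytes([0 if tok == "XX" else int(tok, 16)]) * count
        mask += [tok == "XX"] * count
    return bytes(out), mask, p[pos:]

def parse_tcp_options(opts):
    """Walk a TCP option list, naming the common kinds; stop at a cut-off option."""
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            parsed.append(("EOL", None))
            break
        if kind == 1:
            parsed.append(("NOP", None))
            i += 1
            continue
        # Length byte missing, shorter than the minimum 2, or running past the data.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            parsed.append(("TRUNCATED", kind))
            break
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            parsed.append(("MSS", struct.unpack("!H", data)[0]))
        elif kind == 3 and length == 3:
            parsed.append(("WSCALE", data[0]))
        elif kind == 4 and length == 2:
            parsed.append(("SACK_PERM", None))
        elif kind == 8 and length == 10:
            parsed.append(("TIMESTAMP", struct.unpack("!II", data)))
        else:
            parsed.append(("OPT%d" % kind, data.hex()))
        i += length
    return parsed

def decode_ipv6_tcp(pkt):
    """Decode the fixed IPv6 header and, if the payload is TCP, the TCP header."""
    if len(pkt) < 40:
        raise ValueError("shorter than an IPv6 header")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    out = {"ipv6": {"version": vtf >> 28, "traffic_class": (vtf >> 20) & 0xFF,
                    "flow_label": vtf & 0xFFFFF, "payload_length": plen,
                    "next_header": nh, "hop_limit": hlim}, "tcp": None}
    if nh == 6 and len(pkt) >= 60:
        sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", pkt[40:60])
        doff = (off_flags >> 12) * 4            # header length in bytes
        opts = pkt[60:40 + doff]                # may be short if the packet is cut off
        out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                      "flags": [f for b, f in enumerate(TCP_FLAGS) if off_flags & (1 << b)],
                      "window": win, "checksum": csum, "urgent": urg, "data_offset": doff,
                      "options": parse_tcp_options(opts),
                      "options_truncated": len(opts) < doff - 20}
    return out

def decode_submission(text):
    """Joined lines -> tests -> decoded S1 packet, plus the SCAN fields."""
    tests = parse_tests(join_lines(text))
    pkt, mask, leftover = rle_decode(tests["S1"]["P"])
    out = decode_ipv6_tcp(pkt)
    out["scan"] = tests["SCAN"]
    out["redacted_bytes"] = [i for i, r in enumerate(mask) if r]
    out["leftover"] = leftover
    return out

if __name__ == "__main__":
    import json
    print(json.dumps(decode_submission(SAMPLE), indent=1))
```

Run on the sample, the decoder reports a 40-byte IPv6 header with hop limit 60 and 32 redacted address bytes, followed by a SYN/ACK from port 22 with MSS 1440, SACK permitted and a timestamp option, then a window-scale option that is cut short and a leftover "0". A complete P= value from a real submission decodes with no leftover and no TRUNCATED entry, which is a quick sanity check on a fingerprint before it is sent in.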
Current thread:
- Call for IPv6 OS fingerprints David Fifield (Sep 19)
- Re: Call for IPv6 OS fingerprints David Fifield (Sep 21)
- Re: Call for IPv6 OS fingerprints Xu Weilin (Sep 23)
- Re: Call for IPv6 OS fingerprints David Fifield (Sep 23)
- Re: Call for IPv6 OS fingerprints Xu Weilin (Sep 24)
- Re: Call for IPv6 OS fingerprints Xu Weilin (Sep 23)
- Re: Call for IPv6 OS fingerprints Fyodor (Sep 24)
- Re: Call for IPv6 OS fingerprints David Fifield (Sep 21)