mailing list archives
Re: [Patch] Improving OS Detection
From: John <nmap-dev () johnbond org>
Date: Mon, 07 Jul 2014 11:40:03 +0200
On 04/07/14 21:45, Daniel Miller wrote:
On Fri, Jul 4, 2014 at 1:46 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:
If anyone else has ideas on how to avoid choosing ports that are actually
responses by a firewall, I'd welcome them. This goes for TCP ports in open
and closed states, and closed UDP ports (ICMP Port Unreachable responses).
I normally use the TTL to try and determined if the repose is coming
from a middle box. This type of stuff is no longer my day job but i
never came across a middle box that faked the TTL of the destination.
That said like everything NAT is a bitch. if the middle box is also the
NAT device (which is common) then the TTL is always going to be equal to
the middle box. So not perfect but might be something else to consider
in the classification.
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/