Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [Patch] Improving OS Detection
From: John <nmap-dev () johnbond org>
Date: Mon, 07 Jul 2014 11:55:45 +0200

On 07/07/14 11:40, John wrote:
On 04/07/14 21:45, Daniel Miller wrote:
On Fri, Jul 4, 2014 at 1:46 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:
If anyone else has ideas on how to avoid choosing ports that are actually
responses by a firewall, I'd welcome them. This goes for TCP ports in open
and closed states, and closed UDP ports (ICMP Port Unreachable responses).
I normally use the TTL to try and determined if the repose is coming
from a middle box.  This type of stuff is no longer my day job but i
never came across a middle box that faked the TTL of the destination.
That said like everything NAT is a bitch.  if the middle box is also the
NAT device (which is common) then the TTL is always going to be equal to
the middle box.  So not perfect but might be something else to consider
in the classification.
Actually im not sure that last bit about nat is true.  I'm sure NAT will
confuse things but i think NAT devices will just change source and/or
destination fields as appose to writing a completely new ip header.


Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]