Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Nmap Hackers: OS fingerprinting technique

OS fingerprinting technique

From: olivier courtay <olivier.courtay_at_intranode.com>
Date: Thu, 18 Apr 2002 15:44:18 +0200

Carefully studying the way TCP works, especially some timer value
inside the TCP stack, we have derived on a new technique for remote OS
detection, based on temporal response analysis.

The idea is quite simple: send a TCP SYN packet to an open port on a
remote system, and listen the different answers (usually successive
SYN/ACK packets). By measuring the number of response, the delay
between retries, and the optional presence of a "RST" packet after a
few answers, we can easily recognize some operating systems.
The nice thing is that it only required to send one packet on an open
TCP port, which make this method really quiet.

As a proof of concept, we also developed a standalone tool "RING"
that will perform these testings and identifications, using a signature
file.

A patch for Nmap-2.54BETA32 is being prepared and should be released
anytime soon
At the moment, ring and nmap OS fingerprinting methods are launched
simulteamously
but results aren't merged for better accuracy.
If you want to try this patch, please send me an
email(ring_at_intranode.com).

More information is available at:
http://www.intranode.com/site/techno/techno_articles.htm

The open source tool can be downloaded from:
http://www.intranode.com/pdf/techno/ring-0.0.1.tar.gz

The open source tool for Linux2.4 kernel can be downloaded from:
http://www.intranode.com/pdf/techno/ring-0.0.1-Linux-2.4.tar.gz

The full, 13 pages, white paper is available at:
http://www.intranode.com/pdf/techno/ring-full-paper.pdf

We will be very happy to get your feedback on this technique.
Feel free to contact us at: ring_at_intranode.com

Thanks,
Olivier 

-- 
________________________________
Olivier  Courtay
Research Engineer 
tel: +33 (0) 223 455 524
fax: +33 (0) 223 455 501
mailto: olivier.courtay_at_intranode.com
http://www.intranode.com
Intranode Software Technologies
Security you can see.
--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Apr 18 2002
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]