Nmap Development mailing list archives

Re: Remote OS detection in IPv6


From: David Fifield <david () bamsoftware com>
Date: Thu, 7 Aug 2014 20:04:11 -0700

On Tue, Jul 08, 2014 at 09:59:00PM +0200, Mathias Morbitzer wrote:
> In March, I gave a presentation at Troopers14 about new ideas for
> Remote OS detection / OS fingerprinting in IPv6. It can be found here:
> https://www.troopers.de/wp-content/uploads/2013/11/TROOPERS14-Remote_OS_Detection_with_IPv6-Mathias_Morbitzer.pdf
>
> Now I would like to see some of those methods in Nmap. But before
> getting on it, I would like to discuss with you which methods are the
> most interesting to be implemented.
>
> There are some things which shouldn't be much work to implement, since
> Nmap already has most of the code which would be necessary. An example
> for this is the analysis of the IPv6 fragmentation ID sequence. All
> the code to detect the type of sequence (incremental, random, ...) is
> already there, it just needs to be integrated into the OS detection.
>
> Then there are things which are in my opinion also a good idea to
> implement since they do not require any additional packets to be sent.
> An example for this is the analysis of the hop limit field, which is
> in any IPv6 packet received from the target, and can allow a basic
> distinction between different types of OSs (Windows, Unix, etc.).

Thanks for sharing your presentation.

Adding features that don't require new probes to be sent is really easy.
One of our IPv6 OS integration programs, vectorize.py, has a commented
list of features that are not yet implemented:

https://svn.nmap.org/nmap-exp/luis/ipv6tests/vectorize.py ("Features to do.")

The reason it's easy to add new features is that our IPv6 database
contains complete packets (except for fields like the source and
destination).  We dynamically recompute the training features from the
training set every time.

https://svn.nmap.org/nmap-exp/luis/ipv6tests/nmap.groups

What you could try is implementing your new features in vectorize.py
(and add them to the list in nmap.set), and then test their
effectiveness by running the integration programs. There's a brief howto
here:

https://secwiki.org/w/Nmap/IPv6_OS_Integration

> And then finally, there is my favorite method of this presentation,
> which is the fingerprinting by using ICMPv6 time exceeded messages.
> The thing I really like about this is that if we have for example a
> Windows system with an active firewall, we would still be able to
> determine that it's a Windows system (based on the hop limit which I
> mentioned earlier). Furthermore, it is possible to detect if the
> system is running a version of Windows older or newer/equal to Windows
> 7 based on the assignment of the fragment ID (incremental for <
> Windows 7, incremental by 2 for >= Windows 7).
>
> But of course, there are also a lot of other ideas in the presentation
> which trigger different responses from different OSs, such as playing
> around with the IPv6 extension headers.

I'm not sure of the best way to handle new features that require sending
new probes. We'd have to decide what to do with all the existing
database entries that lack the probe. But in any case, I think adding
new features is likely to be a win for classification.

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
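The two passive features discussed in the thread (fragment ID sequence type and hop limit), as an added illustration that is not part of the original messages and not code from Nmap or from vectorize.py. It assumes a minimal parser that only looks at a Fragment header placed directly after the fixed IPv6 header (real extension-header chains would need to be walked), treats 64/128/255 as the usual initial hop limit defaults (a heuristic, not a fact from the thread), and uses arbitrary thresholds for what counts as "incremental"; the sample packets are constructed inline, not captured traffic.

```python
import struct

IPV6_HDR_LEN = 40
NEXT_HDR_FRAGMENT = 44        # IPv6 Fragment extension header
NEXT_HDR_NONE = 59            # "No Next Header"
COMMON_INITIAL_HOP_LIMITS = (64, 128, 255)   # assumed typical OS defaults (heuristic)


def build_ipv6_fragment(hop_limit, frag_id, payload=b"\x00" * 8):
    """Build a constructed IPv6 packet whose first extension header is a
    Fragment header. Addresses are all-zero; this is sample input, not a capture."""
    payload_len = 8 + len(payload)                    # fragment header + payload
    ipv6 = struct.pack("!IHBB16s16s",
                       0x60000000,                    # version 6, class 0, flow label 0
                       payload_len, NEXT_HDR_FRAGMENT, hop_limit,
                       b"\x00" * 16, b"\x00" * 16)
    # Fragment header: next header, reserved, offset/flags, identification
    frag = struct.pack("!BBHI", NEXT_HDR_NONE, 0, 0, frag_id)
    return ipv6 + frag + payload


def parse_ipv6_fragment(pkt):
    """Return (hop_limit, fragment_id) from an IPv6 packet, or None if it is
    not IPv6 or the Fragment header does not directly follow the fixed
    header (simplification: extension-header chains are not walked)."""
    if len(pkt) < IPV6_HDR_LEN + 8 or (pkt[0] >> 4) != 6:
        return None
    next_hdr, hop_limit = pkt[6], pkt[7]
    if next_hdr != NEXT_HDR_FRAGMENT:
        return None
    (frag_id,) = struct.unpack("!I", pkt[IPV6_HDR_LEN + 4:IPV6_HDR_LEN + 8])
    return hop_limit, frag_id


def classify_frag_ids(ids):
    """Classify how a sequence of 32-bit fragment IDs was generated.
    The thresholds (step <= 16, gap <= 255) are arbitrary choices."""
    if len(ids) < 2:
        return "unknown"
    # differences modulo 2^32 so a counter wrapping around still looks incremental
    diffs = [(b - a) & 0xFFFFFFFF for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in diffs):
        return "constant"
    if len(set(diffs)) == 1 and 1 <= diffs[0] <= 16:
        return "incremental" if diffs[0] == 1 else "incremental by %d" % diffs[0]
    if all(1 <= d <= 255 for d in diffs):
        return "incremental with gaps"     # counter probably shared with other traffic
    return "random"


def guess_initial_hop_limit(observed):
    """Smallest assumed default hop limit >= the observed value. Heuristic:
    assumes the sender started from one of the usual defaults and the path
    was shorter than the gap between two defaults."""
    for default in COMMON_INITIAL_HOP_LIMITS:
        if observed <= default:
            return default
    return None


def fingerprint(pkts):
    """Run both passive checks over received packets and return a feature dict."""
    parsed = [p for p in (parse_ipv6_fragment(pkt) for pkt in pkts) if p]
    if not parsed:
        return {"frag_id_class": "unknown", "hop_limit_observed": None,
                "hop_limit_guess": None}
    hop_limits = [h for h, _ in parsed]
    ids = [i for _, i in parsed]
    return {
        "frag_id_class": classify_frag_ids(ids),
        "hop_limit_observed": max(hop_limits),
        "hop_limit_guess": guess_initial_hop_limit(max(hop_limits)),
    }


if __name__ == "__main__":
    # constructed sample: hop limit 119 seen on the wire, IDs stepping by 2
    sample = [build_ipv6_fragment(119, i) for i in (0x1000, 0x1002, 0x1004, 0x1006)]
    print(fingerprint(sample))
```

Both features are derived only from packets the target already sends, which is why the thread calls them cheap to add; the mapping from a given class (say "incremental by 2") to a particular OS version is the database's job and is not encoded here.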

