Nmap Development mailing list archives
Re: Automatic generation of OS probes
From: marilyn monroe <marylinmonroessss () gmail com>
Date: Tue, 28 Jul 2015 15:49:01 -0400
David, very interesting paper indeed.

The research paper makes an interesting statement: "Nmap’s developers face the constant battle of finding new probes and re-examining existing ones to keep the Nmap classification database up-to-date." No further citation is provided on this part, but I assume it is an assumption based on the amount of work behind maintaining the database.

"if a response packet contains the WScale TCP option, then the amount of memory on the remote host can influence the response packet's WScale value"

Does this influence the actual Nmap fingerprinting technique, and does this suggest we could experiment with this in the Nmap fingerprinting implementation?

On Tue, Jul 28, 2015 at 1:08 PM, David Fifield <david () bamsoftware com> wrote:
Here is a nice paper from 2010 that evaluates automatic generation of OS probes and signatures. Section 3.2: "The probe generator produces a large set of non-fragmented network packets by assigning randomly generated values to various IP and TCP fields, subject to the constraints that packets must be well-constructed and routable to a target machine." They encounter problems with the idea and conclude in part that "automatic techniques can help identify candidate signatures, but our results suggest that manual expertise will remain an integral part of fingerprint generation."

https://homes.cs.washington.edu/~yoshi/papers/fuzzing_aisec2010.pdf

To find out what packet differences are truly attributable to OS differences, they turned to source code. Section 4.2.1 has something I didn't know before: "if a response packet contains the WScale TCP option, then the amount of memory on the remote host can influence the response packet's WScale value."

_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
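The WScale point raised in the thread above (a response field that varies with host memory rather than OS version) is illustrated by the following added example, which is not code from the thread, from Nmap or from the cited paper. It parses the TCP options of a constructed SYN-ACK, extracts the fields a signature would compare, and treats WScale as a field whose mismatch alone should not reject a match; the feature names and the `UNSTABLE` set are assumptions made for this illustration.

```python
import struct

# Constructed sample: the options portion of a TCP SYN-ACK header
# (MSS 1460, NOP, NOP, SACK-permitted, NOP, WScale 7). Not captured
# from any real host.
SAMPLE_OPTIONS = bytes.fromhex("020405b4" "0101" "0402" "01" "030307")

# Option kinds per the TCP option registry: 2 = MSS, 3 = WScale, 4 = SACK-permitted.
def parse_tcp_options(opts: bytes) -> dict:
    """Parse a TCP options blob into {kind: value_bytes}, in wire order.
    EOL (kind 0) and NOP (kind 1) carry no length byte and are handled
    separately; every other option is kind, length, value."""
    result = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP: one byte of padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        result[kind] = opts[i + 2:i + length]
        i += length
    return result

def fingerprint_features(opts: bytes) -> dict:
    """Extract the fields a signature would compare (assumed names)."""
    o = parse_tcp_options(opts)
    return {
        "mss": struct.unpack("!H", o[2])[0] if 2 in o else None,
        "sack_ok": 4 in o,
        "wscale": o[3][0] if 3 in o else None,
        "option_order": list(o),           # dict keeps insertion (wire) order
    }

# Fields that, per the paper quoted above, can depend on host resources
# rather than on the OS implementation; assumption for this example.
UNSTABLE = {"wscale"}

def signatures_match(observed: dict, signature: dict) -> bool:
    """Match on the stable fields only, so a WScale difference caused by
    the remote host's memory does not by itself reject the signature."""
    return all(observed[k] == signature[k] for k in signature if k not in UNSTABLE)
```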
Current thread:
- Automatic generation of OS probes David Fifield (Jul 28)
- Re: Automatic generation of OS probes marilyn monroe (Jul 28)
