General procedure
- fingermatch. Run it first. If you get a perfect match, merge the submission's description into the existing database entry if it adds anything, and move on to the next submission.
- fingerdiff against the best matches. If the submission is of low quality, skip it.
- fingerfix. For a fingerprint that is new to the database, run fingerfix with no arguments and add its output to the file. For one that matches an existing entry, replace the existing fingerprint with the new merged one.
- fingermatch again. This is important: make sure the results are what you expect, i.e. the submission now matches the entry you just added or changed.
Guidelines
- Fingerprints with a name and email address carry more weight.
- If the description of the OS in the Fingerprint line isn't specific (e.g. "Fedora Core 6" or "winxp" with no kernel version or service pack), skip it. Even if it's a match, it doesn't have any new information to add.
- If you skipped low-quality fingerprints for a new OS, run them through fingermatch once you have a good fingerprint for that OS, to see whether they match it.
- Delete private information from the submission such as host names and IP addresses.
- You can write to the email address if you need more information, but don't bother unless it's an unusual platform.
- If you're not sure what to do with a submission, check the queue for similar submissions.
- To stable-sort an entry so you can compare two database entries line by line, do
sort -s -k1.1,1.3
(the key is the first three characters of each line, so the test lines come out in a fixed order while lines with equal keys, such as several Class lines, keep their original order).
- Check for typos in Class lines:
grep ^Class nmap-os-db | cut -d \| -f 1 | sort | uniq | less
- If you see a TTL that's off by one (T=81 or similar), and the distance is greater than one or you don't have a MAC address for the target, be suspicious of network conditions. The T value is the initial TTL inferred from the TTL of the received packets plus the estimated hop distance, so a mis-estimated distance shifts it by one; a MAC address means the target was on the local network, where the distance is known.
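The checks behind these guidelines, collected as shell functions. This is an added example written for this page, not code from the nmap project or from its fingermatch, fingerdiff and fingerfix scripts; the function names, the rule that a Class line needs a vendor, OS family and device type, and every sample fingerprint and Class line used below are assumptions and constructed data, not taken from nmap-os-db.

```shell
#!/bin/sh
# Helper functions for the guidelines above, written for this page as an
# illustration; they are not part of nmap's fingermatch/fingerdiff/fingerfix
# tools, and every sample input here is constructed.
# Only POSIX sh, sed -E, awk, grep, cut, sort and uniq are used.

# scrub_private: replace IPv4 addresses and dotted host names on stdin with
# placeholders before the submission goes anywhere near the database. A
# kernel version such as 2.6.18 survives because its last label is not
# alphabetic, but a four-part version such as 2.6.18.8 looks like an IP
# address, so diff the result against the original before keeping it.
scrub_private() {
    sed -E ':ip
s/(^|[^0-9.])([0-9]{1,3}\.){3}[0-9]{1,3}([^0-9.]|$)/\1[ip]\3/
t ip
:host
s/(^|[^A-Za-z0-9.-])([A-Za-z0-9-]+\.)+[A-Za-z]{2,}([^A-Za-z0-9.-]|$)/\1[host]\3/
t host'
}

# sort_fp: the stable sort from the guideline, in the C locale so the
# three-character key ("Cla", "SEQ", "T1(", ...) collates the same everywhere.
sort_fp() {
    LC_ALL=C sort -s -k1.1,1.3
}

# fp_same: 0 if two entries are identical once both are stable-sorted, so a
# different order of the test lines alone does not count as a difference.
fp_same() {
    [ "$(sort_fp < "$1")" = "$(sort_fp < "$2")" ]
}

# rare_class_vendors: vendors that occur exactly once in the Class lines of
# a database file. A misspelt vendor ("Micosoft") usually shows up as a
# singleton next to its correctly spelt neighbours; this is the
# grep/cut/sort/uniq pipeline from the guideline with a count added.
rare_class_vendors() {
    grep '^Class' "$1" | cut -d '|' -f 1 | sed 's/ *$//' \
        | LC_ALL=C sort | uniq -c \
        | awk '$1 == 1 { $1 = ""; sub(/^ */, ""); print }'
}

# class_complete: 0 if every Class line in a submission has a vendor, an OS
# family and a device type. The OS generation may be empty, as it is for
# "Class D-Link | embedded || WAP" style entries. "Class || |" and
# "Class Vendor || |" fail. Which fields fingermatch itself insists on is
# not stated on this page, so the rule is an assumption covering those two.
class_complete() {
    grep '^Class' "$1" | awk -F'|' '
        { n++; sub(/^Class/, "", $1) }
        NF != 4 { bad = 1 }
        $1 ~ /^[ \t]*$/ || $2 ~ /^[ \t]*$/ || $4 ~ /^[ \t]*$/ { bad = 1 }
        END { exit (n == 0 || bad) ? 1 : 0 }'
}

# ttl_suspects: print the T= values of the T1-T7, U1 and IE lines on stdin
# that sit one above or below a common initial TTL (0x20, 0x40, 0x80, 0xFF)
# without being one, e.g. T=81. Such a value usually means the hop distance
# was mis-estimated, not that the OS really starts at TTL 129. Ranges such
# as T=7B-85, which appear in database entries, are skipped.
ttl_suspects() {
    awk -F'[()%]' '
        function hex(s,    i, n) {
            n = 0
            for (i = 1; i <= length(s); i++)
                n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
            return n
        }
        BEGIN { split("32 64 128 255", t, " "); for (k in t) canon[t[k]] = 1 }
        /^(T[1-7]|U1|IE)\(/ {
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 2) != "T=") continue
                v = substr($i, 3)
                if (v !~ /^[0-9A-F]+$/) continue
                n = hex(v)
                if (!(n in canon) && ((n - 1) in canon || (n + 1) in canon))
                    printf "%s: T=%s (%d)\n", $1, v, n
            }
        }'
}

# Stand-alone demo on a constructed line.
printf 'uname -a: Linux myhost.example.com 2.6.18 from 192.168.1.20\n' | scrub_private
```

Run scrub_private on the submission and diff its output against the original before pasting anything into fingermatch. ttl_suspects only finds the odd T values; whether the distance or a missing MAC address explains them is still your call.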
Observations
- There were some Linux submissions with tcp_timestamps disabled (the net.ipv4.tcp_timestamps sysctl set to 0). They seem not to have been integrated in the past.
- It's "Windows 2000 Server" but "Windows Server 2003" and "Windows Server 2008".
Omission and confusion
uname on Mac OS X prints the Darwin kernel version but not the OS version. Having the OS version would be nice; sw_vers prints it.
With a Class line whose fields are left empty, such as
->Class || |
or
->Class Vendor || |
fingermatch doesn't run.
Almost everyone who doesn't have a uname or winver puts the OS name in the "Notes" section, so it doesn't end up on the "Fingerprint" line (which is otherwise blank).
Someone said:
I recommend asking for "System Information" (Start->All Programs->Accessories->System Tools->System Information) instead of "WinVer", since it has more detailed info and is easy to provide (copy-paste or export and attach). Unfortunately, there is a small difference between the WinVer info and the "Hardware Abstraction Layer"; I have no idea why. Also, I do not know whether it is important for you or not.
- Unbzip2 the submission and correction mboxes from email.
- svn update in nmap-dev and make.
- Copy nmap-os-db from the nmap directory to the nmap-dev working directory.
- Open up two tall xterms, each with a Screen session running.
- Left xterm, screen 1: used for fingermatch and fingerdiff.
- Left xterm, screen 2: editor open on nmap-os-db.
- Right xterm, screen 1: mutt -f nmapsubmit-osfp-XXXX.mbox.
- Open up Google in the background.
- Copy the fingerprint from Mutt.
- In screen 1 of the left xterm, paste the fingerprint into fingermatch.