Nmap Hackers: Re: OS fingerprinting technique

Re: OS fingerprinting technique

From: olivier courtay <olivier.courtay_at_intranode.com>
Date: Fri, 19 Apr 2002 14:40:21 +0200

Hello,

Lots of people want the Ring patch for Nmap.
Please find enclosed the first release of the Nmap patch.

In order to apply the patch, follow the instructions below:

        Install Libnet (1.0.2a) (www.packetfactory.net/Projects/Libnet)
        Install Libdnet (1.2) (libdnet.sourceforge.net)
        Get the nmap-2.54BETA32.tgz source tarball (www.insecure.org)
        Untar the source: tar zxvf nmap-2.54BETA32.tgz
        Go to the source directory nmap-2.54BETA32
        Uncompress the patch in this directory: gunzip nmap-Ring.patch.gz
        Apply the Ring patch:

        patch -p 1 < nmap-Ring.patch

        If you have a Linux 2.4 kernel, edit filter.h and follow the instructions.

        For installation, follow the Nmap INSTALL file instructions (./configure && make).

        Use the --ring option when you call Nmap
        (example: nmap --ring -O 192.168.1.1)

We will be very happy to get your feedback on this technique.
Feel free to contact us at: ring_at_intranode.com

Regards,
Olivier

olivier courtay wrote:
>
> Carefully studying the way TCP works, especially some timer values
> inside the TCP stack, we have derived a new technique for remote OS
> detection, based on temporal response analysis.
>
> The idea is quite simple: send a TCP SYN packet to an open port on a
> remote system, and listen for the different answers (usually successive
> SYN/ACK packets). By measuring the number of responses, the delay
> between retries, and the optional presence of a "RST" packet after a
> few answers, we can easily recognize some operating systems.
> The nice thing is that it only requires sending one packet to an open
> TCP port, which makes this method really quiet.
>
> As a proof of concept, we also developed a standalone tool "RING"
> that will perform these tests and identifications, using a signature
> file.
>
> A patch for Nmap-2.54BETA32 is being prepared and should be released
> anytime soon.
> At the moment, ring and nmap OS fingerprinting methods are launched
> simultaneously, but results aren't merged for better accuracy.
> If you want to try this patch, please send me an
> email (ring_at_intranode.com).
>
> More information is available at:
> http://www.intranode.com/site/techno/techno_articles.htm
>
> The open source tool can be downloaded from:
> http://www.intranode.com/pdf/techno/ring-0.0.1.tar.gz
>
> The open source tool for the Linux 2.4 kernel can be downloaded from:
> http://www.intranode.com/pdf/techno/ring-0.0.1-Linux-2.4.tar.gz
>
> The full 13-page white paper is available at:
> http://www.intranode.com/pdf/techno/ring-full-paper.pdf
>
> We will be very happy to get your feedback on this technique.
> Feel free to contact us at: ring_at_intranode.com
>
> Thanks,
> Olivier

-- 
________________________________
Olivier  Courtay
Research Engineer 
tel: +33 (0) 223 455 524
fax: +33 (0) 223 455 501
mailto: olivier.courtay_at_intranode.com
http://www.intranode.com
Intranode Software Technologies
Security you can see.



Received on Apr 19 2002
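
The temporal analysis described in the quoted announcement (count the SYN/ACK retransmissions, measure the delays between them, note whether a RST closes the series), as an added Python example that is not part of the original post or of the RING tool. The observation and the signature table are constructed placeholders and the function names are hypothetical; run over a capture of your own server, the same features show what its retransmission timer discloses.

```python
"""Temporal fingerprint features from SYN/ACK retransmissions (added example)."""

# Constructed observation: (seconds since the single SYN, TCP flags from the host).
# Values are illustrative, not measurements of any real operating system.
SAMPLE = [(0.02, "SA"), (3.01, "SA"), (9.03, "SA"), (21.00, "SA"), (45.02, "R")]

# Hypothetical signature table; profile names and timings are placeholders,
# not entries from the RING signature file.
SIGNATURES = {
    "profile-A": {"delays": [3, 6, 12], "rst": True},
    "profile-B": {"delays": [3, 6], "rst": False},
    "profile-C": {"delays": [4, 4, 4, 4], "rst": False},
}


def extract_features(events):
    """Return retry count, inter-retry delays and whether a RST ended the series."""
    synacks = [t for t, flags in events if flags == "SA"]
    if not synacks:
        raise ValueError("no SYN/ACK seen: port closed or filtered")
    delays = [round(b - a, 2) for a, b in zip(synacks, synacks[1:])]
    rst = any(flags == "R" and t > synacks[-1] for t, flags in events)
    return {"retries": len(synacks) - 1, "delays": delays, "rst": rst}


def match(features, signatures, tolerance=0.5):
    """Names of signatures whose delay series and RST behaviour fit the features."""
    hits = []
    for name, sig in signatures.items():
        # The number of retries and the closing RST must agree exactly.
        if len(sig["delays"]) != len(features["delays"]) or sig["rst"] != features["rst"]:
            continue
        # Each delay may differ by network jitter up to `tolerance` seconds.
        if all(abs(d - s) <= tolerance for d, s in zip(features["delays"], sig["delays"])):
            hits.append(name)
    return hits


if __name__ == "__main__":
    observed = extract_features(SAMPLE)
    print(observed, match(observed, SIGNATURES))
```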