
Nmap and Xprobe Fingerprint Analysis

mel|spoonfork (mel@ini2.net) 31/10/2001 - my birthday tomorrow!

I wrote the following to illustrate how easy it is for an IDS to identify
Nmap OS detection, and how difficult it is to detect Xprobe OS detection.
While Xprobe would be my favorite OS detection tool, a lot of work still
needs to be done, especially when fingerprinting a given netblock. Xprobe does
not ping the target; it sends a UDP packet to every host within the
given netblock. This behaviour can be used to identify Xprobe (though it is still
difficult to distinguish Xprobe from other scanners). When fingerprinting a host
that is known to be alive, Xprobe is very efficient and fast compared to Nmap.

Thus, Xprobe is suitable to fingerprint hosts that are known to be alive.

Xprobe also sends a maximum of four datagrams to identify an OS. The traces
shown at the bottom demonstrate that Xprobe is extremely efficient and
stealthy. A comparison with Nmap is also shown.

source (angel)
target (demon - OpenBSD-2.9)

Nmap OS Fingerprinting

*** SYN Scan (one SYN and one RST) ***
11:51:40.727500  angel.46341 > demon.ssh: S 3410453452:3410453452(0) win 3072
11:51:40.727500  demon.ssh > angel.46341: S 847208461:847208461(0) ack 3410453453 win 16384  (DF)
11:51:40.727500  angel.46341 > demon.ssh: R 3410453453:3410453453(0) win 0 (DF)

*** Starting OS detection ***
Packet 1: SYN with bit 9 (ECN-Echo) set
Packet 2: no TCP flags set
Packet 3: SYN, FIN and PSH set

11:51:40.737500  angel.46348 > demon.ssh: S [ECN-Echo] 3742814339:3742814339(0) win 3072 
11:51:40.737500  angel.46349 > demon.ssh: . 3742814339:3742814339(0) win 3072 
11:51:40.737500  angel.46350 > demon.ssh: SFP 3742814339:3742814339(0) win 3072 urg 0 
11:51:40.737500  angel.46351 > demon.ssh: . 3742814339:3742814339(0) ack 0 win 3072 
11:51:40.737500  demon.ssh > angel.46348: S 1335562625:1335562625(0) ack 3742814340 win 16445  (DF)
11:51:40.737500  angel.46348 > demon.ssh: R 3742814340:3742814340(0) win 0 (DF)

11:51:40.737500  demon.ssh > angel.46350: S 1693929988:1693929988(0) ack 3742814340 win 16445  (DF)
11:51:40.737500  angel.46350 > demon.ssh: R 3742814340:3742814340(0) win 0 (DF)
11:51:40.737500  demon.ssh > angel.46351: R 0:0(0) win 16384 (DF)

11:51:40.737500  angel.46352 > demon.39599: S 3742814339:3742814339(0) win 3072 
11:51:40.737500  angel.46353 > demon.39599: . 3742814339:3742814339(0) ack 0 win 3072 
11:51:40.737500  demon.39599 > angel.46352: R 0:0(0) ack 3742814340 win 0 (DF)
11:51:40.737500  demon.39599 > angel.46353: R 0:0(0) win 0 (DF)

*** FIN and PSH to a closed UDP port ***

11:51:40.737500  angel.46354 > demon.39599: FP 3742814339:3742814339(0) win 3072 urg 0 
11:51:40.737500  demon.39599 > angel.46354: R 0:0(0) ack 3742814339 win 0 (DF)
11:51:40.747500  angel.46341 > demon.39599: udp 300
11:51:40.747500  demon > angel: icmp: 192.168.1.254 udp port 39599 unreachable

*** Sequence Number generation exercise to port 22 ***

11:51:40.747500  angel.46342 > demon.ssh: S 3742814340:3742814340(0) win 3072 
11:51:40.747500  demon.ssh > angel.46342: S 244213979:244213979(0) ack 3742814341 win 16445  (DF)
11:51:40.747500  angel.46342 > demon.ssh: R 3742814341:3742814341(0) win 0 (DF)

11:51:40.867500  angel.46343 > demon.ssh: S 3742814341:3742814341(0) win 3072 
11:51:40.867500  demon.ssh > angel.46343: S 1827609712:1827609712(0) ack 3742814342 win 16445  (DF)
11:51:40.867500  angel.46343 > demon.ssh: R 3742814342:3742814342(0) win 0 (DF)

11:51:40.987500  angel.46344 > demon.ssh: S 3742814342:3742814342(0) win 3072 
11:51:40.987500  demon.ssh > angel.46344: S 430013123:430013123(0) ack 3742814343 win 16445  (DF)
11:51:40.987500  angel.46344 > demon.ssh: R 3742814343:3742814343(0) win 0 (DF)

11:51:41.107500  angel.46345 > demon.ssh: S 3742814343:3742814343(0) win 3072 
11:51:41.107500  demon.ssh > angel.46345: S 1805934295:1805934295(0) ack 3742814344 win 16445  (DF)
11:51:41.107500  angel.46345 > demon.ssh: R 3742814344:3742814344(0) win 0 (DF)

11:51:41.227500  angel.46346 > demon.ssh: S 3742814344:3742814344(0) win 3072 
11:51:41.227500  demon.ssh > angel.46346: S 142942726:142942726(0) ack 3742814345 win 16445  (DF)
11:51:41.227500  angel.46346 > demon.ssh: R 3742814345:3742814345(0) win 0 (DF)

11:51:41.347500  angel.46347 > demon.ssh: S 3742814345:3742814345(0) win 3072 
11:51:41.347500  demon.ssh > angel.46347: S 1725913928:1725913928(0) ack 3742814346 win 16445  (DF)
11:51:41.347500  angel.46347 > demon.ssh: R 3742814346:3742814346(0) win 0 (DF)

Detecting OpenBSD-2.9 with Xprobe

Xprobe scan: Only one UDP packet is sent (default port: 32132). The OS is 
determined by examining the returned ICMP packet.

[root@angel bin]# ./xprobe demon
LOG: probing: demon
FINAL:[  OpenBSD 2.6-2.9 ]

12:11:01.377500 angel.30964 > demon.32132: udp 70 (DF)
12:11:01.377500 demon > angel: icmp: demon udp port 32132 unreachable

Detecting Windows 2000 with Xprobe

[root@angel bin]# ./xprobe gate
LOG: Target: gate
FINAL:[ Windows 2k. SP1, SP2/Windows XP ]

12:40:27.817500 angel.3039 > gate.32132: udp 70 (DF)
12:40:27.817500 gate > angel: icmp: gate udp port 32132 unreachable
12:40:27.817500 angel > gate: icmp: echo request (DF) [tos 0x6,ECT] 
12:40:27.817500 gate > angel: icmp: echo reply (DF)

Nmap: Remote OS guesses: Windows Me or Windows 2000 RC1 through final release, 
Windows Millenium Edition v4.90.3000

Conclusion

Using Xprobe is definitely stealthier than Nmap. In the examples above,
Nmap sends multiple TCP packets with different flag combinations, whereas Xprobe
sends one UDP packet to fingerprint an OpenBSD machine and two packets to
fingerprint a Windows 2000 machine.
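As an added example (not part of the original page), a small Python detector that applies the observations above to tcpdump-style lines: Nmap OS detection shows up as several malformed TCP probes from one source within a second (SYN with ECN-Echo, no flags, SYN+FIN+PSH, FIN+PSH without ACK), while the only handle on Xprobe is a UDP datagram to its default port 32132. The sample lines and the "three distinct probe kinds within one second" threshold are constructed assumptions, not Snort rules from the page.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the page's tcpdump output (not the full trace).
SAMPLE = """\
11:51:40.737500  angel.46348 > demon.ssh: S [ECN-Echo] 3742814339:3742814339(0) win 3072
11:51:40.737500  angel.46349 > demon.ssh: . 3742814339:3742814339(0) win 3072
11:51:40.737500  angel.46350 > demon.ssh: SFP 3742814339:3742814339(0) win 3072 urg 0
11:51:40.737500  angel.46351 > demon.ssh: . 3742814339:3742814339(0) ack 0 win 3072
11:51:40.737500  angel.46354 > demon.39599: FP 3742814339:3742814339(0) win 3072 urg 0
12:11:01.377500 angel.30964 > demon.32132: udp 70 (DF)
"""
TCP_RE = re.compile(r"^(\S+)\s+(\S+)\.(\S+) > (\S+)\.(\S+): ([SFRP.]+)"
                    r"(?: \[(ECN-Echo)\])? \d+:\d+\(\d+\)( ack \d+)? win")
UDP_RE = re.compile(r"^(\S+)\s+(\S+)\.(\S+) > (\S+)\.(\S+): udp \d+")
XPROBE_PORT = "32132"  # Xprobe's default UDP probe port, as stated on the page

def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def classify_tcp(flags, ecn, has_ack):
    """Name the malformed Nmap OS-detection probe a TCP packet matches, else None."""
    if flags == "S" and ecn:
        return "SYN with ECN-Echo (packet 1)"
    if flags == "." and not has_ack:
        return "no flags set (packet 2)"
    if "S" in flags and "F" in flags:
        return "SYN+FIN+PSH (packet 3)"
    if "F" in flags and not has_ack:
        return "FIN+PSH without ACK"
    return None

def analyse(text, window=1.0):
    """Return [(src, label)]: Nmap needs >=3 distinct probe kinds within `window` s."""
    probes, findings = defaultdict(list), []
    for line in text.splitlines():
        if m := TCP_RE.match(line):
            ts, src, flags, ecn, ack = m.group(1, 2, 6, 7, 8)
            kind = classify_tcp(flags, bool(ecn), ack is not None)
            if kind:
                probes[src].append((to_seconds(ts), kind))
        elif (m := UDP_RE.match(line)) and m.group(5) == XPROBE_PORT:
            findings.append((m.group(2), "xprobe-style UDP probe to port 32132"))
    for src, events in sorted(probes.items()):
        for t0, _ in sorted(events):
            kinds = {k for t, k in events if t0 <= t <= t0 + window}
            if len(kinds) >= 3:
                findings.append((src, "nmap-os-detection: " + "; ".join(sorted(kinds))))
                break
    return findings
```

The UDP match is deliberately a weak signal on its own, as the text notes: any scanner can pick port 32132, so in practice it is worth correlating with the absence of a preceding ICMP echo from the same source.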