December 9th, 2006 04:14 AM
OS Detection -- Scanner Comparison
Recently I've been more and more interested in OS Detection...
Years ago I toyed with ICMP-based OS Detection, and put my work into a small bash script that could detect major operating systems with a small number of ICMP packets (something I may implement again, this time as a python script)...
Anyways... I follow most of the OS Detection software out there.. p0f, xprobe, SinFP, nmap, etc... and I've always been a fan of nmap... I tried SinFP when it was first released and I wasn't impressed... However, after a blog post mentioning this Gomor, the author of SinFP, sent me an email asking me to test the latest version... I did some minor testing and was partially pleased with the results... I still thought nmap outperformed it in places.. This lead to some discussions and I did a more thorough test between nmap 4.03 (first gen nmap fingerprinting), nmap 4.20 (second gen nmap fingerprinting), and SinFP 2.x...
I've been in contact with both Gomor and Fyodor regarding these tests (both before and after performing them, and the scans were performed with their recommendations for best results)... I've also submitted a plethora of fingerprints to both of them as a result.
It was impressive to see.. Second Gen nmap OS Detection will be fairly impressive, once the database grows... Already I've seen some nice features (XP SP2, it actually reported that the Firewall was disabled, for example)..
I also found that from a non-technical standpoint nmap 4.03 outperformed SinFP... For example. SinFP detects XP SP2 as Windows 2000 or Windows XP, while nmap 4.03 detected it as Windows Server 2003 or XP SP2... Now from a service available, usability and general "exploits available"... I find that XP SP2 is usually more in line with Server 2003 than it is with 2000... So for that reason, why XP and 2000 may have a more similar TCP Stack... I find the nmap comparison more useful.
That being said SinFP currently (due to databases) outperforms nmap 4.20... I expect to see this change shortly
For those interested in the blog post and any ensuing conversation check out:
The Follow Up <-- I prefer this one.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".