Nmap OS fingerprinting

Operating System Fingerprinting (-O) Operation:

Before the OS fingerprinting process begins, Nmap performs a normal ping and port scan. During that scan, Nmap determines whether the device is available and categorizes the ports on the remote device as open, closed, or filtered.

The OS fingerprinting process consists of an operating system probe, followed by a series of TCP handshakes that are used to test responses to the TCP uptime measurement options, TCP sequence predictability, and IP identification sequence generation.

Nmap uses a support file named nmap-os-fingerprints to determine the OS from the received information.

The information in the Nmap support file is as follows:

nmap-os-fingerprints: Fingerprint

References the name of the operating system fingerprint; this information is displayed as the "OS details" in the scan output.

nmap-os-fingerprints: Class

The Class line is a combination of four variables:

manufacturer | OS name | version | device type

nmap-os-fingerprints: TSeq

The TSeq line contains the fingerprint information for TCP Sequence Prediction. This is the fingerprint that nmap uses to determine if initial sequence numbers (ISNs) can be predicted based on past results.

TSeq: The Class Attribute

This attribute refers to the predictability of a remote device's TCP initial sequence number (ISN). Many of these class attributes also include more detailed attributes to assist Nmap in matching a fingerprint.

Class=C

The ISN is the same value with every SYN/ACK.

Class=64K

A fingerprint with Class=64K describes a device whose initial sequence number increases by 64,000 with each SYN/ACK.

Class=i800

These i800 devices have ISNs that increase by a fixed increment of 800 with each SYN/ACK.

Class=TD

Some systems, including Windows-based devices, increase the initial sequence number by a fixed amount during a specific time period; TD stands for time dependent.

Class=RI

The random increments (RI) class describes a series of ISNs that increase, but with no method of predicting the next sequence number.

Class=TR

If the initial sequence numbers are shown to be completely random, they are fingerprinted with the truly random (TR) class.

TSeq: The IPID Attribute

The IPID attribute refers to the IP identification bytes in the IP header. These values provide important information, since the IPID can be used for non-standard purposes. Nmap’s idlescan is an example of how a predictable IPID can have unintended uses.

•IPID=C In rare instances, some systems provide IPIDs that are always a constant (C) number.

•IPID=I A system matching the Incremental (I) fingerprint increases the IPID by a standard increment with each sent packet.

•IPID=BI The broken incremental (BI) fingerprint refers to a system (usually Windows-based) that increases by 256 each time a packet is sent. This is probably caused by an unintentional error in Microsoft’s IP stack, but it’s still a predictable error.

•IPID=RPI The random positive integral (RPI) fingerprint is based on an IPID that increases each time a packet is sent, but the increase is by an apparently random amount.

•IPID=RD Random distributions (RD) are fingerprint references that identify IPIDs that increase or decrease randomly each time a packet is sent.

•IPID=Z In some cases, the IPID will always be a zero (Z) value.

TSeq: Timestamp Option Sequencing

The TCP timestamp option is a standard method of calculating round-trip time between stations, documented in RFC 1323. However, the exact rate at which the timestamp values change varies between operating systems.

•TS=0 If the returned timestamp is zero, nmap categorizes it as a zero (0) TCP timestamp sequence.

•TS=2HZ A timestamp sequence that increases twice in one second is defined as 2HZ. Nmap uses HZ, the abbreviation for hertz (cycles per second); in this case, HZ refers to the number of timestamp increments per second.

•TS=100HZ If a timestamp increases by 100 every second, it’s assigned a TS reference of 100HZ.

•TS=1000HZ An increase of one thousand timestamps per second is categorized as 1000HZ.

•TS=U If any remote device does not return a timestamp, it’s fingerprinted as an unsupported system (U).
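As an added illustration of the ISN, IPID and timestamp classes described above, the following small classifier maps captured values to the first-generation fingerprint labels; it is not Nmap's own code, and the TD/RI/TR spread thresholds and the 2**15 "forward step" cut-off for IPIDs are assumptions chosen for this example. Feeding it a few SYN/ACK ISNs, IP IDs and timestamps recorded from one of your own hosts shows how predictable that host's sequences look to a fingerprinting scan.

```python
from statistics import pstdev
from typing import Optional, Sequence

# Spread thresholds for TD / RI / TR are illustrative, not Nmap's own values.
TD_STDDEV = 75.0      # small, regular increments: time dependent
RI_STDDEV = 2 ** 24   # above this the increments look truly random

def _diffs(values: Sequence[int], modulus: int) -> list:
    # forward differences between consecutive samples, modulo the field width
    return [(b - a) % modulus for a, b in zip(values, values[1:])]

def classify_isn(isns: Sequence[int]) -> str:
    """Map the ISNs of consecutive SYN/ACKs to C, 64K, i800, TD, RI or TR."""
    d = _diffs(isns, 2 ** 32)
    if not d:
        raise ValueError("need at least two ISNs")
    if all(x == 0 for x in d):
        return "C"
    if all(x == 64000 for x in d):
        return "64K"
    if all(x == 800 for x in d):
        return "i800"
    spread = pstdev(d)
    if spread < TD_STDDEV:
        return "TD"
    return "RI" if spread < RI_STDDEV else "TR"

def classify_ipid(ipids: Sequence[int]) -> str:
    """Map consecutive IP ID values to Z, C, BI, I, RPI or RD."""
    if all(x == 0 for x in ipids):
        return "Z"
    d = _diffs(ipids, 2 ** 16)
    if all(x == 0 for x in d):
        return "C"
    if all(x == 256 for x in d):
        return "BI"            # Windows-style broken incremental
    if len(set(d)) == 1:
        return "I"             # any other constant increment
    # a 16-bit modular difference below 2**15 is read as a forward step
    return "RPI" if all(0 < x < 2 ** 15 for x in d) else "RD"

def classify_ts(ts: Sequence[Optional[int]], secs: Sequence[float]) -> str:
    """Map TCP timestamps sampled at the given times to U, 0, 2HZ, 100HZ or 1000HZ."""
    if any(t is None for t in ts):
        return "U"             # option not returned: unsupported
    if all(t == 0 for t in ts):
        return "0"
    hz = (ts[-1] - ts[0]) / (secs[-1] - secs[0])   # ticks per second
    rates = (("2HZ", 2), ("100HZ", 100), ("1000HZ", 1000))
    return min(rates, key=lambda c: abs(c[1] - hz))[0]
```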

nmap-os-fingerprints: The Port Unreachable Test (PU):
