Determine the remote operating system

FIN Probe-send a FIN packet (or any data packet without an ACK or SYN flag set)
To an open port and wait for a response. RFC793 defines the standard behavior as "no ".
Yes, but operating systems such as MS Windows, BSDi, CISCO, HP/UX, MVS, and IRIX
The system will respond to a RESET package. Most detectors use this technology.

BOGUS (counterfeit) Flag bit detection-as far as I know, Queso is the first to use this smarter Technology
Detector. It sets an undefined TCP "flag" in the TCP Header of a SYN packet"
(64 or 128 ). Linux kernels earlier than version 2.0.35 will keep this
Mark, but other operating systems do not seem to have this problem. However, some operating systems
When a SYN + BOGUS packet is received, the connection is reset. Therefore, this method can be compared
Effectively identifies the operating system.

Tcp isn sampling-the principle is to find the initial TCP connection in the response of the operating system to the connection request
Features of the initial serial number. Currently, the categories that can be distinguished include the traditional 64 K (old UNIX System
Use), random addition (new versions of Solaris, IRIX, FreeBSD, Digital
UNIX, Cray, and many other systems), true "random" (Linux. * and more
Operating systems such as later versions, OpenVMS, And AIX. Windows Platform
(There are other platforms) the time-based ISN will
Changes have a relatively fixed growth. Needless to say, the most vulnerable to attacks is, of course, the old
Type 64 K. What we like most is, of course, "fixed" ISN! Some machines
Always use the same ISN, such as some 3Com hubs (use 0x83) and Apple
LaserWriter printer (0xC7001 ).

Based on the ISN changes, the maximum number of common appointments, and other traceable rules
To make these categories more detailed and accurate.

"No fragmentation" flag bit-Many operating systems gradually begin to set IP addresses in the packets they send
Segment (no fragments) "bit. This is good for improving transmission performance (although sometimes it is annoying)
-- This is why nmap does not perform fragment detection on the Solaris System ). However
Not all operating systems have this setting, and it may not always be used,
Therefore, the operating system of the target host can be collected by paying attention to the settings of this flag.
.

TCP initialization window -- check the window size of the returned data packet. Previous detectors only pass through
The non-zero "window" value of the RST packet is identified as "originated from BSD 4.4 ". Like queso
And nmap new detectors will record the exact window value, because the window
The data type has a relatively stable value. This kind of probe can provide a lot of useful information, because
For some systems, special window values are always used (for example, I know that AIX is unique
Operating system that uses the 0x3F25 window value ). In the TCP
In the stack, the Windows used by Microsoft are always 0x402E. What's more interesting is that this number
The value is also used by OpenBSD and FreeBSD.

ACK value -- maybe you think the ACK value is always very standard, but in fact the operating system's real value in the ACK Field
It is also different. For example, if you want to send a FIN | PSH |
URG package, Many operating systems will set the ACK value to the ISN value, but Windows and some stupid
The stupid printer is set to seq + 1. If SYN is sent to the opened port | FIN | URG |
In the PSH package, the Windows return value will be very uncertain. Sometimes it is the seq serial number value,
Is S ++, and sometimes the return is a seemingly random value. We suspect that
What MS can always write this inexplicable code.

ICMP error message query-some (SMART) operating systems use RFC 1812 to query certain types
The error message sending frequency is limited. For example, Linux kernel (in net/ipv4/
Icmp. h) limit the number of times that "the target cannot be reached" is sent to 80 times every 4 seconds.
This limit is reduced by 1/4 seconds. One test method is to send data to a high-end random UDP port.
Send data packets in batches, and calculate the number of "Destination inaccessible" data packets received.
In nmap, only UDP port scanning uses this technology. This method of operating system Probe
It takes a little longer because a large number of data packets need to be sent and wait for their return.
This data packet processing method will also affect network performance to some extent.

ICMP information reference-RFC defines some ICMP error message formats. If a port cannot be reached
Information, almost all operating systems only send back IP request header + 8 bytes length package,
Solaris returns a slightly longer package, while Linux returns a longer package. In this way, even
The operating system does not listen to any ports, and nmap may still determine Linux and
The host of the Solaris operating system.

ICMP error message echo integrity-as we mentioned earlier, the machine must follow the received data
The packet returns "the port is not reachable" (if so. Some Operating Systems
The request header will be messed up during initialization, so that when you receive such data packets
Abnormal. For example, the "total length" field in the IP package returned by AIX and BSDI will
It is set to 20 bytes (too long ). Some BSDI, FreeBSD, OpenBSD,
The ULTRIX and VAX operating systems even modify the ip id values in the request header. In addition, because
Some systems (such as AIX and FreeBSD)
) The returned data packet check is incorrect or 0. Sometimes this happens
UDP packet inspection. In general, nmap uses nine different ICMP error information probes.
Test Technology to differentiate different operating systems.

Service type (TOS)-For ICMP "port not reachable" information, the service class of the returned package
Type (TOS) Value Check, almost all operating systems use the ICMP Error Type
0, while Linux uses 0xC0.

Fragment processing-different operating systems use different methods to process overlapping IP segments.
Some use new content to overwrite old content, while others use old content as the priority. Yes
Many probe methods can determine how these packages are reorganized to help determine operations
System type.

TCP option -- this is one of the most effective methods to collect information. The reason is:

1) They are generally "optional", so not all operating systems use
They.
2) If the operating system supports
With these options, these tags are also set in the returned package.
3) You can set multiple options in the data packet at a time to increase the accuracy of the test.
Degree.

Nmap sets the following options in almost every test packet:

Window Scale = 10; NOP; Max Segment Size = 265; Timestamp; End of Ops;

When a returned packet is received, check which options are returned, which are the target operating system.
Supported options. Some operating systems (such as the newer version of FreeBSD) support the above
Some (such as Linux 2.0.x) are not supported. Linux 2.1.x
The kernel supports all the above options.

If several operating systems support the same option, you can use the option value to partition
Points. For example, if a small MSS value is sent to a Linux machine
The MSS value is returned, while other systems return different values.

What if the same options are supported and the returned values are the same? You can still use
The order of the return options is differentiated. If the Solaris system returns 'nntnwme ', it indicates:

For Linux 2.1.122, the same options and return values are the same,
The order is different: MENNTNW.

There are no other operating system probe tools using the TCP option, but it is indeed very effective!

In addition, some other options can be used for testing, such as T/TCP support.

Note: there are at least two attack detection methods. They can cause denial-of-service attacks, which is also the main reason nmap does not implement these methods.

NMAP detection details and results

We have discussed a variety of techniques for operating system type detection (apart from some aggressive methods ). These technologies are all implemented in the nmap scanner. The Nmap scanner collects the features of many operating system ports when they are opened and closed. It supports popular Linux, * BSD, and Solaris 2.5.1/2.6 operating systems.

The current version of nmap scanner reads Operating System feature templates from a file. The following is an example:

FingerPrint IRIX 6.2-6.4 # Thanks to Lamont granquest
TSeq (Class = i800)
T1 (DF = N % W = C000 | EF2A % ACK = S ++ % Flags = AS % Ops = MNWNNT)
T2 (Resp = Y % DF = N % W = 0% ACK = S % Flags = AR % Ops =)
T3 (Resp = Y % DF = N % W = C000 | EF2A % ACK = O % Flags = A % Ops = NNT)
T4 (DF = N % W = 0% ACK = O % Flags = R % Ops =)
T5 (DF = N % W = 0% ACK = S ++ % Flags = AR % Ops =)
T6 (DF = N % W = 0% ACK = O % Flags = R % Ops =)
T7 (DF = N % W = 0% ACK = S % Flags = AR % Ops =)
PU (DF = N % TOS = 0% IPLEN = 38% RIPTL = 148% RID = E % RIPCK = E % UCK = E % ULEN = 134% DAT = E)

Let's take a look at the meaning of each line:

> FingerPrint IRIX 6.2-6.3 # Thanks to Lamont granquest

It indicates that this is an IRIX 6.2-6.3 Operating System feature, and the annotation points out that this feature is provided by Lamont grancraftsmanship.

> TSeq (Class = i800)

It indicates that the ISN feature is "i800 class", that is, each new serial number is an integer multiple of 800 greater than the previous serial number.

> T1 (DF = N % W = C000 | EF2A % ACK = S ++ % Flags = AS % Ops = MNWNNT)

T1 represents test1. This test sends a SYN packet with multiple TCP options to the opened port. DF = N indicates
The "Don't fragment" bit must not be set. W = C000 | EF2A indicates that the window value of the returned package must be 0xC000 or 0xEF2A. ACK = S ++ indicates that the ACK value of the returned package must be the initialization serial number plus 1. Flags = AS indicates that the ACK and SYN mark bits of the returned packet must be set. Ops = MNWNNT indicates that the TCP option of the returned packet and its sequence must be:

> T2 (Resp = Y % DF = N % W = 0% ACK = S % Flags = AR % Ops =)

Test 2 (second Test) sends a NULL (NULL) packet with the same TCP option to the open port. Resp = Y indicates that the returned package must be received. Ops = indicates that all TCP options in the returned packet must not be set. '% Ops =' matches any TCP option.

> T3 (Resp = Y % DF = N % W = 400% ACK = S ++ % Flags = AS % Ops = M)

Test 3 (third Test) sends a SYN | FIN | URG | PSH packet with TCP options to the open port.

> T4 (DF = N % W = 0% ACK = O % Flags = R % Ops =)

This is an ACK packet sent to the open port.