
4.01 is Now Available

Posted Feb 16, 2006 7:29 UTC (Thu) by Ross (guest, #4065)
In reply to: 4.01 is Now Available by fyodor
Parent article: A look at nmap 4.0

This probably isn't the best forum to ask, but I've always wondered why nmap doesn't look at ICMP formatting for use in OS detection. Reportedly the way the original packets are quoted varies widely. Of course sometimes ICMP is blocked, but when it is not this might help disambiguate certain cases (or cases where people are using firewall rules to frustrate fingerprinting based on TCP option handling).


It already does to some degree

Posted Feb 16, 2006 7:55 UTC (Thu) by fyodor (guest, #3481)

Nmap already does look at various aspects of ICMP port unreachable replies. These tests can be seen in the "PU" fingerprint test line. Here is an example, from the Linux 2.4.7 fingerprint:
PU(DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

This means that in the ICMP response, the don't fragment bit was not set, the ToS byte is 0xC0, the total length (tells you how much of the original packet was echoed) is 164, the TTL is 148, the ID and IP checksum of the initial packet were returned uncorrupted, the UDP length field in the echoed header was 134, and the data from that UDP packet was returned uncorrupted (but possibly truncated). More details can be found in my OS fingerprinting article.

But maybe we could glean even more information from these ICMP packets. Our current proposed new system is here, and I welcome ideas for new tests to add.

-Fyodor
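The PU line quoted above can be decoded mechanically, which makes the "how much of the original packet was echoed" point concrete. The following parser is an added example for this thread; it is not nmap's own code and not part of either comment. It assumes the classic nmap-os-fingerprints convention that numeric attribute values are hexadecimal (so IPLEN=164 is 0x164 = 356 bytes, RIPTL=148 is 328 bytes and ULEN=134 is 308 bytes) and that `|` separates alternative values for one attribute. The second sample line, MIN_QUOTE_PU, is constructed here to show a stack that quotes only the RFC 792 minimum (IP header plus 8 bytes) rather than the full datagram; the Linux 2.4.7 line is taken from the comment above.

```python
"""Decoder for a classic (1st-generation) nmap OS fingerprint test line.

Added example, not nmap's own code. Assumption: numeric values in the
fingerprint are hexadecimal, as in the classic nmap-os-fingerprints file.
"""
import re

# PU attributes whose values are hex numbers; the rest (DF, RID, RIPCK,
# UCK, DAT) are single-letter flags such as E (equal), N (no), F (fail).
HEX_FIELDS = {"TOS", "IPLEN", "RIPTL", "ULEN"}

# Sizes used to work out how much of the probe was quoted (no IP options).
IP_HDR = 20    # IP header of the ICMP error packet
ICMP_HDR = 8   # ICMP type/code/checksum/unused

# From the comment above (Linux 2.4.7 fingerprint).
LINUX_247_PU = "PU(DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)"

# Constructed sample (hypothetical stack): IPLEN=0x38=56, so only
# 56-20-8 = 28 bytes of the original datagram (IP header + 8 bytes of UDP)
# were quoted, although the quoted IP header still claims RIPTL=0x148 bytes.
MIN_QUOTE_PU = "PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)"

_LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\((.*)\)\s*$")


def parse_test_line(line):
    """Parse 'NAME(K=V%K=V...)' into (name, {K: [alternatives]}).

    A value may list alternatives separated by '|' (e.g. DF=N|Y). Values
    of HEX_FIELDS are converted from hex to int; others stay as strings.
    """
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not a fingerprint test line: %r" % line)
    name, body = m.group(1), m.group(2)
    attrs = {}
    for item in body.split("%"):
        if not item:
            continue
        key, sep, raw = item.partition("=")
        if not sep:
            raise ValueError("attribute without value: %r" % item)
        alts = raw.split("|")
        if key in HEX_FIELDS:
            alts = [int(a, 16) for a in alts]
        attrs[key] = alts
    return name, attrs


def quoted_bytes(pu):
    """Bytes of the original datagram carried inside the ICMP error.

    IPLEN is the total length of the ICMP reply, so subtracting its own IP
    and ICMP headers leaves the quoted portion of the probe.
    """
    return pu["IPLEN"][0] - IP_HDR - ICMP_HDR


def quote_is_complete(pu):
    """True when the whole original datagram (RIPTL bytes) was quoted."""
    return quoted_bytes(pu) >= pu["RIPTL"][0]


def summarize(line):
    """Decode one PU line into the facts a fingerprint reader cares about."""
    name, pu = parse_test_line(line)
    if name != "PU":
        raise ValueError("expected a PU test, got %r" % name)
    return {
        "tos": pu["TOS"][0],
        "reply_total_len": pu["IPLEN"][0],
        "quoted_ip_total_len": pu["RIPTL"][0],
        "quoted_udp_len": pu["ULEN"][0],
        "quoted_bytes": quoted_bytes(pu),
        "full_quote": quote_is_complete(pu),
        "ip_id_intact": pu["RID"][0] == "E",
        "ip_cksum_intact": pu["RIPCK"][0] == "E",
        "udp_cksum_intact": pu["UCK"][0] == "E",
        "data_intact": pu["DAT"][0] == "E",
    }


if __name__ == "__main__":
    for sample in (LINUX_247_PU, MIN_QUOTE_PU):
        print(sample)
        for k, v in summarize(sample).items():
            print("  %-20s %s" % (k, hex(v) if k == "tos" else v))
```

Reading the Linux 2.4.7 line this way, the ICMP reply is 356 bytes, of which 328 are the quoted probe, and the quoted IP header itself says the probe was 328 bytes long (20 IP + 308 UDP), so the stack echoed the entire datagram. The constructed line quotes only 28 bytes, which is the kind of difference in "how the original packets are quoted" that the first comment asks about.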


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds