SinFP, part II : comparison with Nmap 4.20

Here is the update of my previous test of SinFP.

I then compared the output of SinFP and Nmap on different machines, and found that SinFP did a slightly better job than Nmap at OS detection, though OS detection is not the primary goal of Nmap, whereas it is SinFP's.

However, I had made a mistake, which the author of SinFP pointed out to me.

I had run the Nmap tests using my distribution's package, thinking it was the latest version.

Actually, it was only version 4.10. Moreover, the current version, 4.20, brings a new OS detection engine.

Therefore, a new test with version 4.20 was absolutely needed.

I took the source of Nmap 4.20 and compiled it.

First, I simply rescanned the same machines with Nmap 4.20 and compared the results with the corresponding SinFP output.

I also added a new test, to demonstrate what SinFP is made for. The commands I always use are:

$ nmap -sS -O -PI -PT $IP

and

$ sinfp.pl -i $IP -p $PORT

FreeBSD 6.1, open port with Netcat

Nmap

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-19 11:25 CET
Interesting ports on 192.168.0.3:
Not shown: 1696 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: xx:xx:xx:xx:xx:xx
Device type: general purpose
Running: FreeBSD 6.X
OS details: FreeBSD 6.1-RELEASE through 6.2-BETA3 (x86)
Uptime: 0.242 days (since Tue Dec 19 05:37:30 2006)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 18.289 seconds

SinFP

IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.0
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.1
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 7.0

Conclusion

We can say this is a draw.

Windows 2000 Server, various open ports, real services

Nmap

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-19 11:29 CET
Interesting ports on 192.168.0.20:
Not shown: 1674 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
42/tcp   open  nameserver
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
443/tcp  open  https
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1026/tcp open  LSA-or-nterm
1029/tcp open  ms-lsa
1112/tcp open  msql
1723/tcp open  pptp
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3372/tcp open  msdtc
5800/tcp open  vnc-http
5900/tcp open  vnc
MAC Address: xx:xx:xx:xx:xx:xx
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000, SP0, SP1, or SP2
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 3.735 seconds

SinFP

IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000

Conclusion

Another draw

Debian Sarge (2.4 kernel), various open ports, real services

Nmap

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-19 11:33 CET
Interesting ports on 192.168.0.5:
Not shown: 1690 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
199/tcp open  smux
907/tcp open  unknown
MAC Address: xx:xx:xx:xx:xx:xx
Device type: general purpose|WAP|storage-misc
Running: Linux 2.4.X, Linksys Linux 2.4.X, Asus Linux 2.4.X, Maxtor Linux 2.4.X
OS details: Linux 2.4.20 - 2.4.32, Linux-based embedded device (Linksys WRT54GL WAP, Buffalo AirStation WLA-G54 WAP, Maxtor Shared Storage Drive, or Asus Wireless Storage Router)
Uptime: 0.392 days (since Tue Dec 19 02:09:54 2006)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 3.432 seconds

SinFP

IPv4: HEURISTIC0/P1P2P3: GNU/Linux: Linux: 2.4.x

Conclusion

Draw again (note that Nmap's OS details line is not correct).

Debian Etch (2.6 kernel), various open ports with real services

Nmap

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-24 01:19 CET
Interesting ports on mars.int.jcbnet.org (192.168.1.10):
Not shown: 1684 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
993/tcp  open  imaps
995/tcp  open  pop3s
2000/tcp open  callbook
2500/tcp open  rtsserv
3000/tcp open  ppp
5432/tcp open  postgres
MAC Address: xx:xx:xx:xx:xx:xx
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.12 (x86)
Uptime: 37.392 days (since Thu Nov 16 15:55:38 2006)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 3.354 seconds

SinFP

IPv4: HEURISTIC0/P1P2: GNU/Linux: Linux: 2.6.x

Conclusion

Still a draw.

Debian NAT box

Now it is time to test SinFP under the conditions it is aimed at: a NAT environment.

For this test, I took the Debian box and set up NAT (strictly speaking, PAT) for two TCP ports with iptables:

$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 192.168.1.20
$ iptables -t nat -A PREROUTING -p tcp --dport 800 -j DNAT --to 192.168.1.115

192.168.1.20 is the Windows 2000 Server machine, running the IIS FTP server.

192.168.1.115 is the FreeBSD box, with Netcat listening on port 800.

By doing this, we expect Nmap to get lost, as it assumes the target is a single machine. Will it detect Linux, FreeBSD or Windows?

Let's try:

$ nmap -sS -O -PI -PT 192.168.1.110

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-24 01:01 CET
Interesting ports on 192.168.1.110:
Not shown: 1688 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
199/tcp open  smux
618/tcp open  unknown
800/tcp open  mdbs_daemon
MAC Address: xx:xx:xx:xx:xx:xx
No OS matches for host (If you know what OS is running on it, see http://insecure.org/nmap/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.20%D=12/24%OT=21%CT=1%CU=37629%PV=Y%DS=1%G=Y%M=0012F0%TM=458DC3
OS:56%P=i686-pc-linux-gnu)SEQ(SP=82%GCD=1%ISR=98%TI=I%II=I%SS=O%TS=0)SEQ(SP
OS:=8C%GCD=1%ISR=97%TI=I%II=I%SS=O%TS=0)SEQ(SP=8B%GCD=1%ISR=98%TI=I%II=I%SS
OS:=O%TS=0)SEQ(SP=88%GCD=1%ISR=98%TI=I%II=I%SS=O%TS=0)SEQ(SP=8B%GCD=1%ISR=9
OS:8%TI=I%II=I%SS=O%TS=0)OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4N
OS:W0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)WIN(W1=FAF
OS:0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0%W6=FAF0)ECN(R=Y%DF=Y%T=7F%W=FAF0%O=M5B
OS:4NW0NNS%CC=N%Q=)T1(R=Y%DF=Y%T=7F%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=7F%W=FAF0%S=O%A=S+%F=AS%O=M5B4
OS:NW0NNT00NNS%RD=0%Q=)T4(R=Y%DF=N%T=7F%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%D
OS:F=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40
OS:%TOS=C0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%TOSI=S%CD=S%SI=S%DLI=S)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 13.061 seconds

Indeed, Nmap could not determine the system and asked me to submit the fingerprint to improve its signature database.

In such a case, SinFP should be able to detect the system behind each port:

$ /usr/local/sinfp/bin/sinfp.pl -i 192.168.1.110 -p 21

P1: B11113 F0x12 W64240 O0204ffff M1460
P2: B11113 F0x12 W64240 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000

$ /usr/local/sinfp/bin/sinfp.pl -i 192.168.1.110 -p 22

P1: B10113 F0x12 W5840 O0204ffff M1460
P2: B10113 F0x12 W5792 O0204ffff0402080affffffff4445414401030300 M1460
P3: B10120 F0x04 W0 O0 M0

IPv4: HEURISTIC0/P1P2P3: GNU/Linux: Linux: 2.4.x

$ /usr/local/sinfp/bin/sinfp.pl -i 192.168.1.110 -p 800

P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303010101080affffffff4445414404020000 M1460
P3: B11120 F0x04 W0 O0 M0

IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.0
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.1
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 7.0

Correct. Now we have a good picture of the target. Strong evidence that the two tools are complementary, isn't it?

Conclusion

Well, Nmap has improved a lot, indeed!

With rather common systems, it is a draw between SinFP and Nmap. It would be interesting to test more esoteric OSes, but I can't for now.

So, Nmap or SinFP? Of course, you should use both!

Nmap will give you a quick and stealthy overview of the target's open ports. Then, fingerprint each port with SinFP to check whether it is a single machine or whether some NAT is in place.
In case of NAT, SinFP will give you a fairly precise idea of what is running behind it. In any case, cross-checking the outputs of Nmap and SinFP will provide you with much more useful data.
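As an added example (my own code, not SinFP's or the post's), the Python below decodes the O field of the P2 signatures shown in the NAT test into TCP option kinds, and applies the per-port rule from the conclusion: when different ports of one IP fingerprint as different OS families, the address is a NAT/PAT box rather than a single host. The sample input is constructed from the three SinFP outputs above (P1/P3 lines omitted), and the function names are my own.

```python
import re

# Constructed sample input: SinFP's P2 signature and "IPv4: ..." result lines for
# the three NATed ports of the post's Debian box (P1/P3 lines omitted for brevity).
SINFP_OUTPUT = {
    21: "P2: B11113 F0x12 W64240 O0204ffff010303000101080a000000000000000001010402 M1460\n"
        "IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000\n",
    22: "P2: B10113 F0x12 W5792 O0204ffff0402080affffffff4445414401030300 M1460\n"
        "IPv4: HEURISTIC0/P1P2P3: GNU/Linux: Linux: 2.4.x\n",
    800: "P2: B11113 F0x12 W65535 O0204ffff010303010101080affffffff4445414404020000 M1460\n"
         "IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.0\n"
         "IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.1\n"
         "IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 7.0\n",
}

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SAckOK", 8: "TS"}
SIG_RE = re.compile(r"^P(\d): B\d+ F0x[0-9a-f]+ W\d+ O([0-9a-f]+) M\d+$", re.M)
RESULT_RE = re.compile(r"^IPv4: \S+: ([^:]+): ([^:]+): \S+$", re.M)

def decode_options(hexstr):
    """Decode SinFP's O field (raw TCP options, values masked by SinFP) into the
    list of option kinds; the ordering is one of the things that separates stacks."""
    if hexstr in ("", "0"):              # SinFP prints O0 when no options were sent
        return []
    data, kinds, i = bytes.fromhex(hexstr), [], 0
    while i < len(data):
        kind = data[i]
        if kind in (0, 1):               # EOL and NOP carry no length byte
            kinds.append(OPTION_NAMES[kind])
            i += 1
            continue
        if i + 1 >= len(data) or data[i + 1] < 2:
            break                        # truncated or malformed option: stop decoding
        kinds.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += data[i + 1]
    return kinds

def parse_port(text):
    """Return (P2 option ordering, set of (family, OS) pairs SinFP proposed)."""
    options = {int(m.group(1)): m.group(2) for m in SIG_RE.finditer(text)}
    families = {(m.group(1), m.group(2)) for m in RESULT_RE.finditer(text)}
    return decode_options(options.get(2, "0")), families

def nat_verdict(outputs):
    """One IP whose ports fingerprint as different OS families is NAT/PAT rather
    than a single host. Returns (suspected_nat, {port: families})."""
    per_port = {port: parse_port(text)[1] for port, text in outputs.items()}
    distinct = set().union(*per_port.values()) if per_port else set()
    return len(distinct) > 1, per_port
```

For a live run, feed `nat_verdict` a dict built by running `sinfp.pl -i $IP -p $PORT` for each port Nmap reported open and capturing its output.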

Thanks again to the authors of these nice tools.

SinFP: http://www.gomor.org
Nmap: http://insecure.org/nmap/