Hostcheck is a simple Perl script that can be useful to quickly check if a list of host is up.
It just read a host file and check if the host are available doing a ping test or trying to open a socket.

Nothing great, but it may help to quickly check that most of things are right after a network change, for instance.
Because we want to test many hosts, and not to scan, the pace is fast so it may not be 100% reliable. The idea is to see roughly is the connectivity is correct or if your whole LAN is down.
It uses colors and is easy to read, so it might be good to show to your manager ! :)

I hope it will be useful. More info and download link are there.

I compared then the output of SinFP and Nmap on different machines, and found out that SinFP made a slightly better job than Nmap in OS detection, though it is not the primary goal of Nmap whereas it is the one of SinFP.

However, I made a mistake that the author of SinFP made me aware of.

I conducted the tests of Nmap using the package of my distribution, thinking it was the latest one.

Actually, it was only the version 4.10. Moreover, the current version, 4.20, brought up a new OS detection engine.

Therefore, a new test with version 4.20 was absolutely needed.

I took the source of Nmap 4.20 and compiled it.

First, I just rescanned the same machines with Nmap 4.20 and compared them with the corresponding output of SinFP.

I also added a new test, to demonstrate what SinFP is made for. I always use :

$ nmap -sS -O -PI -PT $IP 

and

$ sinfp.pl -i $IP -p $PORT

.

FREEBSD 6.1, open port with Netcat

Nmap

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-19 11:25 CET
Interesting ports on 192.168.0.3:
Not shown: 1696 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: xx:xx:xx:xx:xx:xx
Device type: general purpose
Running: FreeBSD 6.X
OS details: FreeBSD 6.1-RELEASE through 6.2-BETA3 (x86)
Uptime: 0.242 days (since Tue Dec 19 05:37:30 2006)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 18.289 seconds

SinFP

IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.0
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.1
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 7.0

Conclusion

We can say this is a draw.

Windows 2000 server, various open port, real services

Nmap

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-19 11:29 CET
Interesting ports on 192.168.0.20:
Not shown: 1674 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
42/tcp   open  nameserver
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
443/tcp  open  https
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1026/tcp open  LSA-or-nterm
1029/tcp open  ms-lsa
1112/tcp open  msql
1723/tcp open  pptp
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3372/tcp open  msdtc
5800/tcp open  vnc-http
5900/tcp open  vnc
MAC Address: xx:xx:xx:xx:xx:xx
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000, SP0, SP1, or SP2
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 3.735 seconds

SinFP

IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000

Conclusion

Another draw

Debian Sarge (2.4 kernel), various open port, real services

Nmap

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-19 11:33 CET
Interesting ports on 192.168.0.5:
Not shown: 1690 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
199/tcp open  smux
907/tcp open  unknown
MAC Address: xx:xx:xx:xx:xx:xx
Device type: general purpose|WAP|storage-misc
Running: Linux 2.4.X, Linksys Linux 2.4.X, Asus Linux 2.4.X, Maxtor Linux 2.4.X
OS details: Linux 2.4.20 - 2.4.32, Linux-based embedded device (Linksys WRT54GL WAP, Buffalo AirStation WLA-G54 WAP, Maxtor Shared Storage Drive, or Asus Wireless Storage Router)
Uptime: 0.392 days (since Tue Dec 19 02:09:54 2006)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 3.432 seconds

SinFP

IPv4: HEURISTIC0/P1P2P3: GNU/Linux: Linux: 2.4.x

Conclusion

Draw again (note that the OS details are not correct)

Debian Etch (2.6 kernel), various open ports with real services

Nmap

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-24 01:19 CET
Interesting ports on mars.int.jcbnet.org (192.168.1.10):
Not shown: 1684 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
993/tcp  open  imaps
995/tcp  open  pop3s
2000/tcp open  callbook
2500/tcp open  rtsserv
3000/tcp open  ppp
5432/tcp open  postgres
MAC Address: xx:xx:xx:xx:xx:xx
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.12 (x86)
Uptime: 37.392 days (since Thu Nov 16 15:55:38 2006)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 3.354 seconds

SinFP

IPv4: HEURISTIC0/P1P2: GNU/Linux: Linux: 2.6.x</strong>

Conclusion

Draw always

Debian NAT box

Now, it is time to test SinFP in the condition it is aimed at : a NAT environement.

For this test, I took the debian box and set NAT (should say PAT) for 2 ports with iptables :

$ echo « 1 » > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A PREROUTING -p  --dport 21 -j DNAT –to 192.168.1.20
$ iptables -t nat -A PREROUTING -p  --dport 800 -j DNAT –to 192.168.1.115

The 192.168.1.20 is the Windows 2000 server machine, with the IIS FTP server running.

The 192.168.1.115 is the FreeBSD box, having Netcat listening on the port 800.

Doing that, we expect Nmap to be lost as it considers the target is a single machine. Will it detect Linux, FreeBSD or Windows ?

Let’s try :

$ nmap -sS -O -PI -PT 192.168.1.110

Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-24 01:01 CET
Interesting ports on 192.168.1.110:
Not shown: 1688 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
111/tcp open  rpcbind
113/tcp open  auth
199/tcp open  smux
618/tcp open  unknown
800/tcp open  mdbs_daemon
MAC Address: xx:xx:xx:xx:xx:xx
No OS matches for host (If you know what OS is running on it, see http://insecure.org/nmap/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=4.20%D=12/24%OT=21%CT=1%CU=37629%PV=Y%DS=1%G=Y%M=0012F0%TM=458DC3
OS:56%P=i686-pc-linux-gnu)SEQ(SP=82%GCD=1%ISR=98%TI=I%II=I%SS=O%TS=0)SEQ(SP
OS:=8C%GCD=1%ISR=97%TI=I%II=I%SS=O%TS=0)SEQ(SP=8B%GCD=1%ISR=98%TI=I%II=I%SS
OS:=O%TS=0)SEQ(SP=88%GCD=1%ISR=98%TI=I%II=I%SS=O%TS=0)SEQ(SP=8B%GCD=1%ISR=9
OS:8%TI=I%II=I%SS=O%TS=0)OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4N
OS:W0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)WIN(W1=FAF
OS:0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0%W6=FAF0)ECN(R=Y%DF=Y%T=7F%W=FAF0%O=M5B
OS:4NW0NNS%CC=N%Q=)T1(R=Y%DF=Y%T=7F%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=7F%W=FAF0%S=O%A=S+%F=AS%O=M5B4
OS:NW0NNT00NNS%RD=0%Q=)T4(R=Y%DF=N%T=7F%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%D
OS:F=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40
OS:%TOS=C0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%TOSI=S%CD=S%SI=S%DLI=S)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 13.061 seconds</blockquote>
Indeed, Nmap could not determine the system and ask me to submit the fingerprint to improve the signature database.

In such a case, SinFP should be able to detect the systems on each port :

$ /usr/local/sinfp/bin/sinfp.pl -i 192.168.1.110 -p 21

P1: B11113 F0x12 W64240 O0204ffff M1460
P2: B11113 F0x12 W64240 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000

$ /usr/local/sinfp/bin/sinfp.pl -i 192.168.1.110 -p 22

P1: B10113 F0x12 W5840 O0204ffff M1460
P2: B10113 F0x12 W5792 O0204ffff0402080affffffff4445414401030300 M1460
P3: B10120 F0x04 W0 O0 M0

IPv4: HEURISTIC0/P1P2P3: GNU/Linux: Linux: 2.4.x

[sourcecode language="text"]$ /usr/local/sinfp/bin/sinfp.pl -i 192.168.1.110 -p 800

P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303010101080affffffff4445414404020000 M1460
P3: B11120 F0x04 W0 O0 M0

IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.0
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.1
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 7.0

Correct. Now we have a good picture of the target. A big evidence that the two tools are complementary, isn’t it ?

Conclusion

Well, Nmap did a lot improved, indeed !

With rather common systems, we have a draw  between SinFP and Nmap. It would be interesting to test more esoteric OS, but I can’t for now.

So, Nmap or SinFP ? Of course, you should use both !

Nmap will give you a quick and stealth overview of the open port of the target. Then, scan each port to check if it is a single machine or if there is some NAT activated.
In case of NAT, SinFP will give you a quite precise idea of what is running behind.  Anyway, matching the outputs of both Nmap and SinFP will provide you with much more interesting data.

Thanks again to the authors of these nice tools.

SinFP : http://www.gomor.org
Nmap : http://insecure.org/nmap/

Its goal is to help you detecting what operating system a remote machine is running.
Well, you will tell me that we already have many programs that does this job, starting from the so famous nmap… but the approach is quite different this time.

Let me explain in a short, but I hope clear, version.

A program like Nmap usually scan all the open ports of a remote IP address. According to the answers it gets back on each port, and using a signature database, nmap can identify the target OS.

Sounds good. But actually, SinFP shows there is a better way to do.

The author of SinFP got to the conclusion that nowadays, most of the IP addresses are managed by a NAT / PAT equipement (firewall, router). It means that behind a single public IP address, there is not only the firewall itself, but several machines and systems for each open service. For instance, you will have the HTTP port redirected to a Windows IIS machine, the SMTP one to a Linux box, the DNS to a solaris server, and so on.

So obviously Nmap just can’t be so reliable in such a case. How trustful will its detection be if it finds a Postfix service and a IIS service running on the same address ?

The solution of SinFP is rather elegant. First, considering the NAT problem, it focuses on one port. So you are practically sure that you are on the final machine, just the proxy case is left.

On this port, it tries fingerprinting with its internal signature database. The way it does it makes all the strengh of SinFP.
It sends 3 requests, similar to any request generated by the system call connect() :

P1 = P2 without option
P2 = TCP SYN with options
P3 = TCP SYN-ACK

For your scan, you can also use only P2, for stealthiness.

Then it catches the answers to these requests and generate from them a single signature with some selected patterns.
Finally, it compares it with the signatures in its database. The mathematic model it uses is far too complex for me to explain, but just now it tries to find the closest signature as possible, accepting some variations due to specific configurations or network conditions.

You will get an answer like that :

IPv4: HEURISTIC0/P1P2P3 <detected OS>

It means that the signature matched all the requests, P1, P2 and P3. This result is the most reliable.

If you get P1P2, it means that the signature did not fully match the one in the database… but it is still pretty reliable, as we will see further.

As a final try, if there is still no exact signature, SinFP will try to modify the signature according to a transformation mask to get closer to an existing ones.

If you want to have more details on how it works, you should go the website of the author : http://www.gomor.org

But now, let’s have a quick and dirty test, comparing this tool with Nmap :

Debian Etch box (2.6 kernel), various open ports with real services

Nmap

$ nmap -sS -O -PI -PT 192.168.1.230

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-12-17 06:26
Interesting ports on xxx (192.168.1.230):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain

80/tcp open http
443/tcp open https
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11

SinFP

$ /usr/local/sinfp/bin/sinfp.pl -i 192.168.1.230 80

P1: B10113 F0x12 W5840 O0204ffff M1460
P2: B10113 F0x12 W5792 O0204ffff0402080affffffff4445414401030302 M1460
P3: B00000 F0 W0 O0 M0
IPv4: HEURISTIC0/P1P2: GNU/Linux: Linux: 2.6.x

Conclusion : SinFP gives the exact result (Linux 2.6.X) when Nmap is detecting a Linux box, nothing more.

FreeBSD 6.1, no open port

Nmap

$ nmap -sS -O -PI -PT 192.168.1.115

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-12-17 06:37 CET
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1679 scanned ports on 192.168.1.115 are closed
MAC Address: xx:xx:xx:xx:xx:xx
Device type: general purpose
Running: Apple Mac OS X 10.1.X, Apple Mac OS 8.X, FreeBSD 5.X|6.X
Too many fingerprints match this host to give specific OS details

SinFP

$ /usr/local/sinfp/bin/sinfp.pl -i 192.168.1.115 80

*** Cannot fingerprint a closed or filtered port

Conclusion : No surprise, SinFP can’t be tested on this point, since it applies to an open port (I wanted to check that you follow :D ). That is not the goal of SinFP to do differently. However, it was interesting to see that Nmap gives a answer. Not precise, but at least it guesses that it is a BSD kernel.

FreeBSD 6.1, open port with NetCat

Nmap

$ nmap -sS -O -PI -PT 192.168.1.115

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-12-17 06:56 CET
Interesting ports on 192.168.1.115:
Not shown: 1678 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: xx:xx:xx:xx:xx:xx
No exact OS matches for host </strong>(If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

TCP/IP fingerprint:
SInfo(V=4.10%P=i686-pc-linux-gnu%D=12/17%Tm=4584DC41%O=80%C=1%M=0012F0)
TSeq(Class=TR%IPID=I%TS=1000HZ)
T1(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E)

SinFP

$ /usr/local/sinfp/bin/sinfp.pl -i 192.168.1.115 80

P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303010101080affffffff4445414404020000 M1460
P3: B11120 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.0
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 6.1
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 7.0

Conclusion : well, I was quite surprised. Nmap is totally lost. Why did it do a better job with no open port at all ? I haven’t searched yet, so if someone has a clue to explain well this pattern, please tell me. I have a feeling that it is because of the nmap port on FreeBSD, but I am not sure to be right.
SinFP does a pretty good job, all 3 patterns displayed concern FreeBSD from 6.0 to 7.0.

Debian Sarge (2.4 kernel), various open port, real services

Nmap

$ nmap -sS -O -PI -PT 192.168.1.110

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-12-17 06:46 CET

Interesting ports on 192.168.1.110:
Not shown: 1671 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
199/tcp open smux
443/tcp open https
907/tcp open unknown
MAC Address: xx:xx:xx:xx:xx:xx
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.4.0 - 2.5.20
Uptime 0.354 days (since Sat Dec 16 22:17:30 2006)

SinFP

$ /usr/local/sinfp/bin/sinfp.pl -i 192.168.1.110 443

P1: B10113 F0x12 W5840 O0204ffff M1460
P2: B10113 F0x12 W5792 O0204ffff0402080affffffff4445414401030300 M1460
P3: B10120 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: GNU/Linux: Linux: 2.4.x

Conclusion : Here I think we can consider that both Nmap and SinFP give the exact answer. This is a draw here.

Windows 2000 server, various open port, real services

Nmap

$ nmap -sS -O -PI -PT 192.168.1.20

Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-12-17 07:11 CET
Interesting ports on moon.int.jcbnet.org (192.168.1.20):
Not shown: 1656 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1026/tcp open LSA-or-nterm
1029/tcp open ms-lsa
1112/tcp open msql
1723/tcp open pptp
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3372/tcp open msdtc
5800/tcp open vnc-http
5900/tcp open vnc
MAC Address: xx:xx:xx:xx:xx:xx
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP

SinFP

$ /usr/local/sinfp/bin/sinfp.pl -i 192.168.1.20 5900

P1: B11113 F0x12 W64240 O0204ffff M1460
P2: B11113 F0x12 W64240 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000

Conclusion : SinFP is right and far more precise than Nmap.

As you can see, the results of SinFP are just fine for each of my tests. Ok, it was not the perfect test, it was rather quick and dirty, but personnally it is enough for me to be convinced. It will be from now one of my favorite tools.

When it comes to OS fingerprinting, SinFP makes a better job than Nmap. But we should not be hard on Nmap. They are different tools, and we actually should not have compared them directly. Nmap is an excellent port scanner for which OS detection is just an option, while SinFP focusses on it.

Its approach is new, ingenious and efficient.

I could not test SinFP on more systems for now, but I will update here if I can. You can also comment here if you find a system that could not be detected by SinFP. In that case, contact also the author of SinFP, sending him the new fingerprint.

The more signatures there will be, the more efficient this tool will be !

I did contact him, so I can tell you he is very reactive, helpful, and willing to improve his program.

SinFP : http://www.gomor.org