I'll respond here rather than down chain. OS fingerprinting shifted to the passive Ettercap, vs. the active nmap with ntop 3.0. nmap was removed because it must run as root - thus making ntop an attractive target for crackers. At the time, Ettercap seemed to offer better classification w/o requiring root or being an active probe.
Although different in technique, both active and passive scanning can give valid results. But both techniques are only as good as their signature files... and they're subject to false IDs if intermediate devices (switches, routers, etc.) modify packets. Even seemingly local hosts may have their packets fragmented or altered en route.

Here's the header of the Ettercap file we distribute w/ ntop:

############################################################################
#
#  ettercap -- etter.passive.os.fp -- passive OS fingerprint database
#
#  Copyright (C) 2001-2003 ALoR & NaGA
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#
############################################################################
#
#  Last updated on : $Date: 2003/07/08 16:05:12 $
#  Total entries   : 1279
#
############################################################################
#
#  The fingerprint database has the following structure:
#
#  WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS
#
#  WWWW: 4 digit hex field indicating the TCP Window Size
#  MSS : 4 digit hex field indicating the TCP Option Maximum Segment Size
#        if omitted in the packet or unknown it is "_MSS"
#  TTL : 2 digit hex field indicating the IP Time To Live
#  WS  : 2 digit hex field indicating the TCP Option Window Scale
#        if omitted in the packet or unknown it is "WS"
#  S   : 1 digit field indicating if the TCP Option SACK permitted is true
#  N   : 1 digit field indicating if the TCP Options contain a NOP
#  D   : 1 digit field indicating if the IP Don't Fragment flag is set
#  T   : 1 digit field indicating if the TCP Timestamp is present
#  F   : 1 digit ascii field indicating the flag of the packet
#        S = SYN
#        A = SYN + ACK
#  LEN : 2 digit hex field indicating the length of the packet
#        if irrilevant or unknown it is "LT"
#  OS  : an ascii string representing the OS
#
#  IF YOU FIND A NEW FINGERPRING, PLEASE MAIL IT US WITH THE RESPECTIVE OS
#  or use the appropriate form at:
#  http://ettercap.sourceforge.net/index.php?s=stuff&p=fingerprint
#
#  TO GET THE LATEST DATABASE:
#
#  http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/~checkout~/ettercap/
#  ettercap/etter.passive.os.fp?rev=HEAD&content-type=text/plain
#
############################################################################

Notice TWO things - one, the date (but that IS the latest version) and two, the range of fields in a fingerprint.

Now there are - typically - enough 'random' differences in the signature of various OSes to enable reasonably accurate determination, but not always. Many versions of an OS can have the same fingerprint, or a seemingly minor patch can cause a different fingerprint. It's also possible for very different OSes to have the same fingerprint. If you look further into the Ettercap file you will see how similar and how different things are. Look for the # of signatures for various versions of, say, "Windows 2000" - I make it 133. Are all of 'em righteous? Probably not...

However, ANY fingerprinting technology must:

* Keep the database up to date, and
* Be cleansed (so that OSes are identified in approx the same way. Not Novell xxxxx v4.0 for one fp and xxxxx v4.5 (Novell) for another version, etc.)

Unfortunately, neither of these seems to be happening w/ Ettercap.

Anyway, you can always unzip the ettercap file, add your own fingerprints and zip it back up. That's the reason the fingerprinting page shows the unknown fingerprint values...

-----Burton

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Crowe, Tom
> Sent: Tuesday, April 06, 2004 2:25 PM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] NTOP v3 OS Fingerprinting
>
> Anyone else find that OS fingerprinting is wrong? I am using NTOP v3
> April 5th build and it's recognizing all of my machines as Windows 2000
> Pro and they are all Windows XP Pro (few exceptions).
>
> Just curious if this is a bug.
>
> Thanks,
> Tom
>
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop
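A parser and lookup for the etter.passive.os.fp record format that Burton quotes above, added here as an illustration; it is not ntop's or ettercap's own code. The field layout and the placeholders _MSS / WS / LT are taken straight from the file header; the sample records in SAMPLE_DB are constructed for this example and are not entries from the real database, and the nearest-match scoring is this example's own heuristic rather than ettercap's matching logic. The first two sample records deliberately share one fingerprint, which is the collision Burton describes (and the kind of thing that makes an XP box show up as 2000).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field order from the file header: WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS
FIELDS = ("window", "mss", "ttl", "ws", "sack", "nop", "df", "ts", "flag", "length")
# Placeholders the header defines for "omitted in the packet or unknown"
WILDCARDS = {"mss": "_MSS", "ws": "WS", "length": "LT"}
# Per-field syntax, transcribed from the header's field descriptions
PATTERNS = {
    "window": r"[0-9A-F]{4}", "mss": r"[0-9A-F]{4}|_MSS", "ttl": r"[0-9A-F]{2}",
    "ws": r"[0-9A-F]{2}|WS", "sack": r"[01]", "nop": r"[01]", "df": r"[01]",
    "ts": r"[01]", "flag": r"[SA]", "length": r"[0-9A-F]{2}|LT",
}

# Constructed sample records for this example; NOT taken from the real database.
SAMPLE_DB = """\
# constructed sample, not real etter.passive.os.fp entries
4000:05B4:80:00:1:1:1:0:S:LT:Windows 2000 Professional
4000:05B4:80:00:1:1:1:0:S:LT:Windows XP Professional
FAF0:05B4:80:00:1:1:1:0:S:LT:Windows XP Professional SP2
16D0:05B4:40:00:1:1:1:1:S:LT:Linux 2.4.x
16D0:05B4:40:00:1:1:1:1:A:LT:Linux 2.4.x
0000:_MSS:40:WS:0:0:0:0:A:LT:Cisco IOS 12.x
"""


@dataclass(frozen=True)
class Record:
    fields: Tuple[str, ...]  # the ten fingerprint fields, in FIELDS order
    os: str

    @property
    def key(self) -> str:
        return ":".join(self.fields)


def parse_db(text: str) -> List[Record]:
    """Parse records in the header's format. Comment and blank lines are skipped;
    a malformed record raises ValueError naming the offending line."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", len(FIELDS))  # the OS string may itself contain ':'
        if len(parts) != len(FIELDS) + 1:
            raise ValueError(f"line {lineno}: expected {len(FIELDS) + 1} fields, got {len(parts)}")
        fields = tuple(p.upper() for p in parts[:-1])  # hex case is normalised
        for name, value in zip(FIELDS, fields):
            if not re.fullmatch(PATTERNS[name], value):
                raise ValueError(f"line {lineno}: bad {name} field {value!r}")
        records.append(Record(fields, parts[-1].strip()))
    return records


def observed_key(window: int, ttl: int, *, mss: Optional[int], ws: Optional[int],
                 sack: bool, nop: bool, df: bool, ts: bool, syn_ack: bool,
                 length: Optional[int] = None) -> str:
    """Build the lookup key for a captured SYN / SYN+ACK the way the header
    describes it: an absent option becomes the matching placeholder."""
    return ":".join([
        f"{window:04X}",
        f"{mss:04X}" if mss is not None else WILDCARDS["mss"],
        f"{ttl:02X}",
        f"{ws:02X}" if ws is not None else WILDCARDS["ws"],
        "1" if sack else "0", "1" if nop else "0", "1" if df else "0", "1" if ts else "0",
        "A" if syn_ack else "S",
        f"{length:02X}" if length is not None else WILDCARDS["length"],
    ])


def lookup(db: List[Record], key: str) -> List[str]:
    """Exact match. Returns every OS string that carries this fingerprint,
    because distinct OSes or versions can legitimately collide."""
    return [r.os for r in db if r.key == key.upper()]


def nearest(db: List[Record], key: str, limit: int = 3) -> List[Tuple[int, str]]:
    """Fallback ranking when there is no exact match: count agreeing fields,
    treating a placeholder on either side as agreement. This scoring is the
    example's own heuristic, not ettercap's algorithm."""
    obs = key.upper().split(":")

    def score(r: Record) -> int:
        return sum(a == b or a == WILDCARDS.get(n) or b == WILDCARDS.get(n)
                   for a, b, n in zip(obs, r.fields, FIELDS))

    ranked = sorted(((score(r), r.os) for r in db), key=lambda t: (-t[0], t[1]))
    return ranked[:limit]


def count_os(db: List[Record], substring: str) -> int:
    """Tally records whose OS label contains a family name (the kind of count
    Burton does for "Windows 2000" above)."""
    return sum(substring.lower() in r.os.lower() for r in db)


if __name__ == "__main__":
    db = parse_db(SAMPLE_DB)
    k = observed_key(0x4000, 128, mss=0x05B4, ws=0, sack=True, nop=True, df=True,
                     ts=False, syn_ack=False)
    print(k, "->", lookup(db, k))              # two OSes share this fingerprint
    print(nearest(db, "FAF0:05B4:80:00:1:1:1:0:A:LT"))
    print("Windows XP entries:", count_os(db, "Windows XP"))
```

Run it against the real file by replacing SAMPLE_DB with the text of etter.passive.os.fp; parse_db will reject any hand-added record that does not follow the header's field syntax before it ever reaches the matcher, which is the check you want after editing and re-zipping the file.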
