The nmap-os-fingerprints Support File
The nmap-os-fingerprints support file contains a definition of every operating system fingerprint that nmap recognizes. As new operating system fingerprints are created and released, this text file is simply updated with the new fingerprint definitions.
This is the definition for a Microsoft Windows XP SP2 operating system from the nmap-os-fingerprints file:
Fingerprint Microsoft Windows XP SP2 Class Microsoft | Windows | NT/2K/XP | general purpose TSeq(Class=TR%gcd=<6%IPID=I) T1(DF=Y%W=6360|805C|FFAF%ACK=S++%Flags=AS%Ops=MNWNNT) T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) T3(Resp=Y%DF=Y%W=6360|805C|FFAF%ACK=S++%Flags=AS%Ops=MNWNNT) T4(DF=N%W=0%ACK=O%Flags=R%Ops=) T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) PU(DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)Each operating system definition contains similarly formatted information. Each line contains information that contributes to the overall operating system fingerprint.
All of these attributes are documented below. This is the most comprehensive documentation of the operating system fingerprinting process available anywhere!
Fingerprint Microsoft Windows XP SP2
The first line in a fingerprint definition is labeled Fingerprint. This line references the name of the operating system fingerprint, and this information is displayed on the "OS Details:" entry on the nmap output:
OS details: Microsoft Windows XP SP2
Class Microsoft | Windows | NT/2K/XP | general purpose
The Class line is a combination of four different variables. The structure of this line corresponds to:
Manufacturer | OS Name | Version | Device TypeIf one of these variables is unknown or does not apply, the variable is left blank. The first three variables are combined on the "Running:" line of the nmap output, and the last variable is used on the "Device type:" output line:
Device type: general purpose Running: Microsoft Windows NT/2K/XP
The TSeq line contains the fingerprint information for TCP Sequence Prediction. This is the fingerprint that nmap uses to determine if initial sequence numbers (ISNs) can be predicted based on past results:
TCP Sequence Prediction: Class=64K rule Difficulty=1 (Trivial joke)or
TCP Sequence Prediction: Class=truly random Difficulty=9999999 (Good luck!)
Nmap clearly identifies when a TCP initial sequence number would be impossible to predict!
The Importance of TCP Sequence Prediction Analysis
If the TCP sequences of a remote device are understood, then that remote device is more susceptible to malicious activity such as TCP hijacking. TCP hijacking is a technique that allows a third-party to "interrupt" an existing TCP connection between two devices. The malicious third party can then masquerade as one of the original stations, allowing them to send unwanted information to the other device. A major technical aspect of the hijacking process is the ability of the attacking station to predict the TCP sequence numbers.