nmap-os-fingerprints: Test 1 (T1) through Test 7 (T7)
T1(DF=Y%W=6360|805C|FFAF%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=6360|805C|FFAF%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
Test 1 (abbreviated in the fingerprint as T1) through Test 7 (T7) refer to the fingerprints that result from seven frames sent to the remote device. Each test has a specific function, and the results of each test are compared against the nmap-os-fingerprints file to identify the target station's operating system. The tests are very specific, and the packets received in reply are scrutinized for their identifiable response patterns.


Prior to running test 1 through test 7, nmap chooses an open port and a closed port to use for the appropriate tests. If only one of these two options is available, nmap provides a message regarding its ability to accurately fingerprint:

Warning:  OS detection will be MUCH less reliable because 
we did not find at least 1 open and 1 closed TCP port

This is a description of the tests and a summary of the frame that is sent to the target:

T1: Test 1 sends a SYN frame with a mix of TCP options to an open port. These options consist of a window scale option of 10, a maximum segment size of 265, and a timestamp value of 1061109567.

T2: Test 2 sends a NULL TCP frame (no flags set) to an open port. This frame includes the same TCP options as those in Test 1.

T3: Test 3 sends a TCP frame with the SYN, FIN, PSH, and URG flags to an open port. This frame also includes the same TCP options as those found in test 1 and test 2.

T4: Test 4 sends a TCP ACK to the open port.

T5: Test 5 begins the fingerprint tests to the previously found closed port. This test sends a TCP SYN to the closed port.

T6: Test 6 sends a TCP ACK to the closed port.

T7: Test 7 sends a TCP frame with the FIN, PSH, and URG flags to the closed port.
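
The probe shapes listed above are distinctive enough to detect on the receiving side. The following is an added example, not part of the original page or of nmap: it flags sources whose packets show the T1 to T3 option values or the T2, T3 and T7 flag combinations. The packet-record field names (src, dport, flags, opts) and the threshold are assumptions, and the sample records are constructed. A lone SYN or ACK (T1, T4, T5, T6) is ordinary traffic, so those probes are only caught through the option values.

```python
from collections import defaultdict

# Option values the text gives for the T1-T3 probes.
PROBE_OPTS = {"wscale": 10, "mss": 265, "tsval": 1061109567}

# Flag combinations from the text that are not part of normal TCP exchanges.
ODD_FLAGS = {
    frozenset(): "T2 NULL",
    frozenset("SFPU"): "T3 SYN+FIN+PSH+URG",
    frozenset("FPU"): "T7 FIN+PSH+URG",
}

def classify(pkt):
    """Return the probe indicators that one packet record exhibits."""
    hits = set()
    label = ODD_FLAGS.get(frozenset(pkt["flags"]))
    if label:
        hits.add(label)
    opts = pkt.get("opts", {})
    if all(opts.get(k) == v for k, v in PROBE_OPTS.items()):
        hits.add("probe-options")
    return hits

def suspects(packets, threshold=2):
    """Sources showing at least `threshold` distinct indicators."""
    seen = defaultdict(set)
    for pkt in packets:
        seen[pkt["src"]] |= classify(pkt)
    return {s: sorted(h) for s, h in seen.items() if len(h) >= threshold}

# Constructed sample records (documentation addresses, not capture data).
P = dict(PROBE_OPTS)
SAMPLE = [
    {"src": "198.51.100.7", "dport": 22, "flags": "S", "opts": P},
    {"src": "198.51.100.7", "dport": 22, "flags": "", "opts": P},
    {"src": "198.51.100.7", "dport": 22, "flags": "SFPU", "opts": P},
    {"src": "198.51.100.7", "dport": 1, "flags": "FPU", "opts": {}},
    {"src": "192.0.2.10", "dport": 443, "flags": "S",
     "opts": {"mss": 1460, "wscale": 7, "tsval": 88213}},
    {"src": "203.0.113.5", "dport": 80, "flags": "", "opts": {}},
]

if __name__ == "__main__":
    for src, hits in suspects(SAMPLE).items():
        print(src, hits)
```

Requiring two distinct indicators per source keeps a single stray NULL segment from raising an alert.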


The T1 to T7 Attributes
The seven test fingerprints all follow the same syntax, although it's not a requirement for every test line to include every possible attribute. Each test fingerprint follows the same attribute order:

Resp: The fingerprint shows a Y if a response is received, and it displays an N if a response is not received.

DF: This fingerprint attribute specifies whether the "Don't Fragment" bit is set in the response frame.

W: The fingerprint displays the window size or sizes (separated by "|") expected in the response frame.

ACK: This attribute refers to the expected ACK value. This can display an S to mean the same sequence number that was sent in the test frame, or S++ if the reply's ACK number is the sequence number sent in the test frame plus one. If an O is displayed, some other value was returned in reply to the test frame.

Flags: The flags attribute displays the TCP flags that are enabled in the reply, in this order:

B = Bogus (the flag in the reply frame isn't a real TCP flag)
U = Urgent
A = Acknowledgement
P = Push
R = Reset
S = Synchronize
F = Final

Ops: The Ops attribute displays the TCP options that are enabled in the reply:

L = End of List
N = No Op
M = Maximum Segment Size
E = Echoed
W = Window Scale
T = Timestamp


nmap-os-fingerprints: The Port Unreachable Test (PU)
PU(DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

For the port unreachable test, nmap selects a closed port and sends a UDP frame. The ensuing ICMP port unreachable reply includes an "echo" of data from the originating packet. The ICMP port unreachable fingerprint compares these attributes:

DF = If the don't fragment bit is set, the fingerprint shows a Y. If the don't fragment bit is not set, the fingerprint shows an N.

TOS = The IP header's type of service (TOS) byte is compared to this TOS fingerprint. The type of service fingerprint is shown as a hexadecimal value.

IPLEN = The fingerprint displays the IP datagram total length (IPLEN) in bytes from the response packet's IP header, referenced as a hexadecimal value.

RIPTL = The IP datagram total length (in hex) repeated back (RIPTL) to the nmap station is listed as this attribute. This is the IP datagram total length from the echoed IP header, not the bytes in the "real" IP header of the frame. The value of the "real" IP header is referenced in the IPLEN attribute.

RID = If the IP identification bytes in the reply (RID) are identical to the original frame, the fingerprint contains an E. If the echoed IPID doesn't match the original, the RID fingerprint attribute contains an F.

RIPCK = This fingerprint attribute is the comparison of the returned IP checksum (RIPCK) in the echoed packet with the checksum in the original packet. An E signifies a match, while an F signifies that the two checksums are different.

UCK = The UDP checksum (UCK) fingerprint attribute compares the UDP checksum in the original frame with the echoed data in the response frame. An E signifies a match, while an F signifies that the two checksums are different.

ULEN = The UDP length (ULEN) in the response frame echo should match the value from the original frame. Nmap sends 0x134 bytes in the original frame, and the fingerprint displays the value in hex that should appear in the response frame echo.

DAT = If the data (DAT) in the returned packet matches that of the original frame, this fingerprint assigns an E to this attribute. If the data is not identical, an F is assigned.
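
The attribute syntax described in "The T1 to T7 Attributes" and in the PU section above can be parsed and compared mechanically. The following is an added example, not code from the original page or from nmap: it parses a test line, expands the Flags and Ops letters and the hex PU values, and lists the attributes where an observed reply disagrees. Treating "|" as a list of alternatives for every attribute (the page describes it for W), the exact-string comparison, and the function names are assumptions; the observed reply is constructed.

```python
import re

LINE_RE = re.compile(r"^(\w+)\((.*)\)$")
FLAGS = {"B": "Bogus", "U": "Urgent", "A": "Acknowledgement", "P": "Push",
         "R": "Reset", "S": "Synchronize", "F": "Final"}
OPS = {"L": "End of List", "N": "No Op", "M": "Maximum Segment Size",
       "E": "Echoed", "W": "Window Scale", "T": "Timestamp"}
HEX_ATTRS = {"TOS", "IPLEN", "RIPTL", "ULEN"}  # the page gives these in hex

def parse_line(line):
    """Split 'T1(DF=Y%W=6360|805C...)' into (test, {attr: [alternatives]})."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a fingerprint test line: {line!r}")
    attrs = {}
    for field in filter(None, m.group(2).split("%")):
        key, _, value = field.partition("=")
        attrs[key] = value.split("|")  # 'Ops=' yields [''] (no options)
    return m.group(1), attrs

def decode(attrs):
    """Expand letter codes and hex values into readable form."""
    out = {}
    for key, alts in attrs.items():
        if key == "Flags":
            out[key] = [[FLAGS[c] for c in a] for a in alts]
        elif key == "Ops":
            out[key] = [[OPS[c] for c in a] for a in alts]
        elif key in HEX_ATTRS:
            out[key] = [int(a, 16) for a in alts]
        else:
            out[key] = alts
    return out

def mismatches(attrs, observed):
    """Attributes where the observed reply is not among the alternatives.
    Attributes absent from the fingerprint line are not compared."""
    return sorted(k for k, alts in attrs.items()
                  if observed.get(k, "") not in alts)

# Fingerprint lines copied from the page.
T1 = "T1(DF=Y%W=6360|805C|FFAF%ACK=S++%Flags=AS%Ops=MNWNNT)"
PU = "PU(DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)"
# Constructed observation of a T1 reply (not capture data).
OBSERVED_T1 = {"DF": "Y", "W": "805C", "ACK": "S++", "Flags": "AS",
               "Ops": "MNWNNT"}

if __name__ == "__main__":
    name, attrs = parse_line(T1)
    print(name, decode(attrs), mismatches(attrs, OBSERVED_T1))
    print(decode(parse_line(PU)[1]))
```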