Nmap/IPv4 OS Integration

From SecWiki
svn checkout https://svn.nmap.org/nmap-private-dev/fp
svn checkout https://svn.nmap.org/nmap

The OS integration tools are in the /nmap-private-dev/fp directory. The programs in fp link against object files in nmap, so compile nmap first. You need (at least) libssl-dev, libncurses-dev, and libx11-dev.

cd nmap
./configure && make
cd ~/fp

The fp makefile explicitly lists all the object files linked by nmap in the NMAP_OBJS variable. Sometimes it gets out of sync and you have to update it.
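The following script is an added example, not part of the wiki page or of the Nmap project's own tooling. It compares the objects listed in the fp makefile's NMAP_OBJS variable with the .o files actually present in the compiled nmap tree, so an out-of-sync list is found before a link error does it for you. It assumes the variable is written as a make assignment with backslash line continuations, that entries may carry a directory or $(VAR) prefix (only basenames are compared), and that fp links the top-level nmap objects; any object fp deliberately leaves out will show up as "missing", so read the output as a review list rather than a verdict.

```shell
#!/bin/sh
# Added example (not from the SecWiki page or the Nmap project):
# cross-check the fp Makefile's NMAP_OBJS variable against the .o files
# present in the nmap build tree.
#
# Assumptions: NMAP_OBJS is defined as `NMAP_OBJS = a.o b.o \` (backslash
# continuations allowed, entries may be prefixed with a path or $(VAR)),
# and fp links the top-level objects of the nmap directory.

# extract_nmap_objs MAKEFILE -> one object basename per line, sorted, unique
extract_nmap_objs() {
    awk '
        # start of the assignment: drop everything up to and including "="
        /^[[:space:]]*NMAP_OBJS[[:space:]]*[:?+]?=/ { inside = 1; sub(/^[^=]*=/, "") }
        inside {
            line = $0
            cont = (line ~ /\\[[:space:]]*$/)     # trailing backslash => continues
            sub(/\\[[:space:]]*$/, "", line)
            n = split(line, parts, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
            if (!cont) inside = 0
        }
    ' "$1" | sed 's|.*/||' | sort -u
}

# check_nmap_objs MAKEFILE OBJDIR
#   prints "missing: X" for a built .o file that NMAP_OBJS does not list
#   prints "stale: X"   for a listed object that was not built
#   returns 0 when the two sets agree, 1 otherwise
check_nmap_objs() {
    makefile=$1
    objdir=$2
    status=0
    listed=$(extract_nmap_objs "$makefile")
    built=$(for f in "$objdir"/*.o; do
                [ -e "$f" ] && printf '%s\n' "${f##*/}"
            done | sort -u)
    for f in $built; do
        printf '%s\n' "$listed" | grep -Fxq -- "$f" \
            || { printf 'missing: %s\n' "$f"; status=1; }
    done
    for f in $listed; do
        printf '%s\n' "$built" | grep -Fxq -- "$f" \
            || { printf 'stale: %s\n' "$f"; status=1; }
    done
    return $status
}

# Usage from the fp directory, after `make` in ../nmap:
#   sh check_objs.sh Makefile ../nmap
if [ "$#" -eq 2 ]; then
    check_nmap_objs "$1" "$2"
fi
```

Run it from the fp directory after building nmap; a non-zero exit means the list needs editing. Because only basenames are compared, a renamed source file shows up as one "stale" and one "missing" line, which is the usual symptom of the list having drifted.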

OS submissions come in a big mbox file with one submission per message. Use Mutt, the mail reader, to process the file. Add these lines to ~/.muttrc:

macro pager "p" "<pipe-message>/home/user/fp/OSassist<enter>"
macro index "p" "<pipe-message>/home/user/fp/OSassist<enter>"

You also have to make some symlinks to database files:

ln -s ../nmap/nmap-os-db
ln -s ../nmap/nmap-mac-prefixes

Run Mutt like so:

mutt -f nmapsubmit-osfp-date

You can use the "read" flag on messages to keep track of which ones you've done already. You want to start with everything unread:

  • l ~R to see read messages.
  • N to mark them as new.

If you want to look at entries in the mbox without marking them read, you can use the -R option to Mutt to open the file in read-only mode, or press N after looking at the message to mark it new again.

Press p on a message to open it with OSassist. The top of the screen shows the top 10 matches in nmap-os-db. The middle shows the observed fingerprint. The bottom shows either the diff of the reference against the observed (default), the reference itself (after d has been pressed), or the result of merging the reference with the observed (after m has been pressed).

Keys in OSassist are:

  • j, k: down, up
  • q: quit
  • d: toggle diff view
  • m: toggle merge view
  • r, p: reinitialize (after making manual edits to nmap-os-db)
  • c: copy the bottom section to the X clipboard (for merged fingerprints)
  • f: copy the middle section to the X clipboard (for new fingerprints)
  • w: toggle warnings

OSassist shows the top 10 matches. Go through the first few and decide how to dispose of the new observed fingerprint:

  • Ignore it.
  • Merge it into an existing reference fingerprint.
  • Create a new reference fingerprint.

You ignore a submission when it is of low quality or is missing necessary information. Merge it if it is close to something existing. Otherwise, create a new reference fingerprint.

Many changes can be made with a text editor on nmap-os-db. After changing the file, hit r in OSassist to reload.

Changes to the description of a fingerprint should usually come with a new comment line.