This is the nineteenth post detailing my notes on Nmap Network Scanning.
I’ve reached a section of the above Nmap book entitled “TCP/IP Fingerprinting Methods Supported by Nmap”, and it begins thus:
Nmap OS fingerprinting works by sending up to 16 TCP, UDP, and ICMP probes to known open and closed ports of the target machine. These probes are specially designed to exploit various ambiguities in the standard protocol RFCs. Then Nmap listens for responses. Dozens of attributes in those responses are analyzed and combined to generate a fingerprint. Every probe packet is tracked and resent at least once if there is no response. All of the packets are IPv4 with a random IP ID value. Probes to an open TCP port are skipped if no such port has been found. For closed TCP or UDP ports, Nmap will first check if such a port has been found. If not, Nmap will just pick a port at random and hope for the best.
The following sections are highly technical and reveal the hidden workings of Nmap OS detection. Nmap can be used effectively without understanding this, though the material can help you better understand remote networks and also detect and explain certain anomalies. Plus, some of the techniques are pretty cool. Readers in a hurry may skip to the section called “Dealing with Misidentified and Unidentified Hosts”. But for those of you who are ready for a journey through TCP explicit congestion notification, reserved UDP header bits, initial sequence numbers, bogus flags, and Christmas tree packets: read on!
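As an added illustration (not the book’s or Nmap’s own code), here is a small Python model of the probe-selection and retransmission rules the quoted passage describes: skip the open-port probe when no open port is known, fall back to a random port when no closed one is known, stamp every packet with a random IP ID, and resend once on silence. The four-probe set, the port numbers and the stand-in host are constructed assumptions in place of the real set of up to 16 probes.

```python
import random

# Constructed model (not Nmap's code) of the probe-selection and retransmission
# rules quoted above. One probe per category stands in for the real set of up to 16.
def plan_probes(open_tcp, closed_tcp, closed_udp, rng):
    """Choose target ports from what the port scan already found."""
    probes = []
    if open_tcp:                      # open-port probes are skipped if no open port is known
        probes.append(("tcp", open_tcp[0], "open"))
    # For closed ports, use a known-closed one; otherwise pick one at random and hope
    tcp_port = closed_tcp[0] if closed_tcp else rng.randint(1024, 65535)
    udp_port = closed_udp[0] if closed_udp else rng.randint(1024, 65535)
    probes.append(("tcp", tcp_port, "closed"))
    probes.append(("udp", udp_port, "closed"))
    probes.append(("icmp", 0, "echo"))
    return probes

def run_probes(probes, send, rng, tries=2):
    """Send each probe with a random IPv4 ID; resend once if nothing comes back.
    Returns {(proto, port): (response, attempts_used)}."""
    results = {}
    for proto, port, _kind in probes:
        for attempt in range(1, tries + 1):
            ip_id = rng.randint(0, 0xFFFF)          # random IP ID on every packet
            resp = send(proto, port, ip_id)
            if resp is not None:
                results[(proto, port)] = (resp, attempt)
                break
        else:
            results[(proto, port)] = (None, tries)   # no answer even after the resend
    return results

class ConstructedTarget:
    """Constructed stand-in for a host (no real network): answers TCP at once,
    drops the first UDP probe, and never answers ICMP echo (e.g. filtered)."""
    def __init__(self):
        self.seen = []            # every packet that reached the "host"
        self.udp_drops_left = 1
    def __call__(self, proto, port, ip_id):
        self.seen.append((proto, port, ip_id))
        if proto == "tcp":
            return "syn-ack" if port == 22 else "rst"   # assume only port 22 is open
        if proto == "udp" and self.udp_drops_left:
            self.udp_drops_left -= 1
            return None
        return "port-unreach" if proto == "udp" else None

if __name__ == "__main__":
    target, rng = ConstructedTarget(), random.Random(1)
    for key, val in run_probes(plan_probes([22], [81], [], rng), target, rng).items():
        print(key, val)
```

Running it shows the UDP probe answered only on its second attempt and the ICMP probe giving up after the resend, which is exactly the “tracked and resent at least once” behaviour from the passage.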
I’m determined to read this section, but certainly won’t blog on it as in all honesty I don’t think I’ll understand very much.
But if you want to read it, you can do so at the links below:
TCP/IP Fingerprinting Methods Supported by Nmap
Fingerprinting Methods Avoided by Nmap