SinFP vs Nmap
About a month ago I posted a Daily Link List... In this list I mentioned that a new version of SinFP was available and that I had not been overly impressed with previous versions of the product. Shortly after, a comment was posted by Gomor (the author of SinFP) asking me to perform further testing with the new version and give it a try. I decided it was about time to give it a go. So last weekend, I downloaded the package on my Mac (PPC architecture) and started the install... About halfway through I received an error message that Big Endian systems were not supported and the install died. I decided to try again with a PC (Ubuntu 6.10). The install sailed through and I decided to give it a try.
I first tried as my regular user and received an error message:
user@host:/usr/local/sinfp/bin$ ./sinfp.pl -i 192.168.X.X
Must be EUID 0 to open a device for writing at /usr/local/sinfp/bin/../lib/Net/Packet/DescL3.pm line 86
OK, so you have to be root... nmap also requires root permissions to perform a -O (OS detection) scan.
I su - to root and try again... this time the results were slightly better. The scan completed with the following results:
P1: B11113 F0x12 W65535 O0204ffff M1260
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1260
P3: B11021 F0x04 W0 O0 M0
IPv4: unknown
*** File [sinfp4-127.0.0.1.anon.pcap] generation done.
*** Please send it to
if you think this is not
*** the good identification, or if it is a new signature.
*** In this last case, please specify `uname -a' (or equivalent)
*** from the target host.
Let's try the same scan on nmap (ver. 4.03) (only OS information displayed):
OS details: Microsoft Windows 2003 Server or XP SP2
Now the machine is Windows XP SP2... However, Gomor suggested that I try the -H option... so we'll do that next. With -H the results are slightly better... nmap narrowed it down to 2K3 or XP with SP2... SinFP returned these results:
P1: B11113 F0x12 W65535 O0204ffff M1260
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1260
P3: B11021 F0x04 W0 O0 M0
IPv4: BH0FH0WH1OH0MH2/P1P2P3: Windows: Windows: 2000
IPv4: BH0FH0WH1OH0MH2/P1P2P3: Windows: Windows: XP
*** File [sinfp4-127.0.0.1.anon.pcap] generation done.
*** Please send it to
if you think this is not
*** the good identification, or if it is a new signature.
*** In this last case, please specify `uname -a' (or equivalent)
*** from the target host.
These results are nearly as specific or as accurate as nmap's results. Now this is a single host... I figure I'll give a few others a try. I decided to try my laptop (Ubuntu 6.10).
First attempt:
*** Cannot fingerprint a closed or filtered port
Oh yeah, I have to target an open port (port 80 is the default; you can specify another port using the -p flag). To simplify things, I'll use port 80 and simply turn on Apache.
* Starting apache 2.0 web server... [Mon Dec 04 19:21:07 2006] [warn] module proxy_http_module is already loaded, skipping
[ ok ]
Let's also verify that it actually did start.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 05 Dec 2006 00:21:32 GMT
Server: Apache/2.0.55 (Ubuntu) mod_python/3.2.8 Python/2.4.4c1 PHP/4.4.2-1.1 proxy_html/2.4 mod_perl/2.0.2 Perl/v5.8.8
Last-Modified: Thu, 20 Jul 2006 22:31:14 GMT
ETag: "5c80f8-12b-f003f080"
Accept-Ranges: bytes
Content-Length: 299
Connection: close
Content-Type: text/html; charset=UTF-8
So let's try SinFP again:
*** Cannot fingerprint a closed or filtered port
It still can't find it... I'm going to say that maybe you can't scan the host you're on, however if Gomor is reading this, I'd love his thoughts on why this didn't work. (I also used ports 445 and 111, however I didn't read the documentation, so maybe it states you can't scan localhost)... Moving on, let's test a few more hosts.
Here's another XP SP2 (fresh install) with only port 3389 open... Let's look at the results:
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on (192.168.X.X):
(The 1673 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
3389/tcp open ms-term-serv
MAC Address: 00:0C:F1:DF:FD:F5 (Intel)
Device type: general purpose
Running: IBM AIX 4.X, Microsoft Windows 2003/.NET|NT/2K/XP
OS details: IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/*, Microsoft Windows 2003 Server or XP SP2, Microsoft Windows XP SP2
root@host:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X -p 3389
P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: XP
*** File [sinfp4-127.0.0.1.anon.pcap] generation done.
*** Please send it to sinfp@gomor.org if you think this is not
*** the good identification, or if it is a new signature.
*** In this last case, please specify `uname -a' (or equivalent)
*** from the target host.
I'm still waiting to see it correctly and easily identify a Windows XP machine, so I've decided to continue my testing...
The output from three additional XP SP2 machines:
P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: XP
P1: B11113 F0x12 W65535 O0204ffff M1260
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1260
P3: B11021 F0x04 W0 O0 M0
IPv4: unknown
P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: XP
I'm not overly impressed: it has yet to correctly identify a single XP host, it can't seem to distinguish between XP and 2000, and it doesn't identify service pack levels. I'm going to move on to FreeBSD.
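As an added illustration (not part of the original post, and not SinFP's own code): a small Python parser for the P1/P2/P3 lines above. It decodes the F field as standard TCP flag bits and the O field as standard TCP option bytes, keeps the B field opaque (its digit meanings are not decoded here), treats "O0" as "no options" (an assumption), and shows that the XP SP2 host SinFP reported as "unknown" differs from the ones it matched only in the M (MSS) field.

```python
import re

# TCP flag bits (RFC 793) and option kinds with their fixed lengths
# (RFC 793/1323/2018); None means the length byte must be read.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG"}
TCP_OPTS = {0: ("EOL", 1), 1: ("NOP", 1), 2: ("MSS", 4), 3: ("WSCALE", 3),
            4: ("SACKOK", 2), 5: ("SACK", None), 8: ("TIMESTAMP", 10)}
SIG_RE = re.compile(r"^(P[123]): B(\w+) F0x([0-9a-fA-F]+) W(\d+) O([0-9a-fA-F]+) M(\d+)$")

def decode_options(hexstr):
    """Name each TCP option in SinFP's O field ("0" is assumed to mean no options)."""
    data = b"" if hexstr == "0" else bytes.fromhex(hexstr)
    names, i = [], 0
    while i < len(data):
        name, length = TCP_OPTS.get(data[i], (f"KIND{data[i]}", None))
        if length is None:          # variable-length option: length is the next byte
            length = data[i + 1]
        names.append(name)
        i += length
    return names

def parse_probe(line):
    """Turn one 'P1: B... F0x.. W.. O.. M..' line into a dict; B is kept as a string."""
    m = SIG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a SinFP probe line: {line!r}")
    probe, b, f, w, o, mss = m.groups()
    flags = int(f, 16)
    return {"probe": probe, "B": b, "window": int(w), "mss": int(mss),
            "flags": [n for bit, n in TCP_FLAGS.items() if flags & bit],
            "options": decode_options(o)}

def same_stack(host_a, host_b):
    """True if two hosts' P1-P3 lines agree in every field except MSS, which
    reflects the interface MTU or a tunnel on the path rather than the stack."""
    strip = lambda p: {k: v for k, v in p.items() if k != "mss"}
    return [strip(parse_probe(l)) for l in host_a] == [strip(parse_probe(l)) for l in host_b]

# Constructed from the post's output: the XP SP2 host SinFP marked "unknown" (M1260)
# and one it matched as Windows 2000/XP at HEURISTIC0 (M1460).
XP_UNKNOWN = ["P1: B11113 F0x12 W65535 O0204ffff M1260",
              "P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1260",
              "P3: B11021 F0x04 W0 O0 M0"]
XP_MATCHED = [l.replace("M1260", "M1460") for l in XP_UNKNOWN]

if __name__ == "__main__":
    for p in map(parse_probe, XP_UNKNOWN):
        print(p["probe"], p["flags"], p["window"], p["options"], p["mss"])
    print("same stack ignoring MSS:", same_stack(XP_UNKNOWN, XP_MATCHED))  # True
```

Decoding P2 this way shows the option order (MSS, NOP, WSCALE, NOP, NOP, TIMESTAMP, NOP, NOP, SACKOK) that the matcher keys on, which is why an MSS change alone pushes a host from an exact match to a heuristic one or to "unknown".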
First Host ( FreeBSD 4.8 ) :
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 4.10
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 4.11
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 4.7
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 4.9
Running: FreeBSD 4.X
OS details: FreeBSD 4.6.2-RELEASE - 4.8-RELEASE
Second Host ( FreeBSD 5.3 ) :
Running: FreeBSD 5.X
OS details: FreeBSD 5.3-STABLE
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 5.3
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 5.4
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 5.5
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 6.0
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 6.1
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 7.0
Third Host ( FreeBSD 5.4 ) :
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 5.4
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 5.5
root@host:/usr/local/sinfp/bin# nmap -O 192.168.X.X
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
While SinFP was never completely accurate, it did outperform nmap on one of the hosts.
Now for some random hosts (no output data, just OS results):
SinFP: IPv4: HEURISTIC0/P1P2: Stack: 4.3BSD: unknown
nmap: Unknown
SunOS 5.6
SinFP: Unknown
nmap: Unknown
Fedora Core 3 ( 2.6.9-1.667 )
SinFP: IPv4: BH0FH0WH0OH0MH1/P1P2: GNU/Linux: Linux: 2.6.x
nmap: Unknown
AIX 4.3
SinFP: Unknown
nmap: Unknown
The results are interesting overall... While nmap is able to give more accurate OS breakdowns (service pack level and actual OS), it seems that SinFP is accurate almost as often... and occasionally actually outperforms nmap. Overall, I'm not impressed, simply because of the inability to accurately detect Windows operating systems... but it is definitely better than it was when I originally tested the 1.x family.
Peace,
HT

Hi, thank you for comparing SinFP versus Nmap. Here follow my comments:
Concerning Windows detection. In your first tests, SinFP output 2000 or XP for an XP SP2 host. Nmap also output 2003, so SinFP is more accurate.
Concerning your Apache, are you sure it listens on all interfaces, and not only on the localhost address?
Concerning your second Windows test (against a fresh XP SP2 install), SinFP output 2000 or XP, and Nmap also says it may be an AIX 5.3. So SinFP is more accurate.
Concerning the distinction between 2000 and XP, yes, SinFP cannot do that. And neither can Nmap. Because they have the same TCP/IP stack. And service packs do not change anything. If Nmap's output does not match this statement, this is because of Nmap's signatures, and how it matches them.
Finally, for random hosts, SunOS 4.1.4 is based on an old stack, taken from 4.3BSD sources, so SinFP is right. For AIX 4.3, have you tried with -H? Anyway, I am ready to accept the signature submission.
Best regards, GomoR.
GomoR, I don't see how you can say that SinFP is more accurate in the Windows detection. Both SinFP and nmap outputted two choices. SinFP said 2000 or XP, and nmap said XP SP2 or 2003.
I would consider nmap to be more accurate since it specifies that it is XP running SP2 or it is 2003.