nmap fingerprint

Robert Millan rmh@debian.org
Thu, 24 Mar 2005 11:24:04 +0100


On Wed, Mar 23, 2005 at 07:18:06PM +0100, Alexander Sack wrote:
> Robert Millan wrote:
> 
> >They don't say exactly that, but:
> >
> >"Netcraft determines the operating system of the queried host by looking in
> >detail at the network characteristics of the HTTP reply received from the web site."
> >
> >which sounds pretty ambiguous.  Are you sure their detection is not based on tcp
> >fingerprinting?
>
> no, not sure ... anyway, I think that the tcp stack is not built for the
> sake of OS detection. Let's try to submit the info to the nmap and
> netcraft maintainer (I can do this) and see if it helps!

I did some tests, and it turns out that netcraft still identifies the system as
"FreeBSD" instead of "unknown" as I expected.

I'm speaking with the netcraft maintainers already.  It seems that their OS
detection system is somewhat more complex than nmap's, in that a single
difference in tcp fingerprints is not enough to make a system distinguishable.

The technical details are trade secret, so there isn't much we can do about it.

They also told me they take into account the server banner for their stats, so
I'm focusing on the apache2 bug that makes it print "Debian GNU/Linux" in the
banner (testing a patch currently).

> You know about a domain that runs GNU/kFreeBSD and is always up?

Robin runs one.  It's not always up, but netcraft keep records of their checks
so it doesn't really matter.

-- 
 .''`.   Proudly running Debian GNU/kFreeBSD unstable/unreleased (on UFS2+S)
: :' :
`. `'    http://www.debian.org/ports/kfreebsd-gnu
  `-