Nmap Network Scanning, Chapter 8. Remote OS Detection
IPv6 fingerprinting
Nmap has a similar but separate OS detection engine specialized for IPv6. At a high level, the technique is the same: send probes, collect responses, and match the set of responses against a database. The differences are in the specific probes used, and in the way they are matched.
IPv6 OS detection is used just like IPv4. Just use the -6 and -O options together. For example, nmap -6 -O <target>.
Probes Sent
IPv6 OS detection uses many of the same probes that IPv4 OS detection does. Most of the power to distinguish operating systems comes from higher-layer protocols like TCP, though there are a few new IPv6-specific detection features.
In all cases, the IPv6 flow label is 0x12345, on platforms that allow us to set it. On platforms that do not (which includes non-Linux Unix platforms when not using Ethernet to send), the flow label will be 0. Because this can affect the responses, the value of the flow label is recorded in the EXTRA field of OS fingerprints. Except for the NS probe, hop limits are set randomly.
In all, up to 18 probes may be sent. They are sent in the following order.
Sequence generation (S1–S6)
These are the same six probes as the T1 collection of probes sent in IPv4 detection. See the section called “Sequence generation (SEQ, OPS, WIN, and T1)” for documentation of the packet contents. These six probes are sent 100 ms apart for timing measurements.
The S1–S6 probes are skipped if the target lacks an open port.
ICMPv6 echo (IE1)
This is more or less an ordinary ICMPv6 echo request. The type is 128 (Echo Request) and the code is 9, though it should be 0. The ICMPv6 ID is 0xabcd and the sequence number is 0. The data payload is 120 zero bytes. There is one Hop-By-Hop extension header containing only padding.
ICMPv6 echo (IE2)
This is an echo request with a type of 128 (Echo Request) and a code of 0. The ICMPv6 ID is 0xabcd and the sequence is 1. There is no data payload.
What makes this probe interesting are the erroneous extension headers it includes. There are four of them in all, in this order:
1. Hop-By-Hop
2. Destination Options
3. Routing
4. Hop-By-Hop
These headers are erroneous: no header other than Destination Options is supposed to appear more than once, and Hop-by-Hop options are only supposed to appear in the first position. In our tests, no operating systems treat this as a legitimate echo request. They do, however, respond with different ICMPv6 errors.
Node Information Query (NI)
RFC 4620 defines ICMPv6 messages called Node Information Queries that allow asking a target for its hostnames, IPv4 addresses, and IPv6 addresses. The NI probe has type 139 (ICMP Node Information Query) and code 0 (indicating that the subject is an IPv6 address). The qtype is 4 (IPv4 Addresses). The A flag (return all unicast addresses) is set, and no others. The nonce is set to the fixed string "\x01\x02\x03\x04\x05\x06\x07\x0a".
Despite being asked for IPv4 addresses, some operating systems return a DNS name instead.
Neighbor Solicitation (NS)
The NS probe sends a Neighbor Solicitation query, as if asking for the target's hardware address. The type is 135 and the code is 0. The hop limit is always set to 255, no matter the setting of --ttl; RFC 2461 forbids hosts to reply otherwise. All flags are set to 0.
This probe is only sent to hosts on the same subnet.
UDP (U1)
A UDP packet is sent to a closed port, if available. The data payload is set to 300 'C' (0x43) bytes. This probe is designed to elicit an ICMPv6 Port Unreachable message.
TCP explicit congestion notification (TECN)
This is the same as the ECN probe from IPv4. It is a SYN packet to an open port that also has the ECE and CWR flags set. The urgent field value of 0xF7F5 is used even though the urgent flag is not set. The acknowledgment number is zero, the sequence number is random, and the window size field is three. TCP options are WScale (10), NOP, MSS (1460), SACK permitted, NOP, NOP.
TCP (T2–T7)
These correspond to the T2–T7 probes from IPv4 detection, described in the section called “TCP (T2–T7)”. The numbering starts at 2 rather than 1 because the six sequencing probes are collectively known as “T1” in IPv4 (they were renamed to S1–S6 for IPv6).
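The probe descriptions above double as a signature set for a network sensor. As an added example (not code from the Nmap project or from this book), the following Python parses raw IPv6 packets, walks the extension-header chain, and reports which of the chapter's probe characteristics a packet carries: the 0x12345 flow label, the IE1 echo request (code 9, ID 0xabcd, 120 zero bytes, one padding-only Hop-By-Hop header), the IE2 chain of Hop-By-Hop, Destination Options, Routing, Hop-By-Hop, the NI nonce, and the U1 payload of 300 'C' bytes. The sample packets, the fd00::/8 addresses, the UDP port numbers and the zeroed checksums are all constructed here so that the script runs offline; checksums are not validated.

```python
"""Flag Nmap IPv6 OS-detection probes in raw IPv6 packets (added example, not Nmap code)."""
import struct

# Values taken from the probe descriptions in this chapter
NMAP_FLOW_LABEL = 0x12345
ECHO_ID = 0xABCD
NI_NONCE = b"\x01\x02\x03\x04\x05\x06\x07\x0a"
U1_PAYLOAD = b"C" * 300

# IPv6 next-header numbers (IANA assignments)
HOPBYHOP, ROUTING, DESTOPTS, ICMPV6, UDP = 0, 43, 60, 58, 17
EXT_HEADERS = {HOPBYHOP, ROUTING, DESTOPTS}
ICMPV6_ECHO_REQUEST, ICMPV6_NI_QUERY = 128, 139


def walk_ipv6(pkt):
    """Return (flow label, extension-header types in order, upper-layer protocol,
    upper-layer payload) for one raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    flow_label = struct.unpack("!I", pkt[:4])[0] & 0xFFFFF
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nxt)
        # Every extension header starts with Next Header and Hdr Ext Len
        # (length in 8-octet units, not counting the first 8 octets).
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return flow_label, chain, nxt, pkt[off:]


def classify_probe(pkt):
    """List the probe signatures from this chapter that the packet matches."""
    flow, chain, proto, payload = walk_ipv6(pkt)
    hits = []
    if flow == NMAP_FLOW_LABEL:          # absent on platforms that cannot set the label
        hits.append("flow label 0x12345")
    if proto == ICMPV6 and len(payload) >= 8:
        typ, code, _, ident, seq = struct.unpack("!BBHHH", payload[:8])
        if typ == ICMPV6_ECHO_REQUEST and ident == ECHO_ID:
            if code == 9 and seq == 0 and chain == [HOPBYHOP] and len(payload) == 8 + 120:
                hits.append("IE1")
            elif code == 0 and seq == 1 and chain == [HOPBYHOP, DESTOPTS, ROUTING, HOPBYHOP]:
                hits.append("IE2")
        elif typ == ICMPV6_NI_QUERY and code == 0 and payload[8:16] == NI_NONCE:
            hits.append("NI")
    elif proto == UDP and payload[8:] == U1_PAYLOAD:
        hits.append("U1")
    return hits


def build_ipv6(flow, chain, proto, payload, hop_limit=64):
    """Constructed test packet: fd00::1 -> fd00::2, pad-only extension headers,
    checksums left at zero (the classifier never looks at them)."""
    body = b""
    for i, ext in enumerate(chain):
        nxt = chain[i + 1] if i + 1 < len(chain) else proto
        # Hop-By-Hop/DestOpts: one PadN option over 4 bytes; Routing: type 0, 0 segments left
        filler = b"\x00" * 6 if ext == ROUTING else b"\x01\x04\x00\x00\x00\x00"
        body += bytes([nxt, 0]) + filler
    body += payload
    src = bytes.fromhex("fd00" + "00" * 13 + "01")
    dst = bytes.fromhex("fd00" + "00" * 13 + "02")
    first = chain[0] if chain else proto
    return struct.pack("!IHBB", (6 << 28) | flow, len(body), first, hop_limit) + src + dst + body


# Constructed sample packets following the probe descriptions above; U1 is built with
# flow label 0 to stand for a sender platform that cannot set the label.
SAMPLES = {
    "IE1": build_ipv6(NMAP_FLOW_LABEL, [HOPBYHOP], ICMPV6,
                      struct.pack("!BBHHH", 128, 9, 0, ECHO_ID, 0) + b"\x00" * 120),
    "IE2": build_ipv6(NMAP_FLOW_LABEL, [HOPBYHOP, DESTOPTS, ROUTING, HOPBYHOP], ICMPV6,
                      struct.pack("!BBHHH", 128, 0, 0, ECHO_ID, 1)),
    "NI": build_ipv6(NMAP_FLOW_LABEL, [], ICMPV6,
                     struct.pack("!BBHHH", 139, 0, 0, 4, 0) + NI_NONCE),   # qtype 4, flags omitted
    "U1": build_ipv6(0, [], UDP, struct.pack("!HHHH", 40000, 33434, 308, 0) + U1_PAYLOAD),
    "ping": build_ipv6(0, [], ICMPV6, struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1) + b"\x00" * 56),
}


def scan(samples):
    """Classify every packet in a name -> bytes mapping."""
    return {name: classify_probe(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print("%-5s -> %s" % (name, hits or "no match"))
```

The flow label is reported separately from the per-probe matches because, as the chapter notes, it is 0 on platforms that cannot set it; a sensor should treat it as corroborating evidence rather than a requirement.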
Feature extraction
After responses are received, various pieces of data are extracted from them. In machine learning literature these pieces of data are known as “features”. Examples of features are: IPv6 hop limit, ICMPv6 type and code, and code of first TCP option. (In Nmap's terminology, these are known as IPV6_HOPLIMIT, ICMPV6_TYPE, and TCP_OPT_0 respectively.) Some features are simply extracted directly from response packets, and some are the result of doing a calculation over several packets (like TCP_ISR, the TCP initial sequence number counter rate).
Any features whose value cannot be determined (for example, features from a response that was never received) are set to −1. The features are put in a big one-dimensional feature vector. Then each is scaled and translated to put it approximately into the range [0, 1], using scale parameters estimated from our training data.
List of all features
TCP_ISR
TCP ISN counter rate. This is derived from the S1–S6 sequence probes, which are sent 100 ms apart. The differences between consecutive sequence responses are added up, then this sum is divided by the time elapsed between the first and last probe.
The following features are repeated for each response, so for example a fully qualified feature name might be S1.PLEN.
PLEN
IPv6 Payload Length field
TC
IPv6 Traffic Class field
HLIM
A guess at the original value of the IPv6 Hop Limit field
The following features are repeated for each TCP response. A full feature name might be T2.TCP_WINDOW.
TCP_WINDOW
TCP window size
TCP_FLAG_F, TCP_FLAG_S, TCP_FLAG_R, TCP_FLAG_P, TCP_FLAG_A, TCP_FLAG_U, TCP_FLAG_E, TCP_FLAG_C
TCP flags. Each flag becomes a feature with the value 0 or 1.
TCP_FLAG_RES8, TCP_FLAG_RES9, TCP_FLAG_RES10, TCP_FLAG_RES11
These are the four bits of the reserved part of the TCP header. RFC 3540 defines TCP_FLAG_RES8 as the nonce sum (NS) bit.
TCP_OPT_0, <...>, TCP_OPT_16
Type codes for the first 16 TCP options.
TCP_OPTLEN_0, <...>, TCP_OPTLEN_16
Lengths of the first 16 TCP options.
TCP_MSS
Value of the first MSS option, if present.
TCP_SACKOK
1 if the SACK-permitted option is present, 0 otherwise.
TCP_WSCALE
Value of the first Window Scale option, if present.
Differences from IPv4
IPv6 fingerprints look somewhat different from IPv4 fingerprints. Instead of a broken-down list of packet features, they consist of a hex dump of packet contents along with send and receive times. See the section called “Understanding an Nmap Fingerprint” for details.
The IPv6 matching algorithm is quite different. It uses a machine learning algorithm called logistic regression rather than simple comparison against a list of fingerprints. The section called “IPv6 matching” has a description of the algorithm.