pf.os revision 1.12
# $OpenBSD: pf.os,v 1.12 2004/01/11 08:12:33 mcbride Exp $
# passive OS fingerprinting
# -------------------------
#
# SYN signatures. These signatures work for SYN packets only (duh!).
#
# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org>
#
#  Permission to use, copy, modify, and distribute this software for any
#  purpose with or without fee is hereby granted, provided that the above
#  copyright notice and this permission notice appear in all copies.
#
#  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
#  WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
#  MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
#  ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
#  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
#  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
#  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
#
# This fingerprint database is adapted from Michal Zalewski's p0f passive
# operating system package.
#
#
# Each line in this file specifies a single fingerprint. Please read the
# information below carefully before attempting to append any signatures
# reported as UNKNOWN to this file to avoid mistakes.
#
# We use the following set of metrics for fingerprinting:
#
# - Window size (WSS) - a highly OS dependent setting used for TCP/IP
#   performance control (max. amount of data to be sent without ACK).
#   Some systems use a fixed value for initial packets. On other
#   systems, it is a multiple of MSS or MTU (MSS+40). In some rare
#   cases, the value is just arbitrary.
#
#   NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
#   appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
#   means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
#   value of nn is not fixed (unlikely), just copy the Snn or Tnn token
#   literally. If you know this device has a simple stack and a fixed
#   MTU, you can however multiply the S value by MSS, or the T value by
#   MSS+40, and put the product in place of Snn or Tnn.
#
#   If WSS otherwise looks like a fixed value (for example a power
#   of two), or if you can confirm the value is fixed, please quote
#   it literally. If there's no apparent pattern in the WSS chosen, you
#   should consider wildcarding this value.
#
# - Overall packet size - a function of all IP and TCP options and bugs.
#
#   NEW SIGNATURE: Copy this value literally.
#
# - Initial TTL - We check the actual TTL of a received packet. It can't
#   be higher than the initial TTL, and also shouldn't be dramatically
#   lower (maximum distance is defined as 40 hops).
#
#   NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
#   You need to determine the initial TTL. The best way to do it is to
#   check the documentation for the remote system, or check its settings.
#   A fairly good method is to simply round the observed TTL up to
#   32, 64, 128, or 255, but it should be noted that some obscure devices
#   might not use round TTLs (in particular, some shoddy appliances use
#   "original" initial TTL settings). If not sure, you can see how many
#   hops you're away from the remote party with traceroute or mtr.
#
# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
#   discovery. Others do not bother.
#
#   NEW SIGNATURE: Copy this value literally.
#
# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
#   uses it to determine the link type of the remote host.
#
#   NEW SIGNATURE: Always wildcard this value, except for rare cases when
#   you have an appliance with a fixed value, know the system supports only
#   a very limited number of network interface types, or know the system
#   is using a value it pulled out of nowhere. A specific, unique MSS
#   can be used to tell Google crawlbots from the rest of the population.
#
# - Window scaling (WSCALE) - this feature is used to scale WSS.
#   It extends the size of a TCP/IP window to 32 bits. Some modern
#   systems implement this feature.
#
#   NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
#   to zero or another low value. There's usually no need to wildcard this
#   parameter.
#
# - Timestamp - some systems that implement timestamps set them to
#   zero in the initial SYN. This case is detected and handled appropriately.
#
# - Selective ACK permitted - a flag set by systems that implement
#   selective ACK functionality.
#
# - The sequence of all TCP options (MSS, window scaling, selective ACK
#   permitted, timestamp, NOP). Other than the options previously
#   discussed, p0f also checks for the timestamp option (a silly
#   extension to broadcast your uptime ;-), NOP options (used for
#   header padding) and the sackOK option (selective ACK feature).
#
#   NEW SIGNATURE: Copy the sequence literally.
#
# To wildcard any value (except for initial TTL or TCP options), replace
# it with '*'. You can also use a modulo operator to match any value
# that is divisible by nnn - '%nnn'.
#
# Fingerprint entry format:
#
# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
#
# wwww     - window size (can be *, %nnn, Snn or Tnn).  The special values
#            "S" and "T" denote a multiple of MSS or a multiple of MTU
#            respectively.
# ttt      - initial TTL
# D        - don't fragment bit (0 - not set, 1 - set)
# ss       - overall SYN packet size
# OOO      - option value and order specification (see below)
# OS       - OS genre (Linux, Solaris, Windows)
# Version  - OS Version (2.0.27 on x86, etc)
# Subtype  - OS subtype or patchlevel (SP3, lo0)
# details  - Generic OS details
#
# If OS genre starts with '*', p0f will not show distance, link type
# and timestamp data. It is useful for userland TCP/IP stacks of
# network scanners and so on, where many settings are randomized or
# bogus.
#
# If OS genre starts with @, it denotes an approximate hit for a group
# of operating systems (signature reporting still enabled in this case).
# Use this feature at the end of this file to catch cases for which
# you don't have a precise match, but can tell it's Windows or FreeBSD
# or whatnot by looking at, say, flag layout alone.
#
# Option block description is a list of comma or space separated
# options in the order they appear in the packet:
#
# N	   - NOP option
# Wnnn	   - window scaling option, value nnn (or * or %nnn)
# Mnnn	   - maximum segment size option, value nnn (or * or %nnn)
# S	   - selective ACK OK
# T	   - timestamp
# T0	   - timestamp with a zero value
#
# To denote no TCP options, use a single '.'.
#
# Please report any additions to this file, or any inaccuracies or
# problems spotted, to the maintainers: lcamtuf@coredump.cx,
# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet
# capture of the relevant SYN packet(s)
#
# A test and submission page is available at
# http://lcamtuf.coredump.cx/p0f-help/
#
#
# WARNING WARNING WARNING
# -----------------------
#
# Do not add a system X as OS Y just because NMAP says so. It is often
# the case that X is a NAT firewall. While nmap is talking to the
# device itself, p0f is fingerprinting the guy behind the firewall
# instead.
#
# When in doubt, use common sense, don't add something that looks like
# a completely different system as Linux or FreeBSD or LinkSys router.
# Check the DNS name, establish a connection to the remote host and look
# at the SYN+ACK - does it look similar?
#
# Some users tweak their TCP/IP settings - enable or disable RFC1323
# functionality, enable or disable timestamps or selective ACK,
# disable PMTU discovery, change MTU and so on. Always compare a new rule
# to other fingerprints for this system, and verify the system isn't
# "customized" before adding it. It is OK to add signature variants
# caused by commonly used software (personal firewalls, security
# packages, etc), but it makes no sense to try to add every single
# possible /proc/sys/net/ipv4 tweak on Linux or so.
#
# KEEP IN MIND: Some packet firewalls configured to normalize outgoing
# traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
# normalize packets. Signatures will not correspond to the originating
# system (and probably not quite to the firewall either).
#
# NOTE: Try to keep this file in some reasonable order, from most to
# least likely systems. This will speed up operation. Also keep most
# generic and broad rules near the end.
#
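The header above describes the signature format and the rules for reading each field. The following is an added example, not code from OpenBSD's pf.os or from pfctl, showing how a matcher applies those rules to an observed SYN: Snn and Tnn window sizes computed from the packet's own MSS, the '%nnn' and '*' wildcards, literal option order, and the initial-TTL distance check (received TTL at or below the initial TTL, by at most 40 hops). The signature lines embedded in it are a constructed subset copied from this file; the SYN records are constructed test input, not captured traffic. One assumption is labelled in the code: a 'T' token is treated as not matching an observed zero timestamp ('T0'), since the file lists them as distinct tokens.

```python
# Added example: parser and matcher for the pf.os signature format described
# above. Not OpenBSD's code. Signatures below are a constructed subset of this
# file; the SYN records are constructed test input.
from dataclasses import dataclass
from typing import List, Optional

MAX_DISTANCE = 40  # hops; the "maximum distance" from the initial TTL rule above


@dataclass
class Sig:
    wss: str           # literal, '*', '%nnn', 'Snn' (MSS multiple) or 'Tnn' (MTU multiple)
    ttl: int           # initial TTL of the sending stack, never the observed TTL
    df: int
    size: int          # overall SYN size: IP + TCP headers + options
    opts: List[str]    # option tokens in packet order, e.g. ['M*', 'S', 'T', 'N', 'W0']
    genre: str
    version: str
    subtype: str
    details: str


@dataclass
class Syn:
    wss: int
    ttl: int           # TTL as received
    df: int
    size: int
    mss: Optional[int]  # None when the SYN carried no MSS option
    opts: List[str]     # observed tokens: 'Mnnn', 'Wnnn', 'N', 'S', 'T' or 'T0'


def parse_sig(line: str) -> Optional[Sig]:
    """Parse one pf.os line; blank lines and comments yield None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = [f.strip() for f in line.split(":", 8)]
    if len(fields) != 9:
        raise ValueError(f"malformed signature: {line!r}")
    wss, ttl, df, size, opts, genre, version, subtype, details = fields
    tokens = [] if opts == "." else opts.replace(",", " ").split()
    return Sig(wss, int(ttl), int(df), int(size), tokens, genre, version, subtype, details)


def parse_db(text: str) -> List[Sig]:
    return [s for s in map(parse_sig, text.splitlines()) if s is not None]


def match_num(pattern: str, value: int, mss: Optional[int] = None) -> bool:
    """Match a numeric field against '*', '%nnn', 'Snn', 'Tnn' or a literal."""
    if pattern == "*":
        return True
    if pattern.startswith("%"):
        return value % int(pattern[1:]) == 0
    if pattern[0] in "ST":
        if mss is None:
            return False                                  # no MSS, so no multiple of it
        unit = mss if pattern[0] == "S" else mss + 40     # Tnn: multiple of MTU = MSS + 40
        return value == unit * int(pattern[1:])
    return value == int(pattern)


def match(sig: Sig, pkt: Syn) -> bool:
    # Received TTL can only be at or below the initial TTL, by at most MAX_DISTANCE.
    if not (pkt.ttl <= sig.ttl <= pkt.ttl + MAX_DISTANCE):
        return False
    if sig.df != pkt.df or sig.size != pkt.size:
        return False
    if not match_num(sig.wss, pkt.wss, pkt.mss):
        return False
    if len(sig.opts) != len(pkt.opts):     # option count and order must agree exactly
        return False
    for want, got in zip(sig.opts, pkt.opts):
        if want[0] in "MW":
            if got[0] != want[0] or not match_num(want[1:], int(got[1:])):
                return False
        elif want != got:  # assumption: N, S, T, T0 are literal, so 'T' does not match 'T0'
            return False
    return True


def lookup(db: List[Sig], pkt: Syn) -> List[Sig]:
    """Every matching signature, in file order (most to least likely)."""
    return [s for s in db if match(s, pkt)]


def label(sig: Sig) -> str:
    """'Genre Version Subtype' with the '*' and '@' genre markers stripped;
    '@' entries are reported as approximate, as the file describes them."""
    name = " ".join(x for x in (sig.genre.lstrip("*@"), sig.version, sig.subtype) if x)
    return name + " (approximate)" if sig.genre.startswith("@") else name


# Constructed subset of the signatures in this file, in their original order.
DB = parse_db("""
16384:64:0:60:M512,N,W%2,N,N,T:		AIX:4.3:3:AIX 4.3.3-5.2
S4:64:1:60:M1360,S,T,N,W0:	Linux:google::Linux (Google crawlbot)
S4:64:1:60:M*,S,T,N,W0:		Linux:2.4::Linux 2.4/2.6
S4:64:1:60:M*,S,T,N,W0:		Linux:2.6::Linux 2.4/2.6
T4:64:1:60:M1412,S,T,N,W0:	Linux:2.4::Linux 2.4 (late, uncommon)
%8192:64:1:48:M*,N,N,S:			Windows:98::Windows 98 (or newer XP/2000 with tweaked TTL)
1024:64:0:40:.:				*NMAP:syn scan:1:NMAP syn scan (1)
*:128:1:48:M*,N,N,S:			@Windows:XP::Windows XP/2000
""")

# Constructed SYN observations (not captured traffic).
LINUX_SYN = Syn(wss=5840, ttl=51, df=1, size=60, mss=1460, opts=["M1460", "S", "T", "N", "W0"])
LATE_24_SYN = Syn(wss=5808, ttl=60, df=1, size=60, mss=1412, opts=["M1412", "S", "T", "N", "W0"])
XP_SYN = Syn(wss=65535, ttl=117, df=1, size=48, mss=1460, opts=["M1460", "N", "N", "S"])
XP_TWEAKED_TTL = Syn(wss=16384, ttl=50, df=1, size=48, mss=1460, opts=["M1460", "N", "N", "S"])
NMAP_SYN = Syn(wss=1024, ttl=55, df=0, size=40, mss=None, opts=[])
```

Running lookup over DB with LINUX_SYN returns both the Linux 2.4 and Linux 2.6 entries, which is why the file keeps duplicate lines per genre and asks that they be ordered from most to least likely. LATE_24_SYN hits only the T4 line (4 * (1412 + 40) = 5808, not 4 * 1412), and XP_TWEAKED_TTL lands on the Windows 98 '%8192' line rather than the '@Windows' generic because a received TTL of 50 is more than 40 hops below 128, the situation the "tweaked TTL" comment in the Windows section is about.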

##########################
# Standard OS signatures #
##########################

# ----------------- AIX ---------------------

# AIX is first because its signatures are close to NetBSD, MacOS X and
# Linux 2.0, but it uses fairly rare MSS values, at least sometimes...
# This is a shoddy hack, though.

16384:64:0:44:M512:		AIX:4.3:2-3:AIX 4.3.2 and earlier

16384:64:0:60:M512,N,W%2,N,N,T:		AIX:4.3:3:AIX 4.3.3-5.2
16384:64:0:60:M512,N,W%2,N,N,T:		AIX:5.1-5.2::AIX 4.3.3-5.2
32768:64:0:60:M512,N,W%2,N,N,T:		AIX:4.3:3:AIX 4.3.3-5.2
32768:64:0:60:M512,N,W%2,N,N,T:		AIX:5.1-5.2::AIX 4.3.3-5.2
65535:64:0:60:M512,N,W%2,N,N,T:		AIX:4.3:3:AIX 4.3.3-5.2
65535:64:0:60:M512,N,W%2,N,N,T:		AIX:5.1-5.2::AIX 4.3.3-5.2
65535:64:0:64:M*,N,W1,N,N,T,N,N,S:	AIX:5.3:ML1:AIX 5.3 ML1

# ----------------- Linux -------------------

512:64:0:44:M*:			Linux:2.0:3x:Linux 2.0.3x
16384:64:0:44:M*:		Linux:2.0:3x:Linux 2.0.3x

# Endian snafu! Nelson says "ha-ha":
2:64:0:44:M*:			Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
64:64:0:44:M*:			Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac


S4:64:1:60:M1360,S,T,N,W0:	Linux:google::Linux (Google crawlbot)

S2:64:1:60:M*,S,T,N,W0:		Linux:2.4::Linux 2.4 (big boy)
S3:64:1:60:M*,S,T,N,W0:		Linux:2.4:18-21:Linux 2.4.18 and newer
S4:64:1:60:M*,S,T,N,W0:		Linux:2.4::Linux 2.4/2.6
S4:64:1:60:M*,S,T,N,W0:		Linux:2.6::Linux 2.4/2.6

S3:64:1:60:M*,S,T,N,W1:		Linux:2.5::Linux 2.5
S4:64:1:60:M*,S,T,N,W1:		Linux:2.5-2.6::Linux 2.5/2.6

S20:64:1:60:M*,S,T,N,W0:	Linux:2.2:20-25:Linux 2.2.20 and newer
S22:64:1:60:M*,S,T,N,W0:	Linux:2.2::Linux 2.2
S11:64:1:60:M*,S,T,N,W0:	Linux:2.2::Linux 2.2

# Popular cluster config scripts disable timestamps and
# selective ACK:
S4:64:1:48:M1460,N,W0:		Linux:2.4:cluster:Linux 2.4 in cluster

# This needs to be investigated. On some systems, WSS
# is selected as a multiple of MTU instead of MSS. I got
# many submissions for this for many late versions of 2.4:
T4:64:1:60:M1412,S,T,N,W0:	Linux:2.4::Linux 2.4 (late, uncommon)

# This happens only over loopback, but let's make folks happy:
32767:64:1:60:M16396,S,T,N,W0:	Linux:2.4:lo0:Linux 2.4 (local)
S8:64:1:60:M3884,S,T,N,W0:	Linux:2.2:lo0:Linux 2.2 (local)

# Opera visitors:
16384:64:1:60:M*,S,T,N,W0:	Linux:2.2:Opera:Linux 2.2 (Opera?)
32767:64:1:60:M*,S,T,N,W0:	Linux:2.4:Opera:Linux 2.4 (Opera?)

# Some fairly common mods:
S4:64:1:52:M*,N,N,S,N,W0:	Linux:2.4:ts:Linux 2.4 w/o timestamps
S22:64:1:52:M*,N,N,S,N,W0:	Linux:2.2:ts:Linux 2.2 w/o timestamps


# ----------------- FreeBSD -----------------

16384:64:1:44:M*:		FreeBSD:2.0-2.2::FreeBSD 2.0-4.1
16384:64:1:44:M*:		FreeBSD:3.0-3.5::FreeBSD 2.0-4.1
16384:64:1:44:M*:		FreeBSD:4.0-4.1::FreeBSD 2.0-4.1
16384:64:1:60:M*,N,W0,N,N,T:	FreeBSD:4.4::FreeBSD 4.4

1024:64:1:60:M*,N,W0,N,N,T:	FreeBSD:4.4::FreeBSD 4.4

57344:64:1:44:M*:		FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323)
57344:64:1:60:M*,N,W0,N,N,T:	FreeBSD:4.6-4.8::FreeBSD 4.6-4.8

32768:64:1:60:M*,N,W0,N,N,T:	FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X)
32768:64:1:60:M*,N,W0,N,N,T:	FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
65535:64:1:60:M*,N,W0,N,N,T:	FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X)
65535:64:1:60:M*,N,W0,N,N,T:	FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-4.9::FreeBSD 4.7-5.1
65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:5.0-5.1::FreeBSD 4.7-5.1

# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps)

# ----------------- NetBSD ------------------

65535:64:0:60:M*,N,W0,N,N,T0:	NetBSD:1.6:opera:NetBSD 1.6 (Opera)
16384:64:0:60:M*,N,W0,N,N,T0:	NetBSD:1.6::NetBSD 1.6
16384:64:1:60:M*,N,W0,N,N,T0:	NetBSD:1.6:df:NetBSD 1.6 (DF)
16384:64:0:60:M*,N,W0,N,N,T:	NetBSD:1.3::NetBSD 1.3
65535:64:1:60:M*,N,W1,N,N,T0:	NetBSD:1.6::NetBSD 1.6W-current (DF)

# ----------------- OpenBSD -----------------

16384:64:0:60:M*,N,W0,N,N,T:		OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6)
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:	OpenBSD:3.0-3.4::OpenBSD 3.0-3.4
16384:64:0:64:M*,N,N,S,N,W0,N,N,T:	OpenBSD:3.0-3.4:no-df:OpenBSD 3.0-3.4 (scrub no-df)
57344:64:1:64:M*,N,N,S,N,W0,N,N,T:	OpenBSD:3.3-3.4::OpenBSD 3.3-3.4
57344:64:0:64:M*,N,N,S,N,W0,N,N,T:	OpenBSD:3.3-3.4:no-df:OpenBSD 3.3-3.4 (scrub no-df)

65535:64:1:64:M*,N,N,S,N,W0,N,N,T:	OpenBSD:3.0-3.4:opera:OpenBSD 3.0-3.4 (Opera)

# ----------------- Solaris -----------------

S17:64:1:64:N,W3,N,N,T0,N,N,S,M*:	Solaris:8:RFC1323:Solaris 8 RFC1323
S17:64:1:48:N,N,S,M*:			Solaris:8::Solaris 8
S17:255:1:44:M*:			Solaris:2.5-2.7::Solaris 2.5 to 7

S6:255:1:44:M*:				Solaris:2.6-2.7::Solaris 2.6 to 7
S23:255:1:44:M*:			Solaris:2.5:1:Solaris 2.5.1
S34:64:1:48:M*,N,N,S:			Solaris:2.9::Solaris 9
S44:255:1:44:M*:			Solaris:2.7::Solaris 7

# ----------------- IRIX --------------------

49152:64:0:44:M*:			IRIX:6.4::IRIX 6.4
61440:64:0:44:M*:			IRIX:6.2-6.5::IRIX 6.2-6.5
49152:64:0:52:M*,N,W2,N,N,S:		IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
49152:64:0:52:M*,N,W3,N,N,S:		IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)

61440:64:0:48:M*,N,N,S:			IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21
49152:64:0:48:M*,N,N,S:			IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21

# ----------------- Tru64 -------------------

32768:64:1:48:M*,N,W0:			Tru64:4.0::Tru64 4.0
32768:64:0:48:M*,N,W0:			Tru64:5.0::Tru64 5.0
8192:64:0:44:M1460:			Tru64:5.1:noRFC1323:Tru64 5.1 (no RFC1323) (or QNX 6)

# This looks awfully Linuxish :/
# S22:64:0:60:M*,S,T,N,W0:		Tru64:5.0:a:Tru64 5.0a

61440:64:0:48:M*,N,W0:			Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)


# ----------------- OpenVMS -----------------

6144:64:1:60:M*,N,W0,N,N,T:		OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack)

# ----------------- MacOS -------------------

16616:255:1:48:M*,W0:			MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
16616:255:1:48:M*,W0:			MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
32768:255:1:48:M*,W0,N:			MacOS:9.1-9.2::MacOS 9.1/9.2
32768:64:0:60:M*,N,W0,N,N,T:		MacOS:X:10.2:MacOS X 10.2

# ----------------- Windows -----------------

# Windows 95 - need more:

8192:32:1:44:M*:			Windows:95::Windows 95 (low TTL)

# Windows 98 - plenty of silly signatures:
S44:32:1:48:M*,N,N,S:			Windows:98::Windows 98 (low TTL)
8192:32:1:48:M*,N,N,S:			Windows:98::Windows 98 (low TTL)

%8192:64:1:48:M*,N,N,S:			Windows:98::Windows 98 (or newer XP/2000 with tweaked TTL)
S4:64:1:48:M*,N,N,S:			Windows:98::Windows 98
S6:64:1:48:M*,N,N,S:			Windows:98::Windows 98
S12:64:1:48:M*,N,N,S:			Windows:98::Windows 98
32767:64:1:48:M*,N,N,S:			Windows:98::Windows 98
37300:64:1:48:M*,N,N,S:			Windows:98::Windows 98
46080:64:1:52:M*,N,W3,N,N,S:		Windows:98:RFC1323:Windows 98 (RFC1323)
65535:64:1:44:M*:			Windows:98:noSACK:Windows 98 (no sack)

S16:128:1:48:M*,N,N,S:			Windows:98::Windows 98
S16:128:1:64:M*,N,W0,N,N,T0,N,N,S:	Windows:98::Windows 98
S26:128:1:48:M*,N,N,S:			Windows:98::Windows 98
T30:128:1:48:M*,N,N,S:			Windows:98::Windows 98
32767:128:1:52:M*,N,W0,N,N,S:		Windows:98::Windows 98
60352:128:1:48:M*,N,N,S:		Windows:98::Windows 98
60352:128:1:64:M*,N,W2,N,N,T0,N,N,S:	Windows:98::Windows 98

# Windows NT 4.0 - need more:

64512:128:1:44:M1414:			Windows:NT:4.0:Windows NT 4.0 SP6a
8192:128:1:44:M*:			Windows:NT:4.0:Windows NT 4.0 (older)
6144:128:1:52:M*,W0,N,S,N,N:		Windows:NT:4.0:Windows NT 4.0 (RFC1323)

# Windows XP and 2000. Most of the signatures that were
# either dubious or non-specific (no service pack data)
# were deleted and replaced with generics at the end.

65535:128:1:48:M*,N,N,S:		Windows:2000:SP4:Windows 2000 SP4, XP SP1
%8192:128:1:48:M*,N,N,S:		Windows:2000:SP4:Windows 2000 SP4, XP SP1
S45:128:1:48:M*,N,N,S:			Windows:2000:SP4:Windows 2000 SP4
S6:128:1:48:M*,N,N,S:			Windows:2000:SP4:Windows XP SP1, 2000 SP4
S44:128:1:48:M*,N,N,S:			Windows:2000:SP3:Windows XP Pro SP1, 2000 SP3

S6:128:1:48:M*,N,N,S:			Windows:XP:SP1:Windows XP SP1, 2000 SP4
S44:128:1:48:M*,N,N,S:			Windows:XP:SP1:Windows XP Pro SP1, 2000 SP3
64512:128:1:48:M*,N,N,S:		Windows:XP:SP1:Windows XP SP1
32767:128:1:48:M1452,N,N,S:		Windows:XP:SP1:Windows XP SP1
65535:128:1:48:M*,N,N,S:		Windows:XP:SP1:Windows 2000 SP4, XP SP1
%8192:128:1:48:M*,N,N,S:		Windows:XP:SP1:Windows 2000 SP4, XP SP1

# Odds, ends, mods:

S52:128:1:48:M1260,N,N,S:		Windows:XP:Cisco:Windows XP/2000 via Cisco
S52:128:1:48:M1260,N,N,S:		Windows:2000:Cisco:Windows XP/2000 via Cisco

# HUNT DOWN:
# *:128:1:48:M*,N,N,S:U:@Windows:XP (leak) (PLEASE REPORT)

# ----------------- HP/UX -------------------

32768:64:1:44:M*:			HP-UX:B.10.20::HP-UX B.10.20
32768:64:0:48:M*,W0,N:			HP-UX:11.0::HP-UX 11.0
32768:64:1:48:M*,W0,N:			HP-UX:11.10::HP-UX 11.0 or 11.11
32768:64:1:48:M*,W0,N:			HP-UX:11.11::HP-UX 11.0 or 11.11

# Whoa. Hardcore WSS.
0:64:0:48:M*,W0,N:			HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323)


# ----------------- RiscOS ------------------

# We don't yet support the ?12 TCP option
#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12:	RISCOS:3.70-4.36::RISC OS 3.70-4.36

# ----------------- BSD/OS ------------------

# Once again, power of two WSS is also shared by MacOS X with DF set
8192:64:1:60:M1460,N,W0,N,N,T:		BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF)
8192:64:1:60:M1460,N,W0,N,N,T:		BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2)


# ---------------- NewtonOS -----------------

4096:64:0:44:M1420:		NewtonOS:2.1::NewtonOS 2.1

# ---------------- NeXTSTEP -----------------

S8:64:0:44:M512:		NeXTSTEP:3.3::NeXTSTEP 3.3

# ------------------ BeOS -------------------

1024:255:0:48:M*,N,W0:		BeOS:5.0-5.1::BeOS 5.0-5.1
12288:255:0:44:M1402:		BeOS:5.0::BeOS 5.0.x

# ------------------ OS/400 -----------------

8192:64:1:60:M1440,N,W0,N,N,T:	OS/400:VR4::OS/400 VR4/R5
8192:64:1:60:M1440,N,W0,N,N,T:	OS/400:VR5::OS/400 VR4/R5
4096:64:1:60:M1440,N,W0,N,N,T:	OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032


# ------------------ ULTRIX -----------------

16384:64:0:40:.:		ULTRIX:4.5::ULTRIX 4.5

# ------------------- QNX -------------------

S16:64:0:44:M512:		QNX:::QNX demodisk

# ------------------ Novell -----------------

16384:128:1:44:M1460:		Novell:NetWare:5.0:Novell NetWare 5.0
6144:128:1:44:M1460:		Novell:IntranetWare:4.11:Novell IntranetWare 4.11

# ----------------- SCO ------------------
S17:64:1:44:M1460:			SCO:Unixware:7.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
S17:64:1:44:M1460:			SCO:OpenServer:5.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
S3:64:1:60:M1460,N,W0,N,N,T:		SCO:UnixWare:7.1:SCO UnixWare 7.1

# ------------------- DOS -------------------

2048:255:0:44:M536:		DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05

###########################################
# Appliance / embedded / other signatures #
###########################################

# ---------- Firewalls / routers ------------

S12:64:1:44:M1460:			@Checkpoint:::Checkpoint (unknown 1)
S12:64:1:48:N,N,S,M1460:		@Checkpoint:::Checkpoint (unknown 2)
4096:32:0:44:M1460:			ExtremeWare:4.x::ExtremeWare 4.x
60352:64:0:52:M1460,N,W2,N,N,S:		Clavister:7::Clavister firewall 7.x

# ------- Switches and other stuff ----------

4128:255:0:44:M*:			Cisco:::Cisco Catalyst 3500, 7500 etc
S8:255:0:44:M*:				Cisco:12008::Cisco 12008
60352:128:1:64:M1460,N,W2,N,N,T,N,N,S:	Alteon:ACEswitch::Alteon ACEswitch
64512:128:1:44:M1370:			Nortel:Contivity Client::Nortel Contivity Client


# ---------- Caches and whatnots ------------

S4:64:1:52:M1460,N,N,S,N,W0:		AOL:web cache::AOL web cache

32850:64:1:64:N,W1,N,N,T,N,N,S,M*:	NetApp:5.x::NetApp Data OnTap 5.x
16384:64:1:64:M1460,N,N,S,N,W0,N:	NetApp:5.3:1:NetApp 5.3.1
65535:64:0:64:M1460,N,N,S,N,W3,N,N,T:	NetApp:5.3:1:NetApp 5.3.1
65535:64:0:60:M1460,N,W0,N,N,T:		NetApp:CacheFlow::NetApp CacheFlow
8192:64:1:64:M1460,N,N,S,N,W0,N,N,T:	NetApp:5.2:1:NetApp NetCache 5.2.1

S4:64:0:48:M1460,N,N,S:			Cisco:Content Engine::Cisco Content Engine

27085:128:0:40:.:			Dell:PowerApp cache::Dell PowerApp (Linux-based)

65535:255:1:48:N,W1,M1460:		Inktomi:crawler::Inktomi crawler
S1:255:1:60:M1460,S,T,N,W0:		LookSmart:ZyBorg::LookSmart ZyBorg


16384:255:0:40:.:			Proxyblocker:::Proxyblocker (what's this?)

# ----------- Embedded systems --------------

S9:255:0:44:M536:			PalmOS:Tungsten:C:PalmOS Tungsten C
S5:255:0:44:M536:			PalmOS:3::PalmOS 3/4
S5:255:0:44:M536:			PalmOS:4::PalmOS 3/4
S4:255:0:44:M536:			PalmOS:3:5:PalmOS 3.5
2948:255:0:44:M536:			PalmOS:3:5:PalmOS 3.5.3 (Handera)

S23:64:1:64:N,W1,N,N,T,N,N,S,M1460:	SymbianOS:7::SymbianOS 7
8192:255:0:44:M1460:			SymbianOS:6048::SymbianOS 6048 (on Nokia 7650?)
8192:255:0:44:M536:			SymbianOS:::SymbianOS (on Nokia 9210?)


# Perhaps S4?
5840:64:1:60:M1452,S,T,N,W1:		Zaurus:3.10::Zaurus 3.10

32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S:	PocketPC:2002::PocketPC 2002

S1:255:0:44:M346:			Contiki:1.1:rc0:Contiki 1.1-rc0

4096:128:0:44:M1460:			Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0

S12:64:0:44:M1452:			AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64



####################
# Fancy signatures #
####################

1024:64:0:40:.:				*NMAP:syn scan:1:NMAP syn scan (1)
2048:64:0:40:.:				*NMAP:syn scan:2:NMAP syn scan (2)
3072:64:0:40:.:				*NMAP:syn scan:3:NMAP syn scan (3)
4096:64:0:40:.:				*NMAP:syn scan:4:NMAP syn scan (4)

1024:64:0:60:W10,N,M265,T:		*NMAP:OS:1:NMAP OS detection probe (1)
2048:64:0:60:W10,N,M265,T:		*NMAP:OS:2:NMAP OS detection probe (2)
3072:64:0:60:W10,N,M265,T:		*NMAP:OS:3:NMAP OS detection probe (3)
4096:64:0:60:W10,N,M265,T:		*NMAP:OS:4:NMAP OS detection probe (4)

#####################################
# Generic signatures - just in case #
#####################################

#*:64:1:60:M*,N,W*,N,N,T:		@FreeBSD:4.0-4.9::FreeBSD 4.x/5.x
#*:64:1:60:M*,N,W*,N,N,T:		@FreeBSD:5.0-5.1::FreeBSD 4.x/5.x

*:128:1:52:M*,N,W0,N,N,S:		@Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:52:M*,N,W0,N,N,S:		@Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:64:M*,N,W0,N,N,T0,N,N,S:	@Windows:XP:RFC1323:Windows XP/2000 (RFC1323)
*:128:1:64:M*,N,W0,N,N,T0,N,N,S:	@Windows:2000:RFC1323:Windows XP/2000 (RFC1323)
*:128:1:64:M*,N,W*,N,N,T0,N,N,S:	@Windows:XP:RFC1323:Windows XP (RFC1323, w+)
*:128:1:48:M*,N,N,S:			@Windows:XP::Windows XP/2000
*:128:1:48:M*,N,N,S:			@Windows:2000::Windows XP/2000
556