# $FreeBSD$
# passive OS fingerprinting
# -------------------------
#
# SYN signatures. Those signatures work for SYN packets only (duh!).
#
# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
#
# This fingerprint database is adapted from Michal Zalewski's p0f passive
# operating system package.
#
#
# Each line in this file specifies a single fingerprint. Please read the
# information below carefully before attempting to append any signatures
# reported as UNKNOWN to this file to avoid mistakes.
#
# We use the following set of metrics for fingerprinting:
#
#   - Window size (WSS) - a highly OS dependent setting used for TCP/IP
#     performance control (max. amount of data to be sent without ACK).
#     Some systems use a fixed value for initial packets. On other
#     systems, it is a multiple of MSS or MTU (MSS+40). In some rare
#     cases, the value is just arbitrary.
#
#     NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
#     appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
#     means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
#     value of nn is not fixed (unlikely), just copy the Snn or Tnn token
#     literally. If you know this device has a simple stack and a fixed
#     MTU, you can however multiply the S value by MSS, or the T value by
#     MSS+40, and put the result in place of Snn or Tnn.
#
#     If WSS otherwise looks like a fixed value (for example a multiple
#     of two), or if you can confirm the value is fixed, please quote
#     it literally. If there's no apparent pattern in the WSS chosen, you
#     should consider wildcarding this value.
#
#   - Overall packet size - a function of all IP and TCP options and bugs.
#
#     NEW SIGNATURE: Copy this value literally.
#
#   - Initial TTL - We check the actual TTL of a received packet. It can't
#     be higher than the initial TTL, and also shouldn't be dramatically
#     lower (maximum distance is defined as 40 hops).
#
#     NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
#     You need to determine the initial TTL. The best way to do it is to
#     check the documentation for a remote system, or check its settings.
#     A fairly good method is to simply round the observed TTL up to
#     32, 64, 128, or 255, but it should be noted that some obscure devices
#     might not use round TTLs (in particular, some shoddy appliances use
#     "original" initial TTL settings). If not sure, you can see how many
#     hops you're away from the remote party with traceroute or mtr.
#
#   - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
#     discovery. Others do not bother.
#
#     NEW SIGNATURE: Copy this value literally.
#
#   - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
#     uses it to determine the link type of the remote host.
#
#     NEW SIGNATURE: Always wildcard this value, except for rare cases when
#     you have an appliance with a fixed value, know the system supports only
#     a very limited number of network interface types, or know the system
#     is using a value it pulled out of nowhere. A specific unique MSS
#     can be used to tell Google crawlbots from the rest of the population.
#
#   - Window scaling (WSCALE) - this feature is used to scale WSS.
#     It extends the size of a TCP/IP window to 32 bits. Some modern
#     systems implement this feature.
#
#     NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
#     to zero or another low value. There's usually no need to wildcard this
#     parameter.
#
#   - Timestamp - some systems that implement timestamps set them to
#     zero in the initial SYN. This case is detected and handled appropriately.
#
#   - Selective ACK permitted - a flag set by systems that implement
#     selective ACK functionality.
#
#   - The sequence of all TCP options (MSS, window scaling, selective ACK
#     permitted, timestamp, NOP). Other than the options previously
#     discussed, p0f also checks for the timestamp option (a silly
#     extension to broadcast your uptime ;-), NOP options (used for
#     header padding) and the sackOK option (selective ACK feature).
#
#     NEW SIGNATURE: Copy the sequence literally.
#
# To wildcard any value (except for initial TTL or TCP options), replace
# it with '*'. You can also use a modulo operator to match any values
# that divide by nnn - '%nnn'.
#
# Fingerprint entry format:
#
# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
#
#   wwww    - window size (can be *, %nnn, Snn or Tnn). The special values
#             "S" and "T" denote a multiple of MSS or a multiple of MTU
#             respectively.
#   ttt     - initial TTL
#   D       - don't fragment bit (0 - not set, 1 - set)
#   ss      - overall SYN packet size
#   OOO     - option value and order specification (see below)
#   OS      - OS genre (Linux, Solaris, Windows)
#   Version - OS Version (2.0.27 on x86, etc)
#   Subtype - OS subtype or patchlevel (SP3, lo0)
#   Details - Generic OS details
#
# If OS genre starts with '*', p0f will not show distance, link type
# and timestamp data. It is useful for userland TCP/IP stacks of
# network scanners and so on, where many settings are randomized or
# bogus.
#
# If OS genre starts with @, it denotes an approximate hit for a group
# of operating systems (signature reporting still enabled in this case).
# Use this feature at the end of this file to catch cases for which
# you don't have a precise match, but can tell it's Windows or FreeBSD
# or whatnot by looking at, say, flag layout alone.
#
# Option block description is a list of comma or space separated
# options in the order they appear in the packet:
#
#   N    - NOP option
#   Wnnn - window scaling option, value nnn (or * or %nnn)
#   Mnnn - maximum segment size option, value nnn (or * or %nnn)
#   S    - selective ACK OK
#   T    - timestamp
#   T0   - timestamp with a zero value
#
# To denote no TCP options, use a single '.'.
#
# Please report any additions to this file, or any inaccuracies or
# problems spotted, to the maintainers: lcamtuf@coredump.cx,
# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet
# capture of the relevant SYN packet(s).
#
# WARNING WARNING WARNING
# -----------------------
#
# Do not add a system X as OS Y just because NMAP says so. It is often
# the case that X is a NAT firewall. While nmap is talking to the
# device itself, p0f is fingerprinting the guy behind the firewall
# instead.
#
# When in doubt, use common sense, don't add something that looks like
# a completely different system as Linux or FreeBSD or LinkSys router.
# Check DNS name, establish a connection to the remote host and look
# at SYN+ACK - does it look similar?
#
# Some users tweak their TCP/IP settings - enable or disable RFC1323
# functionality, enable or disable timestamps or selective ACK,
# disable PMTU discovery, change MTU and so on. Always compare a new rule
# to other fingerprints for this system, and verify the system isn't
# "customized" before adding it. It is OK to add signature variants
# caused by commonly used software (personal firewalls, security
# packages, etc), but it makes no sense to try to add every single
# possible /proc/sys/net/ipv4 tweak on Linux or so.
#
# KEEP IN MIND: Some packet firewalls configured to normalize outgoing
# traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
# normalize packets. Signatures will not correspond to the originating
# system (and probably not quite to the firewall either).
#
# NOTE: Try to keep this file in some reasonable order, from most to
# least likely systems. This will speed up operation. Also keep the most
# generic and broad rules near the end.
#

##########################
# Standard OS signatures #
##########################

# ----------------- AIX ---------------------

# AIX is first because its signatures are close to NetBSD, MacOS X and
# Linux 2.0, but it uses fairly rare MSSes, at least sometimes...
# This is a shoddy hack, though.

16384:64:0:44:M512:  AIX:4.3:2-3:AIX 4.3.2 and earlier

16384:64:0:60:M512,N,W%2,N,N,T:  AIX:4.3:3:AIX 4.3.3-5.2
16384:64:0:60:M512,N,W%2,N,N,T:  AIX:5.1-5.2::AIX 4.3.3-5.2
32768:64:0:60:M512,N,W%2,N,N,T:  AIX:4.3:3:AIX 4.3.3-5.2
32768:64:0:60:M512,N,W%2,N,N,T:  AIX:5.1-5.2::AIX 4.3.3-5.2
65535:64:0:60:M512,N,W%2,N,N,T:  AIX:4.3:3:AIX 4.3.3-5.2
65535:64:0:60:M512,N,W%2,N,N,T:  AIX:5.1-5.2::AIX 4.3.3-5.2
65535:64:0:64:M*,N,W1,N,N,T,N,N,S:  AIX:5.3:ML1:AIX 5.3 ML1

# ----------------- Linux -------------------

512:64:0:44:M*:  Linux:2.0:3x:Linux 2.0.3x
16384:64:0:44:M*:  Linux:2.0:3x:Linux 2.0.3x

# Endian snafu! Nelson says "ha-ha":
2:64:0:44:M*:  Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
64:64:0:44:M*:  Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac

S4:64:1:60:M1360,S,T,N,W0:  Linux:google::Linux (Google crawlbot)

S2:64:1:60:M*,S,T,N,W0:  Linux:2.4::Linux 2.4 (big boy)
S3:64:1:60:M*,S,T,N,W0:  Linux:2.4:18-21:Linux 2.4.18 and newer
S4:64:1:60:M*,S,T,N,W0:  Linux:2.4::Linux 2.4/2.6
S4:64:1:60:M*,S,T,N,W0:  Linux:2.6::Linux 2.4/2.6

S3:64:1:60:M*,S,T,N,W1:  Linux:2.5::Linux 2.5
S4:64:1:60:M*,S,T,N,W1:  Linux:2.5-2.6::Linux 2.5/2.6

S20:64:1:60:M*,S,T,N,W0:  Linux:2.2:20-25:Linux 2.2.20 and newer
S22:64:1:60:M*,S,T,N,W0:  Linux:2.2::Linux 2.2
S11:64:1:60:M*,S,T,N,W0:  Linux:2.2::Linux 2.2

# Popular cluster config scripts disable timestamps and
# selective ACK:
S4:64:1:48:M1460,N,W0:  Linux:2.4:cluster:Linux 2.4 in cluster

# This needs to be investigated. On some systems, WSS
# is selected as a multiple of MTU instead of MSS. I got
# many submissions for this for many late versions of 2.4:
T4:64:1:60:M1412,S,T,N,W0:  Linux:2.4::Linux 2.4 (late, uncommon)

# This happens only over loopback, but let's make folks happy:
32767:64:1:60:M16396,S,T,N,W0:  Linux:2.4:lo0:Linux 2.4 (local)
S8:64:1:60:M3884,S,T,N,W0:  Linux:2.2:lo0:Linux 2.2 (local)

# Opera visitors:
16384:64:1:60:M*,S,T,N,W0:  Linux:2.2:Opera:Linux 2.2 (Opera?)
32767:64:1:60:M*,S,T,N,W0:  Linux:2.4:Opera:Linux 2.4 (Opera?)

# Some fairly common mods:
S4:64:1:52:M*,N,N,S,N,W0:  Linux:2.4:ts:Linux 2.4 w/o timestamps
S22:64:1:52:M*,N,N,S,N,W0:  Linux:2.2:ts:Linux 2.2 w/o timestamps

# ----------------- FreeBSD -----------------

16384:64:1:44:M*:  FreeBSD:2.0-2.2::FreeBSD 2.0-4.1
16384:64:1:44:M*:  FreeBSD:3.0-3.5::FreeBSD 2.0-4.1
16384:64:1:44:M*:  FreeBSD:4.0-4.1::FreeBSD 2.0-4.1
16384:64:1:60:M*,N,W0,N,N,T:  FreeBSD:4.4::FreeBSD 4.4

1024:64:1:60:M*,N,W0,N,N,T:  FreeBSD:4.4::FreeBSD 4.4

57344:64:1:44:M*:  FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323)
57344:64:1:60:M*,N,W0,N,N,T:  FreeBSD:4.6-4.8::FreeBSD 4.6-4.8

32768:64:1:60:M*,N,W0,N,N,T:  FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X)
32768:64:1:60:M*,N,W0,N,N,T:  FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
65535:64:1:60:M*,N,W0,N,N,T:  FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X)
65535:64:1:60:M*,N,W0,N,N,T:  FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
65535:64:1:60:M*,N,W1,N,N,T:  FreeBSD:4.7-4.9::FreeBSD 4.7-5.1
65535:64:1:60:M*,N,W1,N,N,T:  FreeBSD:5.0-5.1::FreeBSD 4.7-5.1

# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps)

# ----------------- NetBSD ------------------

65535:64:0:60:M*,N,W0,N,N,T0:  NetBSD:1.6:opera:NetBSD 1.6 (Opera)
16384:64:0:60:M*,N,W0,N,N,T0:  NetBSD:1.6::NetBSD 1.6
16384:64:1:60:M*,N,W0,N,N,T0:  NetBSD:1.6:df:NetBSD 1.6 (DF)
16384:64:0:60:M*,N,W0,N,N,T:  NetBSD:1.3::NetBSD 1.3
65535:64:1:60:M*,N,W1,N,N,T0:  NetBSD:1.6::NetBSD 1.6W-current (DF)

# ----------------- OpenBSD -----------------

16384:64:0:60:M*,N,W0,N,N,T:  OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6)
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:  OpenBSD:3.0-3.4::OpenBSD 3.0-3.4
16384:64:0:64:M*,N,N,S,N,W0,N,N,T:  OpenBSD:3.0-3.4:no-df:OpenBSD 3.0-3.4 (scrub no-df)
57344:64:1:64:M*,N,N,S,N,W0,N,N,T:  OpenBSD:3.3-3.4::OpenBSD 3.3-3.4
57344:64:0:64:M*,N,N,S,N,W0,N,N,T:  OpenBSD:3.3-3.4:no-df:OpenBSD 3.3-3.4 (scrub no-df)

65535:64:1:64:M*,N,N,S,N,W0,N,N,T:  OpenBSD:3.0-3.4:opera:OpenBSD 3.0-3.4 (Opera)

# ----------------- Solaris -----------------

S17:64:1:64:N,W3,N,N,T0,N,N,S,M*:  Solaris:8:RFC1323:Solaris 8 RFC1323
S17:64:1:48:N,N,S,M*:  Solaris:8::Solaris 8
S17:255:1:44:M*:  Solaris:2.5-2.7::Solaris 2.5 to 7

S6:255:1:44:M*:  Solaris:2.6-2.7::Solaris 2.6 to 7
S23:255:1:44:M*:  Solaris:2.5:1:Solaris 2.5.1
S34:64:1:48:M*,N,N,S:  Solaris:2.9::Solaris 9
S44:255:1:44:M*:  Solaris:2.7::Solaris 7

# ----------------- IRIX --------------------

49152:64:0:44:M*:  IRIX:6.4::IRIX 6.4
61440:64:0:44:M*:  IRIX:6.2-6.5::IRIX 6.2-6.5
49152:64:0:52:M*,N,W2,N,N,S:  IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
49152:64:0:52:M*,N,W3,N,N,S:  IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)

61440:64:0:48:M*,N,N,S:  IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21
49152:64:0:48:M*,N,N,S:  IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21

# ----------------- Tru64 -------------------

32768:64:1:48:M*,N,W0:  Tru64:4.0::Tru64 4.0
32768:64:0:48:M*,N,W0:  Tru64:5.0::Tru64 5.0
8192:64:0:44:M1460:  Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6)

# This looks awfully Linuxish :/
# S22:64:0:60:M*,S,T,N,W0:  Tru64:5.0:a:Tru64 5.0a

61440:64:0:48:M*,N,W0:  Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)

# ----------------- OpenVMS -----------------

6144:64:1:60:M*,N,W0,N,N,T:  OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack)

# ----------------- MacOS -------------------

16616:255:1:48:M*,W0:  MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
16616:255:1:48:M*,W0:  MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
32768:255:1:48:M*,W0,N:  MacOS:9.1-9.2::MacOS 9.1/9.2
32768:64:0:60:M*,N,W0,N,N,T:  MacOS:X:10.2:MacOS X 10.2

# ----------------- Windows -----------------

# Windows 95 - need more:

8192:32:1:44:M*:  Windows:95::Windows 95 (low TTL)

# Windows 98 - plenty of silly signatures:
S44:32:1:48:M*,N,N,S:  Windows:98::Windows 98 (low TTL)
8192:32:1:48:M*,N,N,S:  Windows:98::Windows 98 (low TTL)

%8192:64:1:48:M*,N,N,S:  Windows:98::Windows 98 (or newer XP/2000 with tweaked TTL)
S4:64:1:48:M*,N,N,S:  Windows:98::Windows 98
S6:64:1:48:M*,N,N,S:  Windows:98::Windows 98
S12:64:1:48:M*,N,N,S:  Windows:98::Windows 98
32767:64:1:48:M*,N,N,S:  Windows:98::Windows 98
37300:64:1:48:M*,N,N,S:  Windows:98::Windows 98
46080:64:1:52:M*,N,W3,N,N,S:  Windows:98:RFC1323:Windows 98 (RFC1323)
65535:64:1:44:M*:  Windows:98:noSACK:Windows 98 (no sack)

S16:128:1:48:M*,N,N,S:  Windows:98::Windows 98
S16:128:1:64:M*,N,W0,N,N,T0,N,N,S:  Windows:98::Windows 98
S26:128:1:48:M*,N,N,S:  Windows:98::Windows 98
T30:128:1:48:M*,N,N,S:  Windows:98::Windows 98
32767:128:1:52:M*,N,W0,N,N,S:  Windows:98::Windows 98
60352:128:1:48:M*,N,N,S:  Windows:98::Windows 98
60352:128:1:64:M*,N,W2,N,N,T0,N,N,S:  Windows:98::Windows 98

# Windows NT 4.0 - need more:

64512:128:1:44:M1414:  Windows:NT:4.0:Windows NT 4.0 SP6a
8192:128:1:44:M*:  Windows:NT:4.0:Windows NT 4.0 (older)
6144:128:1:52:M*,W0,N,S,N,N:  Windows:NT:4.0:Windows NT 4.0 (RFC1323)

# Windows XP and 2000. Most of the signatures that were
# either dubious or non-specific (no service pack data)
# were deleted and replaced with generics at the end.

65535:128:1:48:M*,N,N,S:  Windows:2000:SP4:Windows 2000 SP4, XP SP1
%8192:128:1:48:M*,N,N,S:  Windows:2000:SP4:Windows 2000 SP4, XP SP1
S45:128:1:48:M*,N,N,S:  Windows:2000:SP4:Windows 2000 SP4
S6:128:1:48:M*,N,N,S:  Windows:2000:SP4:Windows XP SP1, 2000 SP4
S44:128:1:48:M*,N,N,S:  Windows:2000:SP3:Windows XP Pro SP1, 2000 SP3

S6:128:1:48:M*,N,N,S:  Windows:XP:SP1:Windows XP SP1, 2000 SP4
S44:128:1:48:M*,N,N,S:  Windows:XP:SP1:Windows XP Pro SP1, 2000 SP3
64512:128:1:48:M*,N,N,S:  Windows:XP:SP1:Windows XP SP1
32767:128:1:48:M1452,N,N,S:  Windows:XP:SP1:Windows XP SP1
65535:128:1:48:M*,N,N,S:  Windows:XP:SP1:Windows 2000 SP4, XP SP1
%8192:128:1:48:M*,N,N,S:  Windows:XP:SP1:Windows 2000 SP4, XP SP1

# Odds, ends, mods:

S52:128:1:48:M1260,N,N,S:  Windows:XP:Cisco:Windows XP/2000 via Cisco
S52:128:1:48:M1260,N,N,S:  Windows:2000:Cisco:Windows XP/2000 via Cisco

# HUNT DOWN:
# *:128:1:48:M*,N,N,S:U:@Windows:XP (leak) (PLEASE REPORT)

# ----------------- HP/UX -------------------

32768:64:1:44:M*:  HP-UX:B.10.20::HP-UX B.10.20
32768:64:0:48:M*,W0,N:  HP-UX:11.0::HP-UX 11.0
32768:64:1:48:M*,W0,N:  HP-UX:11.10::HP-UX 11.0 or 11.11
32768:64:1:48:M*,W0,N:  HP-UX:11.11::HP-UX 11.0 or 11.11

# Whoa. Hardcore WSS.
0:64:0:48:M*,W0,N:  HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323)

# ----------------- RiscOS ------------------

# We don't yet support the ?12 TCP option
#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12:  RISCOS:3.70-4.36::RISC OS 3.70-4.36

# ----------------- BSD/OS ------------------

# Once again, power of two WSS is also shared by MacOS X with DF set
8192:64:1:60:M1460,N,W0,N,N,T:  BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF)
8192:64:1:60:M1460,N,W0,N,N,T:  BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2)

# ---------------- NewtonOS -----------------

4096:64:0:44:M1420:  NewtonOS:2.1::NewtonOS 2.1

# ---------------- NeXTSTEP -----------------

S8:64:0:44:M512:  NeXTSTEP:3.3::NeXTSTEP 3.3

# ------------------ BeOS -------------------

1024:255:0:48:M*,N,W0:  BeOS:5.0-5.1::BeOS 5.0-5.1
12288:255:0:44:M1402:  BeOS:5.0::BeOS 5.0.x

# ------------------ OS/400 -----------------

8192:64:1:60:M1440,N,W0,N,N,T:  OS/400:VR4::OS/400 VR4/R5
8192:64:1:60:M1440,N,W0,N,N,T:  OS/400:VR5::OS/400 VR4/R5
4096:64:1:60:M1440,N,W0,N,N,T:  OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032

# ------------------ ULTRIX -----------------

16384:64:0:40:.:  ULTRIX:4.5::ULTRIX 4.5

# ------------------- QNX -------------------

S16:64:0:44:M512:  QNX:::QNX demodisk

# ------------------ Novell -----------------

16384:128:1:44:M1460:  Novell:NetWare:5.0:Novell Netware 5.0
6144:128:1:44:M1460:  Novell:IntranetWare:4.11:Novell IntranetWare 4.11

# ----------------- SCO ------------------
S17:64:1:44:M1460:  SCO:Unixware:7.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
S17:64:1:44:M1460:  SCO:OpenServer:5.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
S3:64:1:60:M1460,N,W0,N,N,T:  SCO:UnixWare:7.1:SCO UnixWare 7.1

# ------------------- DOS -------------------

2048:255:0:44:M536:  DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05

###########################################
# Appliance / embedded / other signatures #
###########################################

# ---------- Firewalls / routers ------------

S12:64:1:44:M1460:  @Checkpoint:::Checkpoint (unknown 1)
S12:64:1:48:N,N,S,M1460:  @Checkpoint:::Checkpoint (unknown 2)
4096:32:0:44:M1460:  ExtremeWare:4.x::ExtremeWare 4.x
60352:64:0:52:M1460,N,W2,N,N,S:  Clavister:7::Clavister firewall 7.x

# ------- Switches and other stuff ----------

4128:255:0:44:M*:  Cisco:::Cisco Catalyst 3500, 7500 etc
S8:255:0:44:M*:  Cisco:12008::Cisco 12008
60352:128:1:64:M1460,N,W2,N,N,T,N,N,S:  Alteon:ACEswitch::Alteon ACEswitch
64512:128:1:44:M1370:  Nortel:Contivity Client::Nortel Contivity Client

# ---------- Caches and whatnots ------------

S4:64:1:52:M1460,N,N,S,N,W0:  AOL:web cache::AOL web cache

32850:64:1:64:N,W1,N,N,T,N,N,S,M*:  NetApp:5.x::NetApp Data OnTap 5.x
16384:64:1:64:M1460,N,N,S,N,W0,N:  NetApp:5.3:1:NetApp 5.3.1
65535:64:0:64:M1460,N,N,S,N,W3,N,N,T:  NetApp:5.3:1:NetApp 5.3.1
65535:64:0:60:M1460,N,W0,N,N,T:  NetApp:CacheFlow::NetApp CacheFlow
8192:64:1:64:M1460,N,N,S,N,W0,N,N,T:  NetApp:5.2:1:NetApp NetCache 5.2.1

S4:64:0:48:M1460,N,N,S:  Cisco:Content Engine::Cisco Content Engine

27085:128:0:40:.:  Dell:PowerApp cache::Dell PowerApp (Linux-based)

65535:255:1:48:N,W1,M1460:  Inktomi:crawler::Inktomi crawler
S1:255:1:60:M1460,S,T,N,W0:  LookSmart:ZyBorg::LookSmart ZyBorg

16384:255:0:40:.:  Proxyblocker:::Proxyblocker (what's this?)

# ----------- Embedded systems --------------

S9:255:0:44:M536:  PalmOS:Tungsten:C:PalmOS Tungsten C
S5:255:0:44:M536:  PalmOS:3::PalmOS 3/4
S5:255:0:44:M536:  PalmOS:4::PalmOS 3/4
S4:255:0:44:M536:  PalmOS:3:5:PalmOS 3.5
2948:255:0:44:M536:  PalmOS:3:5:PalmOS 3.5.3 (Handera)

S23:64:1:64:N,W1,N,N,T,N,N,S,M1460:  SymbianOS:7::SymbianOS 7
8192:255:0:44:M1460:  SymbianOS:6048::SymbianOS 6048 (on Nokia 7650?)
8192:255:0:44:M536:  SymbianOS:::SymbianOS (on Nokia 9210?)

# Perhaps S4?
5840:64:1:60:M1452,S,T,N,W1:  Zaurus:3.10::Zaurus 3.10

32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S:  PocketPC:2002::PocketPC 2002

S1:255:0:44:M346:  Contiki:1.1:rc0:Contiki 1.1-rc0

4096:128:0:44:M1460:  Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0

S12:64:0:44:M1452:  AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64

####################
# Fancy signatures #
####################

1024:64:0:40:.:  *NMAP:syn scan:1:NMAP syn scan (1)
2048:64:0:40:.:  *NMAP:syn scan:2:NMAP syn scan (2)
3072:64:0:40:.:  *NMAP:syn scan:3:NMAP syn scan (3)
4096:64:0:40:.:  *NMAP:syn scan:4:NMAP syn scan (4)

1024:64:0:60:W10,N,M265,T:  *NMAP:OS:1:NMAP OS detection probe (1)
2048:64:0:60:W10,N,M265,T:  *NMAP:OS:2:NMAP OS detection probe (2)
3072:64:0:60:W10,N,M265,T:  *NMAP:OS:3:NMAP OS detection probe (3)
4096:64:0:60:W10,N,M265,T:  *NMAP:OS:4:NMAP OS detection probe (4)

#####################################
# Generic signatures - just in case #
#####################################

#*:64:1:60:M*,N,W*,N,N,T:  @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x
#*:64:1:60:M*,N,W*,N,N,T:  @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x

*:128:1:52:M*,N,W0,N,N,S:  @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:52:M*,N,W0,N,N,S:  @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:64:M*,N,W0,N,N,T0,N,N,S:  @Windows:XP:RFC1323:Windows XP/2000 (RFC1323)
*:128:1:64:M*,N,W0,N,N,T0,N,N,S:  @Windows:2000:RFC1323:Windows XP/2000 (RFC1323)
*:128:1:64:M*,N,W*,N,N,T0,N,N,S:  @Windows:XP:RFC1323:Windows XP (RFC1323, w+)
*:128:1:48:M*,N,N,S:  @Windows:XP::Windows XP/2000
*:128:1:48:M*,N,N,S:  @Windows:2000::Windows XP/2000
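The matcher below is an added example, not part of pf.os, pf or p0f: it parses entries in the format described in the header and applies the matching rules the header spells out (wwww/Wnnn/Mnnn value specs as literal, '*', '%nnn', 'Snn' or 'Tnn'; observed TTL at most 40 hops below the initial TTL; exact option order; T versus T0; '*' and '@' genre prefixes left on the genre for the caller). SAMPLE_DB, Syn, LINUX_SYN and MAXDIST are names chosen here, and two behaviours are this example's assumptions rather than documented pf behaviour: an S/T window spec cannot match a SYN without an MSS option, and a plain T requires a non-zero timestamp.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the pf.os format (entries copied from the file above).
SAMPLE_DB = """\
# comments and blank lines are skipped
S4:64:1:60:M*,S,T,N,W0:          Linux:2.4::Linux 2.4/2.6
16384:64:0:60:M512,N,W%2,N,N,T:  AIX:4.3:3:AIX 4.3.3-5.2
%8192:128:1:48:M*,N,N,S:         Windows:2000:SP4:Windows 2000 SP4, XP SP1
1024:64:0:40:.:                  *NMAP:syn scan:1:NMAP syn scan (1)
*:128:1:48:M*,N,N,S:             @Windows:XP::Windows XP/2000
"""
MAXDIST = 40  # hop distance tolerated between initial and observed TTL (header text)

@dataclass
class Signature:
    wss: str            # literal, '*', '%nnn', 'Snn' or 'Tnn'
    ttl: int            # initial TTL, never the observed one
    df: int
    size: int
    opts: List[str]     # tokens as written, e.g. ["M*", "S", "T", "N", "W0"]
    genre: str          # '*' prefix: userland stack; '@' prefix: approximate group hit
    version: str
    subtype: str
    details: str

@dataclass
class Syn:
    wss: int            # values read from an observed SYN (constructed below)
    ttl: int
    df: int
    size: int
    opts: List[Tuple[str, Optional[int]]]   # ("M", 1460), ("N", None), ("T", 0) ...
    @property
    def mss(self) -> Optional[int]:
        return next((v for k, v in self.opts if k == "M"), None)

def parse_db(text: str) -> List[Signature]:
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":", 8)      # nine fields; Details is everything after the 8th ':'
        if len(f) != 9:
            raise ValueError(f"malformed signature: {line}")
        optf = f[4].strip()
        opts = [] if optf == "." else re.split(r"[,\s]+", optf)   # '.' = no options
        sigs.append(Signature(f[0], int(f[1]), int(f[2]), int(f[3]), opts,
                              f[5].strip(), f[6], f[7], f[8]))
    return sigs

def num_matches(spec: str, value: int, mss: Optional[int]) -> bool:
    """Value spec for wwww, Wnnn and Mnnn: literal, '*', '%nnn', 'Snn' or 'Tnn'."""
    if spec == "*":
        return True
    if spec.startswith("%"):        # any value divisible by nnn
        return int(spec[1:]) > 0 and value % int(spec[1:]) == 0
    if spec[0] in "ST":             # multiple of MSS, or of MTU taken as MSS+40
        if mss is None:             # assumption: without an MSS option S/T forms cannot match
            return False
        return value == (mss if spec[0] == "S" else mss + 40) * int(spec[1:])
    return value == int(spec)

def ttl_ok(initial: int, seen: int) -> bool:
    # observed TTL may not exceed the initial TTL nor sit more than MAXDIST below it
    return 0 <= initial - seen <= MAXDIST

def opts_match(spec: List[str], seen: List[Tuple[str, Optional[int]]], mss: Optional[int]) -> bool:
    """Option count and order must match exactly; W/M carry value specs, T vs T0 is strict."""
    if len(spec) != len(seen):
        return False
    for tok, (kind, val) in zip(spec, seen):
        if tok[0] != kind:
            return False
        if kind in ("W", "M") and not num_matches(tok[1:], val, mss):
            return False
        if kind == "T" and (tok == "T0") != (val == 0):     # T0 needs a zero stamp, T non-zero
            return False
    return True

def match(sigs: List[Signature], syn: Syn) -> List[Signature]:
    """All matching signatures in file order; the first hit wins, hence '@' rules go last."""
    return [s for s in sigs
            if num_matches(s.wss, syn.wss, syn.mss) and ttl_ok(s.ttl, syn.ttl)
            and s.df == syn.df and s.size == syn.size and opts_match(s.opts, syn.opts, syn.mss)]

# Constructed Linux 2.4 style SYN seen 6 hops away: WSS 5840 = 4 * MSS 1460, TTL 58
LINUX_SYN = Syn(5840, 58, 1, 60, [("M", 1460), ("S", None), ("T", 9876), ("N", None), ("W", 0)])
```

match(parse_db(SAMPLE_DB), LINUX_SYN) returns only the Linux 2.4/2.6 entry; pass the text of the whole file instead of SAMPLE_DB to run against the full database.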