Description: Running the packet capture through nfc (http://myweb.cableone.net/xnih/download/nfc.zip), we find two possible systems doing some type of scan: 10.42.42.25 and 10.42.42.253. Looking at the sheer number of scan packets, we can tell that 10.42.42.253 is the main system doing any type of scan. We can also look at the SYN, Connect, XMAS and NULL scan types and see that 10.42.42.253 shows up in all four, whereas 10.42.42.25 only shows up in the Connect scan. 10.42.42.253 does SYN, Connect, XMAS and NULL scans, plus at least one port on UDP (probably during the OS fingerprinting stage, when nmap looks for a closed UDP port). The first scan he does, though, is a TCP Connect scan. We can see this by the flags and, more importantly, by the TCP options that are used: a raw nmap SYN-scan probe carries a single MSS option (1460) and nothing else, while a connect() scan is sent by the scanning host's own TCP stack and so carries that OS's normal SYN options (window scale, SACK, timestamps and so on).

The general way we can break down the scan types is as follows (a chunk of the Delphi code used; because I had to port all the C code over to Pascal on my own, the source is not available, but general info on what was done is provided in the nfc zip file):

    // tcpflags is the flag string in F/S/R/P/A/U order, tcpoptions the Satori/p0f-style option string
    if tcpflags = 'SA' then
      OpenPorts.Add(sl.Strings[x])
    else if tcpflags = 'RA' then
      ClosedPorts.Add(sl.Strings[x])
    else if tcpflags = 'R' then
      UnfilteredPorts.Add(sl.Strings[x])
    else if (tcpflags = 'A') and (tcpoptions = '') then
      ACKScan.Add(sl.Strings[x])
    else if tcpflags = '' then
      NullScan.Add(sl.Strings[x])
    else if tcpflags = 'FPU' then
      XMASScan.Add(sl.Strings[x])
    else if tcpflags = 'S' then
    begin
      // raw nmap SYN probes carry only MSS 1460; anything else came from a real TCP stack
      if tcpoptions = 'M1460:.' then
        SynScan.Add(sl.Strings[x])
      else
        // tcpoptions are going to be OS specific, so doing catch all for now
        ConnectScan.Add(sl.Strings[x]);
    end;

The tcpoptions string is the same data I use in Satori for passively identifying OSs. This is close to what p0f is doing and the general fingerprints are the same, though mine have been updated over the past few years.
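As an added example (not part of the original write-up and not the nfc code), here is the same decision ladder in Python, fed with raw TCP headers rather than pre-computed strings, so that both the flag string and the p0f-style option signature are derived from the bytes. The option notation used here (M1460, W7, S, T, N, E joined by commas) is my own simplification of the Satori/p0f string above, and the sample packets are constructed for illustration, reusing the capture's IP addresses only as labels.

```python
import struct
from collections import Counter, defaultdict

# TCP flag bits in the order nfc/p0f print them (low bit first): F S R P A U.
FLAG_BITS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U")]
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# A raw nmap SYN-scan probe carries one MSS=1460 option and nothing else; a connect()
# scan is emitted by the scanning host's own stack and carries that OS's usual SYN options.
NMAP_RAW_SYN_OPTIONS = "M1460"

# Flag strings nfc maps straight to a verdict (the remaining rules also need the options).
BY_FLAGS = {"SA": "open", "RA": "closed", "R": "unfiltered", "": "null-scan", "FPU": "xmas-scan"}

def flag_string(flags):
    return "".join(letter for bit, letter in FLAG_BITS if flags & bit)

def option_signature(opts):
    """Render the TCP options field as a p0f-style list: M<mss>, W<shift>, S, T, N, E (own notation)."""
    sig, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # End of option list
            sig.append("E")
            break
        if kind == 1:                                   # NOP padding
            sig.append("N")
            i += 1
            continue
        if i + 1 >= len(opts):                          # truncated option header
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):        # malformed length: stop rather than loop
            break
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            sig.append("M%d" % struct.unpack("!H", body)[0])
        elif kind == 3 and len(body) == 1:
            sig.append("W%d" % body[0])
        elif kind in (4, 8):
            sig.append({4: "S", 8: "T"}[kind])
        else:
            sig.append("?%d" % kind)
        i += length
    return ",".join(sig)

def parse_tcp(segment):
    """(sport, dport, flag string, option signature) from a raw TCP header (IP header already stripped)."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    return sport, dport, flag_string(off_flags & 0x3F), option_signature(segment[20:data_offset])

def classify(flags, options):
    """The nfc decision ladder: flags first, options only to split a raw SYN from connect()."""
    if flags == "A" and options == "":
        return "ack-scan"
    if flags == "S":
        return "syn-scan" if options == NMAP_RAW_SYN_OPTIONS else "connect-scan"
    return BY_FLAGS.get(flags, "other")

def summarize(packets):
    """packets: iterable of (src_ip, dst_ip, tcp_bytes) -> (scanners, targets, open_ports)."""
    scanners, targets, open_ports = defaultdict(Counter), defaultdict(Counter), set()
    for src, dst, segment in packets:
        sport, _dport, flags, options = parse_tcp(segment)
        kind = classify(flags, options)
        if kind.endswith("-scan"):
            scanners[kind][src] += 1
            targets[kind][dst] += 1
        elif kind == "open":
            open_ports.add((src, sport))             # the SYN/ACK comes from the open port
    return scanners, targets, open_ports

# ---- constructed sample traffic (not taken from the contest pcap) ----
def build_tcp(sport, dport, flags, options=b""):
    options += b"\x00" * (-len(options) % 4)         # pad options to a 32-bit boundary
    off_flags = ((5 + len(options) // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, off_flags, 1024, 0, 0) + options

RAW_NMAP_SYN = b"\x02\x04\x05\xb4"                                                   # MSS 1460 only
STACK_SYN = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"  # MSS,S,T,N,W7
SAMPLE = [
    ("10.42.42.253", "10.42.42.50", build_tcp(36020, 135, SYN, RAW_NMAP_SYN)),        # raw SYN scan
    ("10.42.42.50", "10.42.42.253", build_tcp(135, 36020, SYN | ACK, RAW_NMAP_SYN)),  # port open
    ("10.42.42.253", "10.42.42.50", build_tcp(36021, 445, SYN, RAW_NMAP_SYN)),
    ("10.42.42.50", "10.42.42.253", build_tcp(445, 36021, RST | ACK)),                # port closed
    ("10.42.42.25", "10.42.42.50", build_tcp(49152, 139, SYN, STACK_SYN)),            # connect() scan
    ("10.42.42.253", "10.42.42.50", build_tcp(36022, 139, 0)),                         # NULL
    ("10.42.42.253", "10.42.42.56", build_tcp(36023, 139, FIN | PSH | URG)),           # XMAS
]

if __name__ == "__main__":
    scanners, targets, open_ports = summarize(SAMPLE)
    for kind in sorted(scanners):
        print("%-12s by %s -> %s" % (kind, dict(scanners[kind]), dict(targets[kind])))
    print("open:", sorted(open_ports))
```

The option parser stops on a malformed or truncated option rather than trusting the length byte, which matters when the input is attacker-controlled packet data; the Satori/p0f string compared in the Delphi code would come out of the same walk with a different join format.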
Looking through the summary info of nfc we can see that 3 machines were scanned: 10.42.42.25, 10.42.42.50 and 10.42.42.56. Each saw a different number of ports scanned; this could be due to how nmap's OS detection probes work when it tries to fingerprint the remote system, though some of it could also be because of the interaction between these 3 hosts when they started up their own conversations with each other.

For OS identification we now look at Satori (http://myweb.cableone.net/xnih/download/satori.zip). For this exercise some tweaks were made to a few of the fingerprinting DLLs. While Satori wasn't designed specifically to parse nmap traffic, it can, though it is a bit slow due to the number of packets with TCP options.

One of the DLLs that was changed was the ICMP one, found under the pull-down for "icmp". NMAP sends ICMP Type 8 (echo request) packets with an ICMP Code of 9 (Languard sends with a 13, and others may send their own, trying to elicit a different response with a valid and an invalid code; RFC 792 defines only code 0 for echo, so any other value stands out). For the TCP DLL I modified it to identify more than just S and SA packets (the original DLL just dropped all the others); we now process and tag them, even ones that may be of no use, with flags such as FA and PA. The main new useful ones were NULL and XMAS. I also updated the mtu text file under fingerprinting to add the common MTU sizes that NMAP uses (305, 680, 1440). All of this can be found in the pull-down for "tcp".

Note: The downloadable version of Satori is quite old, but the updater program should be run after the initial download, selecting ALL files, not just the ones it marks as new, since it looks at the last-modified date, which typically is when you extracted the file.
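An added example, not from the original write-up and not the Satori ICMP DLL: a Python check that parses ICMP headers and tags echo requests whose code is not 0, treating code 9 as the nmap probe and code 13 as the Languard one exactly as described above, and anything else as an unexplained non-zero code. It then lists sources that mixed such a request with ordinary pings, which is the "valid and invalid code" pattern the paragraph describes. The tag names and the sample packets are mine, constructed for illustration.

```python
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8

# Echo-request codes the write-up attributes to particular scanners. RFC 792 defines only
# code 0 for echo, so any other value is worth a tag even when it is not in this table.
PROBE_CODES = {9: "nmap-os-detect", 13: "languard"}

def parse_icmp(packet):
    """(type, code, identifier, sequence) from a raw ICMP header; IP header already stripped."""
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq

def tag_echo(packet):
    """Label an echo request by its code; None for anything that is not an echo request."""
    icmp_type, code, _ident, _seq = parse_icmp(packet)
    if icmp_type != ICMP_ECHO_REQUEST:
        return None
    if code == 0:
        return "echo"
    return PROBE_CODES.get(code, "echo-bad-code-%d" % code)

def find_probers(packets):
    """packets: iterable of (src_ip, icmp_bytes). Returns {src: sorted tags} for every source
    that sent at least one echo request with a non-zero code."""
    tags_by_src = defaultdict(set)
    for src, packet in packets:
        tag = tag_echo(packet)
        if tag is not None:
            tags_by_src[src].add(tag)
    return {src: sorted(tags) for src, tags in tags_by_src.items() if tags != {"echo"}}

# ---- constructed sample traffic (not taken from the contest pcap) ----
def build_icmp(icmp_type, code, ident, seq, payload=b""):
    # checksum left at 0: these samples are only parsed, never sent
    return struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + payload

SAMPLE = [
    ("10.42.42.253", build_icmp(8, 9, 0x1234, 1, b"\x00" * 120)),   # echo request with bogus code 9
    ("10.42.42.253", build_icmp(8, 0, 0x1235, 2, b"\x00" * 150)),   # followed by a valid one
    ("10.42.42.25", build_icmp(8, 0, 1, 1)),                        # ordinary ping
    ("10.42.42.25", build_icmp(0, 0, 1, 1)),                        # echo reply, ignored
]

if __name__ == "__main__":
    for src, tags in find_probers(SAMPLE).items():
        print(src, tags)
```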
Anyway, to determine each OS we can look at the data that Satori provided:

10.42.42.253 - Linux 2.6 (p0f) or Solaris (ettercap); nothing in my DB to identify it
10.42.42.50 - Windows XP SP3 most likely, XP or 2000 (Satori); Windows 2000 (p0f); BSD or 2000 Server (ettercap)
10.42.42.56 - unknown across all passive fingerprinting
10.42.42.25 - unknown across all passive fingerprinting, but based on the MAC, and that alone, Apple (could always be spoofed); if it is an OS X box, there is a SYN fingerprint that can be added to my DB

The Apple machine's MAC is 00:16:CB:92:6E:DC. The Windows machine is 10.42.42.50 (see above); using either nfc or Satori we can see that TCP ports 135 and 139 were open on it.

nfc output:

---------------------------------------
Types of Scans and General Info
---------------------------------------

SYN Scan info:
  Start Time: 2010-02-02 17:43:10  Packet #: 6728
  End Time:   2010-02-02 17:44:03  Packet #: 13525
  System(s) appearing to do SYN Scans:
    10.42.42.253=3745
  System(s) appearing to be SYN Scanned:
    10.42.42.25=1745
    10.42.42.56=1000
    10.42.42.50=1000

Connect Scan info:
  Start Time: 2010-02-02 17:34:06  Packet #: 1
  End Time:   2010-02-02 17:44:12  Packet #: 13620
  System(s) appearing to do Connect Scans:
    10.42.42.253=3670
    10.42.42.25=12
  System(s) appearing to be Connect Scanned:
    10.42.42.50=1024
    10.42.42.56=1003
    10.42.42.25=1655

XMAS Scan info:
  Start Time: 2010-02-02 17:44:10  Packet #: 13599
  End Time:   2010-02-02 17:44:13  Packet #: 13624
  System(s) appearing to do XMAS Scans:
    10.42.42.253=4
  System(s) appearing to be XMAS Scanned:
    10.42.42.56=2
    10.42.42.25=1
    10.42.42.50=1

NULL Scan info:
  Start Time: 2010-02-02 17:44:10  Packet #: 13597
  End Time:   2010-02-02 17:44:10  Packet #: 13597
  System(s) appearing to do NULL Scans:
    10.42.42.253=1
  System(s) appearing to be NULL Scanned:
    10.42.42.50=1

---------------------------------------
Summary
---------------------------------------

List of Possible NMAP Scanning machines (and number of ports scanned):
  10.42.42.25=12
  10.42.42.253=7420

List of Possible Machines Scanned by NMAP System (and number of ports scanned):
  10.42.42.25=3401
  10.42.42.50=2025
  10.42.42.56=2005

Systems with Open Ports:
  10.42.42.50 - 135/tcp
  10.42.42.50 - 139/tcp

Systems with Unfiltered Ports:
  10.42.42.25 - 1/tcp
  10.42.42.253 - 36020/tcp
  10.42.42.253 - 36119/tcp
  10.42.42.253 - 36120/tcp
  10.42.42.253 - 36121/tcp
  10.42.42.253 - 36122/tcp
  10.42.42.253 - 36123/tcp
  10.42.42.253 - 36124/tcp
  10.42.42.253 - 36131/tcp
  10.42.42.253 - 36134/tcp
  10.42.42.50 - 1/tcp
  10.42.42.50 - 135/tcp
  10.42.42.56 - 1/tcp

Systems with Closed Ports:
  10.42.42.25=2003 Port(s) not Shown
  10.42.42.253=2 Port(s) not Shown
  10.42.42.50=2000 Port(s) not Shown
  10.42.42.56=2005 Port(s) not Shown

No results are perfect here, since we are not taking into account where in the scan certain things happen. This is just a quick and dirty best guess based on what we are seeing.

---

Satori, being a GUI program, will have to be downloaded and run.