search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
at(1): Add missing fallthrough.
[dragonfly.git] / etc / pf.os
blobe285851e89bec5a458e2ee4b420e292bc3ce7b6c
1 # $FreeBSD: head/etc/pf.os 258865 2013-12-03 04:32:02Z eadler $
2 # $OpenBSD: pf.os,v 1.27 2016/09/03 17:08:57 sthen Exp $
3 # passive OS fingerprinting
4 # -------------------------
5 #
6 # SYN signatures. Those signatures work for SYN packets only (duh!).
7 #
8 # (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
9 # (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org>
10 #
11 # Permission to use, copy, modify, and distribute this software for any
12 # purpose with or without fee is hereby granted, provided that the above
13 # copyright notice and this permission notice appear in all copies.
14 #
15 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
16 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
17 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
18 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
19 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 #
23 #
24 # This fingerprint database is adapted from Michal Zalewski's p0f passive
25 # operating system package. The last database sync was from a Nov 3 2003
26 # p0f.fp.
27 #
28 #
29 # Each line in this file specifies a single fingerprint. Please read the
30 # information below carefully before attempting to append any signatures
31 # reported as UNKNOWN to this file to avoid mistakes.
32 #
33 # We use the following set metrics for fingerprinting:
34 #
35 # - Window size (WSS) - a highly OS dependent setting used for TCP/IP
36 # performance control (max. amount of data to be sent without ACK).
37 # Some systems use a fixed value for initial packets. On other
38 # systems, it is a multiple of MSS or MTU (MSS+40). In some rare
39 # cases, the value is just arbitrary.
40 #
41 # NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
42 # appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
43 # means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
44 # value of nn is not fixed (unlikely), just copy the Snn or Tnn token
45 # literally. If you know this device has a simple stack and a fixed
46 # MTU, you can however multiply S value by MSS, or T value by MSS+40,
47 # and put it instead of Snn or Tnn.
48 #
49 # If WSS otherwise looks like a fixed value (for example a multiple
50 # of two), or if you can confirm the value is fixed, please quote
51 # it literally. If there's no apparent pattern in WSS chosen, you
52 # should consider wildcarding this value.
53 #
54 # - Overall packet size - a function of all IP and TCP options and bugs.
55 #
56 # NEW SIGNATURE: Copy this value literally.
57 #
58 # - Initial TTL - We check the actual TTL of a received packet. It can't
59 # be higher than the initial TTL, and also shouldn't be dramatically
60 # lower (maximum distance is defined as 40 hops).
61 #
62 # NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
63 # You need to determine the initial TTL. The best way to do it is to
64 # check the documentation for a remote system, or check its settings.
65 # A fairly good method is to simply round the observed TTL up to
66 # 32, 64, 128, or 255, but it should be noted that some obscure devices
67 # might not use round TTLs (in particular, some shoddy appliances use
68 # "original" initial TTL settings). If not sure, you can see how many
69 # hops you're away from the remote party with traceroute or mtr.
70 #
71 # - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
72 # discovery. Others do not bother.
73 #
74 # NEW SIGNATURE: Copy this value literally.
75 #
76 # - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
77 # uses it to determine link type of the remote host.
78 #
79 # NEW SIGNATURE: Always wildcard this value, except for rare cases when
80 # you have an appliance with a fixed value, know the system supports only
81 # a very limited number of network interface types, or know the system
82 # is using a value it pulled out of nowhere. Specific unique MSS
83 # can be used to tell Google crawlbots from the rest of the population.
84 #
85 # - Window scaling (WSCALE) - this feature is used to scale WSS.
86 # It extends the size of a TCP/IP window to 32 bits. Some modern
87 # systems implement this feature.
88 #
89 # NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
90 # to zero or other low value. There's usually no need to wildcard this
91 # parameter.
92 #
93 # - Timestamp - some systems that implement timestamps set them to
94 # zero in the initial SYN. This case is detected and handled appropriately.
95 #
96 # - Selective ACK permitted - a flag set by systems that implement
97 # selective ACK functionality.
98 #
99 # - The sequence of TCP all options (MSS, window scaling, selective ACK
100 # permitted, timestamp, NOP). Other than the options previously
101 # discussed, p0f also checks for timestamp option (a silly
102 # extension to broadcast your uptime ;-), NOP options (used for
103 # header padding) and sackOK option (selective ACK feature).
104 #
105 # NEW SIGNATURE: Copy the sequence literally.
106 #
107 # To wildcard any value (except for initial TTL or TCP options), replace
108 # it with '*'. You can also use a modulo operator to match any values
109 # that divide by nnn - '%nnn'.
110 #
111 # Fingerprint entry format:
112 #
113 # wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
114 #
115 # wwww - window size (can be *, %nnn, Snn or Tnn). The special values
116 # "S" and "T" which are a multiple of MSS or a multiple of MTU
117 # respectively.
118 # ttt - initial TTL
119 # D - don't fragment bit (0 - not set, 1 - set)
120 # ss - overall SYN packet size
121 # OOO - option value and order specification (see below)
122 # OS - OS genre (Linux, Solaris, Windows)
123 # Version - OS Version (2.0.27 on x86, etc)
124 # Subtype - OS subtype or patchlevel (SP3, lo0)
125 # details - Generic OS details
126 #
127 # If OS genre starts with '*', p0f will not show distance, link type
128 # and timestamp data. It is useful for userland TCP/IP stacks of
129 # network scanners and so on, where many settings are randomized or
130 # bogus.
131 #
132 # If OS genre starts with @, it denotes an approximate hit for a group
133 # of operating systems (signature reporting still enabled in this case).
134 # Use this feature at the end of this file to catch cases for which
135 # you don't have a precise match, but can tell it's Windows or FreeBSD
136 # or whatnot by looking at, say, flag layout alone.
137 #
138 # Option block description is a list of comma or space separated
139 # options in the order they appear in the packet:
140 #
141 # N - NOP option
142 # Wnnn - window scaling option, value nnn (or * or %nnn)
143 # Mnnn - maximum segment size option, value nnn (or * or %nnn)
144 # S - selective ACK OK
145 # T - timestamp
146 # T0 - timestamp with a zero value
147 #
148 # To denote no TCP options, use a single '.'.
149 #
150 # Please report any additions to this file, or any inaccuracies or
151 # problems spotted, to the maintainers: lcamtuf@coredump.cx,
152 # frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet
153 # capture of the relevant SYN packet(s)
154 #
155 # A test and submission page is available at
156 # http://lcamtuf.coredump.cx/p0f-help/
157 #
158 #
159 # WARNING WARNING WARNING
160 # -----------------------
161 #
162 # Do not add a system X as OS Y just because NMAP says so. It is often
163 # the case that X is a NAT firewall. While nmap is talking to the
164 # device itself, p0f is fingerprinting the guy behind the firewall
165 # instead.
166 #
167 # When in doubt, use common sense, don't add something that looks like
168 # a completely different system as Linux or FreeBSD or LinkSys router.
169 # Check DNS name, establish a connection to the remote host and look
170 # at SYN+ACK - does it look similar?
171 #
172 # Some users tweak their TCP/IP settings - enable or disable RFC1323
173 # functionality, enable or disable timestamps or selective ACK,
174 # disable PMTU discovery, change MTU and so on. Always compare a new rule
175 # to other fingerprints for this system, and verify the system isn't
176 # "customized" before adding it. It is OK to add signature variants
177 # caused by a commonly used software (personal firewalls, security
178 # packages, etc), but it makes no sense to try to add every single
179 # possible /proc/sys/net/ipv4 tweak on Linux or so.
180 #
181 # KEEP IN MIND: Some packet firewalls configured to normalize outgoing
182 # traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
183 # normalize packets. Signatures will not correspond to the originating
184 # system (and probably not quite to the firewall either).
185 #
186 # NOTE: Try to keep this file in some reasonable order, from most to
187 # least likely systems. This will speed up operation. Also keep most
188 # generic and broad rules near the end.
189 #
190
191 ##########################
192 # Standard OS signatures #
193 ##########################
194
195 # ----------------- AIX ---------------------
196
197 # AIX is first because its signatures are close to NetBSD, MacOS X and
198 # Linux 2.0, but it uses a fairly rare MSSes, at least sometimes...
199 # This is a shoddy hack, though.
200
201 45046:64:0:44:M*: AIX:4.3::AIX 4.3
202 16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier
203
204 16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
205 16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
206 32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
207 32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
208 65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
209 65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
210 65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1
211
212 # ----------------- Linux -------------------
213
214 # S1:64:0:44:M*:A: Linux:1.2::Linux 1.2.x (XXX quirks support)
215 512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
216 16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
217
218 # Endian snafu! Nelson says "ha-ha":
219 2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
220 64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
221
222
223 S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot)
224
225 S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy)
226 S3:64:1:60:M*,S,T,N,W0: Linux:2.4:.18-21:Linux 2.4.18 and newer
227 S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 <= 2.6.7
228 S4:64:1:60:M*,S,T,N,W0: Linux:2.6:.1-7:Linux 2.4/2.6 <= 2.6.7
229
230 S4:64:1:60:M*,S,T,N,W5: Linux:2.6::Linux 2.6 (newer, 1)
231 S4:64:1:60:M*,S,T,N,W6: Linux:2.6::Linux 2.6 (newer, 2)
232 S4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 3)
233 T4:64:1:60:M*,S,T,N,W7: Linux:2.6::Linux 2.6 (newer, 4)
234
235 S10:64:1:60:M*,S,T,N,W4: Linux:3.0::Linux 3.0
236
237 S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (sometimes 2.4)
238 S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6
239 S3:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4)
240 S4:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4)
241
242 S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer
243 S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
244 S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
245
246 # Popular cluster config scripts disable timestamps and
247 # selective ACK:
248 S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster
249
250 # This needs to be investigated. On some systems, WSS
251 # is selected as a multiple of MTU instead of MSS. I got
252 # many submissions for this for many late versions of 2.4:
253 T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon)
254
255 # This happens only over loopback, but let's make folks happy:
256 32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local)
257 S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local)
258
259 # Opera visitors:
260 16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?)
261 32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?)
262
263 # Some fairly common mods:
264 S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps
265 S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps
266
267
268 # ----------------- FreeBSD -----------------
269
270 16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.2
271 16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.2
272 16384:64:1:44:M*: FreeBSD:4.0-4.2::FreeBSD 2.0-4.2
273 16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
274
275 1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
276
277 57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323)
278 57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.9::FreeBSD 4.6-4.9
279
280 32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.1 (or MacOS X)
281 32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
282 65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.11::FreeBSD 4.8-5.2 (or MacOS X)
283 65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.8-5.2 (or MacOS X)
284 65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
285 65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
286
287 # XXX need quirks support
288 # 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
289 # 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)
290 # 65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (3)
291 # 65535:64:1:44:M*:Z:FreeBSD:5.2::FreeBSD 5.2 (no RFC1323)
292
293 # 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps)
294
295 # ----------------- NetBSD ------------------
296
297 16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3
298 65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera)
299 16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6
300 16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF)
301 65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF)
302 65535:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6X (DF)
303 32768:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:randomization:NetBSD 1.6ZH-current (w/ ip_id randomization)
304
305 # ----------------- OpenBSD -----------------
306
307 16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6)
308 16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8::OpenBSD 3.0-4.8
309 16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8:no-df:OpenBSD 3.0-4.8 (scrub no-df)
310 57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0::OpenBSD 3.3-4.0
311 57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0:no-df:OpenBSD 3.3-4.0 (scrub no-df)
312
313 65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:opera:OpenBSD 3.0-4.0 (Opera)
314
315 16384:64:1:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9::OpenBSD 4.9
316 16384:64:0:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9:no-df:OpenBSD 4.9 (scrub no-df)
317
318 16384:64:1:64:M*,N,N,S,N,W6,N,N,T: OpenBSD:6.1::OpenBSD 6.1
319 16384:64:0:64:M*,N,N,S,N,W6,N,N,T: OpenBSD:6.1:no-df:OpenBSD 6.1 (scrub no-df)
320
321 # ----------------- DragonFly BSD -----------------
322
323 57344:64:1:60:M*,N,W0,N,N,T: DragonFly:1.0:A:DragonFly 1.0A
324 57344:64:0:64:M*,N,W0,N,N,S,N,N,T: DragonFly:1.2-1.12::DragonFly 1.2-1.12
325 5840:64:1:60:M*,S,T,N,W4: DragonFly:2.0-2.1::DragonFly 2.0-2.1
326 57344:64:0:64:M*,N,W0,N,N,S,N,N,T: DragonFly:2.2-2.3::DragonFly 2.2-2.3
327 57344:64:0:64:M*,N,W5,N,N,S,N,N,T: DragonFly:2.4-2.7::DragonFly 2.4-2.7
328
329 # ----------------- Solaris -----------------
330
331 S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323
332 S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8
333 S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7
334
335 S6:255:1:44:M*: Solaris:2.6-2.7::Solaris 2.6 to 7
336 S23:255:1:44:M*: Solaris:2.5:1:Solaris 2.5.1
337 S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9
338 S44:255:1:44:M*: Solaris:2.7::Solaris 7
339
340 4096:64:0:44:M1460: SunOS:4.1::SunOS 4.1.x
341
342 S34:64:1:52:M*,N,W0,N,N,S: Solaris:10:beta:Solaris 10 (beta)
343 32850:64:1:64:M*,N,N,T,N,W1,N,N,S: Solaris:10::Solaris 10 1203
344
345 # ----------------- IRIX --------------------
346
347 49152:64:0:44:M*: IRIX:6.4::IRIX 6.4
348 61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5
349 49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
350 49152:64:0:52:M*,N,W3,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
351
352 61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21
353 49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21
354
355 49152:60:0:64:M*,N,W2,N,N,T,N,N,S: IRIX:6.5:IP27:IRIX 6.5 IP27
356
357
358 # ----------------- Tru64 -------------------
359
360 32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0 (or OS/2 Warp 4)
361 32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0
362 8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6)
363 61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)
364
365 # ----------------- OpenVMS -----------------
366
367 6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack)
368
369 # ----------------- MacOS -------------------
370
371 # XXX Need EOL tcp opt support
372 # S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic
373
374 # XXX some of these use EOL too
375 16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
376 16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
377 16616:255:1:48:M*,N,N,N: MacOS:8.1-8.6:OTTCP:MacOS 8.1-8.6 (OTTCP)
378 32768:255:1:48:M*,W0,N: MacOS:9.0-9.2::MacOS 9.0-9.2
379 65535:255:1:48:M*,N,N,N,N: MacOS:9.1::MacOS 9.1 (OT 2.7.4)
380
381
382 # ----------------- Windows -----------------
383
384 # Windows TCP/IP stack is a mess. For most recent XP, 2000 and
385 # even 98, the patchlevel, not the actual OS version, is more
386 # relevant to the signature. They share the same code, so it would
387 # seem. Luckily for us, almost all Windows 9x boxes have an
388 # awkward MSS of 536, which I use to tell one from another
389 # in most difficult cases.
390
391 8192:32:1:44:M*: Windows:3.11::Windows 3.11 (Tucows)
392 S44:64:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95::Windows 95
393 8192:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95:b:Windows 95b
394
395 # There were so many tweaking tools and so many stack versions for
396 # Windows 98 it is no longer possible to tell them from each other
397 # without some very serious research. Until then, there's an insane
398 # number of signatures, for your amusement:
399
400 S44:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL)
401 8192:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL)
402 %8192:64:1:48:M536,N,N,S: Windows:98::Windows 98
403 %8192:128:1:48:M536,N,N,S: Windows:98::Windows 98
404 S4:64:1:48:M*,N,N,S: Windows:98::Windows 98
405 S6:64:1:48:M*,N,N,S: Windows:98::Windows 98
406 S12:64:1:48:M*,N,N,S: Windows:98::Windows 98
407 T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98
408 32767:64:1:48:M*,N,N,S: Windows:98::Windows 98
409 37300:64:1:48:M*,N,N,S: Windows:98::Windows 98
410 46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323)
411 65535:64:1:44:M*: Windows:98:noSack:Windows 98 (no sack)
412 S16:128:1:48:M*,N,N,S: Windows:98::Windows 98
413 S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98
414 S26:128:1:48:M*,N,N,S: Windows:98::Windows 98
415 T30:128:1:48:M*,N,N,S: Windows:98::Windows 98
416 32767:128:1:52:M*,N,W0,N,N,S: Windows:98::Windows 98
417 60352:128:1:48:M*,N,N,S: Windows:98::Windows 98
418 60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98
419
420 # What's with 1414 on NT?
421 T31:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a
422 64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a
423 8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older)
424
425 # Windows XP and 2000. Most of the signatures that were
426 # either dubious or non-specific (no service pack data)
427 # were deleted and replaced with generics at the end.
428
429 65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1
430 65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1
431 %8192:128:1:48:M*,N,N,S: Windows:2000:SP2+:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222)
432 %8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222)
433 S20:128:1:48:M*,N,N,S: Windows:2000::Windows 2000/XP SP3
434 S20:128:1:48:M*,N,N,S: Windows:XP:SP3:Windows 2000/XP SP3
435 S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP 1
436 S45:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP 1
437 40320:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4
438
439 S6:128:1:48:M*,N,N,S: Windows:2000:SP2:Windows XP, 2000 SP2+
440 S6:128:1:48:M*,N,N,S: Windows:XP::Windows XP, 2000 SP2+
441 S12:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1
442 S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows Pro SP1, 2000 SP3
443 S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows Pro SP1, 2000 SP3
444 64512:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows SP1, 2000 SP3
445 64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP3
446 32767:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows SP1, 2000 SP4
447 32767:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP4
448
449 8192:128:1:52:M*,N,W2,N,N,S: Windows:Vista::Windows Vista/7
450
451 # Odds, ends, mods:
452
453 S52:128:1:48:M1260,N,N,S: Windows:2000:cisco:Windows XP/2000 via Cisco
454 S52:128:1:48:M1260,N,N,S: Windows:XP:cisco:Windows XP/2000 via Cisco
455 65520:128:1:48:M*,N,N,S: Windows:XP::Windows XP bare-bone
456 16384:128:1:52:M536,N,W0,N,N,S: Windows:2000:ZoneAlarm:Windows 2000 w/ZoneAlarm?
457 2048:255:0:40:.: Windows:.NET::Windows .NET Enterprise Server
458
459 44620:64:0:48:M*,N,N,S: Windows:ME::Windows ME no SP (?)
460 S6:255:1:48:M536,N,N,S: Windows:95:winsock2:Windows 95 winsock 2
461 32768:32:1:52:M1460,N,W0,N,N,S: Windows:2003:AS:Windows 2003 AS
462
463
464 # No need to be more specific, it passes:
465 # *:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!) XXX quirk
466 # there is an equiv similar generic sig w/o the quirk
467
468 # ----------------- HP/UX -------------------
469
470 32768:64:1:44:M*: HP-UX:B.10.20::HP-UX B.10.20
471 32768:64:0:48:M*,W0,N: HP-UX:11.0::HP-UX 11.0
472 32768:64:1:48:M*,W0,N: HP-UX:11.10::HP-UX 11.0 or 11.11
473 32768:64:1:48:M*,W0,N: HP-UX:11.11::HP-UX 11.0 or 11.11
474
475 # Whoa. Hardcore WSS.
476 0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323)
477
478 # ----------------- RiscOS ------------------
479
480 # We don't yet support the ?12 TCP option
481 #16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36
482 12288:32:0:44:M536: RISC OS:3.70:4.10:RISC OS 3.70 inet 4.10
483
484 # XXX quirk
485 # 4096:64:1:56:M1460,N,N,T:T: RISC OS:3.70:freenet:RISC OS 3.70 freenet 2.00
486
487
488
489 # ----------------- BSD/OS ------------------
490
491 # Once again, power of two WSS is also shared by MacOS X with DF set
492 8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF)
493 8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2)
494
495
496 # ---------------- NewtonOS -----------------
497
498 4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1
499
500 # ---------------- NeXTSTEP -----------------
501
502 S4:64:0:44:M1024: NeXTSTEP:3.3::NeXTSTEP 3.3
503 S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3
504
505 # ------------------ BeOS -------------------
506
507 1024:255:0:48:M*,N,W0: BeOS:5.0-5.1::BeOS 5.0-5.1
508 12288:255:0:44:M1402: BeOS:5.0::BeOS 5.0.x
509
510 # ------------------ OS/400 -----------------
511
512 8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR4::OS/400 VR4/R5
513 8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5
514 4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032
515
516 # XXX quirk
517 # 28672:64:0:44:M1460:A:OS/390:?
518
519 # ------------------ ULTRIX -----------------
520
521 16384:64:0:40:.: ULTRIX:4.5::ULTRIX 4.5
522
523 # ------------------- QNX -------------------
524
525 S16:64:0:44:M512: QNX:::QNX demodisk
526
527 # ------------------ Novell -----------------
528
529 16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0
530 6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11
531 6144:128:1:44:M1368: Novell:BorderManager::Novell BorderManager ?
532
533 6144:128:1:52:M*,W0,N,S,N,N: Novell:Netware:6:Novell Netware 6 SP3
534
535
536 # ----------------- SCO ------------------
537 S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1
538 S17:64:1:60:M1380,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1.3 MP3
539 S23:64:1:44:M1380: SCO:OpenServer:5.0:SCO OpenServer 5.0
540
541 # ------------------- DOS -------------------
542
543 2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05
544 T2:255:0:44:M984: DOS:WATTCP:1.05Arachne:Arachne via WATTCP/1.05 (eepro)
545
546 # ------------------ OS/2 -------------------
547
548 S56:64:0:44:M512: OS/2:4::OS/2 4
549 28672:64:0:44:M1460: OS/2:4::OS/2 Warp 4.0
550
551 # ----------------- TOPS-20 -----------------
552
553 # Another hardcore MSS, one of the ACK leakers hunted down.
554 # XXX QUIRK 0:64:0:44:M1460:A:TOPS-20:version 7
555 0:64:0:44:M1460: TOPS-20:7::TOPS-20 version 7
556
557 # ----------------- FreeMiNT ----------------
558
559 S44:255:0:44:M536: FreeMiNT:1:16A:FreeMiNT 1 patch 16A (Atari)
560
561 # ------------------ AMIGA ------------------
562
563 # XXX TCP option 12
564 # S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack
565
566 # ------------------ Plan9 ------------------
567
568 65535:255:0:48:M1460,W0,N: Plan9:4::Plan9 edition 4
569
570 # ----------------- AMIGAOS -----------------
571
572 16384:64:1:48:M1560,N,N,S: AMIGAOS:3.9::AMIGAOS 3.9 BB2 MiamiDX
573
574 ###########################################
575 # Appliance / embedded / other signatures #
576 ###########################################
577
578 # ---------- Firewalls / routers ------------
579
580 S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1)
581 S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2)
582 4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x
583
584 # XXX TCP option 12
585 # S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3
586 # S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026
587
588 S4:64:1:60:W0,N,S,T,M1460: FortiNet:FortiGate:50:FortiNet FortiGate 50
589
590 8192:64:1:44:M1460: Eagle:::Eagle Secure Gateway
591
592 S52:128:1:48:M1260,N,N,N,N: LinkSys:WRV54G::LinkSys WRV54G VPN router
593
594
595
596 # ------- Switches and other stuff ----------
597
598 4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc
599 S8:255:0:44:M*: Cisco:12008::Cisco 12008
600 60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch
601 64512:128:1:44:M1370: Nortel:Contivity Client::Nortel Conectivity Client
602
603
604 # ---------- Caches and whatnots ------------
605
606 S4:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache
607
608 32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x
609 16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1
610 65535:64:0:64:M1460,N,N,S,N,W*,N,N,T: NetApp:5.3-5.5::NetApp 5.3-5.5
611 65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow
612 8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1
613 20480:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:4.1::NetApp NetCache4.1
614
615 65535:64:0:60:M1460,N,W0,N,N,T: CacheFlow:4.1::CacheFlow CacheOS 4.1
616 8192:64:0:60:M1380,N,N,N,N,N,N,T: CacheFlow:1.1::CacheFlow CacheOS 1.1
617
618 S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine
619
620 27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based)
621
622 65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler
623 S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg
624
625 16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?)
626
627 65535:255:0:48:M*,N,N,S: Redline:::Redline T|X 2200
628
629 32696:128:0:40:M1460: Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine
630
631 # ----------- Embedded systems --------------
632
633 S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C
634 S5:255:0:44:M536: PalmOS:3::PalmOS 3/4
635 S5:255:0:44:M536: PalmOS:4::PalmOS 3/4
636 S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5
637 2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera)
638 S29:255:0:44:M536: PalmOS:5::PalmOS 5.0
639 16384:255:0:44:M1398: PalmOS:5.2:Clie:PalmOS 5.2 (Clie)
640 S14:255:0:44:M1350: PalmOS:5.2:Treo:PalmOS 5.2.1 (Treo)
641
642 S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7
643
644 8192:255:0:44:M1460: SymbianOS:6048::Symbian OS 6048 (Nokia 7650?)
645 8192:255:0:44:M536: SymbianOS:9210::Symbian OS (Nokia 9210?)
646 S22:64:1:56:M1460,T,S: SymbianOS:P800::Symbian OS ? (SE P800?)
647 S36:64:1:56:M1360,T,S: SymbianOS:6600::Symbian OS 60xx (Nokia 6600?)
648
649
650 # Perhaps S4?
651 5840:64:1:60:M1452,S,T,N,W1: Zaurus:3.10::Zaurus 3.10
652
653 32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002
654
655 S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0
656
657 4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0
658 T5:64:0:44:M536: Sega:Dreamcast:HKT-3020:Sega Dreamcast HKT-3020 (browser disc 51027)
659 S22:64:1:44:M1460: Sony:PS2::Sony Playstation 2 (SOCOM?)
660
661 S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64
662
663 3100:32:1:44:M1460: Windows:CE:2.0:Windows CE 2.0
664
665 ####################
666 # Fancy signatures #
667 ####################
668
669 1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1)
670 2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2)
671 3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3)
672 4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4)
673
674 # Requires quirks support
675 # 1024:64:0:40:.:A:*NMAP:TCP sweep probe (1)
676 # 2048:64:0:40:.:A:*NMAP:TCP sweep probe (2)
677 # 3072:64:0:40:.:A:*NMAP:TCP sweep probe (3)
678 # 4096:64:0:40:.:A:*NMAP:TCP sweep probe (4)
679
680 1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1)
681 2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2)
682 3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3)
683 4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4)
684
685 32767:64:0:40:.: *NAST:::NASTsyn scan
686
687 # Requires quirks support
688 # 12345:255:0:40:.:A:-p0f:sendsyn utility
689
690
691 #####################################
692 # Generic signatures - just in case #
693 #####################################
694
695 #*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x
696 #*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x
697
698 *:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
699 *:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
700 *:128:1:52:M*,N,W*,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
701 *:128:1:52:M*,N,W*,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
702 *:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323)
703 *:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323)
704 *:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+)
705 *:128:1:48:M536,N,N,S: @Windows:98::Windows 98
706 *:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000
707 *:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000
708
709
DragonFly BSD