When Nmap stores a fingerprint in memory, Nmap uses a tree of attributes andvalues in data structures that users need not even be aware of.But there is also a special ASCII-encoded version which Nmap can printfor users when a machine is unidentified. Thousands of theseserialized fingerprints are also read back every time Nmap runs (withOS detection enabled) from thenmap-os-db
database. Thefingerprint format is a compromise between human comprehension andbrevity. The format is so terse that it looks like line noise to manyinexperienced users, but those who read this document should be able todecipher fingerprints with ease. There are actually two types offingerprints, though they have the same general structure. Thefingerprints of known operating systems that Nmap reads in are calledreference fingerprints,while the fingerprint Nmap displays after scanning a system is asubject fingerprint.The reference fingerprints are a bit morecomplex since they can be tailored to match a whole class of operatingsystems by adding leeway to (or omitting) tests that aren't soreliable while allowing only a single possible value for other tests.The reference fingerprints also have OS details and classifications.Since the subject tests are simpler, we describe them first.
If Nmap performs OS fingerprinting on a host and doesn't get a perfectOS matches despite promising conditions (such as finding both open andclosed ports accessible on the target), Nmap prints a subject fingerprint thatshows all of the test results that Nmap deems relevant, then asks the user to submit the data to Nmap.Org. Tests aren'tshown when Nmap has no useful results, such as when the relevant proberesponses weren't received. A special line namedSCAN
gives extra details about the scan (such as Nmap versionnumber) that provide useful context for integrating fingerprintsubmissions into nmap-os-db
. A typical subjectfingerprint is shown in Example 8.3.
Map for mcpe. An.mmap file is a file format created by Mindjet for it’s mind mapping software, MindManager. These mmap files are also referred to as memory files, mind maps, etc. They can contain many different elements such as images, icons, equations, text, symbols, and more. MMAP(2) BSD System Calls Manual MMAP(2) NAME mmap- map files or devices into. Mac OS X specific: the file descriptor used for creating MAPANON regions can be used to pass some Mach VM flags, and can be specified as -1 if no such flags are associated with the region. Mindjet MindManager Viewer is suitable for Mac OS X 10.4.0 or later. The application's installer is commonly called mindmanagerviewer7.0.514.dmg or MindManager Viewer 7.0.514.dmg etc. This Mac download was scanned by our built-in antivirus and was rated as safe. This free software for Mac OS X was originally produced by Mindjet.
Many printers and scanners use driverless technologies such as AirPrint or IPP Everywhere, which don't require additional drivers on your Mac. But third-party drivers might still be available for older devices that do require a driver. Always check for software updates before connecting the device to your Mac for the first time. These fingerprint scanners and sensors are supported by our biometric products. Each device has 500 ppi resolution, unless a different resolution is mentioned in the Notes column. Please, click on a scanner name to view more information about it.
Example 8.3. A typical subject fingerprint
Now you may look at this fingerprint and immediately understandwhat everything means. If so, you can simply skip this section. ButI have never seen such a reaction. Many people probably think somesort of buffer overflow or unterminated string error is causing Nmap to spewgarbage data at them. This section helps you decode the informationso you can immediately tell thatblind TCP sequence predictionattacks against this machine are moderately hard, but it may make a goodidle scan (-sI
)zombie.The first step in understandingthis fingerprint is to fix the line wrapping. The tests are allsquished together, with each line wrapped at 71 characters. ThenOS:
is prepended to each line, raising the length to 74 characters.This makes fingerprints easy to cut and paste into the Nmapfingerprint submission form (see the section called “When Nmap Fails to Find a Match and Prints a Fingerprint”).Removing the prefix and fixing the word wrapping (each line should endwith a right parenthesis) leads to the cleaned-up version in Example 8.4.
Example 8.4. A cleaned-up subject fingerprint
While this still isn't the world's most intuitive format (we hadto keep it short), the format is much clearer now. Every line is acategory, such as SEQ
for the sequence generationtests, T3
for the results from that particular TCPprobe, and IE
for tests related to the two ICMPecho probes.
Following each test name is a pair of parentheses which encloseresults for individual tests. The tests take the format
.All of the possible categories, tests, and values are described inthe section called “TCP/IP Fingerprinting Methods Supported by Nmap”. Each pair of tests are separatedby a percentage symbol (%). Tests values can be empty, leading to apercentage symbol or category-terminating right-parenthesis immediatelyfollowing the equal sign. The string “<testname>
=<value>
O=%RD=0%Q=)
” inT4
of our example shows two of these empty tests.A blank test value must match another blank value, so this empty TCPquirks Q
value wouldn't match a fingerprint withQ
set to RU
.
In some cases, a whole test is missing rather than just itsvalue. For example, T2
of our sample fingerprinthas no W
(TCP window), S
(sequence number),A
(acknowledgment number), T
(TTL), or TG
(TTL guess) tests. Thisis because the one test and value it does include,R=N
, means that no response was returned for theT2
probe. So including a window value or sequencenumber would make little sense. Similarly, tests which aren't wellsupported on the system running Nmap are skipped. An example is theRID
(IP ID field returned in ICMP packet) test,which doesn't work well on Solaris because that system tends tocorrupt the ID
field Nmap sendsout.Tests which are inconclusive (such as failing to detect the IP ID sequence for theTI
, CI
, and II
tests) are alsoomitted.
Fingerprint For Mac Os Recovery Tool
The SCAN
line is a special case in a subject fingerprint. Rather than describe the target system, these tests describe various conditions of the scan. These help us integrate fingerprints submitted to Nmap.Org. The tests in this line are:
Mac Os List
Nmap version number (
V
).Date of scan (
D
) in the form month/day.Open and closed TCP ports (on target) used for scan (
OT
andCT
). Unlike most tests, these are printed in decimal format. If Nmap was unable to find an open or a closed port, the test is included with an empty value (even when Nmap guesses a possibly closed port and sends a probe there).Closed UDP port (
CU
). This is the same asCT
, but for UDP. Since the majority of scans don't include UDP, this test's value is usually empty.Private IP space(
PV
) isY
if the target is on the10.0.0.0/8
,172.16.0.0/12
, or192.168.0.0/16
private networks (RFC 1918). Otherwise it isN
.Network distance(
DS
) is the network hop distance from the target. It is0
if the target is localhost,1
if directly connected on an ethernet network, or the exact distance if discovered by Nmap. If the distance is unknown, this test is omitted.The distance calculation method (
DC
)indicates how the network distance (DS
) wascalculated. It can take on these values:L
forlocalhost (DS=0
);D
for a directsubnet connection (DS=1
);I
for aTTL calculation based on an ICMP response to theU1
OS detection probe; andT
for a count oftraceroute hops.This test exists because it is possible for the ICMP TTL calculation tobe incorrect when intermediate machines change the TTL; it distinguishesbetween a host that is truly directly connected and what may be just amiscalculation.Good results (
G
) isY
if conditions and results seem good enough to submit this fingerprint to Nmap.Org. It isN
otherwise. Unless you force them by enabling debugging (-d
) or extreme verbosity (-vv
),G=N
fingerprints aren't printed by Nmap.Target MAC prefix (
M
) is the first six hex digits of the target MAC address, which correspond to the vendor name. Leading zeros are not included. This field is omitted unless the target is on the same ethernet network (DS=1
).The OS scan time (
TM
) is provided in Unix time_t format (in hexadecimal).The platform Nmap was compiled for is given in the
P
field. Gross beat for mac free download.
When Nmap scans a target to create a subject fingerprint, itthen tries to match that data against the thousands ofreference fingerprints in thenmap-os-db
database. Reference fingerprints areinitially formed from one or more subject fingerprints and thus have much in common. They do have a bit of extra information to facilitatematching and of course to describe the operating systems theyrepresent. For example, the subject fingerprint we just looked atmight form the basis for the reference fingerprint in Example 8.5.
Example 8.5. A typical reference fingerprint
Some differences are immediately obvious. Line wrapping is notdone because that is only important for the submission process. TheSCAN
line is also removed, since that informationdescribes a specific scan instance rather than general target OScharacteristics.
You probably also noticed the new lines,Fingerprint
, Class
, andCPE
, which arenew to this reference fingerprint. A more subtle change is that someof the individual test results have been removed while others havebeen enhanced with logical expressions.
The Fingerprint
line first serves as a tokenso Nmap knows to start loading a new fingerprint. Each fingerprintonly has one such line. Immediately after the Fingerprint
token (and a space) comes a textualdescription of the operating system(s) represented by thisfingerprint. These are in free-form English text, designed for humaninterpretation rather than a machine parser. Nevertheless, Nmap triesto stick with a consistent format including the vendor, product name,and then version number. Version number ranges and comma-separatedalternatives discussed previously can be found in this field. Hereare some examples:
In an ideal world, every different OS wouldcorrespond to exactly one unique fingerprint. Unfortunately, OSvendors don't make life so easy for us. The same OS release mayfingerprint differently based on what network drivers are in use,user-configurable options, patch levels, processor architecture,amount of RAM available, firewall settings, and more. Sometimes thefingerprints differ for no discernible reason. While thereference fingerprint format has an expression syntax for coping withslight variations, creating multiple fingerprints for the same OS isoften preferable when major differences are discovered.
Just as multiple fingerprints are often needed for one OS,sometimes a single fingerprint describes several systems. If twosystems give the exact same results for every single test, Nmap haslittle choice but to offer up both as possibilities. This commonlyoccurs for several reasons. One is that vendors may release a newversion of their OS without any significant changes to their IP stack.Maybe they made important changes elsewhere in the system, or perhapsthey did little but want to make a bunch of money selling“upgrades”. In these cases, Nmap often prints a rangesuch as Apple Mac OS X 10.4.8 - 10.4.11
or Sun Solaris 9 or 10
.
Another cause of duplicate fingerprints is embedded deviceswhich share a common OS. For example, a printer from one vendor andan ethernet switch from another may actually share an embeddedOS from a third vendor. In many cases, subtle differences between thedevices still allow them to be distinguished. But sometimes Nmap mustsimply list a group of possibilities such asCisco 1200-series WAP, HP ProCurve 2650 switch, or XeroxPhaser 7400N or 8550DT printer
.
There are also cases where numerous vendors private label theexact same OEM device with their own brand name and model number.Here again, Nmap must simply list the possibilities. Butdistinguishing these is less important because they are allfundamentally the same device.
Tip |
---|
If the description printed by Nmap (which comes from the |
While the Fingerprint
description works great for analysts reading Nmap output directly, many people run Nmap from other scripts andapplications. Those applications might use the OS information tocheck for OS-specific vulnerabilities or just create a pretty graph orreport.
A more structured OS classification system exists forthese purposes. It is also useful when there are multiplematches. If you only get a partial fingerprint (maybe no open portswere found on the target so many tests had to be skipped), it mightmatch dozens of different fingerprints in thenmap-os-db
database. Printing thedetails for all of those fingerprints would be a mess. But thanks toOS classification, Nmap can find commonality. If all of the matchesare classified as Linux, Nmap will simply print that the target is aLinux box.
Every fingerprint has one or more Class
lines.Each contains four well-defined fields: vendor, OS family, OS generation,and device type. The fields are separated by the pipe symbol(|
).
The vendoris the company which makes an OS or device. Examples are Apple
, Cisco
, Microsoft
, and Linksys
. Forcommunity projects such as OpenBSD and Linux without a controllingvendor, the OS family name is repeated for the vendor column.
OS familyincludes products such as Windows
,Linux
, IOS
(for Cisco routers),Solaris
, and OpenBSD
. There are alsohundreds of devices such as switches, broadband routers, and printerswhich use undisclosed operating systems. When the underlying OSisn't clear, embedded
is used.
OS generationis a more granular description of the OS.Generations of Linux include 2.4.X
and2.6.X
, while Windows generations include95
, 98
, Me
,2000
, XP
, andVista
. FreeBSDuses generations such as 4.X
and5.X
. For obscure operating systems which wehaven't subdivided into generations (or whenever the OS is listedsimply as embedded
), this field is leftblank.
The device typeis a broad classification such asrouter
, printer
, orgame console
and was discussed previously in thischapter. General-purpose operating systems such as Linux
and Windows
which can be used for just about anything are classified as general purpose
.
Each field may contain just one value. When a fingerprintrepresents more than one possible combination of these four fields,multiple Class
lines are used. Example 8.6 provides some exampleFingerprint
lines followed by their correspondingclassifications.
Example 8.6. Some typical fingerprint descriptions and corresponding classifications
If these examples aren't enough, a listing of classificationsrecognized by the latest version of Nmap is maintained at http://nmap.org/data/os-classes.txt.
CPE
lines give Common Platform Enumerationequivalents of Class
lines. EachClass
may be followed by severalCPE
lines (CPE
lines always“belong” to the Class
line thatimmediately precedes them). It's common for one CPE name to describe theoperating system and another to describe the hardware platform. Adescription of CPE syntax and meaning can be found inthe section called “Common Platform Enumeration (CPE)”.
Example 8.7. Typical CPE classifications
The auto
flag that follows some CPE names is not partof CPE; it is only used internally by maintenance scripts to indicatethat a CPE name was automatically generated from other informationrather than inserted manually.
The test expressions don't have to changebetween a subject and reference fingerprint, but they almost alwaysdo. The reference fingerprint often needs to be generalized a littlebit to match all instances of a particular OS, rather than just themachine you are scanning. For example, some Windows XP machinesreturn a Window size of F424
to theT1
probe, while others returnFAF0
.This may be due to the particular ethernetdevice driver in use, or maybe how much memory is available. In anycase, we would like to detect Windows XP no matter which window sizeis used.
One way to generalize a fingerprint is to simply remove teststhat produce inconsistent results. Remove all of the window sizetests from a reference fingerprint, and systems will match that printno matter what size they use. The downside is that you can lose alot of important information this way. If the only Window sizes thata particular system ever sends are F424
andFAF0
, you really only want to allow those twovalues, not all 65,536 possibilities.
While removing tests is overkill in somesituations, it is useful in others. The R=Y
testvalue, meaning there was a response, is usually removed from theU1
and IE
tests before they areadded to nmap-os-db
. These probes are oftenblocked by a firewall, so the lack of a response should not countagainst the OS match.
When removing tests is undesirable, Nmap offers an expressionsyntax for allowing a test to match multiple values. For example, W=F424|FAF0
would allow those two Windows XP window values without allowing any others. Table 8.8 shows the permitted operators in test values.
Table 8.8. Reference fingerprint test expression operators
Op Name | Symbol | Example | Description |
---|---|---|---|
Or | | | O=|ME|MNNTNW | Matches if the corresponding subject fingerprint test takes the value of any of the clauses. In this example, the initial pipe symbol means that an empty options list will match too. |
Range | - | SP=7-A | Matches if the subject fingerprint's corresponding test produces a numeric value which falls within the range specified. |
Greater than | > | SP=>8 | Matches if the subject fingerprint's corresponding test produces a numeric value which is greater than the one specified. |
Less than | < | GCD=<5 | Matches if the subject fingerprint's corresponding test produces a numeric value which is less than the one specified. |
Expressions can combine operators, as in GCD=1-6|64|256|>1024
, which matches if the GCD
is between one and six, exactly 64, exactly 256, or greater than 1024.
Because the IPv6 classification engine works differently, it hasdifferent fingerprints. There are no reference fingerprints; instead aset of previously identified training examples is run through a trainingalgorithm, which outputs a large matrix of coefficients, one for eachfeature and OS class. Subject fingerprints use the same ASCII-armoredformat as IPv4, as shown inExample 8.8, “An IPv6 fingerprint”.
Example 8.8. An IPv6 fingerprint
Example 8.9, “A cleaned-up IPv6 fingerprint” shows what thisfingerprint looks like unwrapped. Most of the probes are omitted becausethey all have the same format.
Example 8.9. A cleaned-up IPv6 fingerprint
The SCAN
line has the same meaning as in IPv4fingerprints. The pseudo-test E=6
indicates that thisis an IPv6 fingerprint.
Work faster, with direct access to primary Pro Tools transport and editing functions literally at your fingertips. Designed for both Windows- and Mac-based Pro Tools systems, Pro Tools Custom Keyboards use the same symbols and color-coding system built into several Avid Pro Mixing control surfaces, while retaining all of the conventional alphanumeric labels that appear on standard computer. Some Pro Tools recording shortcuts use the same key commands as some Mac OS X shortcuts. If you want to retain use of these key commands in Pro Tools, these Mac OS X shortcuts must be disabled or remapped. Convention Action File Save Session Choose Save Session from the File menu. Command+N/Control+N Hold down the Command (Apple) key (Mac). A free and intuitive web app to help you memorize default Pro Tools 12 keyboard shortcuts. Pro tools shortcuts list. 122 time-saving Hotkeys for Pro Tools. Extensive, exportable, wiki-style reference lists for Keyboard Shortcuts/Hotkeys. Have you installed any software recently that might be using the same shortcut and taking precedent over Pro Tools? Check your keyboard is OK. On a Mac the easiest way to do this is to go into the Keyboard section of System Preferences and on the Keyboard section, make sure that “Show Keyboard & Character Viewers in menu bar” is enabled.
Then there is one line for each probe that received a response. Withineach of these there are three keys:
P
The contents of the packet, hex- and run-length–encoded. Whenevertwo digits are followed by a number in curly brackets, it means torepeat that byte the given number of times. For example,00{4}
is short for 00000000
. Thecharacters XX
are put in place of source anddestination addresses, which are private and anyway not useful fortraining the classifier.
ST
The time when the packet was sent, in seconds, relative to when OSdetection began.
RT
The time when the packet was received.
The EXTRA
line stores any other information thatcan't be determined purely from the packet contents. TheFL
key stores the flow label that was sent during thescan. This would always be 12345
, except that someoperating systems don't allow setting the flow label and always send00000
instead.
When a fingerprint like the one above is processed, it is converted toan internal representation as shown below. Each value is one element ofthe feature vector that is passed to the classifier. They correspond tothe features listed in the section called “List of all features”.
UNKNOWN
values usually mean that no response wasreceived to the relevant probe. UNKNOWN
values aremapped to −1 before classification.