nmap Revisited Device Identification

    172.16.2.234:23  Linux 2.1.xx
    172.16.2.235:23  - Not Listen, try another port
    172.16.2.236:23  Dead Host, Firewalled Port or Unassigned IP
    172.16.2.237:23  Dead Host, Firewalled Port or Unassigned IP
    172.16.2.238:23  Dead Host, Firewalled Port or Unassigned IP

Notice from this example that mask selection doesn't have to fall on a class boundary.

queso maintains a separate configuration file. If it doesn't recognize a system, it will prompt you to update this file:

    bsd1# queso -p23 205.153.60.1
    205.153.60.1:23  - Unknown OS, pleez update /usr/local/etc/queso.conf

You can update this file with the -w option.

queso can identify a hundred or so different systems. It is not a particularly fast program but gives acceptable results. It can take several seconds to scan each machine on the same subnet. If you invoke queso without any argument, it will provide a brief summary of its options.

6.3.3 nmap Revisited

You can also do stack fingerprinting with nmap by using the -O option:

    bsd1# nmap -O 172.16.2.230

    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    WARNING: OS didn't match until the 2 try
    Interesting ports on 172.16.2.230:
    Port    State       Protocol  Service
    21      open        tcp        ftp
    80      open        tcp        http
    135     open        tcp        loc-srv
    139     open        tcp        netbios-ssn
    443     open        tcp        https
    1032    open        tcp        iad3
    6666    open        tcp        irc-serv
    7007    open        tcp        afs3-bos

    TCP Sequence Prediction: Class=trivial time dependency
                             Difficulty=0 (Trivial joke)
    Remote operating system guess: Windows NT4 / Win95 / Win98

    Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

You can suppress most of the port information by specifying a particular port. For example:

    bsd1# nmap -p80 -O 172.16.2.230

    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on 172.16.2.230:
    Port    State       Protocol  Service
    80      open        tcp        http

    TCP Sequence Prediction: Class=trivial time dependency
                             Difficulty=0 (Trivial joke)
    Remote operating system guess: Windows NT4 / Win95 / Win98

    Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

You will probably want to do this if you are scanning a range of machines to save time. However, if you don't restrict nmap to a single port, you are more likely to get a useful answer.

Results can be vague at times. This is what nmap returned on one device:

    ...
    Remote OS guesses: Cisco Catalyst 1900 switch or Netopia 655-U/POTS ISDN Router,
    Datavoice TxPORT PRISM 3000 T1 CSU/DSU 6.22/2.06, MultiTech CommPlete Controller,
    IBM MVS TCP/IP stack V. 3.2, APC MasterSwitch Network Power Controller, AXIS or
    Meridian Data Network CD-ROM server, Meridian Data Network CD-ROM Server V4.20
    Nov 26 1997, WorldGroup BBS (MajorBBS) w/TCP/IP

The correct answer is none of the above. A system that may not be recognized by nmap may be recognized by queso or vice versa.
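As an added example (not code from the book), the following Python parses the queso and nmap -O output formats shown in this section into records that can be triaged for an asset inventory: per-host status for queso, and for nmap the guess list with wrapped lines rejoined, a flag for the vague multi-candidate case, and the sequence-prediction class. The sample outputs are constructed from the layouts above, and the status names are this example's own choices.

```python
import re

# Constructed samples following the queso and nmap 2.12 layouts shown above.
QUESO_OUTPUT = """\
172.16.2.234:23  Linux 2.1.xx
172.16.2.235:23  - Not Listen, try another port
172.16.2.236:23  Dead Host, Firewalled Port or Unassigned IP
205.153.60.1:23  - Unknown OS, pleez update /usr/local/etc/queso.conf
"""
NMAP_OUTPUT = """\
TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=0 (Trivial joke)
Remote OS guesses: Cisco Catalyst 1900 switch or Netopia 655-U/POTS ISDN Router,
Datavoice TxPORT PRISM 3000 T1 CSU/DSU 6.22/2.06, IBM MVS TCP/IP stack V. 3.2
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
"""
# queso prints these instead of an OS name; anything else is an identification.
QUESO_STATUS = (("- Not Listen", "port closed"),
                ("Dead Host", "unreachable or filtered"),
                ("- Unknown OS", "unknown stack"))

def parse_queso(text):
    """Return {address: (status, os_name)}; os_name is None unless identified."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"(\d+\.\d+\.\d+\.\d+):\d+\s+(.*)", line)
        if not m:
            continue
        addr, result = m.group(1), m.group(2).strip()
        status = next((s for p, s in QUESO_STATUS if result.startswith(p)), None)
        hosts[addr] = (status, None) if status else ("identified", result)
    return hosts

def parse_nmap_os(text):
    """Return OS guesses (wrapped lines rejoined), a vague flag and the ISN class."""
    r = {"guesses": [], "isn_difficulty": None, "isn_label": ""}
    m = re.search(r"Difficulty=(\d+)\s*\(([^)]*)\)", text)
    if m:
        r["isn_difficulty"], r["isn_label"] = int(m.group(1)), m.group(2)
    m = re.search(r"Remote (?:operating system guess|OS guesses):\s*(.*?)"
                  r"(?:\n\s*\n|\nNmap run completed|\Z)", text, re.S)
    if m:
        joined = " ".join(p.strip() for p in m.group(1).splitlines())
        r["guesses"] = [g.strip() for g in joined.split(",") if g.strip()]
    # nmap says "guesses" (plural) when several fingerprints matched; anything
    # but exactly one candidate is unconfirmed, not an identification.
    r["vague"] = len(r["guesses"]) != 1
    # "Trivial joke" is nmap's label for the most predictable sequence class.
    r["predictable_isn"] = r["isn_label"] == "Trivial joke"
    return r
```

A guess list this long should be recorded as "unidentified" in the inventory and cross-checked with queso, as the text suggests, rather than taken as a match.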

6.4 Scripts