0. How Nmap fingerprint probing works
OFP_UNSET,
OFP_TSEQ, --> sendTSeqProbe
OFP_TOPS, --> sendTOpsProbe
OFP_TECN, --> sendTEcnProbe
OFP_T1_7, --> sendT1_7Probe
OFP_TICMP, --> sendTIcmpProbe
OFP_TUDP --> sendTUdpProbe
1) SEQ and OPS: six TCP SYN packets are sent
Packet #1: window scale (10), NOP, MSS (1460), timestamp (TSval: 0xFFFFFFFF; TSecr: 0), SACK permitted. The window field is 1.
Packet #2: MSS (1400), window scale (0), SACK permitted, timestamp (TSval: 0xFFFFFFFF; TSecr: 0), EOL. The window field is 63.
Packet #3: Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), NOP, NOP, window scale (5), NOP, MSS (640). The window field is 4.
Packet #4: SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), window scale (10), EOL. The window field is 4.
Packet #5: MSS (536), SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), window scale (10), EOL. The window field is 16.
Packet #6: MSS (265), SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0). The window field is 512.
2) ECN:
Nmap tests this by sending a SYN packet which also has the ECN CWR and ECE congestion control flags set. For an unrelated (to ECN) test, the urgent field value of 0xF7F5 is used even though the urgent flag is not set. The acknowledgment number is zero, sequence number is random, window size field is three, and the reserved bit which immediately precedes the CWR bit is set. TCP options are WScale (10), NOP, MSS (1460), SACK permitted, NOP, NOP. The probe is sent to an open port.
If a response is received, the R, DF, T, TG, W, O, CC, and Q tests are performed and recorded.
3) T1-T7:
T1 contains various test values for packet #1. Those results are for the R, DF, T, TG, W, S, A, F, O, RD, and Q tests. Those tests are only reported for the first probe since they are almost always the same for each probe.
The six T2 through T7 tests each send one TCP probe packet. With one exception, the TCP options data in each case is (in hex) 03030A0102040109080AFFFFFFFF000000000402. Those 20 bytes correspond to window scale (10), NOP, MSS (265), Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), then SACK permitted. The exception is that T7 uses a Window scale value of 15 rather than 10. The variable characteristics of each probe are described below:
T2 sends a TCP null (no flags set) packet with the IP DF bit set and a window field of 128 to an open port.
T3 sends a TCP packet with the SYN, FIN, URG, and PSH flags set and a window field of 256 to an open port. The IP DF bit is not set.
T4 sends a TCP ACK packet with IP DF and a window field of 1024 to an open port.
T5 sends a TCP SYN packet without IP DF and a window field of 31337 to a closed port.
T6 sends a TCP ACK packet with IP DF and a window field of 32768 to a closed port.
T7 sends a TCP packet with the FIN, PSH, and URG flags set and a window field of 65535 to a closed port. The IP DF bit is not set.
In each of these cases, a line is added to the fingerprint with results for the R, DF, T, TG, W, S, A, F, O, RD, and Q tests.
4) ICMP:
ICMP echo (IE)
Two ICMP echo request packets are sent to the target host.
The first packet has the IP DF bit set, seq=295, tos=0x00, a random IP ID and a random ICMP request identifier.
The second packet is the same as the first except for tos=0x04, code=9 and seq+1.
5) UDP:
UDP (U1): This probe is a UDP packet sent to a closed port.
The character ‘C’ (0x43) is repeated 300 times for the data field.
The IP ID value is set to 0x1042 for operating systems which allow us to set this.
If the port is truly closed and there is no firewall in place, Nmap expects to receive an ICMP port unreachable message in return.
That response is then subjected to the R, DF, T, TG, IPL, UN, RIPL, RID, RIPCK, RUCK, and RUD tests.
Response Tests
The previous section describes probes sent by Nmap, and this one completes the puzzle by describing the barrage of tests performed on responses.
The short names (such as DF, R, and RIPCK) are those used in the nmap-os-db fingerprint database to save space.
All numerical test values are given in hexadecimal notation, without leading zeros, unless noted otherwise.
The tests are documented in roughly the order they appear in fingerprints.
1. Basics
1.1 TCP
1.2 UDP
Source port and destination port: the same as for TCP above.
UDP length: the length in bytes of the UDP datagram (header plus data).
UDP checksum: verifies the correctness of the UDP header and the data.
1.3 IP datagram format
Version: the version of the IP protocol.
Header length: the length of the header.
Type of service: as shown in the figure below:
The precedence bits distinguish IP datagrams of different priority.
D requests lower delay.
T requests higher throughput.
R requests higher reliability.
Total length: the length of the datagram.
Identification: when a datagram is longer than the MTU (maximum transmission unit) of the transmission network and has to be fragmented, the value of this field is copied into the identification field of every fragment, so that the fragments can be reassembled into the original datagram when they reach the final destination.
Flags: the lowest bit is MF; MF=1 means more fragments follow.
The middle bit is DF; DF=1 means the datagram must not be fragmented.
Fragment offset: related to the fragmentation above; the offset of this fragment from the start of the original datagram.
Time to live: how long the datagram may live in the network, i.e. the maximum number of routers it may pass through; every router it passes decrements the value by one, and when it reaches 0 a router may discard the datagram.
Protocol: which protocol the data carried by the datagram belongs to, so that the IP layer of the destination host knows which process to hand this datagram to (each protocol is handled by its own process).
Header checksum: a checksum computed over the header.
Checksum method: at the sender, the IP header is split into 16-bit words and the header checksum field is set to 0; all the 16-bit words are added with one's-complement arithmetic and the one's complement of the sum is written into the header checksum field. On receipt, the receiver arranges all fields of the datagram header into 16-bit words again, adds them once more with one's-complement arithmetic and complements the result. A result of 0 means no error; anything else means an error.
Source address: the address of the node sending the datagram.
Destination address: the address of the node receiving the datagram.
1.4 ICMP message format
2. The meaning of each field in the fingerprint database
# Cisco MDS 9216i SAN Switch OS version 3.1(3)
# Webcam Allnet 2210
# cisco san-os 3.2(1a) Hardware: Cisco MDS 9124
# Nortel IP Phone 1535
# Linux 2.4.24 #1 Mon Jan 3 15:37:16 EET 2005 i686 unknown, Debian GNU/Linux 3.0
Fingerprint Allnet 2210 webcam, Cisco MDS 9124 or 9216i switch (SAN-OS 3.1 - 3.2), or Nortel IP Phone 1535
Class Allnet | embedded || webcam
CPE cpe:/h:allnet:2210 auto
Class Cisco | SAN-OS | 3.X | switch
CPE cpe:/h:cisco:mds_9124
CPE cpe:/h:cisco:mds_9216i
CPE cpe:/o:cisco:san_os:3 auto
Class Nortel | embedded || VoIP phone
CPE cpe:/h:nortel:ip_phone_1535
SEQ(SP=B4-CF%GCD=1-6%ISR=BE-D4%TI=I%CI=Z%II=I%SS=S%TS=7)
OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M5B4ST11NW0%O6=M5B4ST11)
WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
ECN(R=Y%DF=N%T=3B-45%TG=40%W=16D0%O=M5B4NNSNW0%CC=N%Q=)
T1(R=Y%DF=N%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=N%T=3B-45%TG=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW0%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
1 Class
Format: vendor | OS family | OS generation | device type
vendor
OS family (use embedded if it is not known)
OS generation
device type
For example:
Fingerprint D-Link DSL-500G ADSL router
Class D-Link | embedded || broadband router
Question: how is this obtained?
2 CPE
Full name: Common Platform Enumeration. Format:
cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>
a for applications,
h for hardware platforms, or
o for operating systems.
That is, a is an application, h is a hardware platform and o is an operating system.
Question: how is this obtained?
3 SEQ
Based on the first step of the three-way handshake: Nmap sends six TCP SYN packets and the target replies to each with SYN/ACK (ack = seq+1).
First packet:
Packet #1: window scale (10), NOP, MSS (1460), timestamp (TSval: 0xFFFFFFFF; TSecr: 0), SACK permitted. The window field is 1 (win=1).
SENT (14.6294s) TCP [192.168.20.80:47970 > 192.168.20.80:22 S seq=669606725 ack=674377419 off=10 res=0 win=1 csum=0xF76F urp=0 <wscale 10,nop,mss 1460,timestamp 4294967295 0,sackOK>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=58344 foff=0 ttl=37 proto=6 csum=0x07e3]
Send probe (type: OFP_TSEQ, subid: 0) to 192.168.20.80
RCVD (14.6294s) TCP [192.168.20.80:22 > 192.168.20.80:47970 SA seq=204937747 ack=669606726 off=10 res=0 win=43690 csum=0xAA1F urp=0 <mss 65495,sackOK,timestamp 63533023 4294967295,nop,wscale 7>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=0 flg=D foff=0 ttl=64 proto=6 csum=0x90cb]
Second packet:
Packet #2: MSS (1400), window scale (0), SACK permitted, timestamp (TSval: 0xFFFFFFFF; TSecr: 0), EOL. The window field is 63 (win=63).
SENT (14.7301s) TCP [192.168.20.80:47971 > 192.168.20.80:22 S seq=669606726 ack=674377419 off=10 res=0 win=63 csum=0x016D urp=0 <mss 1400,wscale 0,sackOK,timestamp 4294967295 0,eol>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=24098 foff=0 ttl=53 proto=6 csum=0x7da9]
Send probe (type: OFP_TSEQ, subid: 1) to 192.168.20.80
RCVD (14.7301s) TCP [192.168.20.80:22 > 192.168.20.80:47971 SA seq=3909268209 ack=669606727 off=10 res=0 win=43690 csum=0xAA1F urp=0 <mss 65495,sackOK,timestamp 63533124 4294967295,nop,wscale 7>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=0 flg=D foff=0 ttl=64 proto=6 csum=0x90cb]
Third packet:
Packet #3: Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), NOP, NOP, window scale (5), NOP, MSS (640). The window field is 4.
SENT (14.8311s) TCP [192.168.20.80:47972 > 192.168.20.80:22 S seq=669606727 ack=674377419 off=10 res=0 win=4 csum=0x029E urp=0 <timestamp 4294967295 0,nop,nop,wscale 5,nop,mss 640>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=19182 foff=0 ttl=41 proto=6 csum=0x9cdd]
Send probe (type: OFP_TSEQ, subid: 2) to 192.168.20.80
RCVD (14.8311s) TCP [192.168.20.80:22 > 192.168.20.80:47972 SA seq=471192266 ack=669606728 off=10 res=0 win=43690 csum=0xAA1F urp=0 <mss 65495,nop,nop,timestamp 63533225 4294967295,nop,wscale 7>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=0 flg=D foff=0 ttl=64 proto=6 csum=0x90cb]
Fourth packet:
Packet #4:SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), window scale (10), EOL. The window field is 4.
SENT (14.9322s) TCP [192.168.20.80:47973 > 192.168.20.80:22 S seq=669606728 ack=674377419 off=9 res=0 win=4 csum=0x0F24 urp=0 <sackOK,timestamp 4294967295 0,wscale 10,eol>] IP [ver=4 ihl=5 tos=0x00 iplen=56 id=7310 foff=0 ttl=39 proto=6 csum=0xcd41]
Send probe (type: OFP_TSEQ, subid: 3) to 192.168.20.80
RCVD (14.9322s) TCP [192.168.20.80:22 > 192.168.20.80:47973 SA seq=3526620290 ack=669606729 off=10 res=0 win=43690 csum=0xAA1F urp=0 <mss 65495,sackOK,timestamp 63533326 4294967295,nop,wscale 7>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=0 flg=D foff=0 ttl=64 proto=6 csum=0x90cb]
Fifth packet:
Packet #5:MSS (536), SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), window scale (10), EOL. The window field is 16.
SENT (15.0325s) TCP [192.168.20.80:47974 > 192.168.20.80:22 S seq=669606729 ack=674377419 off=10 res=0 win=16 csum=0xFAF5 urp=0 <mss 536,sackOK,timestamp 4294967295 0,wscale 10,eol>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=3721 foff=0 ttl=48 proto=6 csum=0xd242]
Send probe (type: OFP_TSEQ, subid: 3) to 192.168.20.80
RCVD (15.0325s) TCP [192.168.20.80:22 > 192.168.20.80:47974 SA seq=276907177 ack=669606730 off=10 res=0 win=43690 csum=0xAA1F urp=0 <mss 65495,sackOK,timestamp 63533426 4294967295,nop,wscale 7>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=0 flg=D foff=0 ttl=64 proto=6 csum=0x90cb]
Sixth packet:
Packet #6:MSS (265), SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0). The window field is 512.
SENT (15.1329s) TCP [192.168.20.80:47975 > 192.168.20.80:22 S seq=669606730 ack=674377419 off=9 res=0 win=512 csum=0x171A urp=0 <mss 265,sackOK,timestamp 4294967295 0>] IP [ver=4 ihl=5 tos=0x00 iplen=56 id=58189 foff=0 ttl=55 proto=6 csum=0xf681]
Send probe (type: OFP_TSEQ, subid: 5) to 192.168.20.80
RCVD (15.0325s) TCP [192.168.20.80:22 > 192.168.20.80:47974 SA seq=276907177 ack=669606730 off=10 res=0 win=43690 csum=0xAA1F urp=0 <mss 65495,sackOK,timestamp 63533426 4294967295,nop,wscale 7>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=0 flg=D foff=0 ttl=64 proto=6 csum=0x90cb]
3.1 SEQ: GCD, SP, ISR, TI, II, TS, and SS
Result: SEQ(SP=104%GCD=1%ISR=10D%TI=Z%CI=RI%TS=A)
SEQ(SP=104%GCD=2%ISR=10D%TI=Z%TS=A)
Step 1: record the seq and timestamp values of the six SYN/ACK replies.
Step 2: for each pair of adjacent packets (packet 1 and 2, packet 2 and 3, ...) compute the difference of the ISN seq values seq_diffs[j - 1], the difference of the timestamps ts_diffs[j - 1], and the time between sending the two probes time_usec_diffs[j - 1] (the send time of every probe is recorded, so this is a simple subtraction).
Step 3: compute the ISN growth rate per second, seq_avg_rate:
seq_rates[j - 1] = seq_diffs[j - 1] * 1000000.0 / time_usec_diffs[j - 1];
seq_avg_rate += seq_rates[j - 1];
Computing GCD:
GCD: every SYN/ACK reply carries an initial sequence number (ISN); this value is the greatest common divisor of the seq increments between consecutive packets (it may be a multiple of 6400).
seq_gcd = gcd_n_uint(hss->si.responses - 1, seq_diffs);
Implementation: reduce seq_diffs[0] and seq_diffs[1] with the remainder operation %, using the larger value as the dividend and the smaller as the divisor:
a = seq_diffs[0];
b = seq_diffs[1];
if (a < b) { swap(a, b); }   /* make a the larger value */
while (b) {
    c = a % b;
    a = b;
    b = c;
}
Remainders are taken in turn until the remainder is 0; the returned a is the gcd, and the loop is then repeated with the next difference.
Computing ISR and SP
ISR: This value reports the average rate of increase for the returned TCP initial sequence number.
Here hss->si.responses = 6.
/* div_gcd is seq_gcd when seq_gcd > 9, otherwise 1 */
for (i = 0; i < hss->si.responses - 1; i++) {
    double rtmp = seq_rates[i] / div_gcd - seq_avg_rate / div_gcd;
    seq_stddev += rtmp * rtmp;
}
/* We divide by ((numelements in seq_diffs) - 1), which is
 * (si.responses - 2), because that gives a better approx of
 * std. dev when you're only looking at a subset of whole
 * population. */
seq_stddev /= hss->si.responses - 2;
/* Next we need to take the square root of this value */
seq_stddev = sqrt(seq_stddev);
/* Finally we take a binary logarithm, multiply by 8, and round
 * to get the final result; this is SP (hss->si.index) */
if (seq_stddev <= 1)
    hss->si.index = 0;
else {
    seq_stddev = log(seq_stddev) / log(2.0);
    hss->si.index = (int) (seq_stddev * 8 + 0.5);
}
ISR is computed the same way from the average rate (the seq_avg_rate summed above divided by the number of differences, 6 - 1):
ISR = ( log(seq_avg_rate/(6-1)) / log(2.0) )*8 + 0.5
TI: based on the TCP SEQ probes
CI:CI is from the responses to the three TCP probes sent to a closed port: T5, T6, and T7
II: II comes from the ICMP responses to the two IE ping probes
SS:
Shared IP ID sequence Boolean (SS)
This Boolean value records whether the target shares its IP ID sequence between the TCP and ICMP protocols. If our six TCP IP ID values are 117, 118, 119, 120, 121, and 122, then our ICMP results are 123 and 124, it is clear that not only are both sequences incremental, but they are both part of the same sequence. If, on the other hand, the TCP IP ID values are 117–122 but the ICMP values are 32,917 and 32,918, two different sequences are being used.
This test is only included if II is RI, BI, or I and TI is the same. If SS is included, the result is S if the sequence is shared and O (other) if it is not. That determination is made by the following algorithm:
Let avg be the final TCP sequence response IP ID minus the first TCP sequence response IP ID, divided by the difference in probe numbers. If probe #1 returns an IP ID of 10,000 and probe #6 returns 20,000, avg would be (20,000 − 10,000) / (6 − 1), which equals 2,000.
If the first ICMP echo response IP ID is less than the final TCP sequence response IP ID plus three times avg, the SS result is S. Otherwise it is O.
if ((tcp_ipid_seqclass == IPID_SEQ_INCR ||
tcp_ipid_seqclass == IPID_SEQ_BROKEN_INCR ||
tcp_ipid_seqclass == IPID_SEQ_RPI) &&
(icmp_ipid_seqclass == IPID_SEQ_INCR ||
icmp_ipid_seqclass == IPID_SEQ_BROKEN_INCR ||
icmp_ipid_seqclass == IPID_SEQ_RPI)) {
/* Both are incremental. Thus we have "SS" test. Check if they
are in the same sequence. */
AV.attribute = "SS";
u32 avg = (hss->ipid.tcp_ipids[good_tcp_ipid_num - 1] - hss->ipid.tcp_ipids[0]) / (good_tcp_ipid_num - 1);
if (hss->ipid.icmp_ipids[0] < hss->ipid.tcp_ipids[good_tcp_ipid_num - 1] + 3 * avg) {
AV.value = "S";
} else {
AV.value = "O";
}
seq_AVs.push_back(AV);
}
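As an added example (not Nmap's own code), the GCD, ISR and SP computation from the steps above and the SS comparison from the algorithm just quoted, in Python. The ISNs, probe send times and IP IDs below are constructed sample values; the 100 ms probe spacing follows the traces on this page, and the TI/II classification that decides whether SS is reported at all is left to the caller.

```python
import math
from functools import reduce
from typing import Dict, Optional, Sequence

MASK = 0xFFFFFFFF


def mod_diff(a: int, b: int) -> int:
    """Smaller of the two modular distances between 32-bit values (Nmap's MOD_DIFF)."""
    return min((a - b) & MASK, (b - a) & MASK)


def seq_tests(isns: Sequence[int], send_times_usec: Sequence[int]) -> Dict[str, int]:
    """GCD, ISR and SP from the ISNs of the SYN/ACK replies and the probe send times."""
    n = len(isns)
    if n < 4 or n != len(send_times_usec):
        raise ValueError("need at least four ISNs with matching send times")
    seq_diffs = [mod_diff(isns[j], isns[j - 1]) for j in range(1, n)]
    # elapsed time between consecutive probes, never zero because it is a divisor
    usec = [max(1, send_times_usec[j] - send_times_usec[j - 1]) for j in range(1, n)]
    rates = [d * 1_000_000.0 / u for d, u in zip(seq_diffs, usec)]  # ISN increase per second
    avg_rate = sum(rates) / (n - 1)
    gcd = reduce(math.gcd, seq_diffs, 0)
    # ISR: binary log of the average rate, times 8, rounded; 0 for a constant ISN
    isr = 0 if avg_rate < 1 else int(math.log2(avg_rate) * 8 + 0.5)
    # SP: sample standard deviation of the rates (divided by the GCD when it is > 9)
    div = gcd if gcd > 9 else 1
    var = sum((r / div - avg_rate / div) ** 2 for r in rates) / (n - 2)
    stddev = math.sqrt(var)
    sp = 0 if stddev <= 1 else int(math.log2(stddev) * 8 + 0.5)
    return {"GCD": gcd, "ISR": isr, "SP": sp}


def ss_test(tcp_ipids: Sequence[int], icmp_ipids: Sequence[int]) -> str:
    """SS: S when the ICMP replies continue the TCP replies' IP ID sequence, else O.
    Unsigned 32-bit arithmetic as in Nmap; only meaningful once TI and II are incremental."""
    avg = ((tcp_ipids[-1] - tcp_ipids[0]) & MASK) // (len(tcp_ipids) - 1)
    return "S" if icmp_ipids[0] < ((tcp_ipids[-1] + 3 * avg) & MASK) else "O"


def seq_line(tests: Dict[str, int], ss: Optional[str] = None) -> str:
    """Format the results as the SEQ line of a fingerprint (hex, no leading zeros)."""
    parts = ["SP=%X" % tests["SP"], "GCD=%X" % tests["GCD"], "ISR=%X" % tests["ISR"]]
    if ss:
        parts.append("SS=" + ss)
    return "SEQ(" + "%".join(parts) + ")"


# Constructed samples: six probes sent 100 ms apart
TIMES = [100_000 * i for i in range(6)]
# 1) the ISN grows by a fixed 64000 per reply and wraps past 2^32 on the way
FIXED_STEP = [(0xFFFFC000 + 64000 * i) & MASK for i in range(6)]
# 2) irregular increments of 100000, 300000, 200000, 400000 and 500000
IRREGULAR = [0, 100_000, 400_000, 600_000, 1_000_000, 1_500_000]

if __name__ == "__main__":
    print(seq_line(seq_tests(FIXED_STEP, TIMES)))   # SEQ(SP=0%GCD=FA00%ISR=9A)
    print(seq_line(seq_tests(IRREGULAR, TIMES), ss_test([117, 118, 119, 120, 121, 122], [123, 124])))
```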
3.2 OPS:
OPS contains the TCP options received for each of the probes (the test names are O1 through O6)
OPS(O1=MFFD7ST11NW7%O2=MFFD7ST11NW7%O3=MFFD7NNT11NW7%O4=MFFD7ST11NW7%O5=MFFD7ST11NW7%O6=MFFD7ST11)
Reply packet 1 -->
RCVD (14.6294s) TCP [192.168.20.80:22 > 192.168.20.80:47970 SA seq=204937747 ack=669606726 off=10 res=0 win=43690 csum=0xAA1F urp=0 <mss 65495,sackOK,timestamp 63533023 4294967295,nop,wscale 7>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=0 flg=D foff=0 ttl=64 proto=6 csum=0x90cb]
O1=MFFD7ST11NW7 is the encoding of the options in reply packet 1:
MFFD7 --> MSS=FFD7, S --> sackOK (SACK permitted), T11 --> timestamp with both values non-zero, N --> NOP, W7 --> wscale 7
3.3 WIN:
The WIN line contains window sizes for the probe responses (named W1 through W6).
WIN(W1=AAAA%W2=AAAA%W3=AAAA%W4=AAAA%W5=AAAA%W6=AAAA) is the window size of each reply packet (hexadecimal AAAA --> decimal win=43690)
3.4 ECN
Example: ECN(R=Y%DF=Y%T=40%W=AAAA%O=MFFD7NNSNW7%CC=Y%Q=)
SENT (26.1258s) TCP [192.168.20.80:50156 > 192.168.20.80:22 SEC seq=4101295814 ack=0 off=8 res=8 win=3 csum=0x342F urp=63477 <wscale 10,nop,mss 1460,sackOK,nop,nop>] IP [ver=4 ihl=5 tos=0x00 iplen=52 id=15418 foff=0 ttl=50 proto=6 csum=0xa299]
RCVD (26.0745s) TCP [192.168.20.80:22 > 192.168.20.80:50154 SA seq=3657440033 ack=4101295815 off=10 res=0 win=43690 csum=0xAA1F urp=0 <mss 65495,sackOK,timestamp 238105259 4294967295,nop,wscale 7>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=0 flg=D foff=0 ttl=64 proto=6 csum=0x90cb]
R: a reply was received --> Y
DF: Don't Fragment flag, flg=D --> Y
T: TTL 64 (decimal) --> 40 (hex)
W: win=43690 --> AAAA
O: O=MFFD7NNSNW7 is the OPS encoding of this packet
CC --> CC test values, taken from the ECE/CWR flags of the reply:
Value Description
Y Only the ECE bit is set (not CWR). This host supports ECN.
N Neither of these two bits is set. The target does not support ECN.
S Both bits are set. The target does not support ECN, but it echoes back what it thinks is a reserved bit.
O The one remaining combination of these two bits (other).
Q:
If the reserved field of TCP in the reply is not zero, Q=R.
If the URG pointer is set while the URG flag is not set, U is appended to Q.
If neither condition holds, Q is left empty (Q=).
3.5 T1-T7: T1 corresponds to the response to the six SEQ packets (only packet #1 is reported)
T1 contains various test values for packet #1 --> the R, DF, T, TG, W, S, A, F, O, RD, and Q tests
TCP (T2-T7)
The six T2 through T7 tests each send one TCP probe packet. With one exception, the TCP options data in each case is (in hex) 03030A0102040109080AFFFFFFFF000000000402. Those 20 bytes correspond to window scale (10), NOP, MSS (265), Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), then SACK permitted. The exception is that T7 uses a Window scale value of 15 rather than 10. The variable characteristics of each probe are described below:
T2 sends a TCP null (no flags set) packet with the IP DF bit set and a window field of 128 to an open port.
T3 sends a TCP packet with the SYN, FIN, URG, and PSH flags set and a window field of 256 to an open port. The IP DF bit is not set.
T4 sends a TCP ACK packet with IP DF and a window field of 1024 to an open port.
T5 sends a TCP SYN packet without IP DF and a window field of 31337 to a closed port.
T6 sends a TCP ACK packet with IP DF and a window field of 32768 to a closed port.
T7 sends a TCP packet with the FIN, PSH, and URG flags set and a window field of 65535 to a closed port. The IP DF bit is not set.
In each of these cases, a line is added to the fingerprint with results for the R, DF, T, TG, W, S, A, F, O, RD, and Q tests.
Packet T2:
SENT (26.1527s) TCP [192.168.20.80:50158 > 192.168.20.80:22 seq=4101295814 ack=334571982 off=10 res=0 win=128 csum=0xD442 urp=0 <wscale 10,nop,mss 265,timestamp 4294967295 0,sackOK>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=59679 flg=D foff=0 ttl=44 proto=6 csum=0xbbab]
RCVD (26.0743s) TCP [192.168.20.80:50154 > 192.168.20.80:22 S seq=4101295814 ack=334571982 off=10 res=0 win=16 csum=0xD3A6 urp=0 <mss 536,sackOK,timestamp 4294967295 0,wscale 10,eol>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=5796 foff=0 ttl=50 proto=6 csum=0xc827]
Packet T3:
SENT (26.9129s) TCP [192.168.20.80:50159 > 192.168.20.80:22 SFPU seq=4101295814 ack=334571982 off=10 res=0 win=256 csum=0xD396 urp=0 <wscale 10,nop,mss 265,timestamp 4294967295 0,sackOK>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=43780 foff=0 ttl=43 proto=6 csum=0x3ac7]
Packet T4:
SENT (26.9390s) TCP [192.168.20.80:50160 > 192.168.20.80:22 A seq=4101295814 ack=334571982 off=10 res=0 win=1024 csum=0xD0B0 urp=0 <wscale 10,nop,mss 265,timestamp 4294967295 0,sackOK>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=34395 flg=D foff=0 ttl=59 proto=6 csum=0x0f70]
Packet T5:
SENT (26.9644s) TCP [192.168.20.80:50161 > 192.168.20.80:1 S seq=4101295814 ack=334571982 off=10 res=0 win=31337 csum=0x5A69 urp=0 <wscale 10,nop,mss 265,timestamp 4294967295 0,sackOK>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=26929 foff=0 ttl=50 proto=6 csum=0x759a]
Packet T6:
SENT (26.9901s) TCP [192.168.20.80:50162 > 192.168.20.80:1 A seq=4101295814 ack=334571982 off=10 res=0 win=32768 csum=0x54C3 urp=0 <wscale 10,nop,mss 265,timestamp 4294967295 0,sackOK>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=3849 flg=D foff=0 ttl=55 proto=6 csum=0x8ac2]
Packet T7:
SENT (27.0163s) TCP [192.168.20.80:50163 > 192.168.20.80:1 FPU seq=4101295814 ack=334571982 off=10 res=0 win=65535 csum=0xCFA9 urp=0 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=14543 foff=0 ttl=37 proto=6 csum=0xb2fc]
RCVD (26.1258s) TCP [192.168.20.80:22 > 192.168.20.80:50156 SAE seq=295768236 ack=4101295815 off=8 res=0 win=43690 csum=0xAA17 urp=0 <mss 65495,nop,nop,sackOK,nop,wscale 7>] IP [ver=4 ihl=5 tos=0x00 iplen=52 id=0 flg=D foff=0 ttl=64 proto=6 csum=0x90d3]
For example:
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
SENT (14.6294s) TCP [192.168.20.80:47970 > 192.168.20.80:22 S seq=669606725 ack=674377419 off=10 res=0 win=1 csum=0xF76F urp=0 <wscale 10,nop,mss 1460,timestamp 4294967295 0,sackOK>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=58344 foff=0 ttl=37 proto=6 csum=0x07e3]
Send probe (type: OFP_TSEQ, subid: 0) to 192.168.20.80
RCVD (14.6294s) TCP [192.168.20.80:22 > 192.168.20.80:47970 SA seq=204937747 ack=669606726 off=10 res=0 win=43690 csum=0xAA1F urp=0 <mss 65495,sackOK,timestamp 63533023 4294967295,nop,wscale 7>] IP [ver=4 ihl=5 tos=0x00 iplen=60 id=0 flg=D foff=0 ttl=64 proto=6 csum=0x90cb]
R: Y if a reply is received, otherwise N
DF: Y if the Don't Fragment bit is set, otherwise N
T: TTL (Time To Live)
S: the sequence number (seq) value
/* Seq test values:
Z = zero
A = same as ack
A+ = ack + 1
O = other
*/
A: the ACK value
/* ACK test values:
Z = zero
S = same as syn
S+ = syn + 1
O = other
*/
F: the flags
/* Flags. They must be in this order:
E = ECN Echo
U = Urgent
A = Acknowledgement
P = Push
R = Reset
S = Synchronize
F = Final
*/
O: TCP Options
If replayno != 0,
take tcpMss
RD: Rst Data CRC32
Some operating systems return ASCII data such as error messages in reset packets.
This is explicitly allowed by section 4.2.2.12 of RFC 1122.
When Nmap encounters such data, it performs a CRC32 checksum and reports the results.
When there is no data, RD is set to zero.
Some of the few operating systems that may return data in their reset packets are HP-UX and versions of Mac OS prior to Mac OS X.
/* TCP payload length: IP total length minus IP header minus TCP header */
length = (int) ntohs(ip->ip_len) - 4 * ip->ip_hl - 4 * tcp->th_off;
if ((tcp->th_flags & TH_RST) && length > 0) {
    /* CRC32 over the data that follows the TCP header */
    AV.value = string_pool_sprintf("%08lX", nbase_crc32(((u8 *)tcp) + 4 * tcp->th_off, length));
} else {
    AV.value = "0";
}
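An added example (not Nmap's or this page's own code) that parses SENT/RCVD lines in the packet-trace format shown in the OPS, WIN, ECN and T1-T7 sections above and computes the R, DF, T, W, S, A, F, O, CC and Q tests from them; the two sample lines are the ECN exchange quoted in 3.4. TG and RD are not covered, since they need the raw packet rather than the trace line.

```python
import re
from typing import Dict, Optional, Sequence

# Constructed sample: the ECN probe and its reply from this page, in the
# `nmap -O --packet-trace` line format; any SENT/RCVD pair in that format works.
ECN_SENT = ("SENT (26.1258s) TCP [192.168.20.80:50156 > 192.168.20.80:22 SEC seq=4101295814 ack=0 "
            "off=8 res=8 win=3 csum=0x342F urp=63477 <wscale 10,nop,mss 1460,sackOK,nop,nop>] "
            "IP [ver=4 ihl=5 tos=0x00 iplen=52 id=15418 foff=0 ttl=50 proto=6 csum=0xa299]")
ECN_RCVD = ("RCVD (26.1258s) TCP [192.168.20.80:22 > 192.168.20.80:50156 SAE seq=295768236 "
            "ack=4101295815 off=8 res=0 win=43690 csum=0xAA17 urp=0 <mss 65495,nop,nop,sackOK,nop,wscale 7>] "
            "IP [ver=4 ihl=5 tos=0x00 iplen=52 id=0 flg=D foff=0 ttl=64 proto=6 csum=0x90d3]")

TCP_RE = re.compile(
    r"TCP \[\S+ > \S+ (?:(?P<flags>[A-Z]+) )?seq=(?P<seq>\d+) ack=(?P<ack>\d+) off=\d+ "
    r"res=(?P<res>\d+) win=(?P<win>\d+) csum=\S+ urp=(?P<urp>\d+)(?: <(?P<opts>[^>]*)>)?\] "
    r"IP \[(?P<ip>[^\]]*)\]")


def parse_trace(line: str) -> Dict:
    """Pull the fields the tests need out of one SENT/RCVD trace line."""
    m = TCP_RE.search(line)
    if m is None:
        raise ValueError("not a TCP packet-trace line: " + line)
    ip = dict(kv.split("=", 1) for kv in m.group("ip").split())
    return {"flags": m.group("flags") or "", "seq": int(m.group("seq")),
            "ack": int(m.group("ack")), "res": int(m.group("res")),
            "win": int(m.group("win")), "urp": int(m.group("urp")),
            "opts": m.group("opts") or "", "df": ip.get("flg") == "D", "ttl": int(ip["ttl"])}


def encode_options(opts: str) -> str:
    """O test: the reply's options in order, written the way nmap-os-db stores them."""
    out = []
    for opt in filter(None, opts.split(",")):
        name, *args = opt.split()
        if name == "mss":
            out.append("M%X" % int(args[0]))
        elif name == "wscale":
            out.append("W%X" % int(args[0]))
        elif name == "timestamp":  # T, then one digit each for TSval and TSecr being non-zero
            out.append("T%d%d" % (int(args[0]) != 0, int(args[1]) != 0))
        elif name in ("sackOK", "nop", "eol"):
            out.append({"sackOK": "S", "nop": "N", "eol": "L"}[name])
        else:
            raise ValueError("unknown TCP option: " + name)
    return "".join(out)


def tcp_tests(sent: Dict, rcvd: Optional[Dict], ecn: bool = False) -> Dict[str, str]:
    """R, DF, T, W, S, A, F, O, (CC) and Q for one probe/response pair."""
    if rcvd is None:
        return {"R": "N"}
    t = {"R": "Y", "DF": "Y" if rcvd["df"] else "N", "T": "%X" % rcvd["ttl"], "W": "%X" % rcvd["win"]}
    s, a = rcvd["seq"], rcvd["ack"]
    # S compares the reply's seq with our ack; A compares the reply's ack with our seq
    t["S"] = "Z" if s == 0 else "A" if s == sent["ack"] else "A+" if s == sent["ack"] + 1 else "O"
    t["A"] = "Z" if a == 0 else "S" if a == sent["seq"] else "S+" if a == sent["seq"] + 1 else "O"
    # F keeps Nmap's fixed order; the trace letters E (ECE) and C (CWR) are the ECN flags
    t["F"] = "".join(f for f in "EUAPRSF" if f in rcvd["flags"])
    t["O"] = encode_options(rcvd["opts"])
    if ecn:
        ece, cwr = "E" in rcvd["flags"], "C" in rcvd["flags"]
        t["CC"] = "Y" if ece and not cwr else "N" if not ece and not cwr else "S" if ece and cwr else "O"
    # Q quirks: R when the reserved bits are set, U when the urgent pointer is set without URG
    t["Q"] = ("R" if rcvd["res"] else "") + ("U" if rcvd["urp"] and "U" not in rcvd["flags"] else "")
    return t


def fingerprint_line(name: str, tests: Dict[str, str], order: Sequence[str]) -> str:
    """Format the chosen tests as one nmap-os-db line, e.g. ECN(R=Y%DF=Y%...)."""
    keys = [k for k in order if k in tests]
    return "%s(%s)" % (name, "%".join("%s=%s" % (k, tests[k]) for k in keys))
```

Running `fingerprint_line("ECN", tcp_tests(parse_trace(ECN_SENT), parse_trace(ECN_RCVD), ecn=True), ("R", "DF", "T", "W", "O", "CC", "Q"))` reproduces the ECN line quoted in 3.4.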
3.6 U1
Example: U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
The processing is in the function processTUdpResp.
SENT (26.0476s) UDP [192.168.20.80:50099 > 192.168.20.80:30451 len=308 csum=0xAF84] IP [ver=4 ihl=5 tos=0x00 iplen=328 id=4162 foff=0 ttl=63 proto=17 csum=0xc072]
This probe is a UDP packet sent to a closed port.
The character ‘C’ (0x43) is repeated 300 times for the data field.
The IP ID value is set to 0x1042 for operating systems which allow us to set this.
If the port is truly closed and there is no firewall in place, Nmap expects to receive an ICMP port unreachable message in return.
That response is then subjected to the R, DF, T, TG, IPL, UN, RIPL, RID, RIPCK, RUCK, and RUD tests.
TG: IP initial time-to-live guess (TG)
IPL: IP total length (IPL)
This test records the total length (in octets) of an IP packet.
It is only used for the port unreachable response elicited by the U1 test.
That length varies by implementation because they are allowed to choose how much data from the original probe to include, as long as they meet the minimum RFC 1122 requirement.
That requirement is to include the original IP header and at least eight bytes of data.
UN: Unused port unreachable field nonzero (UN)
An ICMP port unreachable message header is eight bytes long, but only the first four are used.
RFC 792 states that the last four bytes must be zero.
A few implementations (mostly ethernet switches and some specialized embedded devices) set it anyway.
The value of those last four bytes is recorded in this field.
RIPL: Returned probe IP total length value (RIPL)
RID: Returned probe IP ID value (RID)
RIPCK: Integrity of returned probe IP checksum value (RIPCK)
RUCK: Integrity of returned probe UDP checksum (RUCK)
RUD: Integrity of returned UDP data (RUD)
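As an added example (not Nmap's own code), a U1 probe and an ICMP port-unreachable reply built as raw bytes, with the U1 response tests listed above computed from them. The reply's IP ID (48305) and the probe's UDP checksum (0xAF84) are constructed sample values; the probe's IP ID 0x1042 and 300 bytes of 'C' follow the description above, and a reply quoting the whole probe reproduces the U1 line from the example.

```python
import struct
from typing import Dict


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for the constructed IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(total: int, ipid: int, frag: int, ttl: int, proto: int, src: str, dst: str) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ipid, frag, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_u1_probe(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed U1 probe: IP ID 0x1042 and 300 x 'C'; the UDP checksum is a fixed sample value."""
    udp = struct.pack("!HHHH", sport, dport, 308, 0xAF84) + b"C" * 300
    return ipv4_header(20 + len(udp), 0x1042, 0, 63, 17, src, dst) + udp


def build_port_unreachable(probe: bytes, quoted: int, unused: int = 0, df: bool = False) -> bytes:
    """Constructed ICMP type 3 / code 3 reply that quotes the first `quoted` bytes of the probe."""
    icmp = struct.pack("!BBHI", 3, 3, 0, unused) + probe[:quoted]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src, dst = ".".join(map(str, probe[16:20])), ".".join(map(str, probe[12:16]))
    return ipv4_header(20 + len(icmp), 48305, 0x4000 if df else 0, 64, 1, src, dst) + icmp


def u1_tests(probe: bytes, reply: bytes) -> Dict[str, str]:
    """The U1 response tests, computed from the raw bytes of the probe and the ICMP reply."""
    iplen, frag, ttl = struct.unpack("!H", reply[2:4])[0], struct.unpack("!H", reply[6:8])[0], reply[8]
    t = {"R": "Y", "DF": "Y" if frag & 0x4000 else "N", "T": "%X" % ttl, "IPL": "%X" % iplen}
    icmp = reply[(reply[0] & 0xF) * 4:]
    t["UN"] = "%X" % struct.unpack("!I", icmp[4:8])[0]   # RFC 792: must be zero; some devices set it
    rip = icmp[8:]                                       # the quoted probe: its IP header, then UDP
    riplen, ripid = struct.unpack("!HH", rip[2:6])
    t["RIPL"] = "G" if riplen == 0x148 else "%X" % riplen   # 0x148 = 328 = 20 IP + 8 UDP + 300 data
    t["RID"] = "G" if ripid == 0x1042 else "%X" % ripid
    ripsum = struct.unpack("!H", rip[10:12])[0]
    sent_ipsum = struct.unpack("!H", probe[10:12])[0]
    t["RIPCK"] = "G" if ripsum == sent_ipsum else "Z" if ripsum == 0 else "I"
    rudp = rip[(rip[0] & 0xF) * 4:]
    if len(rudp) < 8:
        raise ValueError("reply quotes less than the RFC 1122 minimum of IP header + 8 bytes")
    pihl = (probe[0] & 0xF) * 4
    sent_ucksum = struct.unpack("!H", probe[pihl + 6:pihl + 8])[0]
    rucksum = struct.unpack("!H", rudp[6:8])[0]
    t["RUCK"] = "G" if rucksum == sent_ucksum else "%X" % rucksum
    data = rudp[8:]
    t["RUD"] = "G" if data == b"C" * len(data) else "I"   # no quoted data at all also counts as G
    return t


def u1_line(tests: Dict[str, str]) -> str:
    return "U1(" + "%".join("%s=%s" % kv for kv in tests.items()) + ")"


if __name__ == "__main__":
    probe = build_u1_probe("192.168.20.80", "192.168.20.80", 50099, 30451)
    print(u1_line(u1_tests(probe, build_port_unreachable(probe, len(probe)))))
```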
3.7 IE
Example: IE(R=Y%DFI=N%T=40%CD=S). Two ICMP echo request packets are sent to the target host:
The first packet has the IP DF bit set, seq=295, tos=0x00, a random IP ID and a random ICMP request identifier.
SENT (15.2341s) ICMP [192.168.20.80 > 192.168.20.80 Echo request (type=8/code=9) id=49370 seq=295] IP [ver=4 ihl=5 tos=0x00 iplen=148 id=64156 flg=D foff=0 ttl=52 proto=1 csum=0xa1db]
The second packet is the same as the first except for tos=0x04, code=9 and seq+1.
SENT (15.2601s) ICMP [192.168.20.80 > 192.168.20.80 Echo request (type=8/code=0) id=49371 seq=296] IP [ver=4 ihl=5 tos=0x04 iplen=178 id=17595 foff=0 ttl=54 proto=1 csum=0x959b]
RCVD (15.2341s) ICMP [192.168.20.80 > 192.168.20.80 Echo request (type=8/code=9) id=49370 seq=295] IP [ver=4 ihl=5 tos=0x00 iplen=148 id=64156 flg=D foff=0 ttl=52 proto=1 csum=0xa1db]
RCVD (15.2341s) ICMP [192.168.20.80 > 192.168.20.80 Echo reply (type=0/code=9) id=49370 seq=295] IP [ver=4 ihl=5 tos=0x00 iplen=148 id=48305 foff=0 ttl=64 proto=1 csum=0x13c7]
RCVD (15.2601s) ICMP [192.168.20.80 > 192.168.20.80 Echo request (type=8/code=0) id=49371 seq=296] IP [ver=4 ihl=5 tos=0x04 iplen=178 id=17595 foff=0 ttl=54 proto=1 csum=0x959b]
RCVD (15.2601s) ICMP [192.168.20.80 > 192.168.20.80 Echo reply (type=0/code=0) id=49371 seq=296] IP [ver=4 ihl=5 tos=0x04 iplen=178 id=48312 foff=0 ttl=64 proto=1 csum=0x139e]
R: Y if both packets get a reply. The R value is only true (Y) if both probes elicit responses.
DFI:
/* DFI test values:
 * Y. Both set DF; (DF: don't fragment flag)
 * S. Both use the DF that the sender uses;
 * N. Both not set;
 * O. Other (both different from what the sender used).
 */
T: ttl (decimal 64 corresponds to hex 40)
CD:
/* ICMP Code value. Test values:
 * [Value]. Both set Code to the same value [Value];
 * S. Both use the Code that the sender uses;
 * O. Other.
 */
if (code1 == code2) {
    if (code1 == 0) CD = "Z";
    else CD = sprintf("%hX", code1);
} else if (code1 == 9 && code2 == 0) {   /* the codes the two probes were sent with */
    CD = "S";
} else {
    CD = "O";
}
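As an added example (not Nmap's own code), the R, DFI, T and CD tests computed from the two echo-reply trace lines quoted above; the regular expression assumes the packet-trace line format shown on this page, and the probe codes (9 for the first echo, 0 for the second, as the trace shows) are the values the CD logic compares against.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the two echo replies traced above (first probe sent with
# ICMP code 9 and DF set, second with code 0 and DF clear).
IE_REPLY_1 = ("RCVD (15.2341s) ICMP [192.168.20.80 > 192.168.20.80 Echo reply (type=0/code=9) id=49370 seq=295] "
              "IP [ver=4 ihl=5 tos=0x00 iplen=148 id=48305 foff=0 ttl=64 proto=1 csum=0x13c7]")
IE_REPLY_2 = ("RCVD (15.2601s) ICMP [192.168.20.80 > 192.168.20.80 Echo reply (type=0/code=0) id=49371 seq=296] "
              "IP [ver=4 ihl=5 tos=0x04 iplen=178 id=48312 foff=0 ttl=64 proto=1 csum=0x139e]")

ICMP_RE = re.compile(r"ICMP \[.*?\(type=(?P<type>\d+)/code=(?P<code>\d+)\).*?\] IP \[(?P<ip>[^\]]*)\]")


def parse_icmp(line: str) -> Dict:
    """Type, code, DF bit, TTL and IP ID of one ICMP packet-trace line."""
    m = ICMP_RE.search(line)
    if m is None:
        raise ValueError("not an ICMP packet-trace line: " + line)
    ip = dict(kv.split("=", 1) for kv in m.group("ip").split())
    return {"type": int(m.group("type")), "code": int(m.group("code")),
            "df": ip.get("flg") == "D", "ttl": int(ip["ttl"]), "ipid": int(ip["id"])}


def ie_tests(reply1: Optional[str], reply2: Optional[str],
             sent_codes: Tuple[int, int] = (9, 0)) -> Dict[str, str]:
    """R, DFI, T and CD from the two echo replies (only R=N when either is missing)."""
    if reply1 is None or reply2 is None:
        return {"R": "N"}
    r1, r2 = parse_icmp(reply1), parse_icmp(reply2)
    t = {"R": "Y"}
    if r1["df"] and r2["df"]:
        t["DFI"] = "Y"            # both replies set DF
    elif r1["df"] and not r2["df"]:
        t["DFI"] = "S"            # each reply mirrors the DF of the probe it answers
    elif not r1["df"] and not r2["df"]:
        t["DFI"] = "N"            # neither sets DF
    else:
        t["DFI"] = "O"
    t["T"] = "%X" % r1["ttl"]
    if r1["code"] == r2["code"]:
        t["CD"] = "Z" if r1["code"] == 0 else "%X" % r1["code"]   # same code in both: zero or that value
    elif (r1["code"], r2["code"]) == tuple(sent_codes):
        t["CD"] = "S"             # each reply echoes the code its probe was sent with
    else:
        t["CD"] = "O"
    return t


def ie_line(tests: Dict[str, str]) -> str:
    return "IE(" + "%".join("%s=%s" % kv for kv in tests.items()) + ")"


if __name__ == "__main__":
    print(ie_line(ie_tests(IE_REPLY_1, IE_REPLY_2)))   # IE(R=Y%DFI=N%T=40%CD=S)
```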