Nip Nop Mac OS

broken image


Nmap OS fingerprinting works by sending up to 16 TCP, UDP, and ICMPprobes to known open and closed ports of the target machine.These probes are specially designed to exploit various ambiguities inthe standard protocol RFCs. Then Nmap listens for responses. Dozens of attributes in those responses are analyzed andcombined to generate a fingerprint. Every probe packet is tracked andresent at least once if there is no response. All of the packets areIPv4 with a random IP ID value. Probes to an open TCP port are skippedif no such port has been found. For closed TCP or UDP ports, Nmapwill first check if such a port has been found. If not, Nmap willjust pick a port at random and hope for the best.

But the last official release of nopCommerce is 3.90, which is targeting.NET Framework 4.5.1. And if you want to run it on mac, definitely you cannot. But now as nopCommerce team announced upcoming version with.NET Core, yes you will be able to run it on mac too! You can try to clone your project from GitHub/nopCommerce. But the last official release of nopCommerce is 3.90, which is targeting.NET Framework 4.5.1. And if you want to run it on mac, definitely you cannot. But now as nopCommerce team announced upcoming version with.NET Core, yes you will be able to run it on mac too! You can try to clone your project from GitHub/nopCommerce.

The following sections are highly technical and reveal thehidden workings of Nmap OS detection. Nmap can be used effectivelywithout understanding this, though the material can help you betterunderstand remote networks and also detect and explain certainanomalies. Plus, some of the techniques are pretty cool. Readers ina hurry may skip to the section called 'Dealing with Misidentified and Unidentified Hosts'. Butfor those of you who are ready for a journey through TCP explicitcongestion notification, reserved UDP header bits, initial sequencenumbers, bogus flags, and Christmas tree packets: read on!

Even the best of us occasionally forget byte offsets for packetheader fields and flags. For quick reference, the IPv4, TCP, UDP, and ICMP header layouts can be found in the section called 'TCP/IP Reference'. The layout for ICMP echo request and destination unreachable packets are shown in Figure 8.1 and Figure 8.2.

Figure 8.1. ICMP echo request or reply header layout


Figure 8.2. ICMP destination unreachable header layout


This section describes each IP probe sent by Nmap as part ofTCP/IP fingerprinting. It refers to Nmap response tests and TCP options which are explained in the following section.

A series of six TCP probes is sent to generate these four test response lines. The probes are sent exactly 100 milliseconds apart so the total time taken is 500 ms. Exact timing is important as some of the sequence algorithms we detect (initial sequence numbers, IP IDs, and TCP timestamps) are time dependent. This timing value was chosen to take 500 ms so that we can reliably detect the common 2 Hz TCP timestamp sequences.

Each probe is a TCP SYN packet to a detected open port on the remote machine. The sequence and acknowledgment numbers are random (but saved so Nmap can differentiate responses). Detection accuracy requires probe consistency, so there is no data payload even if the user requested one with --data-length.

These packets vary in the TCP options they use and the TCP window field value. The following list provides the options and values for all six packets. The listed window field values do not reflect window scaling. EOL is the end-of-options-list option, which many sniffing tools don't show by default.

  • Packet #1: window scale (10), NOP, MSS (1460), timestamp (TSval: 0xFFFFFFFF; TSecr: 0), SACK permitted. The window field is 1.

  • Packet #2: MSS (1400), window scale (0), SACK permitted, timestamp (TSval: 0xFFFFFFFF; TSecr: 0), EOL. The window field is 63.

  • Packet #3: Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), NOP, NOP, window scale (5), NOP, MSS (640). The window field is 4.

  • Packet #4: SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), window scale (10), EOL. The window field is 4.

  • Packet #5: MSS (536), SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), window scale (10), EOL. The window field is 16.

  • Packet #6: MSS (265), SACK permitted, Timestamp (TSval: 0xFFFFFFFF; TSecr: 0). The window field is 512.

The resultsof these tests include four result category lines. The first,SEQ, contains results based on sequence analysisof the probe packets. These test results are GCD,SP, ISR, TI,II, TS, andSS.The next line, OPScontains the TCP options received for each of the probes (the test namesareO1 through 06).Similarly, the WIN line contains window sizes for the probe responses (namedW1 through W6).The final line related to these probes,T1, contains various test values for packet #1.Those results are for the R, DF,T, TG, W,S, A, F,O, RD, and Qtests.These tests are only reported for the first probe since they are almost always the same for each probe.

The IE test involves sending two ICMP echo request packets to the target. The first one has the IP DF bit set, a type-of-service (TOS) byte value of zero, a code of nine (even though it should be zero), the sequence number 295, a random IP ID and ICMP request identifier, and 120 bytes of 0x00 for the data payload.

The second ping query is similar, except a TOS of four (IP_TOS_RELIABILITY) is used, the code is zero, 150 bytes of data is sent, and the ICMP request ID and sequence numbers are incremented by one from the previous query values.

The results of both of these probes are combined into a IE line containing the R, DFI, T, TG, and CD tests. The R value is only true (Y) if both probes elicit responses. The T, and CD values are for the response to the first probe only, since they are highly unlikely to differ. DFI is a custom test for this special dual-probe ICMP case.

These ICMP probes follow immediately after the TCP sequence probes to ensure valid results of the shared IP ID sequence number test (see the section called 'Shared IP ID sequence Boolean (SS)').

This probe tests for explicit congestion notification (ECN) support in the target TCP stack. ECN is a method for improving Internet performance by allowing routers to signal congestion problems before they start having to drop packets. It is documented in RFC 3168. Nmap tests this by sending a SYN packet which also has the ECN CWR and ECE congestion control flags set. For an unrelated (to ECN) test, the urgent field value of 0xF7F5 is used even though the urgent flag is not set. The acknowledgment number is zero, sequence number is random, window size field is three, and the reserved bit which immediately precedes the CWR bit is set. TCP options are WScale (10), NOP, MSS (1460), SACK permitted, NOP, NOP. The probe is sent to an open port.

If a response is received, the R, DF, T, TG, W, O, CC, and Q tests are performed and recorded.

The six T2 through T7 tests each send one TCP probe packet. With one exception, the TCP options data in each case is (in hex) 03030A0102040109080AFFFFFFFF000000000402. Those 20 bytes correspond to window scale (10), NOP, MSS (265), Timestamp (TSval: 0xFFFFFFFF; TSecr: 0), then SACK permitted. The exception is that T7 uses a Window scale value of 15 rather than 10. The variable characteristics of each probe are described below:

  • T2 sends a TCP null (no flags set) packet with the IP DF bit set and a window field of 128 to an open port.

  • T3 sends a TCP packet with the SYN, FIN, URG, and PSH flags set and a window field of 256 to an open port. The IP DF bit is not set.

  • T4 sends a TCP ACK packet with IP DF and a window field of 1024 to an open port.

  • T5 sends a TCP SYN packet without IP DF and a window field of 31337 to a closed port.

  • T6 sends a TCP ACK packet with IP DF and a window field of 32768 to a closed port.

  • T7 sends a TCP packet with the FIN, PSH, and URG flags set and a window field of 65535 to a closed port. The IP DF bit is not set.

Nip Nop Mac OS

In each of these cases, a line is added to the fingerprint withresults for the R, DF,T, TG, W,S, A, F,O, RD, and Qtests.

This probe is a UDP packet sent to a closed port. The character ‘C' (0x43) is repeated 300 times for the data field. The IP ID value is set to 0x1042 for operating systems which allow us to set this. If the port is truly closed and there is no firewall in place, Nmap expects to receive an ICMP port unreachable message in return. That response is then subjected to the R, DF, T, TG, IPL, UN, RIPL, RID, RIPCK, RUCK, and RUD Boardroom blitz mac os. tests.

The previous section describes probes sent by Nmap, and thisone completes the puzzle by describing the barrage of tests performedon responses. The short names (such as DF,R, and RIPCK) are those used in thenmap-os-dbfingerprint database to save space. Allnumerical test values are given in hexadecimal notation, withoutleading zeros, unless noted otherwise. The tests are documented in roughly the order they appear in fingerprints.

The SEQ test sends six TCP SYN packets to anopen port of the target machine and collects SYN/ACK packets back.Each of these SYN/ACK packets contains a 32-bit initial sequencenumber (ISN). This test attempts to determine the smallest number bywhich the target host increments these values. For example, manyhosts (especially old ones) always increment the ISN in multiples of64,000.

The first step in calculating this is creating an array ofdifferences between probe responses. The first element is thedifference between the 1st and 2nd probe response ISNs. The secondelement is the difference between the 2nd and 3rd responses. Thereare five elements if Nmap receives responses to all six probes. Sincethe next couple of sections reference this array, we will call itdiff1. If an ISN is lower than the previous one,Nmap looks at both the number of values it would have to subtract fromthe first value to obtain the second, and the number of values itwould have to count up (including wrapping the 32-bit counter back tozero). The smaller of those two values is stored indiff1. So the difference between 0x20000 followedby 0x15000 is 0xB000. The difference between 0xFFFFFF00 and 0xC000 is0xC0FF. This test value then records the greatest common divisorof all those elements. This GCD is also used forcalculating the SP result.

This value reports the average rate of increase for the returnedTCP initial sequence number. Recall that a difference is taken between each twoconsecutive probe responses and stored in the previously discusseddiff1 array. Those differences are each divided bythe amount of time elapsed (in seconds—will generally be about 0.1)between sending the two probes which generated them. The result isan array, which we'll call seq_rates containing the rates of ISN counter increases per second. The array has one element for each diff1 value. An average is taken of the array values. If that average is less than one (e.g. a constant ISN isused), ISR is zero. OtherwiseISR is eight times the binary logarithm (log base-2) of thataverage value, rounded to the nearest integer.

While the ISR test measures the average rateof initial sequence number increments, this value measures the ISNvariability. It roughly estimates how difficult it would be topredict the next ISN from the known sequence of six probe responses.The calculation uses the difference array (seq_rates)and GCD values discussed in the previous section.

This test is only performed if at least four responses were seen.If the previously computed GCD value is greaterthan nine, the elements of the previously computedseq_rates array are divided by that value. Wedon't do the division for smaller GCD values because those are usuallycaused by chance. A standarddeviation of the array of the resultant values is then taken.If the result is one or less, SP is zero.Otherwise the binary logarithm of the result is computed, then it ismultiplied by eight, rounded to the nearest integer, and stored asSP.

Please keep in mind that this test is only done for OSdetection purposes and is not a full-blown audit of the target ISNgenerator. There are many algorithm weaknesses that lead to easypredictability even with a high SP value.

There are three tests that examine the IP header ID field ofresponses. TI is based on responses to the TCPSEQ probes. CI is from theresponses to the three TCP probes sent to a closed port:T5, T6, and T7.II comes from the ICMP responses to the twoIE ping probes. For TI, at leastthree responses must be received for the test to be included; forCI, at least two responses are required; and forII, both ICMP responses must be received.

For each of these tests, the target's IP ID generation algorithmis classified based on the algorithm below. Minor differences betweentests are noted. Note that difference values assume thatthe counter can wrap. So the difference between an IP ID of 65,100followed by a value of 700 is 1,136. The difference between 2,000followed by 1,100 is 64,636. Here are the calculation details:

  1. If all of the ID numbers are zero, the value of the test is Z.

  2. If the IP ID sequence ever increases by at least 20,000, the value is RD (random). This result isn't possible for II because there are not enough samples to support it.

  3. If all of the IP IDs are identical, the test is set to that value in hex.

  4. If any of the differences between two consecutive IDs exceeds 1,000, and is not evenly divisible by 256, the test's value is RI (random positive increments). If the difference is evenly divisible by 256, it must be at least 256,000 to cause this RI result.

  5. If all of the differences are divisible by 256 and no greater than 5,120, the test is set to BI (broken increment). This happens on systems like Microsoft Windows where the IP ID is sent in host byte order rather than network byte order. It works fine and isn't any sort of RFC violation, though it does give away host architecture details which can be useful to attackers.

  6. If all of the differences are less than ten, the value is I (incremental). We allow difference up to ten here (rather than requiring sequential ordering) because traffic from other hosts can cause sequence gaps.

  7. If none of the previous steps identify the generation algorithm, the test is omitted from the fingerprint.

This Boolean value records whether the target shares its IP ID sequencebetween the TCP and ICMP protocols. If our six TCP IP ID values are117, 118, 119, 120, 121, and 122, then our ICMP results are 123 and 124,it is clear that not only are both sequences incremental, but they areboth part of the same sequence. If, on the other hand, the TCP IP IDvalues are 117–122 but the ICMP values are 32,917 and 32,918, twodifferent sequences are being used.

This test is only included if II isRI, BI, or Iand TI is the same. If SS isincluded, the result is S if the sequence is sharedand O (other) if it is not. That determination ismade by the following algorithm:

Let avg be the final TCP sequence responseIP ID minus the first TCP sequence response IP ID, divided by thedifference in probe numbers. If probe #1 returns an IP ID of 10,000and probe #6 returns 20,000, avg would be (20,000 −10,000) / (6 − 1), which equals 2,000.

If the first ICMP echo response IP ID is less than the final TCPsequence response IP ID plus three times avg, theSS result is S. Otherwise it isO.

TS is another test which attempts todetermine target OS characteristics based on how it generates aseries of numbers. This one looks at the TCP timestamp option (ifany) in responses to the SEQ probes. It examinesthe TSval (first four bytes of the option) rather than the echoedTSecr (last four bytes) value. It takes the difference between eachconsecutive TSval and divides that by the amount of time elapsedbetween Nmap sending the two probes which generated those responses.The resultant value gives a rate of timestamp increments per second.Nmap computes the average increments per second over all consecutiveprobes and then calculates the TS asfollows:

  1. If any of the responses have no timestamp option, TS is set to U (unsupported).

  2. If any of the timestamp values are zero, TS is set to 0.

  3. If the average increments per second falls within the ranges 0-5.66, 70-150, or 150-350, TS is set to 1, 7, or 8, respectively. These three ranges get special treatment because they correspond to the 2 Hz, 100 Hz, and 200 Hz frequencies used by many hosts.

  4. In all other cases, Nmap records the binary logarithm of the average increments per second, rounded to the nearest integer. Since most hosts use 1,000 Hz frequencies, A is a common result.

Mac

In each of these cases, a line is added to the fingerprint withresults for the R, DF,T, TG, W,S, A, F,O, RD, and Qtests.

This probe is a UDP packet sent to a closed port. The character ‘C' (0x43) is repeated 300 times for the data field. The IP ID value is set to 0x1042 for operating systems which allow us to set this. If the port is truly closed and there is no firewall in place, Nmap expects to receive an ICMP port unreachable message in return. That response is then subjected to the R, DF, T, TG, IPL, UN, RIPL, RID, RIPCK, RUCK, and RUD Boardroom blitz mac os. tests.

The previous section describes probes sent by Nmap, and thisone completes the puzzle by describing the barrage of tests performedon responses. The short names (such as DF,R, and RIPCK) are those used in thenmap-os-dbfingerprint database to save space. Allnumerical test values are given in hexadecimal notation, withoutleading zeros, unless noted otherwise. The tests are documented in roughly the order they appear in fingerprints.

The SEQ test sends six TCP SYN packets to anopen port of the target machine and collects SYN/ACK packets back.Each of these SYN/ACK packets contains a 32-bit initial sequencenumber (ISN). This test attempts to determine the smallest number bywhich the target host increments these values. For example, manyhosts (especially old ones) always increment the ISN in multiples of64,000.

The first step in calculating this is creating an array ofdifferences between probe responses. The first element is thedifference between the 1st and 2nd probe response ISNs. The secondelement is the difference between the 2nd and 3rd responses. Thereare five elements if Nmap receives responses to all six probes. Sincethe next couple of sections reference this array, we will call itdiff1. If an ISN is lower than the previous one,Nmap looks at both the number of values it would have to subtract fromthe first value to obtain the second, and the number of values itwould have to count up (including wrapping the 32-bit counter back tozero). The smaller of those two values is stored indiff1. So the difference between 0x20000 followedby 0x15000 is 0xB000. The difference between 0xFFFFFF00 and 0xC000 is0xC0FF. This test value then records the greatest common divisorof all those elements. This GCD is also used forcalculating the SP result.

This value reports the average rate of increase for the returnedTCP initial sequence number. Recall that a difference is taken between each twoconsecutive probe responses and stored in the previously discusseddiff1 array. Those differences are each divided bythe amount of time elapsed (in seconds—will generally be about 0.1)between sending the two probes which generated them. The result isan array, which we'll call seq_rates containing the rates of ISN counter increases per second. The array has one element for each diff1 value. An average is taken of the array values. If that average is less than one (e.g. a constant ISN isused), ISR is zero. OtherwiseISR is eight times the binary logarithm (log base-2) of thataverage value, rounded to the nearest integer.

While the ISR test measures the average rateof initial sequence number increments, this value measures the ISNvariability. It roughly estimates how difficult it would be topredict the next ISN from the known sequence of six probe responses.The calculation uses the difference array (seq_rates)and GCD values discussed in the previous section.

This test is only performed if at least four responses were seen.If the previously computed GCD value is greaterthan nine, the elements of the previously computedseq_rates array are divided by that value. Wedon't do the division for smaller GCD values because those are usuallycaused by chance. A standarddeviation of the array of the resultant values is then taken.If the result is one or less, SP is zero.Otherwise the binary logarithm of the result is computed, then it ismultiplied by eight, rounded to the nearest integer, and stored asSP.

Please keep in mind that this test is only done for OSdetection purposes and is not a full-blown audit of the target ISNgenerator. There are many algorithm weaknesses that lead to easypredictability even with a high SP value.

There are three tests that examine the IP header ID field ofresponses. TI is based on responses to the TCPSEQ probes. CI is from theresponses to the three TCP probes sent to a closed port:T5, T6, and T7.II comes from the ICMP responses to the twoIE ping probes. For TI, at leastthree responses must be received for the test to be included; forCI, at least two responses are required; and forII, both ICMP responses must be received.

For each of these tests, the target's IP ID generation algorithmis classified based on the algorithm below. Minor differences betweentests are noted. Note that difference values assume thatthe counter can wrap. So the difference between an IP ID of 65,100followed by a value of 700 is 1,136. The difference between 2,000followed by 1,100 is 64,636. Here are the calculation details:

  1. If all of the ID numbers are zero, the value of the test is Z.

  2. If the IP ID sequence ever increases by at least 20,000, the value is RD (random). This result isn't possible for II because there are not enough samples to support it.

  3. If all of the IP IDs are identical, the test is set to that value in hex.

  4. If any of the differences between two consecutive IDs exceeds 1,000, and is not evenly divisible by 256, the test's value is RI (random positive increments). If the difference is evenly divisible by 256, it must be at least 256,000 to cause this RI result.

  5. If all of the differences are divisible by 256 and no greater than 5,120, the test is set to BI (broken increment). This happens on systems like Microsoft Windows where the IP ID is sent in host byte order rather than network byte order. It works fine and isn't any sort of RFC violation, though it does give away host architecture details which can be useful to attackers.

  6. If all of the differences are less than ten, the value is I (incremental). We allow difference up to ten here (rather than requiring sequential ordering) because traffic from other hosts can cause sequence gaps.

  7. If none of the previous steps identify the generation algorithm, the test is omitted from the fingerprint.

This Boolean value records whether the target shares its IP ID sequencebetween the TCP and ICMP protocols. If our six TCP IP ID values are117, 118, 119, 120, 121, and 122, then our ICMP results are 123 and 124,it is clear that not only are both sequences incremental, but they areboth part of the same sequence. If, on the other hand, the TCP IP IDvalues are 117–122 but the ICMP values are 32,917 and 32,918, twodifferent sequences are being used.

This test is only included if II isRI, BI, or Iand TI is the same. If SS isincluded, the result is S if the sequence is sharedand O (other) if it is not. That determination ismade by the following algorithm:

Let avg be the final TCP sequence responseIP ID minus the first TCP sequence response IP ID, divided by thedifference in probe numbers. If probe #1 returns an IP ID of 10,000and probe #6 returns 20,000, avg would be (20,000 −10,000) / (6 − 1), which equals 2,000.

If the first ICMP echo response IP ID is less than the final TCPsequence response IP ID plus three times avg, theSS result is S. Otherwise it isO.

TS is another test which attempts todetermine target OS characteristics based on how it generates aseries of numbers. This one looks at the TCP timestamp option (ifany) in responses to the SEQ probes. It examinesthe TSval (first four bytes of the option) rather than the echoedTSecr (last four bytes) value. It takes the difference between eachconsecutive TSval and divides that by the amount of time elapsedbetween Nmap sending the two probes which generated those responses.The resultant value gives a rate of timestamp increments per second.Nmap computes the average increments per second over all consecutiveprobes and then calculates the TS asfollows:

  1. If any of the responses have no timestamp option, TS is set to U (unsupported).

  2. If any of the timestamp values are zero, TS is set to 0.

  3. If the average increments per second falls within the ranges 0-5.66, 70-150, or 150-350, TS is set to 1, 7, or 8, respectively. These three ranges get special treatment because they correspond to the 2 Hz, 100 Hz, and 200 Hz frequencies used by many hosts.

  4. In all other cases, Nmap records the binary logarithm of the average increments per second, rounded to the nearest integer. Since most hosts use 1,000 Hz frequencies, A is a common result.

This test records the TCP header options in a packet. Itpreserves the original ordering and also provides some informationabout option values. Because RFC 793 doesn'trequire any particular ordering, implementations often come up withunique orderings. Some platforms don't implement all options (they are, of course, optional). When you combine all of those permutations with thenumber of different option values that implementations use, this testprovides a veritable trove of information. The value for this test isa string of characters representing the options being used. Several options take arguments that comeimmediately after the character. Supported options and arguments areall shown in Table 8.1.

Table 8.1. O test values

Option NameCharacterArgument (if any)
End of Options List (EOL)L
No operation (NOP)N
Maximum Segment Size (MSS)MThe value is appended. Many systems echo the value used in the corresponding probe.
Window Scale (WS)WThe actual value is appended.
Timestamp (TS)TThe T is followed by two binary characters representing the TSval and TSecr values respectively. The characters are 0 if the field is zero and 1 otherwise.
Selective ACK permitted (SACK)S

As an example, the string M5B4NW3NNT11 means thepacket includes the MSS option (value 0x5B4) followed by a NOP. Nextcomes a window scale option with a value of three, then two moreNOPs. The final option is a timestamp, and neither of its two fieldswere zero. If there are no TCP options in a response, the test will exist but the value string will be empty. If no probe was returned, the test is omitted.

While this test is generally named O, the sixprobes sent for sequence generation purposes are a special case.Those are inserted into the special OPS test line andtake the names O1 through O6 to distinguish which probe packet they relate to. The 'O' stands for 'options'.Despite the different names, each test O1 through O6 is processed exactly the same way as the other O tests.

This test simply records the 16-bit TCP window size of the receivedpacket. It is quite effective, since there are more than 80values that at least one OS is known to send. A down side is thatsome operating systems have more than a dozen possible values by themselves. This leads to false negative results until we collect all of the possible window sizes used by an operating system.

While this test is generally named W, the sixprobes sent for sequence generation purposes are a special case. Thoseare inserted into aspecial WIN test line and take the namesW1 through W6. The window size isrecorded for all of the sequence number probes because they differ inTCP MSS option values, which causes some operatingsystems to advertise a different window size. Despite the differentnames, each test is processed exactly the same way.

This test simply records whether the target responded to a given probe. Possible values are Y and N. If there is no reply, remaining fields for the test are omitted.

A risk with this test involves probes that aredropped by a firewall. This leads to R=N in thesubject fingerprint. Yet the reference fingerprint innmap-os-db may have R=Y if thetarget OS usually replies. Thus the firewall could prevent proper OSdetection. To reduce this problem, reference fingerprints generally omitthe R=Y test from the IE andU1 probes, which are the ones most likely to bedropped. In addition, if Nmap is missing a closed TCPport for a target, it will not setR=N for the T5, T6, or T7 tests even if the port it tries is non-responsive.After all, the lack of a closed port may be because they are allfiltered.

The IP header contains a single bit which forbids routers fromfragmenting a packet. If the packet is too large for routers tohandle, they will just have to drop it (and ideally return a'destination unreachable, fragmentation needed'response). This test records Y if the bit is set,and N if it isn't.

This is simply a modified version of the DFtest that is used for the special IE probes. Itcompares results of the don't fragment bit for the two ICMP echorequest probes sent. It has four possible values, which areenumerated in Table 8.2.

Table 8.2. DFI test values

ValueDescription
NNeither of the ping responses have the DF bit set.
SBoth responses echo the DF value of the probe.
YBoth of the response DF bits are set.
OThe one remaining other combination—both responses have the DF bit toggled.

IP packets contain a field named time-to-live (TTL) which isdecremented every time they traverse a router. If the field reaches zero, the packet must be discarded.This prevents packets from looping endlessly. Because operatingsystems differ on which TTL they start with, it can be used for OSdetection. Nmap determines how many hops away it is from the targetby examining the ICMP port unreachable response to theU1 probe. That response includes the original IPpacket, including the already-decremented TTL field, received by thetarget. By subtracting that value from our as-sent TTL, we learn howmany hops away the machine is. Nmap then adds thathop distanceto the probe response TTL to determine what the initial TTL was when thatICMP probe response packet was sent. That initial TTL value is storedin the fingerprint as the T result.

Even though an eight-bit field like TTL can never hold valuesgreater than 0xFF, this test occasionally results in values of 0x100or higher. This occurs when a system (could be the source, a target,or a system in between) corrupts or otherwise fails to correctlydecrement the TTL. It can also occur due to asymmetricroutes.

Nmap can also learn from the system interface and routing tables when the hop distance is zero (localhost scan) or one (on the same network segment). This value is used when Nmap prints the hop distance for the user, but it is not used for T result computation.

It is not uncommon for Nmap to receive no response to theU1 probe, which prevents Nmap from learning how manyhops away a target is. Firewalls and NAT devices love to block unsolicited UDP packets. But since common TTL values are spread wellapart and targets are rarely more than 20 hops away, Nmap can make apretty good guess anyway. Most systems send packets with an initial TTL of 32, 60, 64,128, or 255. So the TTL value received in the response is rounded upto the next value out of 32, 64, 128, or 255. 60 is not in that listbecause it cannot be reliably distinguished from 64. It is rarely seenanyway. The resulting guess is stored in theTG field. This TTL guess field is not printed in asubject fingerprint if the actual TTL (T) valuewas discovered.

This test is only used for the ECN probe. That probe is a SYN packetwhich includes the CWR and ECE congestion control flags. When the response SYN/ACK is received, those flags are examined to set the CC (congestion control) test value as described in Table 8.3.

Table 8.3. CC test values

ValueDescription
YOnly the ECE bit is set (not CWR). This host supports ECN.
NNeither of these two bits is set. The target does not support ECN.
SBoth bits are set. The target does not support ECN, but it echoes back what it thinks is a reserved bit.
OThe one remaining combination of these two bits (other).

This tests for two quirks that a few implementations havein their TCP stack. The first is that the reserved field in the TCPheader (right after the header length) is nonzero. This isparticularly likely to happen in response to the ECNtest as that one sets a reserved bit in the probe. If this is seen in apacket, an 'R' is recorded in the Q string.

The other quirk Nmap tests for is a nonzero urgent pointer fieldvalue when the URG flag is not set. This is also particularly likelyto be seen in response to the ECN probe, which sets anon-zero urgent field. A 'U' is appended to the Qstring when this is seen.

The Q string must always be generated in alphabetical order.If no quirks are present, the Q test is empty but stillshown.

This test examines the 32-bit sequence number field in the TCPheader. Rather than record the field value as some other tests do,this one examines how it compares to the TCP acknowledgment numberfrom the probe that elicited the response. It then records theappropriate value as shown in Table 8.4.

Table 8.4. S test values

ValueDescription
ZSequence number is zero.
ASequence number is the same as the acknowledgment number in the probe.
A+Sequence number is the same as the acknowledgment number in the probe plus one.
OSequence number is something else (other).

This test is the same as S except that it tests how the acknowledgment number in the response compares to the sequence number in the respective probe. The four possible values are given in Table 8.5.

Table 8.5. A test values

ValueDescription
ZAcknowledgment number is zero.
SAcknowledgment number is the same as the sequence number in the probe.
S+Acknowledgment number is the same as the sequence number in the probe plus one.
OAcknowledgment number is something else (other).

This field records the TCP flags in the response. Each letter representsone flag, and they occur in the same order as in a TCP packet (from high-bit on the left, to the low ones). So the value AS represents the ACK and SYN bits set, while the value SA is illegal (wrong order). The possible flags are shown in Table 8.6.

Table 8.6. F test values

CharacterFlag nameFlag byte value
EECN Echo (ECE)64
UUrgent Data (URG)32
AAcknowledgment (ACK)16
PPush (PSH)8
RReset (RST)4
SSynchronize (SYN)2
FFinal (FIN)1

Some operating systems return ASCII data such as error messages inreset packets. This is explicitly allowed by section 4.2.2.12 ofRFC 1122. When Nmapencounters such data, it performs a CRC32 checksum and reports theresults. When there is no data, RD is set to zero.Some of the few operating systems that may return data in their resetpackets are HP-UX and versions of Mac OS prior to Mac OS X.

This test records the total length (in octets) of an IP packet.It is only used for the port unreachable response elicited by theU1 test. That length varies by implementationbecause they are allowed to choose how much data from the originalprobe to include, as long as they meet the minimum RFC 1122 requirement.That requirement is to include the original IP header and at least eightbytes of data.

An ICMP port unreachable message header is eight bytes long, but only the first four are used. RFC 792 states that the last four bytes must be zero. A few implementations (mostly ethernet switches and some specialized embedded devices) set it anyway. The value of those last four bytes is recorded in this field.

ICMP port unreachable messages (as are sent in response to theU1 probe) are required to include the IP headerwhich generated them. This header should be returned just as theyreceived it, but some implementations send back a corrupted versiondue to changes they made during IP processing. This test simplyrecords the returned IP total length value. If the correctvalue of 0x148 (328) is returned, the value G (for good) is stored instead of the actual value.

The U1 probe has a static IP ID value of0x1042. If that value is returned in the port unreachable message,the value G is stored for this test. Otherwise theexact value returned is stored. Some systems, such as Solaris,manipulate IP ID values for raw IP packets that Nmap sends. In suchcases, this test isskipped. We have found that some systems,particularly HP and Xerox printers, flip the bytes and return 0x4210instead.

Integrity of returned probe IP checksum value (RIPCK)

The IP checksum is one value that we don'texpect to remain the same when returned in a port unreachable message.After all, each network hop during transit changes the checksum as the TTLis decremented. However, the checksum we receive should match theenclosing IP packet. If it does, the value G(good) is stored for this test. If the returned value is zero, then Z is stored. Otherwise the result is I(invalid).

The UDP header checksum value should be returned exactly as it was sent. If it is, G is recorded for this test. Otherwise the value actually returned is recorded.

This test checks the integrity of the (possibly truncated)returned UDP payload. If all the payload bytes are the expected‘C' (0x43), or if the payload was truncated to zero length,G is recorded; otherwise, I(invalid) is recorded.

The code value of an ICMP echo reply (type zero) packet issupposed to be zero. But some implementations wrongly send othervalues, particularly if the echo request has a nonzero code (as one ofthe IE tests does). The response code values for thetwo probes are combined into a CD value asdescribed in Table 8.7.

Table 8.7. CD test values

ValueDescription
ZBoth code values are zero.
SBoth code values are the same as in the corresponding probe.
When they both use the same non-zero number, it is shown here.
OAny other combination.

February 02, 2021Andrew Miller

Nowadays people are used to expressing themself via pictures and videos. Compared to taking notes, taking a screenshot or recording a video is more efficient. Can I take a screenshot on Mac? Is there a Snipping Tool also available on Mac? Well, the answer is definitely Yes.

Snipping tools are not limited in Windows operating system, but works well on macOS and other operating platforms. This post will share the top 5 Snipping Tool Alternatives for Mac. You can use them as convenient as on Windows computer.

  • Top 1. Best Snipping Tool for Mac
  • Top 2. Default Snipping Toolc
  • Top 3. Grab for Mac
  • Top 4. Skitch for Mac
  • Top 5. Jing for Mac
  • Top 6. Snagit for Mac
  • FAQs of Snipping Tool for Mac

Top 1. Best Snipping Tool for Mac

Aiseesoft Mac Screen Recorder is the best Mac Snipping Tool that enables you to record screen and take screenshot with keyboard shortcuts on your Mac. Besides acting as a snipping tool, it also works as a good video game recorder, Skype call recorder, YouTube video recorder, audio recorder, webcam recorder, etc. After screenshot, you can edit the pictures like adding text, arrow, color paints, etc.

  • Professional snipping tool to capture pictures from Mac screen with keyboard shortcut.
  • Equipped with key editing functions to make a screenshot and add text as you want.
  • Save the screenshot as PNG, JPEG, BMP, GIF, TIFF, etc. according to your need.
  • Record online videos/audio from YouTube, Facebook, Vimeo, DailyMotion, TED, etc.

Step 1 Click the download button above to free download and install the Snipping Tool on your Mac. Open it and then choose the Screen Capture option.

Step 2 Then you can select the screenshot area to take a screenshot on Mac. This snipping tool for Mac also supports keyboard shortcuts.

Step 3 After capturing, you can add different labels the screenshot. Then click Save button to save the snapshot on your Mac.

Top 2. Default Snipping Tool

Apple did offer snipping tool with keyboard shortcuts. You can capture the entire screen, a window or a portion of screen. Follow the tips to take screenshot on Mac with keyboard shortcuts.

To take a screenshot, you need to hold Shift + Command + 3 at the same time. Then click on the thumbnail of the screen, edit or save the screenshot to Mac.

To capture a portion of your screen, just press and hold Shift + Command + 4 together. Then drag the crosshair to select the screen you want to capture. Release the mouse to save the screenshot.

To capture a window, press and hold Shift + Command + 4 + Space bar until you see the camera icon. Then click the window to take a keyboard screenshot.

With the built-in snipping tool, all the screenshots will be saved as PNG file on your Mac desktop. You can also change the default location of screenshots in macOS Mojave or later.

Top 3. Grab for Mac

Grab is the default snipping tool for Mac. This free utility lets you capture the entire computer screen, a single window, or a selection of the screen. To use this free tool, you can open Applications, select Utilities and choose Grab. You can save the screenshots in JPEG, PNG, TIFF. (What if screenshot cannot be saved on Mac?)

Pros:

It is easy to capture active windows on Mac.

Capture a timed windows on your Mac.

This snipping tool for Mac gives support for keyboard shortcut.

Cons:

It only works on macOS High Sierra.

No editing features in this snipping tool.

Top 4. Skitch for Mac

Skitch for Mac is a lightweight snipping tool for capturing, editing and sharing screenshots. You can take a full screen capture, select one window or a portion of a window. You can use the useful keyboard shortcuts to capture Crosshair snapshot, Fullscreen snapshot, Window snapshot or Camera snapshot easily. All the Skitch images are saved in PNG, JPG, GIF, TIFF and BMP formats. This free utility makes it simple to annotate, resize images, add shapes, lines, arrows and watermark.

Pros:

The Timed Screen Snap option lets you take a timed screenshot.

Provide editing and markup tools to edit the screenshot on Mac.

Users can add annotation, watermark and resize the screenshot. (Want to resize JPG?)

Cons:

The interface is not intuitive and convenient to use.

Nip Nop Mac Os X

Can't share to Evernote or record video.

Top 5. Jing for Mac

Jing for Mac is a lightweight snipping tool that allows users to take screenshot, record screencast and share them to Facebook. With the easy-to-use and fantastic interface, Jing lets you record or snap a specific part of your screen and add text, colors and small graphics. Every action will be recorded to the history list. Once the screenshot has been taken, it will save the it as a PNG image. (Want to crop screenshot on Mac?)

Pros:

It is easy for a new user to take a screenshot on Mac.

Jing is free up to 2GB of online storage space.

Cons:

There are 5 minutes' limit if you want to record longer video.

The only output video format captured by Jing is SWF format. (Find ways to convert SWF to MP4)

Top 6. Snagit for Mac

Snagit for Mac is a comprehensive snipping tool that lets you capture screenshots and videos anytime you want. It is equipped with a handful of editing tools to shape and enhance screenshots. Snagit is devoted to benefit anyone with the powerful functions no matter he is a journalist, gamer or presenter. After clipping an image, there multiple format choices to choose from JPG, GIF, BMP, PDF, PSD, and others.

Pros:

Users can adjust the color, highlight, add watermark or blurs after snipping.

After capturing, you can upload it to YouTube, Facebook or Twitter.

You can use a single hotkey/keyboard shortcut or a click to get a quick screenshot.

Cons:

It doesn't support webcam recording or audio recording. (Find best webcam recorder here)

The video recording function lags than other software.

To get updates for a new version, users are required to purchase it again.

FAQs of Snipping Tool for Mac

How do I access the Snipping Tool?

To open Snipping Tool on Windows 10, you can click Start button, search Snipping Tool and select it in the search results.

How do you cut a picture on Mac?

With the built-in editing tools in Photos, you can edit your photos on Mac like a pro. Open your picture and drag the selection rectangle by its edges or corners.

How do you blur a picture in Snipping Tool?

You can use the Smooth filter or the Pixelate feature in Snagit to blur photos. Set the smooth filter with 25% intensity, and draw a box around the area of the picture you want to blur out.

Conclusion

We mainly introduced the top 5 Snipping Tool alternative for Mac. Snipping Tool is not only limited in Windows operating system but works well on macOS. Start taking screenshot with the Snipping Tool you desire. Aiseesoft Mac Screen Recorder is the best Snipping Tool with keyboard shortcuts that enables you to snip a screenshot, capture videos and audio on Mac without hassle.

What do you think of this post?

Excellent

Nip Nop Mac Os Catalina

Rating: 4.9 / 5 (based on 69 votes)Follow Us on

Nip Nop Mac Os Catalina

  • What You Can Do to Fix Screenshot on Mac not Working Problem

    Here're 5 powerful solutions to fix screenshot on Mac not working. You can also get 2 screenshot alternative to screen capture on Mac for free. Just read and check.

  • Three Methods to Take Screenshots on Mac

    Want to capture the impressive moments on your Mac screen? Here is an introduction about the best snipping tools for Mac and how to use them.

  • How to Make A Screen Recording on Mac/iMac/MacBook/MacBook Pro/MacBook Air

    Want to capture and record your screen with sound on your Mac? This article will show you 4 solutions to do screen recordings on Mac.





broken image