IPv6 fingerprinting

Nmap has a similar but separate OS detection engine specialized for IPv6. At a high level, the technique is the same: send probes, collect responses, and match the set of responses against a database. The differences are in the specific probes used, and in the way they are matched.

IPv6 OS detection is used just like IPv4. Just use the -6 and -O options together. For example, nmap -6 -O <target>.

Probes Sent

IPv6 OS detection uses many of the same probes that IPv4 OS detection does. Most of the power to distinguish operating systems comes from higher-layer protocols like TCP, though there are a few new IPv6-specific detection features.

In all cases, the IPv6 flow label is 0x12345, on platforms that allow us to set it. On platforms that do not (which includes non-Linux Unix platforms when not using Ethernet to send), the flow label will be 0. Because this can affect the responses, the value of the flow label is recorded in the EXTRA field of OS fingerprints. Except for the NS probe, hop limits are set randomly.

In all, up to 18 probes may be sent. They are sent in the following order.

Sequence generation (`S1`–`S6`)

These are the same six probes as the T1 collection of probes sent in IPv4 detection. See the section called “Sequence generation (SEQ, OPS, WIN, and T1)” for documentation of the packet contents. These six probes are sent 100 ms apart for timing measurements.

The S1–S6 probes are skipped if the target lacks an open port.

ICMPv6 echo (`IE1`)

This is more or less an ordinary ICMPv6 echo request. The type is 128 (Echo Request) and the code is 9, though it should be 0. The ICMPv6 ID is 0xabcd and the sequence number is 0. The data payload is 120 zero bytes. There is one Hop-By-Hop extension header containing only padding.

ICMPv6 echo (`IE2`)

This is an echo request with a type of 128 (Echo Request) and a code of 0. The ICMPv6 ID is 0xabcd and the sequence is 1. There is no data payload.

What makes this probe interesting are the erroneous extension headers it includes. There are four of them in all, in this order:

Hop-By-Hop

Destination Options

Routing

Hop-By-Hop

These headers are erroneous: no header other than Destination Options is supposed to appear more than once, and Hop-by-hop options are only supposed to appear in the first position. In our tests, no operating systems treat this as a legitimate echo request. They do, however, respond with different ICMPv6 errors.

Node Information Query (`NI`)

RFC 4620 defines ICMPv6 messages called Node Information Queries that allow asking a target for its hostnames, IPv4 addresses, and IPv6 addresses. The NI probe has type 139 (ICMP Node Information Query) and code 0 (indicating that the subject is an IPv6 address). The qtype is 4 (IPv4 Addresses). The A flag (return all unicast addresses) flag is set, and no others. The nonce is set to the fixed string "\x01\x02\x03\x04\x05\x06\x07\x0a".

Despite being asked for IPv4 addresses, some operating systems return a DNS name instead.

Neighbor Solicitation (`NS`)

The NS probe sends a Neighbor Solicitation query, as if asking for the target's hardware address. The type is 135 and the code is 0. The hop limit is always set to 255, no matter the setting of --ttl; RFC 2461 forbids hosts to reply otherwise. All flags are set to 0.

This probe is only sent to hosts on the same subnet.

UDP (`U1`)

A UDP packet is sent to a a closed port, if available. The data payload is set to 300 'C' (0x43) bytes. This probe is designed to elicit an ICMPv6 Port Unreachable message.

TCP explicit congestion notification (`TECN`)

This is the same as the ECN probe from IPv4. It is a SYN packet to an open port, that also has the ECE and CWR flags set. The urgent field value of 0xF7F5 is used even though the urgent flag is not set. The acknowledgment number is zero, sequence number is random, and the window size field is three. TCP options are WScale (10), NOP, MSS (1460), SACK permitted, NOP, NOP.

TCP (`T2`–`T7`)

These correspond to the T2–T7 probes from IPv4 detection, described in the section called “TCP (T2–T7)”. The numbering starts at 2 rather than 1 because the six sequencing probes are collectively known as “T1” in IPv4 (they were renamed to S1–S6 for IPv6).

Feature extraction

After responses are received, various pieces of data are extracted from them. In machine learning literature these pieces of data are known as “features”. Examples of features are: IPv6 hop limit, ICMPv6 type and code, and code of first TCP option. (In Nmap's terminology, these are known as IPV6_HOPLIMIT, ICMPV6_TYPE, and TCP_OPT_0 respectively.) Some features are simply extracted directly from response packets, and some are the result of doing a calculation over several packets (like TCP_ISR, the TCP initial sequence number counter rate).

Any features whose value cannot be determined (for example, features from a response that was never received) are set to −1. The features are put in a big one-dimensional feature vector. Then each is scaled and translated to put it approximately into the range [0, 1], using scale parameters estimated from our training data.

List of all features

TCP_ISR: TCP ISN counter rate. This is derived from the S1–S6 sequence probes, which are sent 100 ms apart. The differences between consecutive sequence responses are added up, then this sum is divided by the time elapsed between the first and last probe.

The following features are repeated for each response, so for example a fully qualified feature name might be S1.PLEN.

PLEN: IPv6 Payload Length field
TC: IPv6 Traffic Class field
HLIM: A guess at the original value of the IPv6 Hop Limit field

The following features are repeated for each TCP response. A full feature name might be T2.TCP_WINDOW.

TCP_WINDOW: TCP window size
TCP_FLAG_F, TCP_FLAG_S, TCP_FLAG_R, TCP_FLAG_P, TCP_FLAG_A, TCP_FLAG_U, TCP_FLAG_E, TCP_FLAG_C: TCP flags. Each flag becomes a feature with the value 0 or 1.
TCP_FLAG_RES8, TCP_FLAG_RES9, TCP_FLAG_RES10, TCP_FLAG_RES11: These are the four bits of the reserved part of the TCP header. RFC 3540 defines TCP_FLAG_RES8 as the nonce sum (NS) bit.
TCP_OPT_0, <...>, TCP_OPT_16: Type codes for the first 16 TCP options.
TCP_OPTLEN_0, <...>, TCP_OPTLEN_16: Lengths of the first 16 TCP options.
TCP_MSS: Value of the first MSS option, if present.
TCP_SACKOK: 1 if the SACK-permitted option is present, 0 otherwise.
TCP_WSCALE: Value of the first Window Scale option, if present.

Differences from IPv4

IPv6 fingerprints look somewhat different from IPv4 fingerprints. Instead of a broken-down list of packet features, they consist of a hex dump of packet contents along with send and receive times. See the section called “Understanding an Nmap Fingerprint” for details.

The IPv6 matching algorithm is quite different. It uses a machine learning algorithm called logistic regression rather than simple comparison against a list of fingerprints. the section called “IPv6 matching” has a description of the algorithm.