|
|
|
|
|
Nmap Examination of Various Operating Systems |
|
Join the community - in the OCAU Forums!
|
page one
The purpose of this short comparison is to perform some sort of evaluation of the quality of the TCP/IP stack which is implemented differently in various Operating Systems. I wanted to keep the test as independent of hardware and build methodology as possible, and to avoid making purely subjective evaluations on the quality of these Operating Systems. I am not out to discover which OS is faster, more usable or better for anyone's particular needs.
Method:
I did a fresh install of several Operating Systems that I have on hand, ranging from older versions (which are still in use) to some of the latest versions available today. I installed them on some spare hardware I have lying around, installed TCP/IP on all of them, and connected them to my LAN. I then ran a simple scan against each build from my main Slackware machine five(5) times in order to calculate some sort of workable average. I used nmap, a "Network exploration tool and security scanner". It is extremely capable software and I encourage everyone to check it out. I used nmap version 3.50 compiled from source. Note that the OS scan I am using is not the limit of nmap's capabilities. It has many other features. I also managed to use the same network adaptor for each "target" build (PCI Realtek 8139C).
Quoting from the man page of nmap:
"Nmap is designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering."
The actual scan I performed on each build was:
nmap -O [host] -vv
Quoting again from the man page:
"Another test enabled by -O is TCP Sequence Pre-dictability Classification. This is a measure that describes approximately how hard it is to establish a forged TCP connection against the remote host. This is useful for exploiting source-IP based trust relationships (rlogin, firewall filters, etc) or for hiding the source of an attack. The actual difficulty number is based on statistical sampling and may fluctuate. It is generally better to use the English classification such as "worthy challenge" or "trivial joke". This is only reported in normal output with -v. When verbose mode (-v) is on with -O, IPID Sequence Generation is also reported. Most machines are in the "incremental" class, which means that they increment the "ID" field in the IP header for each packet they send. This makes them vulnerable to several advanced information gathering and spoofing attacks."
So, among other things, the crux of the test will show "approximately how hard it is to establish a forged TCP connection against the remote host" across several different Operating Systems.
Note that the OS scan in nmap is much less reliable if it does not find at least one open TCP port and one closed TCP port. I made sure each build had ports open and ports closed to keep the OS detection and scanning as reliable as possible.
I mention the release or version of the Operating System, the kernel or build number, and leave most of the rest of it to nmap. I ran the OS detection scan 5 times, and extracted an average 'difficulty' number from that, and then showed the "English classification" which is a more logical representation of the 'difficulty' number. Plus there's a quick table at the end showing the 'difficulty' values.
Alright, enough of that, let's dive in to the numbers, shall we?
Slackware-current (Self-built 2.6.6)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.5.25 - 2.5.70 or Gentoo 1.2 Linux 2.4.19 rc1-rc7
TCP Sequence Prediction:
Class=random positive increments
IPID Sequence Generation: All zeros
Average 'difficulty' over 5 scans - 2595171.4
On this build, I got 'Good luck!' on every scan.
Debian 3.0r1 (2.2.20)
Device type: general purpose
Running: Linux 2.1.X|2.2.X
OS details: Linux 2.1.19 - 2.2.25
TCP Sequence Prediction:
Class=random positive increments
IPID Sequence Generation: Incremental
Average 'difficulty' over 5 scans - 2344654.6
On this build, I got 'Good luck!' on every scan.
Slackware-current (Default 2.4.23)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
TCP Sequence Prediction:
Class=random positive increments
IPID Sequence Generation: All zeros
Average 'difficulty' over 5 scans - 3319083.8
On this build, I got 'Good luck!' on every scan.
Red Hat 7.3 (Default 2.4.18-3)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
TCP Sequence Prediction:
Class=random positive increments
IPID Sequence Generation: All zeros
Average 'difficulty' over 5 scans - 3591128.2
On this build, I got 'Good luck!' on every scan.
Knoppix 3.3 (2.4.24)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
TCP Sequence Prediction:
Class=random positive increments
IPID Sequence Generation: All zeros
Average 'difficulty' over 5 scans - 3909828.4
On this build, I got 'Good luck!' on every scan.
Smoothwall Express 2.0 (2.4.22)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
TCP Sequence Prediction:
Class=random positive increments
IPID Sequence Generation: All zeros
Average 'difficulty' over 5 scans - 3098028
On this build, I got 'Good luck!' on every scan.
OpenBSD 3.3 (GENERIC#44)
Device type: general purpose
Running: OpenBSD 3.X
OS details: OpenBSD 3.0 or 3.3
TCP Sequence Prediction:
Class=truly random
IPID Sequence Generation: Randomized
Average 'difficulty' over 5 scans - 9999999
On this build, I got 'Good luck!' on every scan.
FreeBSD 5.1-RELEASE (GENERIC)
Device type: general purpose
Running: FreeBSD 4.X|5.X
OS details: FreeBSD 4.3 - 4.4PRERELEASE, FreeBSD 4.9 - 5.1
TCP Sequence Prediction:
Class=truly random
IPID Sequence Generation: Incremental
Average 'difficulty' over 5 scans - 9999999
On this build, I got 'Good luck!' on every scan.
Windows 98 (Version 4.10.2222)
Device type: media device|general purpose
Running: Turtle Beach embedded, Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Turtle Beach AudioTron 100 network MP3 player, Microsoft Windows NT 3.51 SP5, NT 4.0 or 95/98/98SE
TCP Sequence Prediction:
Class=trivial time dependency
IPID Sequence Generation: Broken little-endian incremental
Average 'difficulty' over 5 scans - 0.8
On this build, I got 'Trivial joke' on every scan.
On one scan, I even got a zero 'difficulty' rating!
Windows XP (NT 5.1) SP1
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP, Microsoft Windows 2000 SP3
TCP Sequence Prediction:
Class=random positive increments
IPID Sequence Generation: Incremental
Average 'difficulty' over 5 scans - 46457
On this build, I got 'Worthy challenge' three times, and 'Formidable' twice.
Summary:
Take what you like out of this comparison, I just thought it would be interesting, and decided to share the results. If nothing else, my hard-disks got a good workout.
Unfortunately I didn't have access to WinXP SP2 at the time of writing, or any server versions of Windows. I've created a thread in OCAU's Networking and Internet Forum here, in which people can add and compare the results of scanning their own systems with nmap.
Cheers,
Scott Radvan
|
|
Advertisement:
All original content copyright James Rolfe.
All rights reserved. No reproduction allowed without written permission.
Interested in advertising on OCAU? Contact us for info.
|
|
