Nmap Development mailing list archives

Re: OS fingerprint extraction quality when scanning a large number of machines


From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Thu, 18 Dec 2008 11:06:11 -0000 (UTC)

I gave this a try from a Vista host using r11421. My original command was:

nmap xxx.xxx.xx.1-127 -P0 -O -vv

The last couple of hosts had open (and one also had closed) ports but had
fingerprinting problems, returning:

T1(R=N)
T2(R=N)
T3(R=N)
T4(R=N)
T5(R=N)
T6(R=N)
T7(R=N)
U1(R=N)
IE(R=N)

Here's the result of the last host from the scan of the range:

Host xxx.xxx.xx.xx appears to be up ... good.
Scanned at 2008-12-18 10:47:00 GMT Standard Time for 20s
Interesting ports on xxx.xxx.xx.xx:
Not shown: 997 filtered ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 00:01:02:06:25:17 (3com)
Warning: OSScan results may be unreliable because we could not find at
least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results
incomplete
No OS matches for host
TCP/IP fingerprint:
SCAN(V=4.76%D=12/18%OT=139%CT=%CU=%PV=N%DS=1%G=N%M=000102%TM=494A2A38%P=i686-pc-windows-windows)
ECN(R=N)
T1(R=N)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=N)

Network Distance: 1 hop

Read data files from: C:\tools\win32\nmap-4.76-11421
OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 127 IP addresses (6 hosts up) scanned in 38.74 seconds
           Raw packets sent: 8781 (410.268KB) | Rcvd: 2251 (93.081KB)

That host by itself returned an accurate fingerprint:

C:\tools\win32\nmap-4.76-11421>nmap xxx.xxx.xx.xx -P0 -O -vv

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-18 10:50 GMT Standard Time
Initiating ARP Ping Scan at 10:50
Scanning xxx.xxx.xx.xx [1 port]
Completed ARP Ping Scan at 10:50, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:50
Completed Parallel DNS resolution of 1 host. at 10:50, 0.01s elapsed
Initiating SYN Stealth Scan at 10:50
Scanning xxx.xxx.xx.xx [1000 ports]
Discovered open port 3389/tcp on xxx.xxx.xx.xx
Discovered open port 445/tcp on xxx.xxx.xx.xx
Discovered open port 139/tcp on xxx.xxx.xx.xx
Completed SYN Stealth Scan at 10:50, 4.38s elapsed (1000 total ports)
Initiating OS detection (try #1) against xxx.xxx.xx.xx
Host xxx.xxx.xx.xx appears to be up ... good.
Scanned at 2008-12-18 10:50:05 GMT Standard Time for 6s
Interesting ports on xxx.xxx.xx.xx:
Not shown: 997 filtered ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 00:01:02:06:25:17 (3com)
Warning: OSScan results may be unreliable because we could not find at
least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2, Microsoft Windows
Server 2003 SP2
TCP/IP fingerprint:
OS:SCAN(V=4.76%D=12/18%OT=139%CT=%CU=%PV=N%DS=1%G=Y%M=000102%TM=494A2AE4%P=
OS:i686-pc-windows-windows)SEQ(SP=107%GCD=1%ISR=10C%TI=I%II=I%SS=S%TS=0)OPS
OS:(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NN
OS:S%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)WIN(W1=4000%W2=4000%W3=4000%W4=4000
OS:%W5=4000%W6=4000)ECN(R=Y%DF=N%TG=80%W=4000%O=M5B4NW0NNS%CC=N%Q=)T1(R=Y%D
OS:F=N%TG=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=N%TG=80%W=0%S=A%
OS:A=O%F=R%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=S%TG=80%TOSI=Z%CD=Z%SI=S%DLI=S)

Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: C:\tools\win32\nmap-4.76-11421
OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.58 seconds
           Raw packets sent: 2035 (91.344KB) | Rcvd: 22 (1320B)


And again, but against the Linux host:

Host xxx.xxx.xx.xx appears to be up ... good.
Scanned at 2008-12-18 10:55:37 GMT Standard Time for 23s
Interesting ports on xxx.xxx.xx.xx:
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
5906/tcp open  unknown
6001/tcp open  X11:1
6002/tcp open  X11:2
6003/tcp open  X11:3
6004/tcp open  X11:4
6005/tcp open  X11:5
6006/tcp open  X11:6
MAC Address: 00:07:E9:25:22:14 (Intel)
OS fingerprint not ideal because: Didn't receive UDP response. Please try
again with -sSU
No OS matches for host
TCP/IP fingerprint:
SCAN(V=4.76%D=12/18%OT=22%CT=1%CU=%PV=N%DS=1%G=N%M=0007E9%TM=494A2C41%P=i686-pc-windows-windows)
ECN(R=N)
T1(R=N)
T2(R=N)
T3(R=N)
T4(R=N)
T5(R=N)
T6(R=N)
T7(R=N)
U1(R=N)
IE(R=N)

By itself, I get an accurate fingerprint and additional information:

Interesting ports on xxx.xxx.xx.xx:
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
5906/tcp open  unknown
6001/tcp open  X11:1
6002/tcp open  X11:2
6003/tcp open  X11:3
6004/tcp open  X11:4
6005/tcp open  X11:5
6006/tcp open  X11:6
MAC Address: 00:07:E9:25:22:14 (Intel)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.23
TCP/IP fingerprint:
OS:SCAN(V=4.76%D=12/18%OT=22%CT=1%CU=36301%PV=N%DS=1%G=N%M=0007E9%TM=494A2C
OS:D7%P=i686-pc-windows-windows)SEQ(SP=C9%GCD=1%ISR=CD%TI=Z%II=I%TS=A)OPS(O
OS:1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11N
OS:W7%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R
OS:=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW7%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%TOS=C0%IPL=164%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)IE(R=Y%DFI=N%T=40%TOSI=S%CD=
OS:S%SI=S%DLI=S)

Uptime guess: 13.447 days (since Fri Dec 05 00:14:40 2008)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros


It looks like something's still not quite right :(


Rob

On Wed, Dec 17, 2008 at 09:37:18PM -0700, David Fifield wrote:

I found and fixed an OS scan bug in r11421. An implementation error
disabled global congestion control, leading to large bursts of
outstanding probes. With the fix Nmap will not send so many at once.

Unfortunately, as I said I can't reproduce the problem so I don't know
if this fixes it specifically. If you have been compiling from source
please try r11421. Anyone else who has experienced this problem, we
could use your help.


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
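The two failure modes in this thread (every probe test printed as R=N on the range scan, and a print that answers but still lacks a closed TCP or UDP port) can be told apart mechanically from the fingerprint text alone. The script below is an added example, not Rob's output or Nmap's own code: it parses the `TCP/IP fingerprint:` block in both forms Nmap prints (the wrapped `OS:` submission form and the one-group-per-line form used when there is no match), lists which probe tests answered, were silent, or were never printed, and reports the SCAN-header fields behind the "not ideal" warnings. The two sample prints are copied verbatim from the post above. The reading of the SCAN header flags (`OT`/`CT`/`CU` as the open TCP, closed TCP and closed UDP ports used, `G` as Nmap's own "good enough for submission" flag) is my assumption about the format, stated here and in the code rather than taken from the page.

```python
"""Triage Nmap -O fingerprints: which hosts answered no probes and why.

Handles both the wrapped 'OS:' submission form and the one-group-per-line
form that Nmap prints when a host has no match (examples from the post).
"""
import re
from dataclasses import dataclass, field

# Every group except SCAN records one probe test (SEQ/OPS/WIN: the six SYNs).
PROBE_TESTS = ("SEQ", "OPS", "WIN", "ECN", "T1", "T2", "T3", "T4",
               "T5", "T6", "T7", "U1", "IE")

# NAME(key=val%key=val...); no value contains ')' or '%'.
_GROUP_RE = re.compile(r"([A-Z][A-Z0-9]*)\(([^)]*)\)")


def normalize(text: str) -> str:
    """Strip 'OS:' prefixes and join with no separator: the wrapped form
    splits groups and even single values (TM=494A2AE4%P= / i686-...) at a
    fixed width, so nothing may be inserted between lines."""
    return "".join(
        line.strip()[3:] if line.strip().startswith("OS:") else line.strip()
        for line in text.splitlines()
    )


def parse_fingerprint(text: str) -> dict:
    """Return {group: {key: value}}; empty values (CT=, Q=) stay ''."""
    groups = {}
    for name, body in _GROUP_RE.findall(normalize(text)):
        fields = {}
        for item in filter(None, body.split("%")):
            key, _, value = item.partition("=")
            fields[key] = value
        groups[name] = fields
    return groups


@dataclass
class Triage:
    answered: list = field(default_factory=list)  # probe got a reply
    silent: list = field(default_factory=list)    # printed as R=N
    absent: list = field(default_factory=list)    # not printed at all
    reasons: list = field(default_factory=list)   # from the SCAN header

    @property
    def needs_rescan(self) -> bool:
        """No probe answered: no match is possible, scan the host again."""
        return not self.answered


def triage(text: str) -> Triage:
    groups = parse_fingerprint(text)
    t = Triage()
    for name in PROBE_TESTS:
        if name not in groups:
            t.absent.append(name)
        elif groups[name].get("R") == "N":
            t.silent.append(name)
        else:
            t.answered.append(name)
    # Assumed meaning of the SCAN header fields: OT/CT/CU are the open TCP,
    # closed TCP and closed UDP ports Nmap used; G is its own "good enough
    # for submission" flag.  Empty port fields match the warnings in the post.
    scan = groups.get("SCAN", {})
    if not scan.get("OT"):
        t.reasons.append("no open TCP port (OT=)")
    if not scan.get("CT"):
        t.reasons.append("no closed TCP port (CT=)")
    if not scan.get("CU"):
        t.reasons.append("no closed UDP port (CU=)")
    if scan.get("G") == "N":
        t.reasons.append("Nmap flagged the print not good for submission (G=N)")
    return t


# Copied from the post: the Windows host in the range scan (no replies at
# all) and the same host scanned alone (matched Windows Server 2003).
RANGE_WINDOWS = """\
SCAN(V=4.76%D=12/18%OT=139%CT=%CU=%PV=N%DS=1%G=N%M=000102%TM=494A2A38%P=i686-pc-windows-windows)
ECN(R=N)
T1(R=N)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=N)
"""

SINGLE_WINDOWS = """\
OS:SCAN(V=4.76%D=12/18%OT=139%CT=%CU=%PV=N%DS=1%G=Y%M=000102%TM=494A2AE4%P=
OS:i686-pc-windows-windows)SEQ(SP=107%GCD=1%ISR=10C%TI=I%II=I%SS=S%TS=0)OPS
OS:(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NN
OS:S%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)WIN(W1=4000%W2=4000%W3=4000%W4=4000
OS:%W5=4000%W6=4000)ECN(R=Y%DF=N%TG=80%W=4000%O=M5B4NW0NNS%CC=N%Q=)T1(R=Y%D
OS:F=N%TG=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=N%TG=80%W=0%S=A%
OS:A=O%F=R%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=S%TG=80%TOSI=Z%CD=Z%SI=S%DLI=S)
"""
```

Feed `triage()` the text between `TCP/IP fingerprint:` and the next blank line of each host's output. For the range-scan print it returns no answered tests, seven silent ones and SEQ/OPS/WIN absent (no SYN probe was answered, so the sequence tests were never printed), which is exactly the bulk-scan symptom in the thread; for the single-host print it returns seven answered tests and only the two missing-closed-port reasons, so that host does not need another pass but will keep producing the "could not find at least 1 open and 1 closed port" warning until a closed port is found.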