Nmap Development mailing list archives
Re: OS fingerprint extraction quality when scanning a large number of machines
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Thu, 18 Dec 2008 11:06:11 -0000 (UTC)
I gave this a try from a Vista host using r11421. My original command was:
nmap xxx.xxx.xx.1-127 -P0 -O -vv
The last couple of hosts had open (and one also had closed) ports but had fingerprinting problems, returning:

T1(R=N) T2(R=N) T3(R=N) T4(R=N) T5(R=N) T6(R=N) T7(R=N) U1(R=N) IE(R=N)

Here's the result of the last host from the scan of the range:

Host xxx.xxx.xx.xx appears to be up ... good.
Scanned at 2008-12-18 10:47:00 GMT Standard Time for 20s
Interesting ports on xxx.xxx.xx.xx:
Not shown: 997 filtered ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 00:01:02:06:25:17 (3com)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
TCP/IP fingerprint:
SCAN(V=4.76%D=12/18%OT=139%CT=%CU=%PV=N%DS=1%G=N%M=000102%TM=494A2A38%P=i686-pc-windows-windows)
ECN(R=N)
T1(R=N)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=N)

Network Distance: 1 hop

Read data files from: C:\tools\win32\nmap-4.76-11421
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 127 IP addresses (6 hosts up) scanned in 38.74 seconds
           Raw packets sent: 8781 (410.268KB) | Rcvd: 2251 (93.081KB)

That host by itself returned an accurate fingerprint:

C:\tools\win32\nmap-4.76-11421>nmap xxx.xxx.xx.xx -P0 -O -vv

Starting Nmap 4.76 ( http://nmap.org ) at 2008-12-18 10:50 GMT Standard Time
Initiating ARP Ping Scan at 10:50
Scanning xxx.xxx.xx.xx [1 port]
Completed ARP Ping Scan at 10:50, 0.27s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:50
Completed Parallel DNS resolution of 1 host. at 10:50, 0.01s elapsed
Initiating SYN Stealth Scan at 10:50
Scanning xxx.xxx.xx.xx [1000 ports]
Discovered open port 3389/tcp on xxx.xxx.xx.xx
Discovered open port 445/tcp on xxx.xxx.xx.xx
Discovered open port 139/tcp on xxx.xxx.xx.xx
Completed SYN Stealth Scan at 10:50, 4.38s elapsed (1000 total ports)
Initiating OS detection (try #1) against xxx.xxx.xx.xx
Host xxx.xxx.xx.xx appears to be up ... good.
Scanned at 2008-12-18 10:50:05 GMT Standard Time for 6s
Interesting ports on xxx.xxx.xx.xx:
Not shown: 997 filtered ports
PORT     STATE SERVICE
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv
MAC Address: 00:01:02:06:25:17 (3com)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2, Microsoft Windows Server 2003 SP2
TCP/IP fingerprint:
OS:SCAN(V=4.76%D=12/18%OT=139%CT=%CU=%PV=N%DS=1%G=Y%M=000102%TM=494A2AE4%P=
OS:i686-pc-windows-windows)SEQ(SP=107%GCD=1%ISR=10C%TI=I%II=I%SS=S%TS=0)OPS
OS:(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NN
OS:S%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)WIN(W1=4000%W2=4000%W3=4000%W4=4000
OS:%W5=4000%W6=4000)ECN(R=Y%DF=N%TG=80%W=4000%O=M5B4NW0NNS%CC=N%Q=)T1(R=Y%D
OS:F=N%TG=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=N%TG=80%W=0%S=A%
OS:A=O%F=R%O=%RD=0%Q=)U1(R=N)IE(R=Y%DFI=S%TG=80%TOSI=Z%CD=Z%SI=S%DLI=S)

Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: C:\tools\win32\nmap-4.76-11421
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.58 seconds
           Raw packets sent: 2035 (91.344KB) | Rcvd: 22 (1320B)

And again, but against the Linux host:

Host xxx.xxx.xx.xx appears to be up ... good.
Scanned at 2008-12-18 10:55:37 GMT Standard Time for 23s
Interesting ports on xxx.xxx.xx.xx:
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
5906/tcp open  unknown
6001/tcp open  X11:1
6002/tcp open  X11:2
6003/tcp open  X11:3
6004/tcp open  X11:4
6005/tcp open  X11:5
6006/tcp open  X11:6
MAC Address: 00:07:E9:25:22:14 (Intel)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No OS matches for host
TCP/IP fingerprint:
SCAN(V=4.76%D=12/18%OT=22%CT=1%CU=%PV=N%DS=1%G=N%M=0007E9%TM=494A2C41%P=i686-pc-windows-windows)
ECN(R=N)
T1(R=N)
T2(R=N)
T3(R=N)
T4(R=N)
T5(R=N)
T6(R=N)
T7(R=N)
U1(R=N)
IE(R=N)

By itself, I get an accurate fingerprint and additional information:

Interesting ports on xxx.xxx.xx.xx:
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
5906/tcp open  unknown
6001/tcp open  X11:1
6002/tcp open  X11:2
6003/tcp open  X11:3
6004/tcp open  X11:4
6005/tcp open  X11:5
6006/tcp open  X11:6
MAC Address: 00:07:E9:25:22:14 (Intel)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.23
TCP/IP fingerprint:
OS:SCAN(V=4.76%D=12/18%OT=22%CT=1%CU=36301%PV=N%DS=1%G=N%M=0007E9%TM=494A2C
OS:D7%P=i686-pc-windows-windows)SEQ(SP=C9%GCD=1%ISR=CD%TI=Z%II=I%TS=A)OPS(O
OS:1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11N
OS:W7%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R
OS:=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW7%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%TOS=C0%IPL=164%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)IE(R=Y%DFI=N%T=40%TOSI=S%CD=
OS:S%SI=S%DLI=S)

Uptime guess: 13.447 days (since Fri Dec 05 00:14:40 2008)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros

It looks like something's still not quite right :(

Rob
On Wed, Dec 17, 2008 at 09:37:18PM -0700, David Fifield wrote:
I found and fixed an OS scan bug in r11421. An implementation error disabled global congestion control, leading to large bursts of outstanding probes. With the fix Nmap will not send so many at once. Unfortunately, as I said I can't reproduce the problem so I don't know if this fixes it specifically. If you have been compiling from source please try r11421. Anyone else who has experienced this problem, we could use your help.
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
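Added example, not Nmap's code and not part of the thread: a small parser for the TCP/IP fingerprint block Nmap prints (either one test per line, or the wrapped "OS:"-prefixed form shown above) that reports which probes got no reply, so fingerprints from a bulk scan like the one in the post can be triaged before they are trusted for asset inventory. The two sample fingerprints are shortened copies of the Windows host's bulk-scan and single-host results from the post; the field meanings (R=N, G, CT, CU) follow Nmap's own warnings.

```python
import re

# Constructed from the two Windows fingerprints in the post, with the OPS/WIN
# tests dropped from the good one to keep the sample short.
BAD_FP = """SCAN(V=4.76%D=12/18%OT=139%CT=%CU=%PV=N%DS=1%G=N%M=000102%TM=494A2A38%P=i686-pc-windows-windows)
ECN(R=N) T1(R=N) T2(R=N) T3(R=N) T4(R=N) U1(R=N) IE(R=N)"""

GOOD_FP = """OS:SCAN(V=4.76%D=12/18%OT=139%CT=%CU=%PV=N%DS=1%G=Y%M=000102%TM=494A2AE4%P=
OS:i686-pc-windows-windows)SEQ(SP=107%GCD=1%ISR=10C%TI=I%II=I%SS=S%TS=0)ECN(R
OS:=Y%DF=N%TG=80%W=4000%O=M5B4NW0NNS%CC=N%Q=)T1(R=Y%DF=N%TG=80%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=N%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)U1(R=N)
OS:IE(R=Y%DFI=S%TG=80%TOSI=Z%CD=Z%SI=S%DLI=S)"""

TEST_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")


def parse_fingerprint(text):
    """Return {test_name: {attr: value}} for every TEST(a=b%c=d) block."""
    # The "OS:" wrapped form is one long string cut into fixed-width pieces,
    # so stripping the prefix and all whitespace restores the original.
    joined = "".join(re.sub(r"^OS:", "", ln.strip()) for ln in text.splitlines())
    joined = re.sub(r"\s+", "", joined)
    tests = {}
    for name, body in TEST_RE.findall(joined):
        attrs = {}
        for pair in filter(None, body.split("%")):
            key, _, val = pair.partition("=")  # "Q=" yields an empty value
            attrs[key] = val
        tests[name] = attrs
    return tests


def assess(fp):
    """Summarise why a fingerprint may be unusable, mirroring Nmap's warnings."""
    scan = fp.get("SCAN", {})
    unanswered = [n for n, a in fp.items() if a.get("R") == "N"]
    return {
        "good": scan.get("G") == "Y",            # Nmap's own quality flag
        "closed_tcp_port": bool(scan.get("CT")),  # needed for the T5-T7 probes
        "closed_udp_port": bool(scan.get("CU")),  # needed for the U1 probe
        "unanswered": unanswered,
        # every probe except the SCAN header unanswered: nothing came back at all
        "all_unanswered": bool(unanswered) and len(unanswered) == len(fp) - 1,
    }


if __name__ == "__main__":
    for label, fp_text in (("bulk scan", BAD_FP), ("single host", GOOD_FP)):
        print(label, assess(parse_fingerprint(fp_text)))
```

A fingerprint whose probes are all unanswered while the same host answers when scanned alone points at the scanner's own send rate rather than at the target, which is the congestion-control symptom discussed in the thread.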