Re: OS fingerprint extraction quality when scanning a large number of machines

[David Fifield <david () bamsoftware com>]

On Thu, Dec 18, 2008 at 09:10:46PM +0000, Brandon Enright wrote:
> On Thu, 18 Dec 2008 17:16:29 -0000 (UTC)
> "Rob Nicholls" <robert () everythingeverything co uk> wrote:
> > > Thanks for your testing. A couple of hosts out of 127 is not so bad
> > > considering what we had been seeing: only one out of 20 or 30 hosts
> > > returning useful results.
> >
> > I'm afraid there were only 7 live hosts in that range, one of which
> > was mine, so I typically saw 4 "good" and 2 "bad" fingerprints. I
> > probably won't get a chance to do more testing until sometime
> > tomorrow, but will try it using 4.76, r11420 and r11421 to see if
> > there are any differences between them. The tests appeared to be
> > quite repeatable, and I didn't notice much of a difference when I ran
> > one using 4.76. I'll also try a few tweaks to the commandline options
> > to see what differences that makes.
> >
> > Rob
>
> I tried to reproduce this behavior with Nmap 4.76 against a /22 (270
> hosts detected with -PS option below) using these two commands:
>
> nmap -O -vv -d -n -F -P S22,23,135,139,445,3389 -T5 --min-hostgroup 1024 <network>/22 -oA os_group_scan
>
> nmap -O -vv -d -n -F -P S22,23,135,139,445,3389 -T5 --max-hostgroup 1 <network>/22 -oA os_single_scan
>
> I compared the results by hand and found *no* responsiveness
> differences in the OS fingerprinting.

Was the scanning machine running Windows? This appears to affect only
Windows.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org