Nmap Development mailing list archives

Re: OS fingerprint extraction quality when scanning a large number of machines


From: Michael Head <mrhead () us ibm com>
Date: Thu, 18 Dec 2008 16:53:47 -0500

David Fifield wrote on 12/18/2008 02:02:41 AM:

On Thu, Dec 18, 2008 at 01:31:29AM -0500, Michael Head wrote:
David wrote on 12/18/2008 12:15:40 AM:
I found and fixed an OS scan bug in r11421. An implementation error
disabled global congestion control, leading to large bursts of
outstanding probes. With the fix Nmap will not send so many at once.

Unfortunately, as I said I can't reproduce the problem so I don't know
if this fixes it specifically. If you have been compiling from source
please try r11421. Anyone else who has experienced this problem, we
could use your help.

I have been using the 4.76 pre-built windows installer, but I can surely
build and test it here. What's the preferred build system to make sure the
version I try is most comparable to the version I've been using?

Great.

OK, I've checked out 11421 and ran it in comparison with 4.76. I do see
some improvement overall, but there are still systems whose fingerprint
comes back poorly when scanned in a group:

The results below come from runs like so:
C:\...>nmap -v -oX 4.76-out.xml -O -sSU --osscan-guess X.X.X.0/24
and
C:\...>nmap-svn\mswin32\Debug\nmap -v -oX 11421-out.xml -O -sSU
--osscan-guess X.X.X.0/24
and
C:\...>nmap-svn\mswin32\Debug\nmap -v -oX 11421-host.xml -O -sSU
--osscan-guess 9.2.139.114

For host X.X.X.114, using r11421 on the entire subset:
   SCAN(V=4.76%D=12/18%OT=135%CT=1%CU=2%PV=N%DS=1%G=N%M=005056%TM=494A6DB1%P=i686-pc-windows-windows)
   ECN(R=N)
   T1(R=N)
   T2(R=N)
   T3(R=N)
   T4(R=N)
   T5(R=N)
   T6(R=N)
   T7(R=N)
   U1(R=N)
   IE(R=N)

For the same host, using r11421 on just that host:
   SCAN(V=4.76%D=12/18%OT=135%CT=1%CU=2%PV=N%DS=1%G=N%M=005056%TM=494A8CBB%P=i686-pc-windows-windows)
   SEQ(SP=FC%GCD=1%ISR=10E%TI=I%II=I%SS=S%TS=0)
   OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)
   WIN(W1=FAF0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0%W6=FAF0)
   ECN(R=Y%DF=N%T=80%W=FAF0%O=M5B4NW0NNS%CC=N%Q=)
   T1(R=Y%DF=N%T=80%S=O%A=S+%F=AS%RD=0%Q=)
   T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
   T3(R=Y%DF=N%T=80%W=FAF0%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=)
   T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
   T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
   T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
   T7(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
   U1(R=Y%DF=N%T=80%TOS=0%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
   IE(R=Y%DFI=S%T=80%TOSI=Z%CD=Z%SI=S%DLI=S)

Host *.114 finds its way into the second batch of hosts scanned (I think
it's host #22 when the responsive hosts are sorted by numeric IP address).

Now, there is some difference in the output between 4.76 and r11421:
   C:\...>find /c "osmatch" 4.76-out.xml

   ---------- 4.76-OUT.XML: 104

   C:\...>find /c "osmatch" 11421-out.xml

   ---------- 11421-OUT.XML: 32

Presumably, there are fewer multi-matches.

David Fifield
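The comparison in this message is done by eye on the XML fingerprints and with `find /c "osmatch"`. The script below is an added example (not code from the thread or from the Nmap project) that automates the same check: it parses `-oX` output, decodes the fingerprint attribute (where nmap escapes the line breaks as `&#xa;`, exactly as they appear in the message), and reports per host how many probe tests came back with `R=N`, alongside the `osmatch` count. The embedded XML is a constructed sample that mirrors the two fingerprints above with documentation addresses; the `<os>`/`<osmatch>`/`<osfingerprint>` element layout is assumed from nmap's XML output format.

```python
"""Flag Nmap OS fingerprints in which probes went unanswered (R=N).

Added example: parses nmap -oX output and summarizes, per host, how many
osmatch entries were produced and which fingerprint tests got no reply.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real scan): one host with every probe
# unanswered, one host with a full fingerprint and a single osmatch.
# nmap writes the fingerprint into an attribute, escaping newlines as &#xa;
# so ElementTree turns them back into '\n' when it parses the file.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="4.76">
<host><status state="up"/>
<address addr="192.0.2.114" addrtype="ipv4"/>
<os>
<osfingerprint fingerprint="SCAN(V=4.76%D=12/18%OT=135%CT=1%CU=2%PV=N%DS=1%G=N%M=005056%TM=494A6DB1%P=i686-pc-windows-windows)&#xa;ECN(R=N)&#xa;T1(R=N)&#xa;T2(R=N)&#xa;T3(R=N)&#xa;T4(R=N)&#xa;T5(R=N)&#xa;T6(R=N)&#xa;T7(R=N)&#xa;U1(R=N)&#xa;IE(R=N)&#xa;"/>
</os></host>
<host><status state="up"/>
<address addr="192.0.2.115" addrtype="ipv4"/>
<os>
<osmatch name="constructed example match" accuracy="100"/>
<osfingerprint fingerprint="SCAN(V=4.76%D=12/18%OT=135%CT=1%CU=2%PV=N%DS=1%G=N%M=005056%TM=494A8CBB%P=i686-pc-windows-windows)&#xa;SEQ(SP=FC%GCD=1%ISR=10E%TI=I%II=I%SS=S%TS=0)&#xa;ECN(R=Y%DF=N%T=80%W=FAF0%O=M5B4NW0NNS%CC=N%Q=)&#xa;T1(R=Y%DF=N%T=80%S=O%A=S+%F=AS%RD=0%Q=)&#xa;U1(R=Y%DF=N%T=80%TOS=0%IPL=B0%UN=0)&#xa;IE(R=Y%DFI=S%T=80%TOSI=Z%CD=Z%SI=S%DLI=S)&#xa;"/>
</os></host>
</nmaprun>
"""

# One fingerprint line looks like NAME(K=V%K=V...); no parentheses occur inside.
TEST_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprint(fp):
    """Split a fingerprint string into {test_name: {attr: value}}."""
    tests = {}
    for line in fp.splitlines():
        m = TEST_RE.match(line.strip())
        if not m:
            continue
        name, body = m.groups()
        attrs = {}
        for item in body.split("%"):
            if "=" in item:
                key, value = item.split("=", 1)
                attrs[key] = value  # value may be empty, e.g. "Q=" or "O="
        tests[name] = attrs
    return tests


def unanswered_tests(tests):
    """Names of probe tests that recorded no response (R=N).

    SCAN is scan metadata rather than a probe, so it is never counted.
    """
    return sorted(n for n, a in tests.items() if n != "SCAN" and a.get("R") == "N")


def summarize(xml_text):
    """Per host address: osmatch count, number of tests, unanswered tests."""
    root = ET.fromstring(xml_text)
    report = {}
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        os_el = host.find("os")
        matches = len(os_el.findall("osmatch")) if os_el is not None else 0
        fp_el = os_el.find("osfingerprint") if os_el is not None else None
        tests = parse_fingerprint(fp_el.get("fingerprint")) if fp_el is not None else {}
        report[addr] = {
            "osmatch": matches,
            "tests": len(tests),
            "unanswered": unanswered_tests(tests),
        }
    return report


def total_osmatch(xml_text):
    """Equivalent of `find /c "osmatch"` on the XML: total osmatch elements."""
    return sum(h["osmatch"] for h in summarize(xml_text).values())


if __name__ == "__main__":
    for addr, info in summarize(SAMPLE_XML).items():
        print(addr, info)
    print("total osmatch:", total_osmatch(SAMPLE_XML))
```

Run against two real output files (the full-subnet run and the single-host run) and compare the `unanswered` lists for the same address; a host whose every probe is `R=N` only when it is scanned as part of the group is the symptom described in the message, and the per-host count is more useful than the file-wide `osmatch` total, which also drops when multi-matches disappear.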

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
