Nmap Development mailing list archives

Re: OS fingerprint extraction quality -- solved in r11437


From: David Fifield <david () bamsoftware com>
Date: Fri, 19 Dec 2008 15:17:49 -0700

On Wed, Dec 17, 2008 at 12:23:55PM -0500, Michael Head wrote:
> I've been using nmap to collect information for internal asset discovery
> and verification processes. I'm using the OS detection, service scan, and
> full complement of service probes, and I'm finding that the quality of OS
> fingerprints achievable diminishes substantially when I scan more than a
> few hosts (from any of several Windows (XP, 2003) installations). When I
> scan each host individually with a single call to nmap, those same target
> systems return much improved fingerprints.

Thanks to everyone who ran tests and sent in suggestions. Trent Snyder
dug through a packet capture and found the cause of the problem. It's
now fixed, so give it a try.

I'll just reproduce the log message for r11437 to explain what the
problem was and how it was fixed.

        Fill in the destination MAC address before each probe sent in OS scan.
        This fixes the following bug: When scanning with an Ethernet handle (as
        opposed to raw sockets), only the first host in an OS scan group would
        get a result. All others would be blank fingerprints with R=N for every
        probe. This was first noticed on Windows because Ethernet is the default
        sending method, but it affects other platforms with --send-eth.
        
        OS scan initialized an Ethernet handle once for each group, and recorded
        the first-hop MAC address of the first target at that time. That
        first-hop address was used for all targets. This failed on a switched
        LAN, when the first-hop address for every host is different (it's the
        MAC address of each target).
        
        All the various high-level probe sending functions now do their work
        through three low-level sending functions: one each for TCP, UDP, and
        ICMP. Those low-level functions take care of setting the MAC addresses
        before each send.
        
        I checked and the other places where Ethernet sends are used do not have
        this problem. ultra_scan, idle scan, and traceroute all set the
        addresses before every send.

David Fifield
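As an added illustration of the bug the log message describes, the following is a small C++ reconstruction (not Nmap's own code) of a per-group cached first-hop MAC beside the per-send lookup the fix introduced; the LAN model, host addresses and MACs are constructed for the example.

```cpp
#include <array>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

using Mac = std::array<uint8_t, 6>;
// Model of a switched LAN: each target's first-hop MAC is its own MAC (no
// router in between), which is the situation the fix describes.
struct Lan {
    std::map<std::string, Mac> arp;  // target IP -> first-hop MAC
    Mac next_hop(const std::string& ip) const { return arp.at(ip); }
};

// Constructed sample: three hosts on one segment, each with a distinct MAC.
Lan sample_lan() {
    return Lan{{{"10.0.0.1", Mac{0, 1, 2, 3, 4, 5}}, {"10.0.0.2", Mac{0, 1, 2, 3, 4, 6}}, {"10.0.0.3", Mac{0, 1, 2, 3, 4, 7}}}};
}
// A sent "frame" reduced to its destination MAC and the IP it was meant for.
struct Frame { Mac dst; std::string target_ip; };

// Pre-fix behaviour (a reconstruction, not Nmap's code): the handle is set up
// once per group with the first target's first-hop MAC, reused for all probes.
std::vector<Frame> send_group_buggy(const Lan& lan, const std::vector<std::string>& targets) {
    std::vector<Frame> sent;
    Mac cached{};
    bool have_mac = false;
    for (const auto& ip : targets) {
        if (!have_mac) { cached = lan.next_hop(ip); have_mac = true; }
        sent.push_back({cached, ip});
    }
    return sent;
}

// Post-fix behaviour: the low-level send path fills in the destination MAC
// for the specific target immediately before each probe leaves the host.
std::vector<Frame> send_group_fixed(const Lan& lan, const std::vector<std::string>& targets) {
    std::vector<Frame> sent;
    for (const auto& ip : targets) sent.push_back({lan.next_hop(ip), ip});
    return sent;
}

// A probe is delivered only if the frame's destination MAC is that target's
// first-hop MAC; undelivered probes show up as R=N for every test.
int probes_delivered(const Lan& lan, const std::vector<Frame>& sent) {
    int ok = 0;
    for (const auto& f : sent) if (f.dst == lan.next_hop(f.target_ip)) ++ok;
    return ok;
}
```

On the constructed three-host segment only the first host's probes are delivered with the cached address, while the per-send lookup delivers all three.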

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org