Nmap Development mailing list archives
Re: OS fingerprint extraction quality -- solved in r11437
From: David Fifield <david () bamsoftware com>
Date: Fri, 19 Dec 2008 15:17:49 -0700
On Wed, Dec 17, 2008 at 12:23:55PM -0500, Michael Head wrote:
I've been using nmap to collect information for internal asset discovery and verification processes. I'm using the OS detection, service scan, and full complement of service probes, and I'm finding that the quality of OS fingerprints achievable diminishes substantially when I scan more than a few hosts (from any of several Windows (XP, 2003) installations). When I scan each host individually with a single call to nmap, those same target systems return much improved fingerprints.
Thanks to everyone who ran tests and sent in suggestions. Trent Snyder dug through a packet capture and found the cause of the problem. It's now fixed, so give it a try. I'll just reproduce the log message for r11437 to explain what the problem was and how it was fixed.

Fill in the destination MAC address before each probe sent in OS scan.

This fixes the following bug: When scanning with an Ethernet handle (as opposed to raw sockets), only the first host in an OS scan group would get a result. All others would be blank fingerprints with R=N for every probe. This was first noticed on Windows because Ethernet is the default sending method, but it affects other platforms with --send-eth.

OS scan initialized an Ethernet handle once for each group, and recorded the first-hop MAC address of the first target at that time. That first-hop address was used for all targets. This failed on a switched LAN, when the first-hop address for every host is different (it's the MAC address of each target).

All the various high-level probe sending functions now do their work through three low-level sending functions: one each for TCP, UDP, and ICMP. Those low-level functions take care of setting the MAC addresses before each send.

I checked and the other places where Ethernet sends are used do not have this problem. ultra_scan, idle scan, and traceroute all set the addresses before every send.

David Fifield
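A small model of the failure mode described in the log message, added here as an illustration and not Nmap's code: the addresses, MACs and LAN layout are constructed, and the "R=Y"/"R=N" strings stand in for whether a probe could reach its target at all. It also shows why the bug stayed hidden for routed targets, where every host shares the gateway as its first hop.

```python
# Added illustration (not Nmap code): caching the first target's next-hop MAC
# for a whole OS-scan group versus resolving it before every send.
from ipaddress import ip_address, ip_network

# Constructed sample LAN: scanner and targets share 192.168.1.0/24, so the
# first hop for each on-link target is the target's own MAC; off-link
# targets are reached through the gateway MAC.
LOCAL_NET = ip_network("192.168.1.0/24")
GATEWAY_MAC = "00:00:5e:00:01:01"
ARP_TABLE = {  # constructed IP -> MAC mapping, as ARP would resolve it
    "192.168.1.10": "02:00:00:00:00:0a",
    "192.168.1.11": "02:00:00:00:00:0b",
    "192.168.1.12": "02:00:00:00:00:0c",
}


def next_hop_mac(target: str) -> str:
    """Ethernet destination for a target: its own MAC on-link, else the gateway's."""
    if ip_address(target) in LOCAL_NET:
        return ARP_TABLE[target]
    return GATEWAY_MAC


def lan_deliver(frame: dict) -> bool:
    """Model the LAN: a switch hands a frame only to the host owning its
    destination MAC; a frame addressed to the gateway reaches off-link targets."""
    if ip_address(frame["dst_ip"]) in LOCAL_NET:
        return ARP_TABLE.get(frame["dst_ip"]) == frame["dst_mac"]
    return frame["dst_mac"] == GATEWAY_MAC


def scan_group_cached_mac(targets: list) -> dict:
    """Behaviour before r11437: MAC resolved once per group, reused for all targets."""
    dst_mac = next_hop_mac(targets[0])
    return {t: "R=Y" if lan_deliver({"dst_ip": t, "dst_mac": dst_mac}) else "R=N"
            for t in targets}


def scan_group_per_send_mac(targets: list) -> dict:
    """Fixed behaviour: destination MAC filled in before each probe is sent."""
    return {t: "R=Y" if lan_deliver({"dst_ip": t, "dst_mac": next_hop_mac(t)}) else "R=N"
            for t in targets}


if __name__ == "__main__":
    on_link = list(ARP_TABLE)
    print("switched LAN, cached once:", scan_group_cached_mac(on_link))
    print("switched LAN, per send:   ", scan_group_per_send_mac(on_link))
    print("routed targets, cached:   ", scan_group_cached_mac(["10.0.0.5", "10.0.0.6"]))
```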