Nmap Development mailing list archives
Nmap output behavior question
From: "Thomas Tavaris J (Tavaris)" <tjthomas () LGSInnovations com>
Date: Fri, 22 May 2009 09:28:05 -0400
Hi devs, I realize that I am not running the most recent version of Nmap (using 4.76) but while running various scans I noticed strange results being reported when generating the fingerprint of the remote host. In particular the SEQ, IE test, and U1 are reporting multiple results from the generated fingerprint., (i.e. one IE(R=Y....) and a IE(R=N) for the same host?!?!?!?! multiple SEQ and U1 lines (see below), etc Could anyone explain this? (nmap command used for scanning at the very bottom of this message) -Tavaris Here are some examples of generated fingerprints I am seeing: (*) = Dupes #EX 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (*) SEQ(SP=102%GCD=1%ISR=10A%TI=Z%II=RI%TS=U) (*) SEQ(SP=102%GCD=1%ISR=108%TI=Z%II=RI%TS=U) (*) SEQ(SP=FF%GCD=1%ISR=10C%TI=Z%II=RI%TS=U) (*) SEQ(SP=FD%GCD=1%ISR=10F%TI=Z%II=RI%TS=U) (*) SEQ(SP=101%GCD=1%ISR=108%TI=Z%II=RI%TS=U) OPS(O1=M5B4W0NSLL%O2=M578W0NSLL%O3=M280W0L%O4=M1F4W0NSLL%O5=M218W0NSLL%O 6=M109SLL) WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000) ECN(R=Y%DF=Y%T=FF%W=4000%O=M5B4W0NSLL%CC=N%Q=) T1(R=Y%DF=Y%T=FF%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=N) T4(R=Y%DF=N%T=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=N%T=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=N%T=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=N%T=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) (*) U1(R=Y%DF=N%T=FF%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD =G) (*) U1(R=N) IE(R=Y%DFI=S%T=FF%TOSI=S%CD=S%SI=S%DLI=S) #EX 2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEQ(SP=102%GCD=1%ISR=10F%TI=RD%II=RI%TS=U) SEQ(SP=104%GCD=1%ISR=10C%TI=RD%TS=U) OPS(O1=M5B4%O2=M578%O3=M280%O4=M218%O5=M218%O6=M109) WIN(W1=1020%W2=1020%W3=1020%W4=1020%W5=1020%W6=1020) ECN(R=Y%DF=Y%T=101%W=1020%O=M5B4%CC=N%Q=) ECN(R=N) T1(R=Y%DF=Y%T=101%S=O%A=S+%F=AS%RD=0%Q=) T2(R=Y%DF=N%T=101%W=0%S=A%A=S%F=AR%O=%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=101%W=1020%S=O%A=S+%F=AS%O=M5B4%RD=0%Q=) T3(R=N) T4(R=Y%DF=N%T=101%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T4(R=N) T5(R=Y%DF=N%T=101%W=0%S=A%A=S+%F=AR%O=%RD=0%Q=) T5(R=N) T6(R=Y%DF=N%T=101%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T6(R=N) T7(R=Y%DF=N%T=101%W=0%S=A%A=S%F=AR%O=%RD=0%Q=) T7(R=N) (*) U1(R=Y%DF=N%T=101%TOS=C0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%R UD=G) (*) U1(R=N) (*) IE(R=Y%DFI=S%T=101%TOSI=S%CD=S%SI=S%DLI=S) (*) IE(R=N) #EX 3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ T5(R=Y%DF=N%T=100%W=0%S=A%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=N%T=100%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=N%T=FF%W=0%S=A%A=S%F=AR%O=%RD=0%Q=) U1(R=Y%DF=N%T=100%TOS=C0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%R UD=G) (*) IE(R=Y%DFI=N%T=100%TOSI=S%CD=S%SI=S%DLI=S) (*) IE(R=Y%DFI=N%T=FF%TOSI=S%CD=S%SI=S%DLI=S) Here is the command I used: <!-- Nmap 4.76 scan initiated Fri May 8 09:48:17 2009 as: nmap -F -d -n -vvv -oA master-nmap-list -O --osscan-guess --> <nmaprun scanner="nmap" args="nmap -F -d -n -vvv -oA master-nmap-list -O --osscan-guess start="1241790497" startstr="Fri May 8 09:48:17 2009" version="4.76" xmloutputversion="1.02"> _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Nmap output behavior question Thomas Tavaris J (Tavaris) (May 22)
- Re: Nmap output behavior question Fyodor (May 22)