Nmap Development mailing list archives

Nmap-5.61TEST4 for Windows - VMWare ESXi OS Fingerprinting Issue


From: Shane Kinney <shanek () isiisi com>
Date: Fri, 3 Feb 2012 09:28:22 -0700

Hi all,

I have had some conflicting results between a network scan with nmap-5.61TEST4
on Linux Ubuntu versus Windows XP.  I have the nmap-5.61TEST4 version installed
on a Linux Ubuntu host, and it seems to run exactly as I expect, with the output
of the OS fingerprinting showing that I have discovered my VMWare ESXi 4.1 host.
See below:

root@notebook:~/nmap.org/dist/nmap-5.61TEST4# ./nmap -P0 -O -n 192.168.1.7

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-02 18:10 MST
Nmap scan report for 192.168.1.7
Host is up (0.0050s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
427/tcp  open  svrloc
443/tcp  open  https
902/tcp  open  iss-realsecure
5989/tcp open  wbem-https
8000/tcp open  http-alt
8100/tcp open  xprint-server
MAC Address: 78:2B:CB:2D:4B:5E (Dell)
Device type: specialized
Running: VMware ESX Server 4.X
OS CPE: cpe:/o:vmware:esx_server:4
OS details: VMware ESXi Server 4.1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.03 seconds

----------------8<------------------------------------8<------------------------------------------8<-------------------------------------

As you can see below, this scan shows the results of scanning the VMWare
ESXi 4.1 with nmap 5.61TEST4 for Windows.  The concern here is that the OS
Fingerprinting for VMWare ESXi from the Windows version isn't working quite
correctly.  See below:

C:\Program Files\Nmap>nmap -P0 -O -n 192.168.1.7

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-02 17:07 Central Standard Time
Nmap scan report for 192.168.1.7
Host is up (0.0067s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
427/tcp  open  svrloc
443/tcp  open  https
902/tcp  open  iss-realsecure
8000/tcp open  http-alt
8100/tcp open  xprint-server
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch|phone|VoIP adapter|storage-misc|general purpose|VoIP phone|WAP|printer
Running (JUST GUESSING): Cisco IOS 10.X (93%), Cisco embedded (91%), Nokia Symbian OS (90%), Apple embedded (88%), QEMU (88%), Linux 2.0.X (86%), Aastra embedded (86%), Konica Minolta embedded (86%)
OS CPE: cpe:/h:cisco:catalyst_3000 cpe:/o:cisco:ios:10.3 cpe:/h:cisco:catalyst_1900 cpe:/o:nokia:symbian_os cpe:/h:cisco:ata_188_voip_gateway cpe:/o:qemu:qemu cpe:/o:linux:kernel:2.0.33
Aggressive OS guesses: Cisco 3000 switch (IOS 10.3) (93%), Cisco Catalyst 1900 switch (91%), Nokia 3600i mobile phone (90%), Cisco ATA 188 VoIP gateway (89%), Apple Time Capsule NAS device (88%), QEMU user mode network gateway (88%), Linux 2.0.33 (86%), Aastra 6731i VoIP phone or Apple AirPort Express WAP (86%), Konica Minolta bizhub 250 printer (86%), GNU Hurd 0.3 (86%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.99 seconds
----------------8<------------------------------------8<------------------------------------------8<-------------------------------------

Thanks in advance for your help with this.  If there is anything that I can
do to help, please let me know.

Regards,
Shane Kinney
e: shanek () isiisi com
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

