Re: Question about nmap OS detective

[Daniel Miller <bonsaiviking () gmail com>]

Sandy,

Thanks for the question. The fingerprints you've listed have a few things
in common, so it seems likely they are all from one or two devices. A
couple of them (Nintendo Wii, GoPro HERO3) do not have responses for some
of the open-port probes, so those are actually more likely to match an
unusual observation, though with a low score. Otherwise, I see similarities
in TCP options, initial TTL, and a few other things. But there is also
enough variation that I think you may be misinterpreting the output.

Does Nmap report these as confident matches, or does it say things like
"JUST GUESSING" or "conditions not ideal"? Are you using the --osscan-guess
option? It's possible you have a device that we have not classified yet.
I'd guess probably something running VxWorks, since most of these
fingerprints are from that OS, but I can't be sure. Alternatively, you have
an unreliable connection or something is interfering with packets in such a
way as to make classification difficult.

If you provide output from Nmap itself, we could possibly give a more
accurate idea of what is going on.

Dan

On Mon, Nov 28, 2016 at 9:19 PM, <sandy.ys.lu () foxconn com> wrote:

> Hi,
>
>   I have a question about nmap OS detective.
>   I checked the same ip serveral times, but the result changes at
> different time.
>   Do you know the reason?
>
> Example:
>
> Usage:    nmap -O 10.172.100.101
> ( 10.172.100.101 is use for HP iLO4. )
>
>
> Best Regards,
>
> Sandy Lu
> ------------------------------------------------------------
> -----------------
> Information Technology Department
> integrated Digital Product Business Group (iDPBG)
> Hon Hai/Foxconn Precision Ind. Co., Ltd
> GL Office : +86-755-3381-0299 ext. 568 <+86%20755%203381%200299>-82295
> (I'm here)
> ZZ Office : +86-371-6628-2888 ext. 579 <+86%20371%206628%202888>-83615
> Location: 4F, C33, GL
> China Cell Phone: +86-188-2028-4279 <+86%20188%202028%204279>
> Email: sandy.ys.lu () mail foxconn com
> ------------------------------------------------------------
> -----------------
> ------------------------------
> ⌘本電子郵件及附件所載信息均為保密信息，受合同保護或依法不得洩漏。其內容僅供指定收件人按限定範圍或特殊目的使用。未經授權者收到此信息均無權閱讀、
> 使用、 複製、洩漏或散佈。若您因為誤傳而收到本郵件或者非本郵件之指定收件人，請即刻回覆郵件或致電Super Notes郵件客服熱線
> 560-104，並永久刪除此郵件及其附件和銷毀所有複印件。謝謝您的合作！
> This e-mail message together with any attachments thereto (if any) is
> confidential, protected under an enforceable non-disclosure agreement,
> intended only for the use of the named recipient(s) above and may contain
> information that is privileged, belonging to professional work products or
> exempt from disclosure under applicable laws.Any unauthorized review, use,
> copying, disclosure, or distribution of any information contained in or
> attached to this transmission is STRICTLY PROHIBITED and may be against the
> laws. If you have received this message in error, or are not the named
> recipient(s), please immediately notify the sender by e-mail or telephone
> at Super Notes support hotline 560-104 and delete this e-mail message and
> any attached documentation from your computer. Receipt by anyone other than
> the intended recipient(s) is not a waiver of any attorney-client or work
> product privilege. Thank you!⌘
> ------------------------------
>
>
> mail from ip-->10.172.117.58
> mail from pc-->GL-F1195896SVA
> Version: Super Notes 1.6.9.8B
>
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/