Nmap Development mailing list archives
Re: Fwd: nmap-os-db question
From: David Fifield <david () bamsoftware com>
Date: Thu, 31 Jan 2019 23:44:39 -0700
On Mon, Jan 28, 2019 at 01:26:57PM +0100, ludeksubrt () email cz wrote:
> I am a fan of nmap and especially OS detection. But one thing is still unclear. In the nmap-os-db the value T= is usually a range. For example T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=), where T is in the range 3B (59) - 45 (69), which is exactly 5 away from the expected value 0x40 (64). When I am performing some test scans in a lab environment (all in the same LAN) the scan output looks like T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=), and there T equals the expected OS value 64. I would theoretically understand if in the db it were 3B-40, but why 45? I have tried some calculations and played with endianness, but I wasn't able to figure out or even create a hypothesis for when the initial TTL for the OS could be 0x45 or in the range 0x40-0x45. Can you help me understand this last piece of nmap OS fingerprinting, over which I have trouble sleeping :-)
There's a paragraph on this phenomenon in the documentation: https://nmap.org/book/osdetect-methods.html#osdetect-t

> Even though an eight-bit field like TTL can never hold values greater than 0xFF, this test occasionally results in values of 0x100 or higher. This occurs when a system (could be the source, a target, or a system in between) corrupts or otherwise fails to correctly decrement the TTL. It can also occur due to asymmetric routes.

It's basically because Nmap may over-estimate the distance to the target. If the scanner receives a TTL of 60 but the distance is measured to be 5 hops, then the estimated initial TTL will be 65. The error can't happen when scanning local LAN targets, because the distance is then known to be 1. You'll see "DS=1%DC=D" in the SCAN line, which means "distance = 1, distance calculation method = direct".

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/