Nmap Development mailing list archives

Re: Fwd: nmap-os-db question


From: David Fifield <david () bamsoftware com>
Date: Thu, 31 Jan 2019 23:44:39 -0700

On Mon, Jan 28, 2019 at 01:26:57PM +0100, ludeksubrt () email cz wrote:

    I am a fan of nmap and especially OS detection. But one thing is still
    unclear. In the nmap-os-db the value T= is usually a range. For example T1(R=
    Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=) where T is in range 3B(59)-45
    (69) which is exactly 5 away from expected value 0x40(64). When I am
    performing some test scans in lab environment (all in the same LAN) the
    scan output looks like T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=) and there
    the T equals the expected OS value 64.
    I would theoretically understand if in the db it was 3B-40, but why 45? I have
    tried some calculation and played with endianness, but I wasn't able to figure
    out or even create a hypothesis when the initial TTL for the OS could be
    0x45 or in range between 0x40-0x45.
    Can you help me to understand this last piece of nmap os fingerprinting for
    which I have trouble sleeping :-)

There's a paragraph on this phenomenon in the documentation:
https://nmap.org/book/osdetect-methods.html#osdetect-t
        Even though an eight-bit field like TTL can never hold values
        greater than 0xFF, this test occasionally results in values of
        0x100 or higher. This occurs when a system (could be the source,
        a target, or a system in between) corrupts or otherwise fails to
        correctly decrement the TTL. It can also occur due to asymmetric
        routes.
It's basically because Nmap may over-estimate the distance to the
target. If the scanner receives a TTL of 60 but the distance is measured
to be 5 hops, then the estimated initial TTL will be 65. The error can't
happen when scanning local LAN targets, because the distance is then
known to be 1. You'll see "DS=1%DC=D" in the SCAN line, which means
"distance = 1, distance calculation method = direct".
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
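As an added illustration of the arithmetic in the reply (example code, not from the post or from Nmap's source), the following Python computes the T value from an observed TTL and a measured hop count, parses the T1 line quoted in the question, and checks whether the result lands in the 3B-45 range. The zero-based hop convention and the TG rounding to 32/64/128/255 are simplifications assumed here, and the `|` alternatives handled in `ttl_matches` go beyond the quoted line.

```python
import re

# Common initial TTLs; the TG (TTL guess) test rounds the observed TTL up to
# one of these.  Simplified assumption for this example.
TG_STEPS = (32, 64, 128, 255)

def estimate_initial_ttl(observed_ttl, hops):
    """T test: TTL seen in the reply plus the hop distance that was measured.
    An over- or under-estimated hop count shifts the result by the same amount."""
    return observed_ttl + hops

def ttl_guess(observed_ttl):
    """TG test: smallest common initial TTL at or above the observed TTL."""
    return next((s for s in TG_STEPS if observed_ttl <= s), 255)

def parse_test_line(line):
    """Split 'T1(R=Y%DF=Y%T=3B-45%...)' into ('T1', {'R': 'Y', 'T': '3B-45', ...})."""
    m = re.fullmatch(r"(\w+)\((.*)\)", line.strip())
    if not m:
        raise ValueError("not a fingerprint test line: %r" % line)
    name, body = m.groups()
    tests = dict(item.split("=", 1) for item in body.split("%") if item)
    return name, tests

def ttl_matches(value, spec):
    """True if integer TTL `value` satisfies a db spec such as '40', '3B-45'
    or '3B-45|7B-85' (hex, ranges and '|' alternatives)."""
    for alt in spec.split("|"):
        lo, _, hi = alt.partition("-")
        lo_v = int(lo, 16)
        hi_v = int(hi, 16) if hi else lo_v
        if lo_v <= value <= hi_v:
            return True
    return False

DB_LINE = "T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)"  # line quoted in the question

def explain(observed_ttl, measured_hops):
    """Return (T, TG, matches) for one observation checked against DB_LINE."""
    _, tests = parse_test_line(DB_LINE)
    t = estimate_initial_ttl(observed_ttl, measured_hops)
    tg = ttl_guess(observed_ttl)
    return t, tg, ttl_matches(t, tests["T"]) and tg == int(tests["TG"], 16)

if __name__ == "__main__":
    # Constructed scenario: the target really starts at 64 and sits 8 routers
    # away, so its reply arrives with TTL 56.  The correct distance gives 0x40;
    # a distance over-estimated by 5 gives 0x45, under-estimated by 5 gives 0x3B.
    for hops in (8, 13, 3):
        t, tg, ok = explain(56, hops)
        print("observed=56 hops=%2d -> T=%02X TG=%02X in db range: %s" % (hops, t, tg, ok))
    # Directly attached LAN: no router decremented the TTL (hops=0 in this
    # example's convention), so T equals the observed 0x40.
    print("LAN: observed=64 hops=0 -> T=%02X" % explain(64, 0)[0])
```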