Security Basics mailing list archives
Re: When nmap can't ID the OS...
From: Faleh Daoud Abdel Monem <abdelmonem () webone-tunisie com>
Date: Tue, 14 Dec 2004 19:02:32 +0100
Jimi Thompson wrote:
Are you by any chance running NMAP on Windows? If so, you might try using the Linux/Unix version instead and see if you don't get better results.

2 cents,
Jimi

On 27 Nov 2004 19:27:16 -0000, H Carvey <keydet89 () yahoo com> wrote:

What could be up with the remote machine that stops nmap IDing the OS it is running?

Well, the info at NetCraft could have been spoofed, or old. The system using that IP could have at one time been running the OS/web server identified, but perhaps no longer. And without knowing more about what arguments you used for nmap, and the actual output, it might be difficult to tell you why nmap couldn't figure it out...there are several possibilities there.

Harlan
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
Hi list,

First of all I'm sorry about this late reply. Though the discussion has gone on about whether Nmap is able to reliably identify a remote OS, if you permit it let's review what OS fingerprinting basically is:

It is all about TCP/IP packets when it comes to guessing the remote OS: different systems have different TCP/IP stacks, so if you can get a packet from one system and match it against known patterns or behavior (how many SYN packets are sent to try to establish a connection, delay between packets, response to erroneous packets ...) you may guess the OS it's running. How you get this packet to analyze is what makes the difference between so-called active and passive fingerprinting. Passive fingerprinting is basically collecting packets (with TCPdump or anything that can do it) and studying them to find a match with the different OS-specific settings in the IP or TCP headers; this is widely covered in Toby Miller's sans.org paper in its 2 parts (http://www.sans.org/rr/special/index.php?id=passiveos http://www.sans.org/rr/special/index.php?id=passiveos2). Active fingerprinting techniques involve sending regular (usually SYN) packets or specially crafted ones (SYN|FIN) in order to trigger some errors on the remote systems and look into their replies; though this is the way Nmap and many other active fingerprinting tools work, a look at Fyodor's paper on Nmap Remote OS Detection (http://www.insecure.org/nmap/nmap-fingerprinting-article.html) gives a good explication of the techniques. Also performing basic port scanning and banner collection would give some information, but this is not that accurate since today daemons are available for a wide range of OSes.

Though many OSes have parameters that can be tweaked to limit the leak of the information used by those tools, if not stop it altogether, they may also fool the tool so that it is not able to identify the remote OS. If anyone has experience tweaking them with some success it would be useful for all of us. I can just remember some option when compiling a new FreeBSD kernel to allow responses to SYN|FIN packets, as this violates the TCP Three Way Handshake (sorry for not providing it cuz I don't have a FreeBSD box now at hand to verify).
Best Regards.

--
-----------------------------------------------------------------
Daoud AbdelMonem Faleh
WebOne S.A.R.L eBusiness solutions
System Admin.
21 Rue Ibn Badis, 1002 Tunis / Tunisia
Tel: +216 71 784 726
Fax: +216 71 894 326
abdelmonem () webone-tunisie com
http://www.webone.com.tn
-----------------------------------------------------------------
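As an added illustration (not code from the list, from Nmap or from p0f) of the passive header matching the post describes: a toy fingerprinter that parses a raw IPv4+TCP SYN, pulls out initial TTL, DF bit, window size and TCP option layout, and looks the tuple up in a small signature table. The signature entries, the dummy 10.0.0.x addresses and the option blobs are constructed approximations for the demo; note that changing a single stack default (e.g. the window) drops the match to "unknown", which is the effect of the kernel tweaks the post asks about.

```python
import struct

# Constructed, approximate signature table for illustration (not p0f's or Nmap's database):
# (initial TTL, DF bit set, window size, TCP option layout) -> OS guess
SIGNATURES = {
    (64, True, 5840, "mss,sackok,ts,nop,wscale"): "Linux 2.4/2.6-like",
    (64, True, 65535, "mss,nop,wscale,nop,nop,ts,sackok,eol"): "FreeBSD-like",
    (128, True, 65535, "mss,nop,nop,sackok"): "Windows XP-like",
}
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackok", 8: "ts"}

def parse_syn(pkt: bytes) -> dict:
    """Pull the IP/TCP header fields a passive fingerprinter keys on out of a raw IPv4+TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i = [], 20
    while i < doff:                      # walk the TCP option list
        kind = tcp[i]
        if kind == 0:                    # EOL terminates the list
            opts.append("eol"); break
        if kind == 1:                    # NOP has no length byte
            opts.append("nop"); i += 1; continue
        opts.append(OPT_NAMES.get(kind, f"opt{kind}"))
        i += tcp[i + 1]
    return {"ttl": pkt[8], "df": df, "window": window, "options": ",".join(opts)}

def initial_ttl(observed: int) -> int:
    """Routers decrement TTL per hop; round up to the nearest common initial value."""
    return next((c for c in (32, 64, 128, 255) if observed <= c), 255)

def guess_os(pkt: bytes) -> str:
    f = parse_syn(pkt)
    return SIGNATURES.get((initial_ttl(f["ttl"]), f["df"], f["window"], f["options"]), "unknown")

def build_syn(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Constructed sample SYN with dummy 10.0.0.x addresses and ports, for offline testing."""
    assert len(options) % 4 == 0, "options must be padded to a 32-bit boundary"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, ((20 + len(options)) // 4) << 4,
                      0x02, window, 0, 0)
    return ip + tcp + options

# Constructed option blobs matching the table above (mss=1460, timestamps zeroed).
LINUX_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"
WINXP_OPTS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"
FREEBSD_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x06\x01\x01\x08\x0a" + b"\x00" * 8 + b"\x04\x02\x00\x00"
```

A real fingerprinter would also weigh MSS, window scale and the TCP timestamp rate, but the lookup above already shows why a non-default window or TTL leaves the tool without a match.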