Nmap Development mailing list archives

New Nmap option --osscan_guess


From: Fyodor <fyodor () insecure org>
Date: Mon, 14 Aug 2000 13:36:23 -0700 (PDT)


The 2.54BETA3 I released this morning has one interesting undocumented
option I thought I would mention to nmap-dev.

As you may know, Nmap generally requires an OS to match one of the
nmap-os-fingerprints templates 100% before it will report the match.  This
is a good thing for accuracy, but a "no matches" answer sometimes leaves
you with no clues as to what the OS is.  So I added the --osscan_guess
option which tells Nmap to report the closest matches.  For example, when
I scan www.slashdot.org normally Nmap tells me that no matches were
found.  But if you add --osscan_guess, Nmap reports the extra line:

Aggressive OS guesses: Linux 2.1.122 - 2.2.16 (90%)

The "90%" means that 90% of the fingerprinting tests matched the "Linux
2.1.122 - 2.2.16" target.  I know slashdot runs Linux, so in this case the
guess was helpful.  But guessing is not always so slick -- sometimes it
comes up with seemingly-unrelated answers.  More testing will have to be
done to decide if this is a worthwhile option.  But next time you get "no
matches", you might want to try again with --osscan_guess.  I also added
--osscan_limit which tells Nmap to skip OS detection unless conditions are
good (e.g. at least one open port and at least one closed (unfiltered) port
found).

If anyone finds problems with these options or has suggestions for
improving them, let me know.

Cheers,
Fyodor
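
The difference between the default exact-match rule and the closest-match report described in the message, as an added example (not part of the original post and not Nmap's code). The one-attribute-equals-one-test scoring, the 0.8 reporting threshold, the function names and the cut-down fingerprint lines are all assumptions constructed for illustration.

```python
import re

LINE = re.compile(r"^(\w+)\((.*)\)$")

def parse(text):
    """Parse 'Test(attr=val%attr=a|b)' lines into {(test, attr): {values}}."""
    fp = {}
    for line in text.split():
        m = LINE.match(line)
        if m:
            for pair in filter(None, m.group(2).split("%")):
                attr, _, val = pair.partition("=")
                fp[(m.group(1), attr)] = set(val.split("|"))
    return fp

def score(template, observed):
    """Fraction of the template's attribute tests the observed result satisfies."""
    hits = sum(1 for key, allowed in template.items()
               if observed.get(key, set()) & allowed)
    return hits / len(template)

def os_scan(templates, observed, guess=False, threshold=0.8):
    """Exact (100%) matches only by default; guess=True falls back to closest."""
    scored = sorted(((score(t, observed), name) for name, t in templates.items()),
                    reverse=True)
    exact = [name for s, name in scored if s == 1.0]
    if exact or not guess:
        return exact
    # Assumed cut-off: only report candidates at or above the threshold.
    return [(name, round(s * 100)) for s, name in scored if s >= threshold]

# Constructed templates and probe result (not real nmap-os-fingerprints entries).
TEMPLATES = {
    "Constructed OS A": parse("""T1(DF=Y%W=7F53%ACK=S++%Flags=AS%Ops=MENNTNW)
        T2(Resp=N)
        T5(DF=N%W=0%ACK=S++%Flags=AR)"""),
    "Constructed OS B": parse("""T1(DF=N%W=2017|4000%ACK=S++%Flags=AS%Ops=M)
        T2(Resp=Y)
        T5(DF=N%W=0%ACK=S++%Flags=AR)"""),
}
# Same as template A except for the T1 window size, so 9 of 10 tests match.
OBSERVED = parse("""T1(DF=Y%W=7C70%ACK=S++%Flags=AS%Ops=MENNTNW)
    T2(Resp=N)
    T5(DF=N%W=0%ACK=S++%Flags=AR)""")

if __name__ == "__main__":
    print("normal:", os_scan(TEMPLATES, OBSERVED) or "no matches")
    print("guess: ", os_scan(TEMPLATES, OBSERVED, guess=True))
```

A single differing attribute is enough to turn an exact match into "no matches", which is why a guess percentage should be recorded alongside the guessed OS in asset inventories instead of being treated as a confirmed identification.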

