Nmap Development mailing list archives

Re: Why does OS fingerprinting happen before Application Fingerprinting


From: Fyodor <fyodor () insecure org>
Date: Fri, 5 Mar 2004 21:08:07 -0800

On Sun, Feb 15, 2004 at 09:27:06PM -0800, alan donald wrote:
> I just ran a few scans with the OS probe and Version
> probe check boxes checked. It appeared that the OS
> detection is being done before the Version detection.
> Why is this so?  Is it some performance issue or is it
> using this information in some way?
>
> Or is this just random and the 2 types (OS vs Version)
> of probes can be sent one before the other or vice
> versa?

Neither of those scan types is dependent on the other, so the order
shouldn't matter.  But OS detection actually comes _after_ service
scan.  You can see the order with the -v option:

# nmap -v -A localhost

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-05 21:05 PST
Host felix (127.0.0.1) appears to be up ... good.
Initiating SYN Stealth Scan against felix (127.0.0.1) at 21:05
[...]
The SYN Stealth Scan took 3 seconds to scan 1659 ports.
Initiating service scan against 8 services on 1 host at 21:05
The service scan took 5 seconds to scan 8 services on 1 host.
Initiating RPCGrind Scan against felix (127.0.0.1) at 21:05
The RPCGrind Scan took 0 seconds to scan 1 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled

Cheers,
-Fyodor
