Nmap Development mailing list archives
RE: Nmap Fingerprint Submitter - Broken?
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Sat, 15 Dec 2007 21:13:23 -0000
Phew! I'm glad it was something I was doing wrong (trying to paste bad fingerprints) and not a problem with the webpage. I see the fingerprint because I normally run nmap with -vv (NB: the osdetect page David mentioned says "Unless you force them by enabling debugging (-d), G=N fingerprints aren't printed by Nmap." which is incorrect as I'm not using -d); if I don't tell it to be very verbose then I don't see the bad signature.

Presumably -vv (and higher; as -v doesn't show anything) will force nmap to show a signature, but the "OS:" is (now, obviously not in 4.20/4.21 versions) intentionally omitted to make sure it's invalid if you try and paste it into the online submitter. Perhaps the JavaScript could read the first line to make sure it says "%G=Y" and display a different warning instead? That might stop bad submissions from anyone still using 4.20.

Also, http://insecure.org/nmap/man/man-output.html says for verbosity "Using it more than twice has no effect." but that can't be right? Using -vvv will add the "DNS resolution of 1 IPs took 0.14s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]" line, for example, that I don't see with just -vv. And my NSE script will also show more info if -vvv or higher is used. Perhaps we should remove that sentence from the documentation, or reword it to suggest that there's little value in using it more than twice?

I suspect the fingerprints were bad because the scans were run against Windows Vista hosts with the firewalls enabled, so they're not getting any TCP resets. You have to work hard to cripple Vista enough to get a good fingerprint (i.e. return a closed port) out of it.

Rob

-----Original Message-----
From: David Fifield [mailto:david () bamsoftware com]
Sent: 15 December 2007 19:00
To: nmap-dev () insecure org
Subject: Re: Nmap Fingerprint Submitter - Broken?

On Sat, Dec 15, 2007 at 06:39:57PM -0000, Rob Nicholls wrote:
I just tried out the Nmap Fingerprint Submitter, but it keeps telling me "Fingerprint doesn't look good! Please check that it pasted OK." I did a quick test and 4.21ALPHA4 (from a different box, but against a similar system) gives me a fingerprint that looks like:
OS:SCAN(V=4.21ALPHA4%D=12/15%OT=3389%CT=%CU=%PV=Y%DS=1%G=N%M=001B77%TM=4764
OS:1B6E%P=i686-pc-windows-windows)T1(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
OS:T2(Resp=N)T3(Resp=N)T4(Resp=N)T5(Resp=N)T6(Resp=N)T7(Resp=N)PU(Resp=N)

Which it accepts, but later versions say:

4.23RC3 (SVN 6369):
SCAN(V=4.23RC3%D=12/15%OT=135%CT=%CU=%PV=Y%DS=1%G=N%M=00138F%TM=47641BA0%P=i686-pc-windows-windows)
SEQ(SP=104%GCD=1%ISR=106%TI=I%II=I%SS=S%TS=7)
OPS(O1=M5B4ST11%O2=M5B4ST11%O3=M5B4NNT11%O4=M5B4ST11%O5=M5B4ST11%O6=M5B4ST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%TG=80%W=2000%O=M5B4NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=O%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%TOSI=Z%CD=Z%SI=S%DLI=S)
The fingerprints really are bad, in that there was something weird in the scan that makes them unsuitable for the database. That's what the "G=N" (good=no) part of the SCAN line means. See http://insecure.org/nmap/osdetect/osdetect-fingerprint-format.html#id292709 ("Decoding the SCAN line of a subject fingerprint"). If you look through the output you will find lines that look like

OS fingerprint not ideal because: No exact OS matches for host (test conditions non-ideal).

From the fingerprints it looks like the problem is that you didn't receive a port unreachable message from the UDP probe. That's why it didn't package the fingerprint for submission (wrap lines and prefix with "OS:"). It only printed the fingerprint at all because you must have been in debugging mode. Basically you should only submit a fingerprint when Nmap asks you to ("If you know what OS is running on it, see http://insecure.org/nmap/submit/").
I think the JavaScript is looking specifically for the prefix "OS:" at the start of every line, which appears to have changed in recent versions of nmap. We also appear to space out the TX lines (although I don't know if that's a problem or not?), putting OS: before all of these lines seems to keep the online submitter happy. It seems to think that the following looks valid ("Fingerprint looks good!") although I haven't tried submitting it:
You're right though, that message ("Fingerprint doesn't look good! Please check that it pasted OK.") is confusing. It ought to say that the fingerprint is unsuitable no matter how well you paste it.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
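
The check discussed in this message, reading the SCAN line for G=Y and reporting a G=N fingerprint separately from a badly pasted one, sketched as an added example; it is not the submitter's actual JavaScript and not code from anyone in the thread. `classifyFingerprint` and its status strings are hypothetical names, and the G=Y samples are constructed from the 4.21ALPHA4 fingerprint quoted above.

```javascript
// Added example; classifyFingerprint and its status strings are hypothetical names.
function classifyFingerprint(pasted) {
  const lines = pasted.split(/\r?\n/).map(l => l.trim()).filter(l => l !== "");
  if (lines.length === 0) return { status: "malformed", reason: "empty input" };

  // A packaged fingerprint carries "OS:" on every line; count how many do.
  const prefixed = lines.filter(l => l.startsWith("OS:")).length;
  // Wrapped lines are continuations: strip the prefix and join without spaces.
  const joined = lines.map(l => l.replace(/^OS:/, "")).join("");

  const scan = /SCAN\(([^)]*)\)/.exec(joined);
  if (!scan) return { status: "malformed", reason: "no SCAN line found" };

  // SCAN fields are KEY=VALUE pairs separated by '%'.
  const fields = {};
  for (const pair of scan[1].split("%")) {
    const eq = pair.indexOf("=");
    if (eq > 0) fields[pair.slice(0, eq)] = pair.slice(eq + 1);
  }

  // G=N means the scan itself was unsuitable, so pasting it again cannot help.
  if (fields.G === "N") return { status: "unsuitable", reason: "SCAN line has G=N" };
  if (fields.G !== "Y") return { status: "malformed", reason: "SCAN line has no G field" };
  if (prefixed !== lines.length) {
    return { status: "malformed", reason: "some lines lack the OS: prefix" };
  }
  return { status: "good", reason: "G=Y and every line is prefixed" };
}

// The 4.21ALPHA4 fingerprint quoted in the thread (G=N, packaged with "OS:").
const FP_421 = [
  "OS:SCAN(V=4.21ALPHA4%D=12/15%OT=3389%CT=%CU=%PV=Y%DS=1%G=N%M=001B77%TM=4764",
  "OS:1B6E%P=i686-pc-windows-windows)T1(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)",
  "OS:T2(Resp=N)T3(Resp=N)T4(Resp=N)T5(Resp=N)T6(Resp=N)T7(Resp=N)PU(Resp=N)",
].join("\n");
// Constructed sample: the same text with G=Y, to exercise the accepting path.
const FP_GOOD = FP_421.replace("%G=N", "%G=Y");
// Constructed sample: G=Y but with the "OS:" prefixes lost in pasting.
const FP_STRIPPED = FP_GOOD.replace(/^OS:/gm, "");

for (const [name, fp] of [["4.21ALPHA4", FP_421], ["good", FP_GOOD], ["stripped", FP_STRIPPED]]) {
  console.log(name, classifyFingerprint(fp).status);
}
```

The G=N test runs before the prefix test, so an unpackaged G=N fingerprint is reported as unsuitable rather than as a paste error.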
Current thread:
- Vista Pro reported as Vista Home fabrice boissat (Dec 14)
- Re: Vista Pro reported as Vista Home David Fifield (Dec 14)
- Nmap Fingerprint Submitter - Broken? Rob Nicholls (Dec 15)
- Re: Nmap Fingerprint Submitter - Broken? David Fifield (Dec 15)
- RE: Nmap Fingerprint Submitter - Broken? Rob Nicholls (Dec 15)
- Re: Nmap Fingerprint Submitter - Broken? Fyodor (Dec 20)