Nmap Development mailing list archives
OS fingerprint extraction quality when scanning a large number of machines
From: Michael Head <mrhead () us ibm com>
Date: Wed, 17 Dec 2008 12:23:55 -0500
Greetings, and apologies if the format of my email is imperfect.

I've been using nmap to collect information for internal asset discovery and verification processes. I'm using the OS detection, service scan, and full complement of service probes, and I'm finding that the quality of OS fingerprints achievable diminishes substantially when I scan more than a few hosts (from any of several Windows (XP, 2003) installations). When I scan each host individually with a single call to nmap, those same target systems return much improved fingerprints.

For example, here are two fingerprints of the same target taken from the same machine; the first is taken when nmap was asked to scan the entire subnet, the second was taken when nmap was asked to scan just the host on its own:

SCAN (V=4.76%D=12/8%OT=22%CT=1%CU=%PV=Y%DS=1%G=N%M=005056%TM=493DC5AC%P=i686-pc-windows-windows)
ECN(R=N)
T1(R=N)
T2(R=N)
T3(R=N)
T4(R=N)
T5(R=N)
T6(R=N)
T7(R=N)
U1(R=N)
IE(R=N)

Sequential:

SCAN (V=4.76%D=12/9%OT=22%CT=1%CU=43799%PV=Y%DS=1%G=Y%M=005056%TM=493E6F3
OS:1%P=i686-pc-windows-windows) SEQ(SP=C7%GCD=1%ISR=D4%TI=Z%II=I%TS=A) OPS (O1
OS:=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW
OS:7%O6=M5B4ST11) WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0) ECN(R=
OS:Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW7%CC=N%Q=) T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW7%RD=0%Q
OS:=) T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=40%W=0%S=Z%A
OS:=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%D
OS:F=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1 (R=Y%DF=N%T=40%TOS=C0%IPL=164%UN
OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G) IE(R=Y%DFI=N%T=40%TOSI=S%CD=S
OS:%SI=S%DLI=S)

So is this a known problem, and is there a known alternative to manually limiting the number of hosts given to nmap? Are the probes timing out in the first case, or is winpcap giving trouble?

Thanks,
mike

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
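The following is an added example, not part of the original message and not Nmap's own code. It parses the two fingerprints quoted above and counts how many probe groups drew a reply, so an asset-discovery job can flag hosts whose fingerprint degraded during a bulk scan and queue them for an individual rescan. The function names and the "fewer than half answered" cut-off are assumptions.

```python
import re

# Probe groups of a 2nd-generation Nmap OS fingerprint (SCAN is metadata only).
TESTS = ["SEQ", "OPS", "WIN", "ECN", "T1", "T2", "T3", "T4", "T5", "T6", "T7", "U1", "IE"]

# The two fingerprints from the message above, copied as they appear on the page.
SUBNET_SCAN = """
SCAN (V=4.76%D=12/8%OT=22%CT=1%CU=%PV=Y%DS=1%G=N%M=005056%TM=493DC5AC%P=i686-pc-windows-windows)
ECN(R=N) T1(R=N) T2(R=N) T3(R=N) T4(R=N) T5(R=N) T6(R=N) T7(R=N) U1(R=N) IE(R=N)
"""
SINGLE_HOST_SCAN = """
SCAN (V=4.76%D=12/9%OT=22%CT=1%CU=43799%PV=Y%DS=1%G=Y%M=005056%TM=493E6F3
OS:1%P=i686-pc-windows-windows) SEQ(SP=C7%GCD=1%ISR=D4%TI=Z%II=I%TS=A) OPS (O1
OS:=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW
OS:7%O6=M5B4ST11) WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0) ECN(R=
OS:Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW7%CC=N%Q=) T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW7%RD=0%Q
OS:=) T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=40%W=0%S=Z%A
OS:=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%D
OS:F=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1 (R=Y%DF=N%T=40%TOS=C0%IPL=164%UN
OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G) IE(R=Y%DFI=N%T=40%TOSI=S%CD=S
OS:%SI=S%DLI=S)
"""

def parse_fingerprint(text):
    """Return {test: {attr: value}} for wrapped ("OS:" lines) or plain output."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    wrapped = any(ln.startswith("OS:") for ln in lines)
    # Wrapped values span line breaks, so rejoin with no separator.
    joined = ("" if wrapped else " ").join(re.sub(r"^OS:", "", ln) for ln in lines)
    tests = {}
    for name, body in re.findall(r"([A-Z][A-Z0-9]*)\s*\(([^)]*)\)", joined):
        tests[name] = dict(kv.split("=", 1) for kv in body.split("%") if "=" in kv)
    return tests

def quality(text):
    """Count probe groups that drew a reply; absent or R=N means no reply."""
    tests = parse_fingerprint(text)
    answered = [t for t in TESTS if t in tests and tests[t].get("R") != "N"]
    return {
        "answered": len(answered),
        "good": tests.get("SCAN", {}).get("G") == "Y",  # Nmap's own G flag
        "rescan": len(answered) < len(TESTS) // 2,  # assumed cut-off
    }

if __name__ == "__main__":
    for label, fp in (("subnet", SUBNET_SCAN), ("single host", SINGLE_HOST_SCAN)):
        print(label, quality(fp))
```
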
Current thread:
- OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Brandon Enright (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Rob Nicholls (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines Brandon Enright (Dec 17)