Nmap Development mailing list archives
Re: OS fingerprint extraction quality when scanning a large number of machines
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 17 Dec 2008 17:37:18 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 17 Dec 2008 12:23:55 -0500 or thereabouts Michael Head
<mrhead () us ibm com> wrote:

> Greetings, and apologies if the format of my email is imperfect. I've
> been using nmap to collect information for internal asset discovery
> and verification processes. I'm using the OS detection, service scan,
> and full complement of service probes, and I'm finding that the
> quality of OS fingerprints achievable diminishes substantially when I
> scan more than a few hosts (from any of several Windows (XP, 2003)
> installations). When I scan each host individually with a single call
> to nmap, those same target systems return much improved fingerprints.
>
> For example, here are two fingerprints of the same target taken from
> the same machine. The first was taken when nmap was asked to scan the
> entire subnet, the second was taken when nmap was asked to scan just
> the host on its own:
>
> SCAN (V=4.76%D=12/8%OT=22%CT=1%CU=%PV=Y%DS=1%G=N%M=005056%TM=493DC5AC%P=i686-pc-windows-windows)
> ECN(R=N)
> T1(R=N)
> T2(R=N)
> T3(R=N)
> T4(R=N)
> T5(R=N)
> T6(R=N)
> T7(R=N)
> U1(R=N)
> IE(R=N)
>
> Sequential:
>
> SCAN (V=4.76%D=12/9%OT=22%CT=1%CU=43799%PV=Y%DS=1%G=Y%M=005056%TM=493E6F3
> OS:1%P=i686-pc-windows-windows) SEQ(SP=C7%GCD=1%ISR=D4%TI=Z%II=I%TS=A) OPS (O1
> OS:=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW
> OS:7%O6=M5B4ST11) WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0) ECN(R=
> OS:Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW7%CC=N%Q=) T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
> OS:D=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW7%RD=0%Q
> OS:=) T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=40%W=0%S=Z%A
> OS:=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%D
> OS:F=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1 (R=Y%DF=N%T=40%TOS=C0%IPL=164%UN
> OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G) IE(R=Y%DFI=N%T=40%TOSI=S%CD=S
> OS:%SI=S%DLI=S)
>
> So is this a known problem, and is there a known alternative to
> manually limiting the number of hosts given to nmap? Are the probes
> timing out in the first case, or is winpcap giving trouble?
>
> Thanks,
> mike

Mike,

Among other things, OS fingerprinting is sensitive to intra-packet
timings, and when Nmap is doing "too much" the measured times can have a
lot of jitter to them. This can result in slightly degraded
fingerprints. David worked on changing the weights of the fingerprint
matching to help improve matches in a number of cases.

The fingerprints you've included above though don't exhibit the small
jitter of scanning lots of hosts. The first fingerprint got absolutely
no response back from the host. This generally happens on firewalled or
non-existent hosts. The second fingerprint is a perfectly valid,
quality fingerprint.

You should *not* see such a wide variation in fingerprints, even
scanning lots of hosts. Can you reproduce this? Do you get a lot of
no-fingerprints when you scan lots of hosts that do respond
individually? If you provide the command you are using to scan large
host groups we /might/ be able to spot the problem.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEUEARECAAYFAklJONYACgkQqaGPzAsl94LVSACXdcUIABpuOmx0txZUF2vg5qab
kwCcCBNIp4WlkGrqZaBqovnWbUlEVmk=
=RID4
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
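The distinction Brandon draws (a fingerprint in which no probe was answered at all, versus a complete one that may only carry timing jitter) can be checked mechanically. The following is an added example, not code from this thread or from the Nmap project: a small Python parser for the fingerprint format quoted above (test groups such as T1(...) holding %-separated key=value attributes, optionally wrapped onto "OS:"-prefixed lines), fed with the two fingerprints Michael posted. The function names, the rule that SEQ/OPS/WIN count as answered when present (they carry no R attribute), and the comparison helper are assumptions of this example, not Nmap's own logic.

```python
"""Parse Nmap OS fingerprints and flag ones that drew no replies at all.

Added example. The fingerprint format is Nmap's; the two samples are the
ones quoted in the message above, with the second left in the "OS:"-wrapped
form Nmap prints for submission (lines break at arbitrary points, even
inside a value, so they are joined with no separator).
"""
import re
from typing import Dict, List

# Sample input taken from the message above: the fingerprint from the subnet scan.
SUBNET_SCAN_FP = ("SCAN (V=4.76%D=12/8%OT=22%CT=1%CU=%PV=Y%DS=1%G=N%M=005056"
                  "%TM=493DC5AC%P=i686-pc-windows-windows) ECN(R=N) T1(R=N) "
                  "T2(R=N) T3(R=N) T4(R=N) T5(R=N) T6(R=N) T7(R=N) U1(R=N) IE(R=N)")

# Sample input taken from the message above: the fingerprint from the single-host scan.
SEQUENTIAL_SCAN_FP = """\
OS:SCAN(V=4.76%D=12/9%OT=22%CT=1%CU=43799%PV=Y%DS=1%G=Y%M=005056%TM=493E6F3
OS:1%P=i686-pc-windows-windows)SEQ(SP=C7%GCD=1%ISR=D4%TI=Z%II=I%TS=A)OPS(O1
OS:=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW
OS:7%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=
OS:Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW7%RD=0%Q
OS:=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A
OS:=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%D
OS:F=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%TOS=C0%IPL=164%UN
OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)IE(R=Y%DFI=N%T=40%TOSI=S%CD=S
OS:%SI=S%DLI=S)
"""

# One test group: a name, optional whitespace, then the attributes in parentheses.
TEST_RE = re.compile(r"([A-Z0-9]+)\s*\(([^)]*)\)")

# Probe result groups in the order Nmap prints them. SEQ, OPS and WIN are
# derived from the replies to the sequence-generation probes and carry no R
# attribute; this example treats their presence as "answered" (an assumption).
PROBE_TESTS = ("SEQ", "OPS", "WIN", "ECN", "T1", "T2", "T3",
               "T4", "T5", "T6", "T7", "U1", "IE")


def unwrap(text: str) -> str:
    """Join a fingerprint into one string, dropping Nmap's "OS:" line prefixes."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("OS:"):
            line = line[3:]
        parts.append(line)
    return "".join(parts)


def parse_fingerprint(text: str) -> Dict[str, Dict[str, str]]:
    """Return {test_name: {attr: value}}; empty values such as Q= are kept as ""."""
    tests: Dict[str, Dict[str, str]] = {}
    for name, attrs in TEST_RE.findall(unwrap(text)):
        fields: Dict[str, str] = {}
        for item in attrs.split("%"):
            if item:
                key, _, value = item.partition("=")
                fields[key] = value
        tests[name] = fields
    return tests


def responding_tests(fp: Dict[str, Dict[str, str]]) -> List[str]:
    """Tests whose probe drew a reply: present in the fingerprint and not R=N."""
    return [t for t in PROBE_TESTS if t in fp and fp[t].get("R") != "N"]


def is_empty_fingerprint(fp: Dict[str, Dict[str, str]]) -> bool:
    """True when not a single probe was answered, the silent pattern of a
    firewalled or non-existent host, as opposed to the subtle differences
    timing jitter introduces into an otherwise complete fingerprint."""
    return not responding_tests(fp)


def missing_responses(reference, sample) -> List[str]:
    """Tests answered in `reference` but not in `sample`, e.g. a host's
    single-host fingerprint compared with its fingerprint from a subnet scan."""
    answered = set(responding_tests(sample))
    return [t for t in responding_tests(reference) if t not in answered]


def summarize(fp: Dict[str, Dict[str, str]]) -> str:
    """One-line summary: scanner version, date, answered tests and the SCAN G flag."""
    scan = fp.get("SCAN", {})
    answered = responding_tests(fp)
    note = " (no response at all)" if not answered else ""
    return (f"nmap {scan.get('V', '?')} on {scan.get('D', '?')}: "
            f"{len(answered)}/{len(PROBE_TESTS)} tests answered, "
            f"G={scan.get('G', '?')}{note}")


if __name__ == "__main__":
    subnet = parse_fingerprint(SUBNET_SCAN_FP)
    single = parse_fingerprint(SEQUENTIAL_SCAN_FP)
    print("subnet scan:      ", summarize(subnet))
    print("single-host scan: ", summarize(single))
    print("answered only when scanned alone:", missing_responses(single, subnet))
```

Run over the two posted fingerprints, the subnet-scan one parses to zero answered tests (every group is R=N and SEQ/OPS/WIN are absent), while the single-host one has twelve of thirteen answered with only T2 silent; that is the "no response at all" versus "valid, quality fingerprint" contrast in the reply, and a bulk scan that keeps producing the first shape for hosts that answer individually is worth investigating as a scan problem rather than a matching problem.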
Current thread:
- OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Brandon Enright (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Rob Nicholls (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines Rob Nicholls (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines Brandon Enright (Dec 17)