Nmap Development mailing list archives
Re: OS fingerprint extraction quality when scanning a large number of machines
From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Dec 2008 21:37:18 -0700
On Wed, Dec 17, 2008 at 12:23:55PM -0500, Michael Head wrote:
I've been using nmap to collect information for internal asset discovery and verification processes. I'm using the OS detection, service scan, and full complement of service probes, and I'm finding that the quality of OS fingerprints achievable diminishes substantially when I scan more than a few hosts (from any of several Windows (XP, 2003) installations). When I scan each host individually with a single call to nmap, those same target systems return much improved fingerprints.
I tried to reproduce this with Windows XP SP3. I OS scanned 128 Internet addresses. I thought that a Microsoft patch might have changed things, so I ran both before and after applying these updates: * Security Update for Internet Explorer 6 for Windows XP (960714) http://go.microsoft.com/fwlink/?LinkId=137030 * Cumulative Security Update for Internet Explorer 6 for Windows XP (KB958215) http://go.microsoft.com/fwlink/?LinkId=133437 * Security Update for Windows XP (KB956802) http://go.microsoft.com/fwlink/?LinkId=125440 * Security Update for Windows XP Service Pack 3 (KB952069) http://go.microsoft.com/fwlink/?LinkId=125419 * Security Update for Windows XP (KB954600) http://go.microsoft.com/fwlink/?LinkId=125419 * Update for Windows XP (KB955839) http://support.microsoft.com/kb/955839 * Windows Malicious Software Removal Tool - December 2008 (KB890830) http://go.microsoft.com/fwlink/?LinkId=39987 However OS scanning worked for me. About 100 hosts in each test had a good OS fingerprint. Perhaps it was because it was an Internet scan. I don't have a big LAN to test with. Can anyone reproduce this? The symptom is that only about 1 in 30 hosts have a good OS fingerprint. I found a good way to quickly analyze this is to grep an XML log for "R=Y"; any matches are good fingerprints. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Brandon Enright (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Michael Head (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 17)
- Re: OS fingerprint extraction quality when scanning a large number of machines Rob Nicholls (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines Rob Nicholls (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines Brandon Enright (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines David Fifield (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines Brandon Enright (Dec 18)
- Re: OS fingerprint extraction quality when scanning a large number of machines Brandon Enright (Dec 17)