Nmap Development mailing list archives
Re: OS fingerprint extraction quality when scanning a large number of machines
From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Dec 2008 22:15:40 -0700
On Wed, Dec 17, 2008 at 09:37:18PM -0700, David Fifield wrote:
> On Wed, Dec 17, 2008 at 12:23:55PM -0500, Michael Head wrote:
> > I've been using nmap to collect information for internal asset discovery and verification processes. I'm using the OS detection, service scan, and full complement of service probes, and I'm finding that the quality of OS fingerprints achievable diminishes substantially when I scan more than a few hosts (from any of several Windows (XP, 2003) installations). When I scan each host individually with a single call to nmap, those same target systems return much improved fingerprints.
>
> I tried to reproduce this with Windows XP SP3. I OS scanned 128 Internet addresses. I thought that a Microsoft patch might have changed things, so I ran both before and after applying these updates:
>
> However OS scanning worked for me. About 100 hosts in each test had a good OS fingerprint. Perhaps it was because it was an Internet scan. I don't have a big LAN to test with.
>
> Can anyone reproduce this? The symptom is that only about 1 in 30 hosts have a good OS fingerprint. I found a good way to quickly analyze this is to grep an XML log for "R=Y"; any matches are good fingerprints.

I found and fixed an OS scan bug in r11421. An implementation error disabled global congestion control, leading to large bursts of outstanding probes. With the fix Nmap will not send so many at once. Unfortunately, as I said I can't reproduce the problem so I don't know if this fixes it specifically.

If you have been compiling from source please try r11421. Anyone else who has experienced this problem, we could use your help.

This change could potentially be disruptive for those of you who do large-scale OS scans. I'd appreciate some tests before and after r11421. My feeling is that they will take the same amount of time or will be a little bit slower.

David Fifield
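
Added example, not part of the original message or of Nmap itself: a per-host version of the `R=Y` check described in the quoted text, useful for comparing fingerprint quality before and after r11421. It assumes the XML log carries `osfingerprint` elements with a `fingerprint` attribute; the sample XML, the addresses and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check reads.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<os><osfingerprint fingerprint="SEQ(SP=105%GCD=1)&#10;T1(R=Y%DF=Y%T=80)&#10;T5(R=Y%DF=N)&#10;U1(R=N)"/></os></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/>
<os><osfingerprint fingerprint="T1(R=N)&#10;T5(R=N)&#10;U1(R=N)&#10;IE(R=N)"/></os></host>
<host><address addr="192.0.2.12" addrtype="ipv4"/><os/></host>
</nmaprun>"""

# A test line such as T1(R=Y%DF=Y...) records that the probe was answered.
RESPONDED = re.compile(r"\bR=Y\b")


def fingerprint_quality(xml_text):
    """Map each host address to the number of R=Y tests in its fingerprint."""
    quality = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        count = 0
        for fp in host.iter("osfingerprint"):
            count += len(RESPONDED.findall(fp.get("fingerprint", "")))
        # Hosts with no fingerprint at all are kept with a count of 0,
        # so they show up in the denominator instead of vanishing.
        quality[addr] = count
    return quality


def good_ratio(quality):
    """Return (hosts with at least one R=Y, total hosts)."""
    good = sum(1 for n in quality.values() if n > 0)
    return good, len(quality)


if __name__ == "__main__":
    q = fingerprint_quality(SAMPLE_XML)
    for addr, n in sorted(q.items()):
        print(f"{addr}\tR=Y tests: {n}")
    print("good fingerprints: %d of %d hosts" % good_ratio(q))
```

Unlike a plain grep, this counts hosts rather than matching lines, so the 1-in-30 symptom can be read directly off the ratio.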