Nmap Development mailing list archives

OS detection in poor conditions


From: Andrew Johnston <ahjohnston25 () gmail com>
Date: Tue, 10 Nov 2009 22:56:41 -0500

Hello-
I noticed throughout my scans that whenever a machine's OS seems to be
unknown, Nmap reports it as a firewall running ZyXEL ZyNOS or Prestige. I
would understand if the scan was close enough (like if it was a ZyXEL
router), but a lot of times it seems to be way off. As an example, I have
provided a scan.

# Nmap 5.00 scan initiated Tue Nov 10 22:51:33 2009 as: nmap -O -oN example.txt -PN fake.domain
Interesting ports on fake.domain (192.168.1.1)
Not shown: 923 closed ports, 69 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
995/tcp  open  pop3s
3306/tcp open  mysql
Device type: firewall
Running: ZyXEL ZyNOS 3.X
OS details: ZyXEL ZyWALL 2 or Prestige 660HW-61 ADSL router (ZyNOS 3.62)
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Tue Nov 10 22:52:58 2009 -- 1 IP address (1 host up) scanned in 86.14 seconds

Of course, I removed any sensitive information. But I know the device is
not actually a ZyXEL firewall, but a Red Hat 9 server.
Is this a type of default that I can disable? It has been messing me up.

Thanks in advance.


-- 
Andrew Johnston
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

