Nmap Development mailing list archives

Re: nmap OS detection providing different results: --osscan-guess


From: David Fifield <david () bamsoftware com>
Date: Sat, 2 Apr 2011 09:23:07 -0700

On Sat, Apr 02, 2011 at 08:23:47AM -0700, David Fifield wrote:
> On Sat, Apr 02, 2011 at 09:33:45AM -0400, Ryan Giobbi wrote:
> > Hello,
> >
> > When running against non-Windows hosts (AIX), I've noticed that nmap's
> > OS detection (nmap -O) doesn't provide the same results all of the
> > time. About 1/5 scans nmap fails to find the remote hosts when run
> > repeatedly.
> >
> > Is this expected? Would pasting the OS signature that returns when the
> > current ones fail into nmap-os-db and submitting to nmap.org be a
> > reasonable workaround?
>
> Yes, please submit the fingerprint you get, it's the only way for the
> database to improve. It's not a workaround, it's the way the process is
> supposed to work.
>
> I can explain why this happens sometimes. Some of the fingerprint fields
> are ranges. When a new fingerprint is added, we start the ranges pretty
> narrow, so as to avoid overlapping with other fingerprints.

Another thing I should mention is that if you just want results, you
should use the --osscan-guess option. When a match fails for a reason
like this, it is still usually a 98% or 99% match. --osscan-guess will
show you the match instead of a fingerprint.

Why doesn't Nmap just show you both (the closest match and the
fingerprint)? The reason is that we fear that people will read the
closest match and just paste it into the submit form. Then an incorrect
fingerprint will just get reinforced.

The downside of using --osscan-guess is that it doesn't help grow the
database. (And potentially make --osscan-guess unnecessary for that
target in the future.)

David Fifield
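
The effect described in the message above, as an added example that is not part of the original post and is not Nmap's own matching code: a simplified model of range-based fingerprint matching in which one probe value landing just outside a narrow range turns an exact match into a 98% near match. SP, GCD, ISR, TG and W1 are real Nmap test names, but the reference values, the weights and the 0.85 guess threshold are assumptions constructed for illustration.

```python
# Simplified model of range-based fingerprint matching; not Nmap's own code.
# Reference expressions, weights and the guess threshold are constructed assumptions.
REFERENCE = {"SP": "C0-CA", "GCD": "1-6", "ISR": "C8-D2", "TG": "40", "W1": "8000|FFFF"}
WEIGHTS = {"SP": 2, "GCD": 18, "ISR": 20, "TG": 30, "W1": 30}  # sums to 100

def field_matches(expr, observed):
    """True if observed satisfies expr: '|'-separated hex values or A-B hex ranges."""
    for alt in expr.split("|"):
        if "-" in alt:
            lo, hi = (int(part, 16) for part in alt.split("-"))
            if lo <= observed <= hi:
                return True
        elif int(alt, 16) == observed:
            return True
    return False

def accuracy(observed, reference=REFERENCE, weights=WEIGHTS):
    """Weighted fraction of the observed fields that fall inside the reference."""
    total = matched = 0
    for name, value in observed.items():
        if name in reference:
            total += weights[name]
            if field_matches(reference[name], value):
                matched += weights[name]
    return matched / total if total else 0.0

def classify(observed, guess=False, threshold=0.85):
    """Exact mode needs every field to match; guess mode accepts a near match."""
    acc = accuracy(observed)
    if acc == 1.0:
        return ("match", acc)
    if guess and acc >= threshold:
        return ("guess", acc)
    return ("no match", acc)

# Constructed observations of the same host from repeated scans.
SCAN_A = {"SP": 0xC5, "GCD": 0x1, "ISR": 0xCD, "TG": 0x40, "W1": 0x8000}
SCAN_B = dict(SCAN_A, SP=0xCC)                # SP drifts just past the narrow C0-CA range
SCAN_C = dict(SCAN_A, TG=0x80, W1=0x2000)     # a genuinely different stack

if __name__ == "__main__":
    for label, scan in (("A", SCAN_A), ("B", SCAN_B), ("C", SCAN_C)):
        print(label, classify(scan), classify(scan, guess=True))
```

Widening the SP range in the reference, which is what a submitted fingerprint lets the database maintainers do, makes SCAN_B an exact match without guess mode.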