Re: nmap: OS hints from service versions

["Luis MartinGarcia." <luis.mgarc () gmail com>]

On 05/09/2011 11:20 AM, Marek Lukaszuk wrote:
> On Mon, May 9, 2011 at 10:50, Vasiliy Kulikov <segooon () gmail com> wrote:
> > On Sun, May 08, 2011 at 22:47 +0300, Toni Ruottu wrote:
> > > The OS detection is trying to detect the OS of the host. The services
> > > might all be running on different operating systems because of
> > > virtualization and port forwarding.
> > Doesn't the whole OS detection rely on answers to the probes to the same
> > ports?  In case of port forwarding it is already fooled, isn't it?
> Not always, the connection can be proxied, making the OS detection
> based on the network responses correct, despite the fact that the
> banner can be completely wrong. The problem as I see it is that the
> services and the host that we are scanning don't have to be connected,
> so I wouldn't draw conclusions from one about the other.

That is right, Marek. Here's an extract from the Nmap's book, that may
be of interest:


[...] In this example, the line “No exact OS matches for host” means
that TCP/IP fingerprinting failed to find an exact match. Fortunately,
the Service Info field a few lines down discloses that the OS is HP-UX.
If several operating systems were detected (which can happen with NAT
gateway boxes that redirect ports to several different machines), the
field would be OSs and the values would be comma separated. The Service
Info line can also contain hostnames and device types found during the
version scan. The focus of this chapter is on TCP/IP fingerprinting
though, since version detection was covered in Chapter 7, Service and
Application Version Detection.

With two effective OS detection methods available, which one should you
use? The best answer is usually both. In some cases, such as a proxy
firewall forwarding to an application on another host, the answers may
legitimately differ. TCP/IP fingerprinting will identify the proxy while
version scanning will generally detect the server running the proxied
application. Even when no proxying or port forwarding is involved, using
both techniques is beneficial. If they come out the same, that makes the
results more credible. If they come out wildly different, investigate
further to determine what is going on before relying on either. Since OS
and version detection go together so well, the -A option enables them both.

Source: http://nmap.org/book/osdetect-usage.html

Luis.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/