Nmap Development mailing list archives
Re: nmap: OS hints from service versions
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Mon, 09 May 2011 11:26:05 +0200
On 05/09/2011 11:20 AM, Marek Lukaszuk wrote:
> On Mon, May 9, 2011 at 10:50, Vasiliy Kulikov <segooon () gmail com> wrote:
>> On Sun, May 08, 2011 at 22:47 +0300, Toni Ruottu wrote:
>>> The OS detection is trying to detect the OS of the host. The services might all be running on different operating systems because of virtualization and port forwarding.
>>
>> Doesn't the whole OS detection rely on answers to the probes to the same ports? In case of port forwarding it is already fooled, isn't it?
>
> Not always, the connection can be proxied, making the OS detection based on the network responses correct, despite the fact that the banner can be completely wrong. The problem as I see it is that the services and the host that we are scanning don't have to be connected, so I wouldn't draw conclusions from one about the other.

That is right, Marek. Here's an extract from the Nmap book that may be of interest:

[...] In this example, the line “No exact OS matches for host” means that TCP/IP fingerprinting failed to find an exact match. Fortunately, the Service Info field a few lines down discloses that the OS is HP-UX. If several operating systems were detected (which can happen with NAT gateway boxes that redirect ports to several different machines), the field would be OSs and the values would be comma separated. The Service Info line can also contain hostnames and device types found during the version scan. The focus of this chapter is on TCP/IP fingerprinting though, since version detection was covered in Chapter 7, Service and Application Version Detection.

With two effective OS detection methods available, which one should you use? The best answer is usually both. In some cases, such as a proxy firewall forwarding to an application on another host, the answers may legitimately differ. TCP/IP fingerprinting will identify the proxy while version scanning will generally detect the server running the proxied application. Even when no proxying or port forwarding is involved, using both techniques is beneficial. If they come out the same, that makes the results more credible. If they come out wildly different, investigate further to determine what is going on before relying on either. Since OS and version detection go together so well, the -A option enables them both.

Source: http://nmap.org/book/osdetect-usage.html

Luis.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
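
The cross-check recommended in the book extract above, as an added example (not part of the original message and not Nmap's own code): it reads `nmap -A -oX` style XML and compares the TCP/IP fingerprint OS families (`osclass`/`osfamily`) against the per-service `ostype` values behind the Service Info line. The sample XML, the function name `compare_os_evidence`, the verdict labels, and the case-insensitive exact match between the two fields are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -A -oX` output (not a real scan).
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="22"><service name="ssh" ostype="Linux"/></port>
  <port protocol="tcp" portid="80"><service name="http" ostype="Windows"/></port>
 </ports>
 <os><osmatch name="Linux 2.6.32" accuracy="98">
  <osclass vendor="Linux" osfamily="Linux" accuracy="98"/></osmatch></os>
</host>
<host><address addr="192.0.2.20" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="23"><service name="telnet" ostype="HP-UX"/></port>
 </ports>
 <os/>
</host>
</nmaprun>"""

def compare_os_evidence(xml_text):
    """Return {addr: (verdict, fingerprint_families, service_os_by_port)}."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        # TCP/IP fingerprinting: OS families from <osclass>, whether it sits
        # directly under <os> or nested inside <osmatch>.
        fp = {c.get("osfamily").lower() for c in host.iter("osclass") if c.get("osfamily")}
        # Version scan: per-port ostype, the source of "Service Info: OS".
        svc = {}
        for port in host.iter("port"):
            service = port.find("service")
            if service is not None and service.get("ostype"):
                svc[int(port.get("portid"))] = service.get("ostype").lower()
        svc_set = set(svc.values())
        if not fp and not svc_set:
            verdict = "no-evidence"
        elif not fp:
            verdict = "service-only"      # e.g. "No exact OS matches for host"
        elif not svc_set:
            verdict = "fingerprint-only"
        elif svc_set <= fp:
            verdict = "agree"             # both methods match: more credible
        else:
            verdict = "investigate"       # possible proxy, NAT or port forward
        results[addr] = (verdict, fp, svc)
    return results

if __name__ == "__main__":
    for addr, (verdict, fp, svc) in compare_os_evidence(SAMPLE_XML).items():
        print(addr, verdict, sorted(fp), svc)
```

The per-port map in the result shows which service disagrees with the fingerprint, which is where to start looking for a forwarded or proxied port.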