Security Basics mailing list archives

Re: When nmap can't ID the OS...


From: Faleh Daoud Abdel Monem <abdelmonem () webone-tunisie com>
Date: Tue, 14 Dec 2004 19:02:32 +0100

Jimi Thompson wrote:
Are you by any chance running NMAP on Windows?  If so, you might try
using the Linux/Unix version instead and see if you don't get better
results.

2 cents,

Jimi


On 27 Nov 2004 19:27:16 -0000, H Carvey <keydet89 () yahoo com> wrote:

In-Reply-To: <200411261640.23084.dflists () iinet net au>


What could be up with the remote machine that stops nmap IDing the OS it is running?


Well, the info at NetCraft could have been spoofed, or old.  The system using that IP could have at one time been running 
the OS/web server identified, but perhaps no longer.  And without knowing more about what arguments you used for nmap, and 
the actual output, it might be difficult to tell you why nmap couldn't figure it out...there are several possibilities 
there.

Harlan

"Windows Forensics and Incident Recovery"

http://www.windows-ir.com





Hi list,

First of all I'm sorry about this late reply.
Though the discussion has gone on about whether Nmap is able to reliably identify a remote OS, if you permit it let's review what OS fingerprinting basically is:

It's all about TCP/IP packets when it comes to guessing the remote OS: different systems have different TCP/IP stacks, so if you can get a packet from one system and match it against known patterns or behaviour (how many SYN packets are sent to try establishing a connection, delay between packets, response to erroneous packets ...) you may guess the OS it's running. How you get this packet to analyze it is what makes the difference between so-called active and passive fingerprinting. Passive fingerprinting is basically collecting packets (TCPdump or anything that can do it) and studying them to find a match with the different OS-specific settings in IP or TCP headers; this is widely covered in Toby Miller's sans.org paper in its 2 parts (http://www.sans.org/rr/special/index.php?id=passiveos http://www.sans.org/rr/special/index.php?id=passiveos2). Active fingerprinting techniques involve sending regular (usually SYN) packets or specially crafted ones (SYN|FIN) in order to trigger some errors on the remote systems and look into their replies; though this is the way Nmap and many other active fingerprinting tools work, a look at Fyodor's paper on Nmap Remote OS Detection (http://www.insecure.org/nmap/nmap-fingerprinting-article.html) gives a good explanation of the techniques. Also performing basic port scanning and banner collection would give some information, but this is not that accurate since today daemons are available for a wide range of OSes.

Though many OSes have parameters that can be tweaked to limit the leak of information used by those tools, if not stop it altogether, they may also fool the tool so that it is not able to identify the remote OS. If anyone has experience tweaking them with some success it would be useful for all of us. I just can remember some option when compiling a new FreeBSD kernel about allowing responses to SYN|FIN packets, as this violates the TCP three-way handshake (sorry for not providing it because I don't have a FreeBSD box at hand now to verify).

Best Regards.

--
-----------------------------------------------------------------
Daoud AbdelMonem Faleh             WebOne S.A.R.L eBusiness solutions
System Admin.


Tel:    +216 71 784 726        21 Rue Ibn Badis
Fax:    +216 71 894 326        1002 Tunis / Tunisia
abdelmonem () webone-tunisie com           http://www.webone.com.tn
-----------------------------------------------------------------
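As an added illustration of the passive technique discussed in the message above (example code, not part of the original thread), the script below pulls out of a raw IPv4+TCP SYN the header fields passive fingerprinters compare (initial TTL, DF bit, window size, TCP option order) and matches them against a tiny signature table; it is the kind of check an admin can run on a capture of their own host to see what the stack leaks before tweaking it. The signature values, the sample packets and all function names (`parse_syn`, `guess_os`, `build_syn`) are constructed for this demo.

```python
import struct

# Constructed illustrative table: (name, initial TTL, DF set, window, TCP option kinds in order).
# Real passive tools carry far larger databases; these rows only exist for the demo.
SIGNATURES = [
    ("linux-2.4/2.6-style", 64, True, 5840, (2, 4, 8, 1, 3)),   # MSS,SACKok,TS,NOP,WS
    ("windows-xp-style", 128, True, 65535, (2, 1, 1, 4)),       # MSS,NOP,NOP,SACKok
]

def parse_syn(pkt: bytes) -> dict:
    """Extract the fields a passive fingerprinter looks at from a raw IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    flags_frag, ttl = struct.unpack("!H", pkt[6:8])[0], pkt[8]
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4                      # TCP header length in bytes
    win = struct.unpack("!H", tcp[14:16])[0]
    kinds, opts, i = [], tcp[20:doff], 0
    while i < len(opts):                           # walk the TLV option list
        kind = opts[i]
        if kind == 0:                              # End-of-options
            break
        if kind != 1 and (i + 1 >= len(opts) or opts[i + 1] < 2):
            break                                  # malformed length: stop, don't loop
        kinds.append(kind)
        i += 1 if kind == 1 else opts[i + 1]       # NOP carries no length byte
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "win": win, "opts": tuple(kinds)}

def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if t >= observed)

def guess_os(pkt: bytes) -> str:
    f = parse_syn(pkt)
    for name, ittl, df, win, opts in SIGNATURES:
        if (initial_ttl(f["ttl"]), f["df"], f["win"], f["opts"]) == (ittl, df, win, opts):
            return name
    return "unknown"

def build_syn(ttl: int, df: bool, win: int, options: bytes) -> bytes:
    """Construct a raw IPv4+TCP SYN for offline testing (no checksums, never sent)."""
    options += b"\x00" * (-len(options) % 4)       # pad options to a 32-bit boundary
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, win, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + tcp

# Constructed sample: a SYN seen 6 hops from a Linux-style sender (TTL 58, DF, win 5840).
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
SAMPLE = build_syn(58, True, 5840, LINUX_OPTS)

if __name__ == "__main__":
    print(guess_os(SAMPLE))   # linux-2.4/2.6-style
```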

