Nmap Development mailing list archives

Re: about -O option [Re: 2.54 beta 33 build on w2k]


From: BlackHat.INFO <blackhat () needguide com>
Date: 27 Apr 2002 16:10:51 -0700

Denis,

Thank you for your quick feedback. My alternative solution right now is to run NMAP outside of my firewall to do 
OSScan; this is to isolate the firewall issue.

Thanks.
Emil.


On Sat, 27 April 2002, Denis Ducamp wrote:


On Sat, Apr 27, 2002 at 02:31:57PM -0700, BlackHat . Info wrote:
> Fyodor,
> 
> I've tried to use nmap -v -sS -O -P0 -oN name.txt www.testsite.com to
> gather a port scan, identify the OS and save to name.txt. I was not able to get
> any success identifying the OS version. I'm using the latest release of NMAP
> running on a RedHat machine. The system is behind the firewall.
> 
> Any suggestion to correct this issue?

When you use -v and -O you get a line such as:

For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled

(port numbers may change)
So you must have a hole in the firewall to permit access to both ports
used by nmap to fingerprint.

> Btw, Netcraft.com and SecuritySpace.com can provide a detailed OS
> fingerprinting result. Will I be able to do this using the NMAP tool?

Netcraft, IIRC, uses a different technique:
 . headers of the http server,
 . ip/tcp options of the syn/ack packet replied by the http server.

> Let me know how.

nmap fingerprinting works very well if there isn't any firewall between the
server and the scanner, but with a firewall some responses will not come
back to nmap and it will not work at all. Netcraft's method works in many
more situations because they only send packets to the 80/tcp port of http
servers, but the results are less precise.

You may use a passive fingerprinting tool to test through a firewall, or add an
option to nmap to give possible responses when packets are "lost" during the
fingerprinting.

Denis Ducamp.

-- 
.signature in mourning

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
