Nmap Development mailing list archives

OS guessing suggestion


From: "Ray Bero" <ray () nameintel com>
Date: Sun, 3 Aug 2003 13:44:40 -0700

Hello,
        I'm new to the list and hope this hasn't been covered. I'm currently
working on a project to use nmap's excellent OS detection functionality to
determine the OS of web servers. I have added a little code to enforce only
using fingerprints that are marked 'general purpose' as the rest don't
usually apply to web servers. I was hoping to decrease the number of top
tying accuracy scores I was getting. Although this removes most of the noise
guesses (when dealing strictly with www server OS detection), I think there
is an easy way to do one better. Here is an example of an OS detection with
multiple guesses...


./nmap -O -n -P0 -p80 -sT www.colt.com

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-03 13:09 PDT
Warning:  OS detection will be MUCH less reliable because we did not find at
least 1 open and 1 closed TCP port
Interesting ports on 209.35.183.201:
Port       State       Service
80/tcp     open        http
Device type: general purpose
Running (JUST GUESSING) : IBM AIX 4.X (85%), Microsoft Windows
2003/.NET|NT/2K/XP (85%)
Aggressive OS guesses: IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/* (85%),
Microsoft Windows Server 2003 (85%), Microsoft Windows 2000 SP3 (85%)
No exact OS matches for host (test conditions non-ideal).

Nmap run completed -- 1 IP address (1 host up) scanned in 8.290 seconds


I'm fairly certain that www.colt.com is running on a Windows server
(http://uptime.netcraft.com/up/graph?site=www.colt.com). My suggestion would
be that the various classes have a small bonus (or penalty) applied to the
top tying accuracy score guesses. These bonuses or penalties would be set
based on the statistics that one OS is installed more than another. In my
example above, I believe that this approach would nudge MS Windows above IBM
AIX. In the case that there is a tie for the top guess, I think this would
only help improve accuracy.

Does anyone have any idea where I could get good stats on the install base
counts of the general purpose OSes? Netcraft didn't really have this
information in the level of detail that I was hoping for. At least not
directly publicly available.

Thanks for any help or info you can pass my way.

Ray
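The tie-breaking heuristic proposed above, worked through as an added example (this is not code from the original message and not part of nmap itself): it parses the "Aggressive OS guesses:" line from the scan output quoted in the message, finds the guesses tied at the top accuracy score, and adds a small bonus proportional to an install-base prior. The prior values in INSTALL_BASE_PRIOR are constructed placeholders for illustration, not real statistics; the message itself asks where such numbers could be obtained. The bonus is capped at one percentage point so it can only break ties, never overturn a guess that the fingerprint match already scored higher.

```python
import re

# Constructed, hypothetical relative install-base weights for the OS families
# that appear in the quoted scan. These are placeholders, NOT real statistics.
INSTALL_BASE_PRIOR = {
    "Microsoft Windows": 0.60,
    "Linux": 0.30,
    "IBM AIX": 0.02,
}

# Scan output quoted in the message above (the "Aggressive OS guesses" line is
# wrapped across two lines, exactly as it appears in the mailing-list archive).
SAMPLE_NMAP_OUTPUT = """\
Device type: general purpose
Running (JUST GUESSING) : IBM AIX 4.X (85%), Microsoft Windows
2003/.NET|NT/2K/XP (85%)
Aggressive OS guesses: IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/* (85%),
Microsoft Windows Server 2003 (85%), Microsoft Windows 2000 SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
"""

GUESS_RE = re.compile(r"([^,]+?)\s*\((\d+)%\)")


def extract_aggressive_guesses(nmap_output):
    """Return [(guess_name, accuracy_pct), ...] from the 'Aggressive OS guesses:' line.

    Continuation lines (the archive wrapped the list) are joined until a blank
    line, a new 'Keyword:' line, or the 'No exact OS matches' line is reached.
    """
    buf = None
    for line in nmap_output.splitlines():
        if line.startswith("Aggressive OS guesses:"):
            buf = line.split(":", 1)[1]
        elif buf is not None:
            if not line.strip() or re.match(r"^[^(]*:", line) or line.startswith("No exact"):
                break
            buf += " " + line
    if buf is None:
        return []
    return [(m.group(1).strip(), int(m.group(2))) for m in GUESS_RE.finditer(buf)]


def classify_family(guess_name, prior=INSTALL_BASE_PRIOR):
    """Map a specific guess ('Microsoft Windows Server 2003') to its family key in the prior."""
    for family in prior:
        if guess_name.startswith(family):
            return family
    return None


def rerank(guesses, prior=INSTALL_BASE_PRIOR, bonus_scale=1.0):
    """Add a small install-base bonus to the guesses tied at the top score.

    Only guesses whose accuracy equals the maximum receive a bonus, and the
    bonus is at most `bonus_scale` percentage points (prior weights are <= 1),
    so the adjustment breaks ties but cannot promote a lower-scored guess.
    Returns [(guess_name, adjusted_score), ...] sorted best-first.
    """
    if not guesses:
        return []
    top = max(acc for _, acc in guesses)
    ranked = []
    for name, acc in guesses:
        weight = prior.get(classify_family(name, prior), 0.0)
        bonus = bonus_scale * weight if acc == top else 0.0
        ranked.append((name, acc + bonus))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for name, score in rerank(extract_aggressive_guesses(SAMPLE_NMAP_OUTPUT)):
        print(f"{score:6.2f}%  {name}")
```

With the constructed prior, the two Windows guesses move to 85.6 and AIX to 85.02, so Windows becomes the top guess while all three scores stay within one point of the original 85%; an unmatched family simply keeps its raw score. Any real deployment of this idea stands or falls on the quality of the prior, which is exactly the data the message is asking for.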
