Nmap Development mailing list archives

Are sX and sF broken on linux?


From: "Alex R" <alex () deviousmeans net>
Date: Sun, 17 Oct 2004 16:50:36 +0200

Are sF and sX scans broken on 3.70? I'm running slackware-current with a
custom 2.6.8.1 kernel.

root@foo:~# nmap -sF -P0 -vv -O -p 1-65535 2k.lan

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-10-17 16:37 GMT+2
Initiating FIN Scan against 192.168.0.6 [65535 ports] at 16:37
The FIN Scan took 12.41s to scan 65535 total ports.
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host 192.168.0.6 appears to be up ... good.
All 65535 scanned ports on 192.168.0.6 are: closed
MAC Address: 00:06:4F:06:AB:BD (Pro-nets Technology)
Device type: webcam|switch|general purpose
Running: AXIS embedded, Cisco embedded, IBM MVS, Microsoft Windows 95/98/ME|2003/.NET|NT/2K/XP
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SInfo(V=3.70%P=i486-slackware-linux-gnu%D=10/17%Time=4172BBE9%O=-1%C=1)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Nmap run completed -- 1 IP address (1 host up) scanned in 24.284 seconds

root@foo:~# nmap -sX -P0 -vv -O -p 1-65535 2k.lan

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-10-17 16:38 GMT+2
Initiating XMAS Scan against 192.168.0.6 [65535 ports] at 16:38
The XMAS Scan took 12.50s to scan 65535 total ports.
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host 192.168.0.6 appears to be up ... good.
All 65535 scanned ports on 192.168.0.6 are: closed
MAC Address: 00:06:4F:06:AB:BD (Pro-nets Technology)
Device type: webcam|switch|general purpose
Running: AXIS embedded, Cisco embedded, IBM MVS, Microsoft Windows 95/98/ME|2003/.NET|NT/2K/XP
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SInfo(V=3.70%P=i486-slackware-linux-gnu%D=10/17%Time=4172BC34%O=-1%C=1)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Nmap run completed -- 1 IP address (1 host up) scanned in 24.248 seconds

root@foo:~# nmap -sS -P0 -O -p 1-65535 2k.lan

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-10-17 16:42 GMT+2
Interesting ports on 192.168.0.6:
(The 65517 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1028/tcp open  unknown
1041/tcp open  unknown
1060/tcp open  unknown
2267/tcp open  unknown
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
MAC Address: 00:06:4F:06:AB:BD (Pro-nets Technology)
Device type: general purpose
Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows .NET Enterprise Server (build 3604-3790)

Nmap run completed -- 1 IP address (1 host up) scanned in 23.979 seconds
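
Added example (not part of the original post and not Nmap's code): a toy model of how the three scan types in the output above infer port state. Per the Nmap reference guide, -sF and -sX depend on RFC 793 behaviour, and some stacks, Microsoft Windows among them, answer these probes with RST whether or not the port is open. The function names and the two stack models are assumptions made for illustration; the port set is copied from the -sS result.

```python
# Added illustration: a toy model, not Nmap's code and not a real network scan.
# Port list below is constructed from the open ports in the -sS output above.
OPEN_PORTS = {53, 80, 88, 135, 139, 389, 445, 464, 593, 636, 1025, 1026,
              1028, 1041, 1060, 2267, 3268, 3269}

PROBE_FLAGS = {"sS": {"SYN"}, "sF": {"FIN"}, "sX": {"FIN", "PSH", "URG"}}


def rfc793_stack(port, flags, listening):
    """Reply of a stack that follows RFC 793 for a probe to `port`."""
    if port not in listening:
        return "RST"                      # closed port: always reset
    if "SYN" in flags:
        return "SYN/ACK"                  # listening port accepts a SYN
    return None                           # listening port drops a stray FIN/Xmas


def rst_always_stack(port, flags, listening):
    """Reply of a stack that resets every non-SYN probe, open port or not."""
    if port in listening and "SYN" in flags:
        return "SYN/ACK"
    return "RST"


def classify(scan_type, reply):
    """Port state a scanner infers from the reply, per the Nmap reference guide."""
    if reply == "RST":
        return "closed"
    if scan_type == "sS":
        return "open" if reply == "SYN/ACK" else "filtered"
    return "open|filtered"                # -sF/-sX: silence is the only 'open' signal


def scan(scan_type, stack, ports, listening=OPEN_PORTS):
    """Count inferred states over `ports` for one scan type against one stack."""
    counts = {}
    for port in ports:
        state = classify(scan_type, stack(port, PROBE_FLAGS[scan_type], listening))
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    ports = range(1, 65536)
    for name, stack in (("RFC 793", rfc793_stack), ("RST-always", rst_always_stack)):
        for scan_type in ("sS", "sF", "sX"):
            print(f"{name:10} -{scan_type}: {scan(scan_type, stack, ports)}")
```

Against the RST-always model, -sF and -sX report all 65535 ports closed while -sS still finds the 18 open ports, which is the same pattern as the three runs in the post.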

 

