Nmap Development mailing list archives

RE: Nmap Fingerprint Submitter - Broken?


From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Sat, 15 Dec 2007 21:13:23 -0000

Phew! I'm glad it was something I was doing wrong (trying to paste bad
fingerprints) and not a problem with the webpage.

I see the fingerprint because I normally run nmap with -vv (NB: the osdetect
page David mentioned says "Unless you force them by enabling debugging (-d),
G=N fingerprints aren't printed by Nmap." which is incorrect as I'm not
using -d); if I don't tell it to be very verbose then I don't see the bad
signature. Presumably -vv (and higher; as -v doesn't show anything) will
force nmap to show a signature, but the "OS:" is (now, obviously not in
4.20/4.21 versions) intentionally omitted to make sure it's invalid if you
try and paste it into the online submitter. Perhaps the JavaScript could
read the first line to make sure it says "%G=Y" and display a different
warning instead? That might stop bad submissions from anyone still using
4.20.

Also, http://insecure.org/nmap/man/man-output.html says for verbosity "Using
it more than twice has no effect." but that can't be right? Using -vvv will
add the "DNS resolution of 1 IPs took 0.14s. Mode: Async [#: 3, OK: 0, NX:
1, DR: 0, SF: 0, TR: 1, CN: 0]" line, for example, that I don't see with
just -vv. And my NSE script will also show more info if -vvv or higher is
used. Perhaps we should remove that sentence from the documentation, or
reword it to suggest that there's little value in using it more than twice?

I suspect the fingerprints were bad because the scans were run against
Windows Vista hosts with the firewalls enabled, so they're not getting any
TCP resets. You have to work hard to cripple Vista enough to get a good
fingerprint (i.e. return a closed port) out of it.


Rob


-----Original Message-----
From: David Fifield [mailto:david () bamsoftware com] 
Sent: 15 December 2007 19:00
To: nmap-dev () insecure org
Subject: Re: Nmap Fingerprint Submitter - Broken?

On Sat, Dec 15, 2007 at 06:39:57PM -0000, Rob Nicholls wrote:
I just tried out the Nmap Fingerprint Submitter, but it keeps telling me
"Fingerprint doesn't look good! Please check that it pasted OK."

I did a quick test and 4.21ALPHA4 (from a different box, but against a
similar system) gives me a fingerprint that looks like:


OS:SCAN(V=4.21ALPHA4%D=12/15%OT=3389%CT=%CU=%PV=Y%DS=1%G=N%M=001B77%TM=4764
OS:1B6E%P=i686-pc-windows-windows)T1(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
OS:T2(Resp=N)T3(Resp=N)T4(Resp=N)T5(Resp=N)T6(Resp=N)T7(Resp=N)PU(Resp=N)

Which it accepts, but later versions say:

4.23RC3 (SVN 6369):


SCAN(V=4.23RC3%D=12/15%OT=135%CT=%CU=%PV=Y%DS=1%G=N%M=00138F%TM=47641BA0%P=i686-pc-windows-windows)
SEQ(SP=104%GCD=1%ISR=106%TI=I%II=I%SS=S%TS=7)
OPS(O1=M5B4ST11%O2=M5B4ST11%O3=M5B4NNT11%O4=M5B4ST11%O5=M5B4ST11%O6=M5B4ST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%TG=80%W=2000%O=M5B4NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=O%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%TOSI=Z%CD=Z%SI=S%DLI=S)

The fingerprints really are bad, in that there was something weird in
the scan that makes them unsuitable for the database. That's what the
"G=N" (good=no) part of the SCAN line means. See
http://insecure.org/nmap/osdetect/osdetect-fingerprint-format.html#id292709
("Decoding the SCAN line of a subject fingerprint").

If you look through the output you will find lines that look like
        OS fingerprint not ideal because:
        No exact OS matches for host (test conditions non-ideal).
From the fingerprints it looks like the problem is that you didn't
receive a port unreachable message from the UDP probe.

That's why it didn't package the fingerprint for submission (wrap lines
and prefix with "OS:"). It only printed the fingerprint at all because
you must have been in debugging mode. Basically you should only submit a
fingerprint when Nmap asks you to ("If you know what OS is running on
it, see http://insecure.org/nmap/submit/").

I think the JavaScript is looking specifically for the prefix "OS:" at the
start of every line, which appears to have changed in recent versions of
nmap. We also appear to space out the TX lines (although I don't know if
that's a problem or not?), putting OS: before all of these lines seems to
keep the online submitter happy. It seems to think that the following
looks valid ("Fingerprint looks good!") although I haven't tried submitting it:

You're right though, that message ("Fingerprint doesn't look good!
Please check that it pasted OK.") is confusing. It ought to say that the
fingerprint is unsuitable no matter how well you paste it.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
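
The check proposed in this thread (read the G flag from the SCAN line and give a different warning for G=N than for a bad paste) could look like the following. This is an added example, not the submitter's actual JavaScript: `checkFingerprint` and its verdict strings are hypothetical, and rejecting an unprefixed G=Y fingerprint as malformed is an assumption.

```javascript
// Added example: classify a pasted fingerprint as the thread suggests.
// checkFingerprint and the verdict strings are hypothetical names.
function checkFingerprint(pasted) {
  const lines = pasted.split(/\r?\n/).map((l) => l.trim()).filter((l) => l);
  if (lines.length === 0) return { verdict: "malformed", detail: "nothing pasted" };

  // Packaged fingerprints carry "OS:" on every wrapped line; raw ones
  // (debugging or very verbose output) carry it on none. A mix is a bad paste.
  const prefixed = lines.filter((l) => l.startsWith("OS:")).length;
  if (prefixed !== 0 && prefixed !== lines.length) {
    return { verdict: "malformed", detail: "some lines lack the OS: prefix" };
  }
  // Undo the wrapping: strip the prefix and join the pieces back together.
  const text = lines.map((l) => l.replace(/^OS:/, "")).join("");

  const scan = /SCAN\(([^)]*)\)/.exec(text);
  if (!scan) return { verdict: "malformed", detail: "no SCAN line found" };

  // SCAN fields are %-separated KEY=VALUE pairs; values may be empty (CT=).
  const fields = {};
  for (const pair of scan[1].split("%")) {
    const eq = pair.indexOf("=");
    if (eq > 0) fields[pair.slice(0, eq)] = pair.slice(eq + 1);
  }

  // G=N means Nmap itself judged the scan unfit; re-pasting cannot fix that.
  if (fields.G === "N") {
    return { verdict: "unsuitable", detail: "SCAN line says G=N (good=no)" };
  }
  // Assumption: only a packaged (OS:-prefixed) G=Y fingerprint is accepted.
  if (fields.G !== "Y" || prefixed === 0) {
    return { verdict: "malformed", detail: "not a packaged G=Y fingerprint" };
  }
  return { verdict: "ok", detail: "fingerprint looks good" };
}

// Sample 1 is the 4.21ALPHA4 fingerprint quoted in this thread (G=N).
const sampleBad = [
  "OS:SCAN(V=4.21ALPHA4%D=12/15%OT=3389%CT=%CU=%PV=Y%DS=1%G=N%M=001B77%TM=4764",
  "OS:1B6E%P=i686-pc-windows-windows)T1(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)",
  "OS:T2(Resp=N)T3(Resp=N)T4(Resp=N)T5(Resp=N)T6(Resp=N)T7(Resp=N)PU(Resp=N)",
].join("\n");
// Sample 2 is constructed: the same text with the flag flipped to G=Y.
const sampleGood = sampleBad.replace("%G=N", "%G=Y");

console.log(checkFingerprint(sampleBad).verdict);
console.log(checkFingerprint(sampleGood).verdict);
```

Because the wrapped lines are rejoined before the SCAN line is parsed, the G flag is still found when the wrap point falls inside the SCAN line, as it does in the quoted 4.21ALPHA4 sample.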

