Nmap Development mailing list archives

Re: OS fingerprint extraction quality when scanning a large number of machines


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 17 Dec 2008 17:37:18 +0000

On Wed, 17 Dec 2008 12:23:55 -0500 or thereabouts Michael Head
<mrhead () us ibm com> wrote:

Greetings, and apologies if the format of my email is imperfect,

I've been using nmap to collect information for internal asset
discovery and verification processes. I'm using the OS detection,
service scan, and full complement of service probes, and I'm finding
that the quality of OS fingerprints achievable diminishes
substantially when I scan more than a few hosts (from any of several
Windows (XP, 2003) installations). When I scan each host individually
with a single call to nmap, those same target systems return much
improved fingerprints.

For example, here are two fingerprints of the same target taken from
the same machine, the first is taken when nmap was asked to scan the
entire subnet, the second was taken when nmap was asked to scan just
the host on its own:
   SCAN(V=4.76%D=12/8%OT=22%CT=1%CU=%PV=Y%DS=1%G=N%M=005056%TM=493DC5AC%P=i686-pc-windows-windows)
   ECN(R=N)
   T1(R=N)
   T2(R=N)
   T3(R=N)
   T4(R=N)
   T5(R=N)
   T6(R=N)
   T7(R=N)
   U1(R=N)
   IE(R=N)

Sequential:
   SCAN(V=4.76%D=12/9%OT=22%CT=1%CU=43799%PV=Y%DS=1%G=Y%M=005056%TM=493E6F31%P=i686-pc-windows-windows)
   SEQ(SP=C7%GCD=1%ISR=D4%TI=Z%II=I%TS=A)
   OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)
   WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
   ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW7%CC=N%Q=)
   T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
   T2(R=N)
   T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW7%RD=0%Q=)
   T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
   T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
   T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
   T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
   U1(R=Y%DF=N%T=40%TOS=C0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
   IE(R=Y%DFI=N%T=40%TOSI=S%CD=S%SI=S%DLI=S)

So is this a known problem, and is there a known alternative to manually
limiting the number of hosts given to nmap? Are the probes timing out
in the first case, or is winpcap giving trouble?

Thanks,
mike


Mike,

Among other things, OS fingerprinting is sensitive to intra-packet
timings and when Nmap is doing "too much" the measured times can have a
lot of jitter to them.  This can result in slightly degraded
fingerprints.  David worked on changing the weights of the fingerprint
matching to help improve matches in a number of cases.

The fingerprints you've included above though don't exhibit the small
jitter of scanning lots of hosts.  The first fingerprint got absolutely
no response back from the host.  This generally happens on firewalled
or non-existent hosts.  The second fingerprint is a perfectly valid,
quality fingerprint.

You should *not* see such a wide variation in fingerprints, even
scanning lots of hosts. Can you reproduce this?  Do you get a lot of
no-fingerprints when you scan lots of hosts that do respond
individually?

If you provide the command you are using to scan large host groups
we /might/ be able to spot the problem.

Brandon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
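Brandon's reading of the two fingerprints, an all-R=N result versus a complete one, can be checked mechanically. The script below is an added example, not Nmap code and not from anyone in the thread: it rejoins subject fingerprints in the wrapped, OS:-prefixed form Nmap prints them, parses each test line, and separates a no-response fingerprint from one that merely lost a probe or two. The two inputs are the thread's own fingerprints; only the line splits are ours.

```python
import re

# Constructed input: the two fingerprints quoted in the thread, re-split into
# the wrapped "OS:"-prefixed form Nmap prints (the line splits are ours).
SUBNET_SCAN = """\
OS:SCAN(V=4.76%D=12/8%OT=22%CT=1%CU=%PV=Y%DS=1%G=N%M=005056%TM=493DC5AC%P=i686
OS:-pc-windows-windows)ECN(R=N)T1(R=N)T2(R=N)T3(R=N)T4(R=N)T5(R=N)T6(R=N)T7(R=N
OS:)U1(R=N)IE(R=N)"""
SINGLE_HOST_SCAN = """\
OS:SCAN(V=4.76%D=12/9%OT=22%CT=1%CU=43799%PV=Y%DS=1%G=Y%M=005056%TM=493E6F3
OS:1%P=i686-pc-windows-windows)SEQ(SP=C7%GCD=1%ISR=D4%TI=Z%II=I%TS=A)OPS(O1
OS:=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW
OS:7%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R=
OS:Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW7%RD=0%Q
OS:=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A
OS:=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%D
OS:F=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%TOS=C0%IPL=164%UN
OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)IE(R=Y%DFI=N%T=40%TOSI=S%CD=S
OS:%SI=S%DLI=S)"""

# Every test is NAME(key=value%key=value...); SCAN is metadata, the rest are
# probe results (SEQ/OPS/WIN are derived from the T1 replies).
TEST_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")
PROBES = ("SEQ", "OPS", "WIN", "ECN", "T1", "T2", "T3", "T4", "T5", "T6", "T7", "U1", "IE")

def parse_fingerprint(wrapped):
    """Strip the OS: prefixes, rejoin the lines, return {test: {key: value}}."""
    joined = "".join(l.strip()[3:] if l.strip().startswith("OS:") else l.strip()
                     for l in wrapped.splitlines())
    tests = {}
    for name, body in TEST_RE.findall(joined):
        # Empty values (CU=, O=, Q=) are legitimate and kept as "".
        tests[name] = dict(kv.partition("=")[::2] for kv in body.split("%") if kv)
    return tests

def classify(wrapped):
    """Separate 'nothing came back' from 'a few probes were lost'."""
    tests = parse_fingerprint(wrapped)
    responded = [p for p in PROBES if p in tests and tests[p].get("R") != "N"]
    missing = [p for p in PROBES if p not in responded]
    if not responded:
        verdict = "no-response"   # firewalled, down, or probes never reached it
    elif missing:
        verdict = "partial"       # what load-induced jitter or drops look like
    else:
        verdict = "complete"
    return {"verdict": verdict, "missing": missing, "responded": len(responded),
            "good": tests.get("SCAN", {}).get("G") == "Y"}  # Nmap's own G= flag
```

Run over a whole batch of subject fingerprints, a high share of "no-response" verdicts for hosts that answer individually points at the scan setup rather than at fingerprint jitter.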
