Re: OS fingerprint extraction quality when scanning a large number of machines

[David Fifield <david () bamsoftware com>]

On Wed, Dec 17, 2008 at 12:23:55PM -0500, Michael Head wrote:
> I've been using nmap to collect information for internal asset discovery
> and verification processes. I'm using the OS detection, service scan, and
> full complement of service probes, and I'm finding that the quality of OS
> fingerprints achievable diminishes substantially when I scan more than a
> few hosts (from any of several Windows (XP, 2003) installations). When I
> scan each host individually with a single call to nmap, those same target
> systems return much improved fingerprints.

Thanks for the thorough report. We haven't seen this before.

How long have you been running these scans? Did the OS detection work
previously, and suddenly stop, or has it always had this problem? Did
you use any previous version of Nmap before using 4.76? It would be
helpful if you could find an old log file that either does or does not
have the OS detection problem.

You mention the problem occurs on Windows XP and 2003. If you run scans
from any other platforms, does it happen on the others too?

Download Nmap 4.68 from

http://nmap.org/dist/nmap-4.68-setup.exe

and see if that shows the same wrong behavior. If it does not, that will
narrow the list of changes we have to examine. If it does, then the
problem might be caused by a change outside of Nmap, as it seems this
would have been noticed in the six months since 4.68 was released.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org