Nmap Development mailing list archives

Re: OS fingerprint extraction quality when scanning a large number of machines


From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Dec 2008 22:15:40 -0700

On Wed, Dec 17, 2008 at 09:37:18PM -0700, David Fifield wrote:
> On Wed, Dec 17, 2008 at 12:23:55PM -0500, Michael Head wrote:
> > I've been using nmap to collect information for internal asset discovery
> > and verification processes. I'm using the OS detection, service scan, and
> > full complement of service probes, and I'm finding that the quality of OS
> > fingerprints achievable diminishes substantially when I scan more than a
> > few hosts (from any of several Windows (XP, 2003) installations). When I
> > scan each host individually with a single call to nmap, those same target
> > systems return much improved fingerprints.
> 
> I tried to reproduce this with Windows XP SP3. I OS scanned 128 Internet
> addresses. I thought that a Microsoft patch might have changed things,
> so I ran both before and after applying these updates:
> 
> However OS scanning worked for me. About 100 hosts in each test had a
> good OS fingerprint. Perhaps it was because it was an Internet scan. I
> don't have a big LAN to test with.
> 
> Can anyone reproduce this? The symptom is that only about 1 in 30 hosts
> have a good OS fingerprint. I found a good way to quickly analyze this
> is to grep an XML log for "R=Y"; any matches are good fingerprints.

I found and fixed an OS scan bug in r11421. An implementation error
disabled global congestion control, leading to large bursts of
outstanding probes. With the fix Nmap will not send so many at once.

Unfortunately, as I said I can't reproduce the problem so I don't know
if this fixes it specifically. If you have been compiling from source
please try r11421. Anyone else who has experienced this problem, we
could use your help.

This change could potentially be disruptive for those of you who do
large-scale OS scans. I'd appreciate some tests before and after r11421.
My feeling is that they will take the same amount of time or will be a
little bit slower.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
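One way to apply the "R=Y" check from the thread across a whole scan log, as an added example that is not from the original thread or from Nmap itself: it parses Nmap's XML output and classifies each host by whether its recorded fingerprint shows any answered probe. The sample XML and its fingerprint text are constructed and shortened, and the three-way classification is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (not real scan data; fingerprint text
# is shortened).  Host .10 answered some probes (R=Y lines), host .11 answered
# none (only R=N lines), host .12 has no <os> block at all.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="4.76">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <os><osmatch name="Microsoft Windows XP SP3" accuracy="100"/>
   <osfingerprint fingerprint="OS:SCAN(V=4.76%D=12/17%OT=135%CT=1%PV=N%DS=1)
OS:SEQ(SP=FF%GCD=1%ISR=10A%TI=I%II=I%SS=S%TS=0)
OS:T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
OS:IE(R=Y%DFI=S%T=80%CD=Z)"/></os></host>
 <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
  <os><osfingerprint fingerprint="OS:SCAN(V=4.76%D=12/17%OT=%CT=1%PV=N%DS=1)
OS:T2(R=N)
OS:IE(R=N)"/></os></host>
 <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>"""


def classify_fingerprints(xml_text):
    # Returns {address: 'good' | 'no-reply' | 'none'}.  'good' applies the
    # rule from the thread: an R=Y test line means a probe got a response.
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        fp_el = host.find("os/osfingerprint")
        if fp_el is None:
            state = "none"            # no fingerprint recorded for this host
        elif "R=Y" in fp_el.get("fingerprint", ""):
            state = "good"            # at least one probe was answered
        else:
            state = "no-reply"        # fingerprint present but every test is R=N
        result[addr_el.get("addr")] = state
    return result


def good_ratio(classes):
    # Fraction of hosts with a good fingerprint; the thread's symptom is ~1/30.
    if not classes:
        return 0.0
    return sum(1 for c in classes.values() if c == "good") / len(classes)
```

Running `classify_fingerprints` over the XML from a before-r11421 and an after-r11421 scan of the same targets, then comparing `good_ratio`, gives the before/after measurement the message asks for.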
