Nmap Development mailing list archives

Re: OS fingerprint extraction quality when scanning a large number of machines


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Thu, 18 Dec 2008 21:10:46 +0000


On Thu, 18 Dec 2008 17:16:29 -0000 (UTC)
"Rob Nicholls" <robert () everythingeverything co uk> wrote:

> > Thanks for your testing. A couple of hosts out of 127 is not so bad
> > considering what we had been seeing: only one out of 20 or 30 hosts
> > returning useful results.
>
> I'm afraid there were only 7 live hosts in that range, one of which
> was mine, so I typically saw 4 "good" and 2 "bad" fingerprints. I
> probably won't get a chance to do more testing until sometime
> tomorrow, but will try it using 4.76, r11420 and r11421 to see if
> there are any differences between them. The tests appeared to be
> quite repeatable, and I didn't notice much of a difference when I ran
> one using 4.76. I'll also try a few tweaks to the commandline options
> to see what differences that makes.
>
> Rob


I tried to reproduce this behavior with Nmap 4.76 against a /22 (270
hosts detected with -PS option below) using these two commands:

nmap -O -vv -d -n -F -P S22,23,135,139,445,3389 -T5 --min-hostgroup 1024 <network>/22 -oA os_group_scan

nmap -O -vv -d -n -F -P S22,23,135,139,445,3389 -T5 --max-hostgroup 1 <network>/22 -oA os_single_scan

I compared the results by hand and found *no* responsiveness
differences in the OS fingerprinting.

Of course, my lack of a negative result is not an indication of a positive
one.

Brandon

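The by-hand comparison described in the message above can be scripted against the XML files that -oA writes. This is an added example, not code from the thread or from the Nmap project; the sample XML is constructed, and the function names and the status labels ("match", "fingerprint-only", "no-os-data", "absent") are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample data (not from the thread): two runs over the same hosts.
GROUP_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><os><osmatch name="Linux 2.6.X" accuracy="100"/></os></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><os><osfingerprint fingerprint="SCAN(V=4.76)"/></os></host>
<host><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>"""

SINGLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><os><osmatch name="Linux 2.6.X" accuracy="100"/></os></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><os><osmatch name="Microsoft Windows XP SP2" accuracy="100"/></os></host>
<host><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>"""

def os_results(xml_text):
    """Map each IPv4 host to (status, best OS match name or None)."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        os_el = host.find("os")
        matches = [] if os_el is None else os_el.findall("osmatch")
        if matches:
            # Keep the highest-accuracy match so both runs compare like for like.
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            results[addr.get("addr")] = ("match", best.get("name"))
        elif os_el is not None and os_el.find("osfingerprint") is not None:
            # A raw fingerprint was collected but matched nothing in the database.
            results[addr.get("addr")] = ("fingerprint-only", None)
        else:
            results[addr.get("addr")] = ("no-os-data", None)
    return results

def compare_runs(xml_a, xml_b):
    """Return {ip: (result_in_a, result_in_b)} for hosts whose OS result differs."""
    a, b = os_results(xml_a), os_results(xml_b)
    diffs = {}
    for ip in sorted(set(a) | set(b)):
        ra, rb = a.get(ip, ("absent", None)), b.get(ip, ("absent", None))
        if ra != rb:
            diffs[ip] = (ra, rb)
    return diffs

if __name__ == "__main__":
    for ip, (ra, rb) in compare_runs(GROUP_XML, SINGLE_XML).items():
        print(ip, "group:", ra, "single:", rb)
```

To use it on real output, pass the contents of os_group_scan.xml and os_single_scan.xml in place of the two sample strings.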
