Nmap Development mailing list archives

Re: NMAP OS Guessing Tweak


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 14 Jan 2009 21:01:39 +0000

On Wed, 14 Jan 2009 10:39:45 -0500
"Juengling, Kurt W" <juengling () att com> wrote:

> Running NMAP 4.62.  Intense scan against a remote Windows 2000 web
> host. NMAP correctly reports Microsoft IIS webserver 5.0 as running
> on TCP 80, then guesses that the OS is XP SP2 (88% confidence).   May
> consider tweaking the heuristics to equate IIS 5.0 with Windows 2000
> Server, and XP with IIS 5.1.
>
> Outstanding tool - really enjoy it!
>
> Kurt


Actually the service version scan has no effect on the OS scan.  This
is by design and is covered in the "Nmap Network Scanning" book in
section 8.4 (Fingerprinting Methods Avoided by Nmap, page 189).

Luckily though, service detection does have a way to set the
service-discovered OS via o/.../ on the match line.

This shows up in the output like so:

"Service Info: OS: Unix"

For the most part, services that indicate Windows are just specified as
"Windows".  There are a few services that specify a specific version of
Windows like "Windows 2000".  It would not be hard to change the IIS 5,
5.1, and 6 match lines to provide a little more detail.

We shouldn't change 5.0 to be "Windows 2000 Server" because "Server"
isn't always accurate.  Also, if I recall correctly, IIS 5.1 could
appear on more than just Windows XP (server 2003?).

If you cook up a patch to nmap-service-probes that prints more detailed
(and accurate) information I'm sure we'll accept it.

Brandon
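To make the o/.../ versioninfo field concrete, here is an added Python example (not Nmap's own code) that parses match lines written in nmap-service-probes syntax, applies them to service banners, and builds the "Service Info: OS:" summary line. The match lines and banners are constructed for illustration and are not entries from the real nmap-service-probes file.

```python
import re

# Constructed sample lines in nmap-service-probes "match" syntax; illustrative
# only, not copied from Nmap's real nmap-service-probes file.
SAMPLE_MATCH_LINES = [
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Microsoft-IIS/5\.0\r\n|s p/Microsoft IIS httpd/ v/5.0/ o/Windows 2000/",
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Microsoft-IIS/6\.0\r\n|s p/Microsoft IIS httpd/ v/6.0/ o/Windows/",
    r"match ssh m|^SSH-2\.0-OpenSSH_([\w.]+)| p/OpenSSH/ v/$1/ o/Unix/",
]

# Constructed banners, as a scanner would read them off the wire.
SAMPLE_BANNERS = {
    80: "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n",
    22: "SSH-2.0-OpenSSH_4.7\r\n",
}

# match <service> m<delim>regex<delim>[flags] <versioninfo fields...>
LINE_RE = re.compile(r"^(soft)?match\s+(\S+)\s+m(?P<d>[^\w\s])(.*?)(?P=d)([is]*)\s*(.*)$")
# One versioninfo field: a tag letter (p, v, i, h, o, d) then a delimited string.
FIELD_RE = re.compile(r"(?<!\S)([pvihod])(?P<d>[^\w\s])(.*?)(?P=d)")

def parse_match_line(line):
    """Return (service, compiled banner regex, {tag: template}) for one match line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: " + line)
    flags = (re.I if "i" in m.group(5) else 0) | (re.S if "s" in m.group(5) else 0)
    fields = {tag: text for tag, _, text in FIELD_RE.findall(m.group(6))}
    return m.group(2), re.compile(m.group(4), flags), fields

def substitute(template, match):
    """Expand Nmap-style $1, $2 ... references from the banner regex match."""
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))) or "", template)

def identify(banner, table):
    """Return the expanded versioninfo of the first match line fitting the banner."""
    for service, regex, fields in table:
        m = regex.search(banner)
        if m:
            return {"service": service, **{k: substitute(v, m) for k, v in fields.items()}}
    return None

def service_info_os(results):
    """Build the 'Service Info: OS:' line from the distinct o/.../ values found."""
    seen = []
    for r in results:
        if r and "o" in r and r["o"] not in seen:
            seen.append(r["o"])
    if not seen:
        return None
    return "Service Info: OS%s: %s" % ("s" if len(seen) > 1 else "", ", ".join(seen))

if __name__ == "__main__":
    table = [parse_match_line(line) for line in SAMPLE_MATCH_LINES]
    results = [identify(banner, table) for banner in SAMPLE_BANNERS.values()]
    print(service_info_os(results))
```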


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
