Nmap Development mailing list archives

Re: Nmap output behavior question

From: Fyodor <fyodor () insecure org>
Date: Fri, 22 May 2009 18:00:40 -0700

On Fri, May 22, 2009 at 09:28:05AM -0400, Thomas Tavaris J (Tavaris) wrote:

Hi devs,

I realize that I am not running the most recent version of Nmap (using
4.76) but while running various scans I noticed strange results being
reported when generating the fingerprint of the remote host.
In particular the SEQ, IE test, and U1 are reporting multiple results
from the generated fingerprint., (i.e. one IE(R=Y....) and a IE(R=N) for
the same host?!?!?!?! multiple SEQ and U1 lines (see below), etc
Could anyone explain this?


Hi Tavaris.  Nmap repeats the whole OS detection process against a
target as many as five times to try and get a match.  If they all
fail, it prints a fingerprint.  Rather than including a whole
fingerprint for each of the five attempts, it consolidates them into
one fingerprint.  In the process, it removes test lines where nothing
changed.  So when you see:

(*) SEQ(SP=102%GCD=1%ISR=10A%TI=Z%II=RI%TS=U)
(*) SEQ(SP=102%GCD=1%ISR=108%TI=Z%II=RI%TS=U)
(*) SEQ(SP=FF%GCD=1%ISR=10C%TI=Z%II=RI%TS=U)
(*) SEQ(SP=FD%GCD=1%ISR=10F%TI=Z%II=RI%TS=U)
(*) SEQ(SP=101%GCD=1%ISR=108%TI=Z%II=RI%TS=U)
OPS(O1=M5B4W0NSLL%O2=M578W0NSLL%O3=M280W0L%O4=M1F4W0NSLL%O5=M218W0NSLL%O
6=M109SLL)
WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000)


That means that the SEQ tests showed changes every time, but you only
see one OPS and one WIN line because those didn't vary during the 5 OS
detection runs.

And yes, it is a bit strange when you see a target responding
different ways to the same probe.  But it isn't all that uncommon.

I hope this helps!  BTW, you should upgrade to 4.85BETA9.  We don't
even distribute 4.76 any more from the download page since it is about
8 months old.  We're planning a new stable release soon.  We now have
more than 2,000 OS detection fingerprints!

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

Nmap output behavior question Thomas Tavaris J (Tavaris) (May 22)
- Re: Nmap output behavior question Fyodor (May 22)