Nmap Development mailing list archives
Re: Nmap output behavior question
From: Fyodor <fyodor () insecure org>
Date: Fri, 22 May 2009 18:00:40 -0700
On Fri, May 22, 2009 at 09:28:05AM -0400, Thomas Tavaris J (Tavaris) wrote:
Hi devs, I realize that I am not running the most recent version of Nmap (using 4.76) but while running various scans I noticed strange results being reported when generating the fingerprint of the remote host. In particular the SEQ, IE test, and U1 are reporting multiple results from the generated fingerprint., (i.e. one IE(R=Y....) and a IE(R=N) for the same host?!?!?!?! multiple SEQ and U1 lines (see below), etc Could anyone explain this?
Hi Tavaris. Nmap repeats the whole OS detection process against a target as many as five times to try and get a match. If they all fail, it prints a fingerprint. Rather than including a whole fingerprint for each of the five attempts, it consolidates them into one fingerprint. In the process, it removes test lines where nothing changed. So when you see:
(*) SEQ(SP=102%GCD=1%ISR=10A%TI=Z%II=RI%TS=U) (*) SEQ(SP=102%GCD=1%ISR=108%TI=Z%II=RI%TS=U) (*) SEQ(SP=FF%GCD=1%ISR=10C%TI=Z%II=RI%TS=U) (*) SEQ(SP=FD%GCD=1%ISR=10F%TI=Z%II=RI%TS=U) (*) SEQ(SP=101%GCD=1%ISR=108%TI=Z%II=RI%TS=U) OPS(O1=M5B4W0NSLL%O2=M578W0NSLL%O3=M280W0L%O4=M1F4W0NSLL%O5=M218W0NSLL%O 6=M109SLL) WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000)
That means that the SEQ tests showed changes every time, but you only see one OPS and one WIN line because those didn't vary during the 5 OS detection runs. And yes, it is a bit strange when you see a target responding different ways to the same probe. But it isn't all that uncommon. I hope this helps! BTW, you should upgrade to 4.85BETA9. We don't even distribute 4.76 any more from the download page since it is about 8 months old. We're planning a new stable release soon. We now have more than 2,000 OS detection fingerprints! Cheers, -F _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Nmap output behavior question Thomas Tavaris J (Tavaris) (May 22)
- Re: Nmap output behavior question Fyodor (May 22)