Nmap Development mailing list archives
Re: OS detection in poor conditions
From: David Fifield <david () bamsoftware com>
Date: Wed, 11 Nov 2009 07:43:13 -0700
On Tue, Nov 10, 2009 at 10:56:41PM -0500, Andrew Johnston wrote:
> Hello- I noticed throughout my scans that whenever a machine's OS seems to be unknown, Nmap reports it as a firewall running ZyXEL ZyNOS or Prestige. I would understand if the scan was close enough (like if it was a ZyXEL router), but a lot of times it seems to be way off. As an example, I have provided a scan.
>
> # Nmap 5.00 scan initiated Tue Nov 10 22:51:33 2009 as: nmap -O -oN example.txt -PN fake.domain
> Interesting ports on fake.domain (192.168.1.1)
> Not shown: 923 closed ports, 69 filtered ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 53/tcp open domain
> 80/tcp open http
> 110/tcp open pop3
> 143/tcp open imap
> 443/tcp open https
> 995/tcp open pop3s
> 3306/tcp open mysql
> Device type: firewall
> Running: ZyXEL ZyNOS 3.X
> OS details: ZyXEL ZyWALL 2 or Prestige 660HW-61 ADSL router (ZyNOS 3.62)
>
> OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> # Nmap done at Tue Nov 10 22:52:58 2009 -- 1 IP address (1 host up) scanned in 86.14 seconds
>
> Of course, I removed any sensitive information. But I know the device is not actually a ZyXEL firewall, but a Red Hat 9 server. Is this a type of default that I can disable? It has been messing me up.
Thanks for your report. The fingerprint you're seeing isn't a default, but it is fairly broad. It would help if you could run OS detection with the -d option (so a fingerprint is printed) and send it to me along with the output of "uname -a" on the server. That way I can find a way to differentiate the prints.

Normally I would tell you to submit an OS correction at http://insecure.org/cgi-bin/submit.cgi?corr-os, but we just pulled off the submission queue yesterday to do OS integration, and it wouldn't get in this round.

You can disable the print just by commenting it out in the nmap-os-db file. It's currently (as of r16028) at line 35791, seventh from the bottom of the file. Just search the file for "ZyWALL 2".

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
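The edit suggested in the reply above, as an added example (not part of the original thread and not Nmap project code): it comments out every nmap-os-db entry whose Fingerprint line contains a search string. It assumes the usual nmap-os-db layout, where an entry starts at a "Fingerprint" line and ends at the next blank line; the function name and the sample entries are constructed for illustration.

```python
import shutil
import sys

# Constructed excerpt in nmap-os-db layout. The test lines are abbreviated
# placeholders, not real fingerprint data.
SAMPLE_DB = """\
# Constructed excerpt, not copied from a real nmap-os-db
Fingerprint ZyXEL ZyWALL 2 or Prestige 660HW-61 ADSL router (ZyNOS 3.62)
Class ZyXEL | ZyNOS | 3.X | firewall
SEQ(SP=0-5)
T1(R=Y%DF=N)

Fingerprint Example Linux 2.4 server
Class Linux | Linux | 2.4.X | general purpose
SEQ(SP=C0-D0)
T1(R=Y%DF=Y)
"""


def disable_fingerprints(db_text, needle):
    """Comment out each entry whose Fingerprint line contains `needle`.

    Returns (new_text, names_of_disabled_entries). Entries that are already
    commented out are left alone, so running it twice changes nothing.
    """
    out, disabled, in_match = [], [], False
    for line in db_text.splitlines(keepends=True):
        if line.startswith("Fingerprint "):
            # A new entry begins: decide whether this one is to be disabled.
            in_match = needle in line
            if in_match:
                disabled.append(line[len("Fingerprint "):].strip())
        elif not line.strip():
            # A blank line terminates the current entry.
            in_match = False
        out.append("# " + line if in_match else line)
    return "".join(out), disabled


if __name__ == "__main__":
    # Usage: python disable_print.py /path/to/nmap-os-db "ZyWALL 2"
    path, needle = sys.argv[1], sys.argv[2]
    shutil.copy2(path, path + ".bak")  # keep the untouched database
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        new_text, names = disable_fingerprints(fh.read(), needle)
    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
        fh.write(new_text)
    for name in names:
        print("disabled:", name)
```

Check the printed names before relying on the result: a short search string can match more entries than the one intended.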