Nmap Development mailing list archives

Re: OS detection in poor conditions


From: David Fifield <david () bamsoftware com>
Date: Wed, 11 Nov 2009 07:43:13 -0700

On Tue, Nov 10, 2009 at 10:56:41PM -0500, Andrew Johnston wrote:
> Hello-
> I noticed throughout my scans that whenever a machine's OS seems to be
> unknown, Nmap reports it as a firewall running ZyXEL ZyNOS or Prestige. I
> would understand if the scan was close enough (like if it was a ZyXEL
> router), but a lot of times it seems to be way off. As an example, I have
> provided a scan.
>
> # Nmap 5.00 scan initiated Tue Nov 10 22:51:33 2009 as: nmap -O -oN example.txt -PN fake.domain
> Interesting ports on fake.domain (192.168.1.1)
> Not shown: 923 closed ports, 69 filtered ports
> PORT     STATE SERVICE
> 22/tcp   open  ssh
> 53/tcp   open  domain
> 80/tcp   open  http
> 110/tcp  open  pop3
> 143/tcp  open  imap
> 443/tcp  open  https
> 995/tcp  open  pop3s
> 3306/tcp open  mysql
> Device type: firewall
> Running: ZyXEL ZyNOS 3.X
> OS details: ZyXEL ZyWALL 2 or Prestige 660HW-61 ADSL router (ZyNOS 3.62)
> OS detection performed. Please report any incorrect results at
> http://nmap.org/submit/ .
> # Nmap done at Tue Nov 10 22:52:58 2009 -- 1 IP address (1 host up) scanned in 86.14 seconds
>
> Of course, I removed any sensitive information. But I know the device is
> not actually a ZyXEL firewall, but a Red Hat 9 server.
> Is this a type of default that I can disable? It has been messing me up.

Thanks for your report. The fingerprint you're seeing isn't a default,
but it is fairly broad. It would help if you could run OS detection with
the -d option (so a fingerprint is printed) and send it to me along with
the output of "uname -a" on the server. That way I can find a way to
differentiate the prints.

Normally I would tell you to submit an OS correction at
http://insecure.org/cgi-bin/submit.cgi?corr-os, but we just pulled off
the submission queue yesterday to do OS integration, and it wouldn't get
in this round.

You can disable the print just by commenting it out in the nmap-os-db
file. It's currently (as of r16028) at line 35791, seventh from the
bottom of the file. Just search the file for "ZyWALL 2".

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
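The workaround David gives above (commenting the ZyWALL 2 print out of nmap-os-db) is easy to get subtly wrong, because an nmap-os-db entry is a block, not a single line: the "Fingerprint ..." line is followed by Class and probe-response lines (SEQ, OPS, WIN, ...) up to the next blank line, and a bare "Class" or "SEQ(...)" line with no Fingerprint line above it is not a valid entry. The script below is an added example, not code from this thread or from the Nmap project; it comments out the whole block for any entry whose Fingerprint line contains a search string. The three-entry database it works on is constructed for the example: the ZyXEL entry name is the one from the scan above, but the other two entry names and every probe line are made up and are not the database's real values. Where your nmap-os-db lives is not assumed; pass the path in as the second argument.

```sh
#!/bin/sh
# Added example, not code from the nmap-dev thread or from Nmap itself.
# Comment out every fingerprint block in an nmap-os-db file whose
# "Fingerprint" line contains PATTERN. Each entry runs from its
# "Fingerprint ..." line to the next blank line, so the whole block is
# commented, not just the first line.
comment_out_fingerprint() {
    pattern=$1
    db=$2
    awk -v pat="$pattern" '
        /^Fingerprint / { skip = (index($0, pat) > 0) }   # start of an entry: decide once per block
        /^$/            { skip = 0 }                      # blank line ends the block
        skip            { print "#" $0; next }            # comment every line of a matched block
                        { print }                         # everything else passes through unchanged
    ' "$db"
}

# Constructed three-entry excerpt in nmap-os-db layout. Only the ZyXEL
# entry name is real (it is the one from the thread); the other names and
# all SEQ/OPS lines are invented for this example.
SAMPLE_DB=$(mktemp)
cat > "$SAMPLE_DB" <<'EOF'
# constructed sample, not the shipped nmap-os-db
Fingerprint Linux 2.6.18 - 2.6.27
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=C0-D0%GCD=1-6%ISR=C6-D6%TI=Z%II=I%TS=7)
OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7)

Fingerprint ZyXEL ZyWALL 2 or Prestige 660HW-61 ADSL router (ZyNOS 3.62)
Class ZyXEL | ZyNOS | 3.X | firewall
SEQ(SP=0-5%GCD=1-6%ISR=F-59%TI=I%II=I%SS=S%TS=U)
OPS(O1=M5B4%O2=M5B4)

Fingerprint FreeBSD 7.0
Class FreeBSD | FreeBSD | 7.X | general purpose
SEQ(SP=FB-105%GCD=1-6%ISR=10A-114%TI=Z%II=I%TS=A)
EOF

# Write the patched copy beside the original instead of editing in place.
PATCHED_DB="$SAMPLE_DB.patched"
comment_out_fingerprint "ZyWALL 2" "$SAMPLE_DB" > "$PATCHED_DB"

# Number of entries still live (uncommented) in a database file.
live_fingerprints() {
    grep -c '^Fingerprint ' "$1"
}

echo "live entries before: $(live_fingerprints "$SAMPLE_DB"), after: $(live_fingerprints "$PATCHED_DB")"
```

Run it against a copy of nmap-os-db rather than the installed file, and point Nmap at the directory holding the copy with --datadir so an upgrade does not silently undo the change and the original stays available for comparison. Keep in mind that this only suppresses the one match: Nmap will then report the next-closest entry, or no match at all, for the same responses. The real fix is the one David asks for, running the scan with -d so the raw fingerprint is printed and sending it in with the server's "uname -a" so the two prints can be told apart in the database.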