Nmap Development mailing list archives

Re: OS detection with Nmap on ubuntu server 12.04


From: David Fifield <david () bamsoftware com>
Date: Tue, 24 Jul 2012 09:23:46 -0700

On Tue, Jul 24, 2012 at 07:42:41AM +0000, Yaroslav Yarmoshyk wrote:
> I decided to use nmap scanner to obtain information about servers, and
> then cat information that I need. I was writing it on OS Ubuntu 10.04
> Lucid, and everything worked great.
>
> When I transferred it to production server (Ubuntu 12.04 Precise) I
> got troubles with getting information about OS based on fingerprints.
> I get some weird fingerprints output. Server has no firewall
> restrictions.
>
> I get:
> No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
> TCP/IP fingerprint:
> OS:SCAN(V=6.01%E=4%D=7/24%OT=21%CT=1%CU=37083%PV=Y%DS=5%DC=I%G=Y%TM=500E4C4
> OS:F%P=x86_64-unknown-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=
> OS:8)OPS(O1=M574ST11NW7%O2=M574ST11NW7%O3=M574NNT11NW7%O4=M574ST11NW7%O5=M5
> OS:74ST11NW7%O6=M574ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=389
> OS:0)ECN(R=Y%DF=Y%T=41%W=3908%O=M574NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=41%S=O%A=S
> OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=41%W=3890%S=O%A=S+%F=AS%O=M574ST11NW
> OS:7%RD=0%Q=)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=41%W
> OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
> OS:T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=41%IPL=164%U
> OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=41%CD=S)
>
> But running nmap for the same server on Lucid server I get pure information about OS:
>
> Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (90%), IPFire Linux 2.6.X (87%), IGEL Linux 2.6.X (85%)
> OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 cpe:/o:ipfire:linux:2.6 cpe:/o:linux:kernel:2.4 
> cpe:/o:igel:linux:2.6
> Aggressive OS guesses: Linux 2.6.32 - 2.6.38 (90%), Linux 3.0 (89%), IPFire firewall 2.11 (Linux 2.6) (87%), Linux 
> 2.6.38 (87%), DD-WRT v24-sp1 (Linux 2.4) (86%), Linux 2.6.39 (86%), IGEL UD3 thin client (Linux 2.6) (85%), Linux 
> 2.6.32 (85%), Linux 2.6.35 (85%), Linux 2.6.35 (Ubuntu) (85%)

First, you should use the --osscan-guess option if you never want to see
fingerprints and always want to see guesses. You may like this
documentation: http://nmap.org/book/osdetect-unidentified.html.

Second, what you should do when you get a fingerprint like this, and
when you happen to know the target OS, is submit it at
http://insecure.org/cgi-bin/submit.cgi?new-os
What's going wrong is that Nmap has never seen this exact configuration
of Linux before.

The match that's giving you a fingerprint is actually a *better* match
than the guesses. If you use --osscan-guess, you will see that it
matches at 95% rather than 90%. Nmap is not printing the fingerprint on
the Lucid server because it doesn't think the signature is good for some
reason. (Search the output for "OS fingerprint not ideal because".)

David Fifield
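
An added example, not part of the original thread and not Nmap's own code: a small Python parser that reassembles the wrapped `OS:` lines quoted in the post and reads the SCAN line, including the G field that records whether Nmap considers the fingerprint good for submission. The function names are assumptions made for this example; the field meanings (V, DS, G, TM, R) follow Nmap's documented fingerprint format.

```python
import re
from datetime import datetime, timezone

# Fingerprint copied from the quoted post, with the mail wrapping left intact.
RAW = """\
OS:SCAN(V=6.01%E=4%D=7/24%OT=21%CT=1%CU=37083%PV=Y%DS=5%DC=I%G=Y%TM=500E4C4
OS:F%P=x86_64-unknown-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=
OS:8)OPS(O1=M574ST11NW7%O2=M574ST11NW7%O3=M574NNT11NW7%O4=M574ST11NW7%O5=M5
OS:74ST11NW7%O6=M574ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=389
OS:0)ECN(R=Y%DF=Y%T=41%W=3908%O=M574NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=41%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=41%W=3890%S=O%A=S+%F=AS%O=M574ST11NW
OS:7%RD=0%Q=)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=41%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=41%IPL=164%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=41%CD=S)
"""

def parse_fingerprint(text):
    """Unwrap the 'OS:' lines and return {test_name: {attribute: value}}."""
    # The fingerprint is one long string cut at a fixed width; every piece
    # carries an "OS:" prefix, so values may be split across two lines.
    joined = "".join(
        line.strip()[3:] for line in text.splitlines()
        if line.strip().startswith("OS:")
    )
    tests = {}
    # Each test has the form NAME(key=value%key=value...).
    for name, body in re.findall(r"([A-Z][A-Z0-9]*)\(([^)]*)\)", joined):
        attrs = {}
        for pair in filter(None, body.split("%")):
            key, _, value = pair.partition("=")
            attrs[key] = value
        tests[name] = attrs
    return tests

def summarize(tests):
    """Pull out the SCAN-line facts worth checking before submitting."""
    scan = tests["SCAN"]
    when = datetime.fromtimestamp(int(scan["TM"], 16), tz=timezone.utc)
    return {
        "nmap_version": scan["V"],
        "hops": int(scan["DS"]),                       # network distance
        "good_for_submission": scan.get("G") == "Y",
        "scan_time_utc": when.isoformat(),             # TM is hex epoch time
        "no_response": sorted(n for n, a in tests.items() if a.get("R") == "N"),
    }

if __name__ == "__main__":
    print(summarize(parse_fingerprint(RAW)))
```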