Nmap Development mailing list archives
Re: OS detection with Nmap on ubuntu server 12.04
From: David Fifield <david () bamsoftware com>
Date: Tue, 24 Jul 2012 09:23:46 -0700
On Tue, Jul 24, 2012 at 07:42:41AM +0000, Yaroslav Yarmoshyk wrote:
I decided to use nmap scanner to obtain information about servers, and then cat information that I need. I was writing it on OS Ubuntu 10.04 Lucid, and everything worked great. When I transferred it to production server (Ubuntu 12.04 Precise) I got troubles with getting information about OS based on fingerprints. I get some wired fingerprints output. Server has no firewall restrictions. I get: No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=6.01%E=4%D=7/24%OT=21%CT=1%CU=37083%PV=Y%DS=5%DC=I%G=Y%TM=500E4C4 OS:F%P=x86_64-unknown-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS= OS:8)OPS(O1=M574ST11NW7%O2=M574ST11NW7%O3=M574NNT11NW7%O4=M574ST11NW7%O5=M5 OS:74ST11NW7%O6=M574ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=389 OS:0)ECN(R=Y%DF=Y%T=41%W=3908%O=M574NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=41%S=O%A=S OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=41%W=3890%S=O%A=S+%F=AS%O=M574ST11NW OS:7%RD=0%Q=)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=41%W OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) OS:T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=41%IPL=164%U OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=41%CD=S) But running nmap for the same server on Lucid server I get pure information about OS: Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (90%), IPFire Linux 2.6.X (87%), IGEL Linux 2.6.X (85%) OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 cpe:/o:ipfire:linux:2.6 cpe:/o:linux:kernel:2.4 cpe:/o:igel:linux:2.6 Aggressive OS guesses: Linux 2.6.32 - 2.6.38 (90%), Linux 3.0 (89%), IPFire firewall 2.11 (Linux 2.6) (87%), Linux 2.6.38 (87%), DD-WRT v24-sp1 (Linux 2.4) (86%), Linux 2.6.39 (86%), IGEL UD3 thin client (Linux 2.6) (85%), Linux 2.6.32 (85%), Linux 2.6.35 (85%), Linux 2.6.35 (Ubuntu) (85%)
First, you should use the --osscan-guess option if you never want to see fingerprints and always want to see guesses. You make like this documentation: http://nmap.org/book/osdetect-unidentified.html. Second, what you should do when you get a fingerprint like this, and when you happen to know the target OS, is submit it at http://insecure.org/cgi-bin/submit.cgi?new-os What's going wrong is that Nmap has never seen this exact configuration of Linux before. The match that's giving you a fingerprint is actually a *better* match than the guesses. If you use --osscan-guess, you will see that it matches at 95% rather than 90%. Nmap is not printing the fingerprint on the Lucid server because it doesn't think the signature is good for some reason. (Search the output for "OS fingerprint not ideal because".) David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- OS detection with Nmap on ubuntu server 12.04 Yaroslav Yarmoshyk (Jul 24)
- Re: OS detection with Nmap on ubuntu server 12.04 David Fifield (Jul 24)