Nmap Development mailing list archives

nmap OS detection over OpenVPN v. 2.2.1


From: Антон Конвалюк <w.o.l.f.paradox () mail ru>
Date: Thu, 24 Jan 2013 18:07:28 +0400

Hello!

I have got a virtual pentest lab (ProxMox VE). And for the outside connection I use OpenVPN (bridged). It works fine, but 
there is a problem.
I'm trying to nmap an MS Windows 2000 machine in the VE. To do it I use Backtrack 5 R3 connected to the virtual network over the VPN. 
But nmap cannot recognize the remote OS.
But if I close my VPN connection, add a network interface (with an IP from the same subnet as Backtrack 5) to the MS Windows 
2000 machine and nmap it, everything is OK.

The VPN server and client config files are shown below:

==== Server ====
#user nobody
#group nogroup

script-security 2
comp-lzo
push comp-lzo
max-clients 100
status-version 1
status /var/log/ovpn-status.log 30
log /var/log/ovpn.log 30
verb 3

server-bridge 192.168.150.1 255.255.255.0 192.168.150.130 192.168.150.254
dev tap0
proto udp
port 1194
keepalive 10 120
persist-local-ip


tls-server
ca /etc/ssl/certs/ca.crt
cert /etc/ssl/certs/server.crt
key /etc/ssl/keys/server.key
dh /etc/ssl/keys/dh1024.pem
tls-auth /etc/ssl/keys/ta.key 0
auth-nocache yes
cipher AES-256-CBC
tls-cipher DHE-RSA-AES256-SHA
persist-key
remote-cert-tls client

#client-to-client
client-config-dir /etc/openvpn/ccd
ccd-exclusive
==== ====== ====

==== Client ====
#user nobody
#group nogroup

proto udp
port 1194
dev tap0
comp-lzo

ca ca.crt
cert client.crt
key client.key

client
ns-cert-type server
remote-cert-tls server
tls-auth ta.key 1
remote 192.168.0.213
nobind
persist-key

status-version 1
status /var/log/vpn-status.log
log /var/log/vpn.log
verb 3

script-security 2
cipher AES-256-CBC
tls-cipher DHE-RSA-AES256-SHA
==== ====== ====


And part of the nmap output (with unsuccessful detection):
==== ====== ====

3 services unrecognized despite returning data. If you know the service/version, please submit the following 
fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port88-TCP:V=6.25%I=7%D=1/24%Time=510134E8%P=i686-pc-linux-gnu%r(Kerber
SF:os,60,"\0\0\0\\~Z0X\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\x11\x18
SF:\x0f20130124142031Z\xa5\x05\x02\x03\n\xc70\xa6\x03\x02\x01D\xa9\x0c\x1b
SF:\nPENTEST\.UC\xaa\x1f0\x1d\xa0\x03\x02\x01\x02\xa1\x160\x14\x1b\x06krbt
SF:gt\x1b\nPENTEST\.UC")%r(SMBProgNeg,4,"\0\0\0\0");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port464-TCP:V=6.25%I=7%D=1/24%Time=51013513%P=i686-pc-linux-gnu%r(Kerbe
SF:ros,64,"\0\0\0`~\^0\\\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\x11\x
SF:18\x0f20130124142113Z\xa5\x05\x02\x03\r\xedl\xa6\x03\x02\x01'\xa9\x0c\x
SF:1b\nPENTEST\.UC\xaa\x1d0\x1b\xa0\x03\x02\x01\x02\xa1\x140\x12\x1b\x06ka
SF:dmin\x1b\x08changepw\xac\x04\x04\x02\0\x03")%r(SMBProgNeg,64,"\0\0\0`~\
SF:^0\\\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\x11\x18\x0f20130124142
SF:118Z\xa5\x05\x02\x03\x0eg~\xa6\x03\x02\x01'\xa9\x0c\x1b\nPENTEST\.UC\xa
SF:a\x1d0\x1b\xa0\x03\x02\x01\x02\xa1\x140\x12\x1b\x06kadmin\x1b\x08change
SF:pw\xac\x04\x04\x02\0\x03");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3372-TCP:V=6.25%I=7%D=1/24%Time=510134E4%P=i686-pc-linux-gnu%r(GetR
SF:equest,6,"HV\x0b\0x\x01")%r(RTSPRequest,6,"HV\x0b\0x\x01")%r(HTTPOption
SF:s,6,"HV\x0b\0x\x01")%r(Help,6,"HV\x0b\0x\x01")%r(SSLSessionReq,6,"HV\x0
SF:b\0x\x01")%r(FourOhFourRequest,6,"HV\x0b\0x\x01")%r(LPDString,6,"HV\x0b
SF:\0x\x01")%r(SIPOptions,6,"HV\x0b\0x\x01");
MAC Address: 7E:20:F8:FE:72:59 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.25%E=4%D=1/24%OT=7%CT=1%CU=37437%PV=Y%DS=1%DC=D%G=Y%M=7E20F8%TM
OS:=51013587%P=i686-pc-linux-gnu)SEQ(SP=85%GCD=1%ISR=99%TI=I%CI=I%II=I%SS=S
OS:%TS=0)OPS(O1=M528NW0NNT00NNS%O2=M528NW0NNT00NNS%O3=M528NW0NNT00%O4=M528N
OS:W0NNT00NNS%O5=M528NW0NNT00NNS%O6=M528NNT00NNS)WIN(W1=4308%W2=4308%W3=410
OS:0%W4=40E8%W5=40E8%W6=402E)ECN(R=Y%DF=Y%T=80%W=4308%O=M528NW0NNS%CC=N%Q=)
OS:T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR
OS:%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=402E%S=O%A=S+%F=AS%O=M528NW0NNT00NNS%RD=0
OS:%Q=)T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=0%S=Z
OS:%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y
OS:%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=38%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=80%CD=Z)

Network Distance: 1 hop

==== ====== ====

I hope somebody knows what the problem is.
Thanks!


_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
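
Added example, not part of the original message and not Nmap's own code: a small Python helper that unwraps the TCP/IP fingerprint quoted in the message, decodes its TCP option strings, and diffs it against a second fingerprint such as one taken from a direct scan without the VPN. The function names are illustrative assumptions; the option letters follow Nmap's OS detection documentation (M = MSS, W = window scale, T = timestamp, N = NOP, S = SACK permitted, L = end of list, with M and W values in hex).

```python
import re

# TCP/IP fingerprint exactly as wrapped in the nmap output quoted in the message.
RAW = """\
OS:SCAN(V=6.25%E=4%D=1/24%OT=7%CT=1%CU=37437%PV=Y%DS=1%DC=D%G=Y%M=7E20F8%TM
OS:=51013587%P=i686-pc-linux-gnu)SEQ(SP=85%GCD=1%ISR=99%TI=I%CI=I%II=I%SS=S
OS:%TS=0)OPS(O1=M528NW0NNT00NNS%O2=M528NW0NNT00NNS%O3=M528NW0NNT00%O4=M528N
OS:W0NNT00NNS%O5=M528NW0NNT00NNS%O6=M528NNT00NNS)WIN(W1=4308%W2=4308%W3=410
OS:0%W4=40E8%W5=40E8%W6=402E)ECN(R=Y%DF=Y%T=80%W=4308%O=M528NW0NNS%CC=N%Q=)
OS:T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR
OS:%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=402E%S=O%A=S+%F=AS%O=M528NW0NNT00NNS%RD=0
OS:%Q=)T4(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=0%S=Z
OS:%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y
OS:%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=38%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=80%CD=Z)
"""
NAMES = {"M": "MSS", "W": "WScale", "T": "Timestamp", "N": "NOP", "S": "SACK", "L": "EOL"}

def unwrap(raw):
    """Undo nmap's line wrapping: drop each 'OS:' prefix and join the pieces."""
    return "".join(l.strip()[3:] for l in raw.splitlines() if l.strip().startswith("OS:"))

def parse(fp):
    """Return {test: {attribute: value}} for an unwrapped fingerprint."""
    return {name: dict(item.split("=", 1) for item in body.split("%") if item)
            for name, body in re.findall(r"([A-Z0-9]+)\(([^)]*)\)", fp)}

def decode_options(opts):
    """Decode an option string (OPS O1..O6, or the O attribute of ECN/T1..T7)."""
    out = []
    for tok in re.findall(r"M[0-9A-F]*|W[0-9A-F]*|T[01]{2}|[NSL]", opts):
        kind, val = tok[0], tok[1:]
        if kind in "MW":
            val = int(val, 16) if val else None   # MSS / window scale are hex
        elif kind != "T":
            val = None                            # N, S, L carry no value
        out.append((NAMES[kind], val))            # T keeps its TSval/TSecr flags
    return out

def diff(raw_a, raw_b):
    """List (test, attribute, value_a, value_b) wherever two fingerprints differ."""
    a, b = parse(unwrap(raw_a)), parse(unwrap(raw_b))
    return sorted((t, k, a.get(t, {}).get(k), b.get(t, {}).get(k))
                  for t in a.keys() | b.keys()
                  for k in a.get(t, {}).keys() | b.get(t, {}).keys()
                  if a.get(t, {}).get(k) != b.get(t, {}).get(k))

if __name__ == "__main__":
    for name, value in sorted(parse(unwrap(RAW))["OPS"].items()):
        print(name, value, decode_options(value))
```

Passing the wrapped fingerprint from the scan without the VPN as the second argument to `diff` lists only the probes and attributes that changed between the two paths.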