Nmap Development mailing list archives

Re: Host Details from scan suggestion


From: David Fifield <david () bamsoftware com>
Date: Thu, 4 Feb 2016 09:33:25 -0800

On Wed, Feb 03, 2016 at 03:42:51PM -0500, Ben Stine wrote:
> Hello, I just ran a scan on an IP. The Host Detail tab shows Operation System: Linux 2.6.32 with Accuracy: 97%
> I had to let you know the computer is a Windows server. The scan did get the ports 80 and 443 correct for Microsoft IIS version 7.5
> So, I am uncertain of the logic the scan uses to determine IIS version coupled with Linux as the operating system.
>
> Just a suggestion that when IIS is found to be the web server, the OS should fall into the Microsoft Windows vendor family.

The application-layer OS detection is separate from the TCP/IP-layer OS
detection, and in most cases that's the way you want it, because they
can be different. Please see:
        https://nmap.org/book/osdetect-other-methods.html#osdetect-openports

        A machine which appears to be running Microsoft IIS might be a
        Unix firewall simply forwarding port 80 to a Windows machine...
        By keeping the OS detection results discovered by OS detection
        and version detection separate, Nmap can gracefully handle a
        Checkpoint firewall which uses TCP port forwarding to a Windows
        web server. The stack fingerprinting results should be
        “Checkpoint Firewall-1” while version detection should suggest
        that the OS is Windows.

You should have separate lines in your scan output:
        OS details: Linux 2.6.32
        Service Info: OS: Windows

On the other hand, it's possible that there's an erroneous fingerprint
in the database. In any case, we'd like to have the fingerprint for the
97% match so we can see what is causing it not to match 100%. For that,
see
        https://nmap.org/cgi-bin/submit.cgi?corr-service
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
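
Added example, not part of the original message or of Nmap itself: a Python sketch that reads Nmap XML output (`-oX`) and reports, per host, the TCP/IP-layer OS match next to any ports whose version-detection `ostype` names a different OS family, which is the situation discussed in this thread. The sample XML and address are constructed, and comparing `ostype` to `osfamily` by exact case-insensitive match is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX format, mirroring the scan in this thread.
SAMPLE_XML = """<nmaprun>
<host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" product="Microsoft IIS httpd" version="7.5" ostype="Windows"/></port>
    <port protocol="tcp" portid="443"><state state="open"/>
      <service name="http" product="Microsoft IIS httpd" version="7.5" ostype="Windows"/></port>
  </ports>
  <os>
    <osmatch name="Linux 2.6.32" accuracy="97">
      <osclass vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="97"/>
    </osmatch>
  </os>
</host>
</nmaprun>"""


def compare_os_layers(xml_text):
    """Return one dict per host with both OS views and any disagreeing ports."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        # TCP/IP-layer result: take the highest-accuracy osmatch, if any.
        matches = sorted(host.iter("osmatch"),
                         key=lambda m: int(m.get("accuracy", "0")), reverse=True)
        best = matches[0] if matches else None
        families = ({c.get("osfamily", "").lower() for c in best.iter("osclass")}
                    if best is not None else set())
        # Application-layer result: ostype reported by version detection per port.
        mismatched = []
        for port in host.iter("port"):
            svc = port.find("service")
            ostype = svc.get("ostype") if svc is not None else None
            if ostype and families and ostype.lower() not in families:
                mismatched.append((int(port.get("portid")), ostype))
        findings.append({
            "host": addr,
            "stack_os": best.get("name") if best is not None else None,
            "accuracy": int(best.get("accuracy")) if best is not None else None,
            "mismatched_ports": mismatched,
        })
    return findings


if __name__ == "__main__":
    for finding in compare_os_layers(SAMPLE_XML):
        print(finding)
```

A non-empty `mismatched_ports` list does not say which layer is right; it marks hosts where a forwarding device or an imperfect fingerprint is worth checking before the OS goes into an inventory.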
