Re: Nmap output

["Nikhil Wagholikar" <visitnikhil () gmail com>]

Hello Maash,

I appreciate you tried the same parameters on Ubuntu i.e. Linux
operating system. However, it wouldn't be possible that NMap didn't
provide you with any OS guess. If Nmap is not sure of the remote
operating system, then it would provide you with list of operating
systems based on its level of guesses.

For version detection, you would have to provide '-v' switch of Nmap
along with the options you already provided. Else to perform both
Operating system guess and version detection (with script scan and
Traceroute) in one go, you can use '-A' switch of Nmap.

As far as open ports reporting of Nmap is concerned, you can check
which Nmap (I mean from Microsoft Windows and UNIX/Linux) is providing
you correct results, by executing Nmap from both these systems and
then verifying the results manually by TELNETting to those open ports
on remote system.

However, there is no doubt that NMap as a product, is a wonderful,
powerful and reliable port scanning tool. Fydoor and his team is
making utmost efforts to make sure that no version of Nmap (may that
be on Microsoft Windows or UNIX/Linux) provides with any false
positive results.


---
NIKHIL WAGHOLIKAR
Practice Lead | Security Assessment and Digital Forensics
NII Consulting
Web: http://www.niiconsulting.com/
Security Products: http://www.niiconsulting.com/products.html

2008/11/21 Maash <maash.rajani () gmail com>:
> I tried the same parameters on Ubuntu, this time nmap does not detect any
> OS, versions or port. Which is more reliable the windows scan results or the
> linux and why.
>
>
> On Thu, Nov 20, 2008 at 3:33 PM, Nikhil Wagholikar <visitnikhil () gmail com>
> wrote:
> > Hello Maash,
> >
> > I agree with Taufiq's point. Fragmentation is just one technique to
> > evade firewall, IDS/IPS etc.
> >
> > NMap was originally developed keeping in mind UNIX/Linux operating
> > system. Later, it was ported to Microsoft Windows. So there are lots
> > of switches/options in NMap, which executes perfectly in UNIX/Linux
> > environment than on Microsoft Windows. One of the options is of
> > 'fragmentation'.
> >
> > I would suggest you to run the same scan from a UNIX/Linux based
> > system i.e. install NMap on a UNIX/Linux system and then run the same
> > scan. I am sure, you'll get near to perfect results from it.
> >
> > Best of Luck !!
> >
> > ---
> > NIKHIL WAGHOLIKAR
> > Practice Lead | Security Assessment and Digital Forensics
> > NII Consulting
> > Web: http://www.niiconsulting.com/
> > Security Products: http://www.niiconsulting.com/products.html
> >
> >
> > 2008/11/20 <maash.rajani () gmail com>
> > > I scanned a host with nmap using two set of parameters.
> > >
> > > 1) nmap -P0 -f -O 192.168.100.44
> > >
> > > Warning:  OS detection for 192.168.100.44 will be MUCH less reliable
> > > because we
> > > did not find at least 1 open and 1 closed TCP port
> > > All 1690 scanned ports on host233-226.xxxx.xxx.xx (192.168.100.44) are
> > > filt
> > > ered
> > > Device type: specialized|switch|WAP|printer|general purpose
> > > Running: Cisco IOS 12.X, D-Link embedded, Ember embedded, IBM embedded,
> > > Lexmark
> > > embedded, Minix
> > > OS details: Cisco DOCSIS cable modem termination server running IOS
> > > 12.1, Cisco
> > > Catalyst 6509 running IOS 12.1, D-Link DI-824VUP Wireless VPN Router,
> > > Ember InSi
> > > ght Adapter for programming EM2XX-family embedded devices, IBM 6400
> > > Printer (sof
> > > tware version 7.0.9.6), Lexmark T632 Network Laser Printer, Minix 3.1.2a
> > >
> > >
> > >
> > >
> > >
> > > While in the second set of parameter i did not fragment the packets.
> > >
> > > 2) nmap -P0 -O 192.168.100.44
> > >
> > > Warning:  OS detection for 192.168.100.44 will be MUCH less reliable
> > > because we
> > > did not find at least 1 open and 1 closed TCP port
> > > Warning:  OS detection will be MUCH less reliable because we did not
> > > find at lea
> > > st 1 open and 1 closed TCP port
> > > Interesting ports on host233-226.xxx.xxx.xx (192.168.100.44):
> > > Not shown: 1689 filtered ports
> > > PORT    STATE SERVICE
> > > 443/tcp open  https
> > > Device type: general purpose
> > > Running: IBM AIX 4.X, Microsoft Windows 2003/.NET|NT/2K/XP
> > > OS details: IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/*, Microsoft Windows
> > > 2003 Serve
> > > r or XP SP2
> > > Uptime: 3.360 days (since Sun Nov 16 13:22:23 2008)
> > >
> > >
> > >
> > >
> > > My question is without fragmenting the packets how was nmap able to
> > > determine an open port.
> > > And what different did fragmentation make in OS detection.
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Cenzic
> > >
> > > Security Trends Report from Cenzic
> > > Stay Ahead of the Hacker Curve!
> > > Get the latest Q2 2008 Trends Report now
> > >
> > > www.cenzic.com/landing/trends-report
> > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Security Trends Report from Cenzic
> > Stay Ahead of the Hacker Curve!
> > Get the latest Q2 2008 Trends Report now
> >
> > www.cenzic.com/landing/trends-report
> > ------------------------------------------------------------------------
>
>
>
> --
> channel your energy into your mind
> look for the wave with no color

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------