[prev in list] [next in list] [prev in thread] [next in thread]
List: nmap-dev
Subject: Re: Nmap output behavior question
From: Fyodor <fyodor () insecure ! org>
Date: 2009-05-23 1:00:40
Message-ID: 20090523010040.GJ438 () syn ! lnxnet ! net
[Download RAW message or body]
On Fri, May 22, 2009 at 09:28:05AM -0400, Thomas Tavaris J (Tavaris) wrote:
> Hi devs,
>
> I realize that I am not running the most recent version of Nmap (using
> 4.76) but while running various scans I noticed strange results being
> reported when generating the fingerprint of the remote host.
> In particular the SEQ, IE test, and U1 are reporting multiple results
> from the generated fingerprint., (i.e. one IE(R=Y....) and a IE(R=N) for
> the same host?!?!?!?! multiple SEQ and U1 lines (see below), etc
> Could anyone explain this?
Hi Tavaris. Nmap repeats the whole OS detection process against a
target as many as five times to try and get a match. If they all
fail, it prints a fingerprint. Rather than including a whole
fingerprint for each of the five attempts, it consolidates them into
one fingerprint. In the process, it removes test lines where nothing
changed. So when you see:
> (*) SEQ(SP=102%GCD=1%ISR=10A%TI=Z%II=RI%TS=U)
> (*) SEQ(SP=102%GCD=1%ISR=108%TI=Z%II=RI%TS=U)
> (*) SEQ(SP=FF%GCD=1%ISR=10C%TI=Z%II=RI%TS=U)
> (*) SEQ(SP=FD%GCD=1%ISR=10F%TI=Z%II=RI%TS=U)
> (*) SEQ(SP=101%GCD=1%ISR=108%TI=Z%II=RI%TS=U)
> OPS(O1=M5B4W0NSLL%O2=M578W0NSLL%O3=M280W0L%O4=M1F4W0NSLL%O5=M218W0NSLL%O
> 6=M109SLL)
> WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000)
That means that the SEQ tests showed changes every time, but you only
see one OPS and one WIN line because those didn't vary during the 5 OS
detection runs.
And yes, it is a bit strange when you see a target responding
different ways to the same probe. But it isn't all that uncommon.
I hope this helps! BTW, you should upgrade to 4.85BETA9. We don't
even distribute 4.76 any more from the download page since it is about
8 months old. We're planning a new stable release soon. We now have
more than 2,000 OS detection fingerprints!
Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic