[prev in list] [next in list] [prev in thread] [next in thread] 

List:       nmap-dev
Subject:    Re: Nmap output behavior question
From:       Fyodor <fyodor () insecure ! org>
Date:       2009-05-23 1:00:40
Message-ID: 20090523010040.GJ438 () syn ! lnxnet ! net
[Download RAW message or body]

On Fri, May 22, 2009 at 09:28:05AM -0400, Thomas Tavaris J (Tavaris) wrote:
> Hi devs,
> 
> I realize that I am not running the most recent version of Nmap (using
> 4.76) but while running various scans I noticed strange results being
> reported when generating the fingerprint of the remote host.
> In particular the SEQ, IE test, and U1 are reporting multiple results
> from the generated fingerprint., (i.e. one IE(R=Y....) and a IE(R=N) for
> the same host?!?!?!?! multiple SEQ and U1 lines (see below), etc
> Could anyone explain this? 

Hi Tavaris.  Nmap repeats the whole OS detection process against a
target as many as five times to try and get a match.  If they all
fail, it prints a fingerprint.  Rather than including a whole
fingerprint for each of the five attempts, it consolidates them into
one fingerprint.  In the process, it removes test lines where nothing
changed.  So when you see:

> (*) SEQ(SP=102%GCD=1%ISR=10A%TI=Z%II=RI%TS=U)
> (*) SEQ(SP=102%GCD=1%ISR=108%TI=Z%II=RI%TS=U)
> (*) SEQ(SP=FF%GCD=1%ISR=10C%TI=Z%II=RI%TS=U)
> (*) SEQ(SP=FD%GCD=1%ISR=10F%TI=Z%II=RI%TS=U)
> (*) SEQ(SP=101%GCD=1%ISR=108%TI=Z%II=RI%TS=U)
> OPS(O1=M5B4W0NSLL%O2=M578W0NSLL%O3=M280W0L%O4=M1F4W0NSLL%O5=M218W0NSLL%O
> 6=M109SLL)
> WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000)

That means that the SEQ tests showed changes every time, but you only
see one OPS and one WIN line because those didn't vary during the 5 OS
detection runs.

And yes, it is a bit strange when you see a target responding
different ways to the same probe.  But it isn't all that uncommon.

I hope this helps!  BTW, you should upgrade to 4.85BETA9.  We don't
even distribute 4.76 any more from the download page since it is about
8 months old.  We're planning a new stable release soon.  We now have
more than 2,000 OS detection fingerprints!

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic