Home page logo

basics logo Security Basics mailing list archives

Re: When nmap can't ID the OS...
From: Faleh Daoud Abdel Monem <abdelmonem () webone-tunisie com>
Date: Tue, 14 Dec 2004 19:02:32 +0100

Jimi Thompson wrote:
Are you by any chance running NMAP on Windows?  If so, you might try
using the Linux/Unix version instead and see if you don't get better

2 cents,


On 27 Nov 2004 19:27:16 -0000, H Carvey <keydet89 () yahoo com> wrote:

In-Reply-To: <200411261640.23084.dflists () iinet net au>

What could be up with the remote machine that stops nmap IDing the OS it is


Well, the info at NetCraft could have been spoofed, or old.  The system using that IP could have at one time been running 
the OS/web server identified, but perhaps no longer.  And without knowing more about what arguments you used for nmap, and 
the actual output, it might be difficult to tell you why nmap couldn't figure it out...there are several possibilities 


"Windows Forensics and Incident Recovery"


Hi list,

First of all I'm sorry about this late reply.
Thought the discussion has gone about if Nmap is able to reliably identify a remote OS, if you permit it lets review what’s basically OS fingerprinting:

All is about TCP/IP packets when it come to guess the remote OS system, different systems has different TCP/IP stacks, so if you can get a packet from one system and match it against known patterns or behavior (how many SYN packets are send to tray establishing a connection, delay between packets, response to erroneous packets …) you may guess the OS it’s running. How to get this packet to analyze it is what make the difference between a so called active and passive finger printing. Passive finger printing is basically collecting packets (TCPdump or any that can do) and studying them to find a matching with different OS special setting in IP or TCP headers, this is widely covered in Toby Miller sans.org paper in it’s 2 parts (http://www.sans.org/rr/special/index.php?id=passiveos http://www.sans.org/rr/special/index.php?id=passiveos2). Active fingerprinting technique involve sending regular (usually SYN) packets or special crafted (SYN|FIN) ounces in order to trigger some errors on the remote systems and look into their replays, thought this is the way Nmap and many others active fingerprinting tools work, a look at Fyodor paper on Nmap Remote OS Detection (http://www.insecure.org/nmap/nmap-fingerprinting-article.html) gives a good explication of the techniques. Also performing basic ports scanning and banners collect, would give some informations but this is no that much accurate since today daemons become available for a wide range of Oss.

Thought many OS have parameters that can be tweaked to limit the leak of informations used by those tools if not stop it at all, they may also fool the tool to not be able to identify the remote OS. If anyone has experience tweaking them with some success it would be useful for all of us. I just can remember about some option when compiling a new FreeBSD kernel about to allow response to SYC|FIN packets as this violate the TCP Three Way Handshake ( sorry for not providing it cuz I don’t have a FreeBSD Box know at hand to verify).

Best Regards.

Daoud AbdelMonem Faleh             WebOne S.A.R.L eBusiness solutions
System Admin.

Tel:    +216 71 784 726        21 Rue Ibn Badis
Fax:    +216 71 894 326        1002 Tunis / Tunisia
abdelmonem () webone-tunisie com           http://www.webone.com.tn

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]