
Nmap Development mailing list archives

about -O option [Re: 2.54 beta 33 build on w2k]
From: Denis Ducamp <Denis.Ducamp () hsc fr>
Date: Sun, 28 Apr 2002 00:55:56 +0200

On Sat, Apr 27, 2002 at 02:31:57PM -0700, BlackHat . Info wrote:

> I've tried to use nmap -v -sS -O -P0 -oN name.txt www.testsite.com to
> gather port scan, identify OS and save to name.txt. I was not able to get
> any success to identify OS version. I'm using the latest release of NMAP
> running on a RedHat machine. System is behind the firewall.
>
> Any suggestions to correct this issue?

When you use -v and -O you have a line such as:

For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled

(port numbers may change)
So you must have a hole in the firewall to permit access to both ports
used by nmap to fingerprint.

> Btw, Netcraft.com and SecuritySpace.com can provide a detailed OS
> fingerprinting result. Will I be able to do this using NMAP tool?

Netcraft, IIRC, uses a different technique:
 . headers of the http server,
 . ip/tcp options of the syn/ack packet replied by the http server.

> Let me know how.

nmap fingerprinting works very well if there isn't any firewall between the
server and the scanner, but with a firewall some responses will not come
back to nmap and it will not work at all. Netcraft's method works in many
more situations because they only send packets to the 80/tcp port of http
servers, but results are less precise.

You may use a passive fingerprinting tool to test through a firewall or add an
option to nmap to give possible responses when packets are "lost" during the

Denis Ducamp.

.signature in mourning

For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
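
Added example, not part of the original post and not Netcraft's or nmap's code: it extracts the IP/TCP fields and option layout of a SYN/ACK, the kind of data the reply above says an HTTP-only fingerprinter relies on. The packet is constructed for the illustration, and the function names, addresses and field values are assumptions.

```python
import struct

# TCP option kinds -> short labels (unknown kinds are shown as their number)
OPT_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS"}

def build_sample_synack():
    """Constructed IPv4 + TCP SYN/ACK from port 80 (documentation addresses)."""
    opts = b"".join([
        b"\x02\x04\x05\xb4",           # MSS 1460
        b"\x04\x02",                   # SACK permitted
        b"\x08\x0a" + b"\x00" * 8,     # timestamps (values zeroed)
        b"\x01",                       # NOP
        b"\x03\x03\x07",               # window scale 7
    ])
    tcp = struct.pack("!HHIIHHHH", 80, 40000, 1000, 2001, 0xA012, 5792, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + tcp

def synack_signature(packet):
    """Return the header fields a SYN/ACK-based fingerprinter would compare."""
    ihl = (packet[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack("!HBB", packet[6:10])
    tcp = packet[ihl:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    if proto != 6 or (off_flags & 0x12) != 0x12:
        raise ValueError("not a TCP SYN/ACK")
    end = min((off_flags >> 12) * 4, len(tcp))
    layout, mss, i = [], None, 20
    while i < end:
        kind = tcp[i]
        length = 1 if kind in (0, 1) else (tcp[i + 1] if i + 1 < end else 0)
        if (kind > 1 and length < 2) or i + length > end:
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        layout.append(OPT_NAMES.get(kind, str(kind)))
        if kind == 0:   # end of option list
            break
        i += length
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "window": window,
            "mss": mss, "options": ",".join(layout)}

if __name__ == "__main__":
    print(synack_signature(build_sample_synack()))
```

The TTL seen on the wire has already been decremented by each hop, so a comparison against known initial values has to allow for that.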
