On 12/21/06, doug_at_hcsw.org <doug_at_hcsw.org> wrote:
[snip]
> When you execute a version scan (-sV or -A) Nmap will also fingerprint
> *services* at the *application layer* which, it turns out, is often a
> fairly robust, reliable OS fingerprinting method. I rarely ever use -O
> on my own machines because of the verbose information most OpenSSH
> daemons are configured to give:
>
> $ ./nmap -sV -p 22 localhost
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-21 14:22 PST
> Interesting ports on localhost.localdomain (127.0.0.1):
> PORT STATE SERVICE VERSION
> 22/tcp open ssh OpenSSH 3.8.1p1 Debian 8.sarge.4 (protocol 2.0)
> Service Info: OS: Linux
>
> Similarly, Mac OS is easily recognised at the application layer
> through AFP/Apple remote desktop VNC, Windows through
> SMB/IIS/Exchange/etc, AIX through its "kerberised" rsh and so on.
>
> Doug
>
>
That makes me wonder if anyone has thought about a good way to
incorporate this sort of extra effort programmatically into nmap.
It may be too much effort and be way out of scope of nmap, and
something more suited for fat tools like Retina, Internet Scanner, and
Nessus. I would hate to overcomplicate nmap and make it bloated and slow.

I don't know how much weight nmap puts on which ports are open as
opposed to just the responses it receives from ports that are open. I
also don't know how much weight nmap puts on the version information
that is discovered, if any at all.

-Jason
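To make the idea discussed in this thread concrete, here is an added example (not from the thread and not Nmap's own code) of the kind of post-processing Jason is asking about: it reads `nmap -sV` normal output, pulls OS evidence from the VERSION column and the `Service Info: OS:` line, and scores OS families with explicit weights. The sample output is constructed for the example: the OpenSSH line is the one from Doug's mail, the other port lines are invented, and the substring-to-OS table and its weights are hypothetical rather than Nmap's actual scoring.

```python
import re

# Constructed sample of nmap -sV normal output. The ssh line is taken from
# the quoted mail; the other port lines are invented for this example.
SAMPLE_OUTPUT = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2006-12-21 14:22 PST
Interesting ports on localhost.localdomain (127.0.0.1):
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 3.8.1p1 Debian 8.sarge.4 (protocol 2.0)
25/tcp  closed smtp
80/tcp  open   http    Microsoft IIS httpd 6.0
548/tcp open   afp     Apple AFP (name: mac-mini; protocol 3.2)
Service Info: OS: Linux
"""

# One port line: "<port>/<proto> <state> <service> <version...>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# The "OS:" field of the Service Info summary line (fields are ';'-separated)
SERVICE_INFO_RE = re.compile(r"^Service Info:.*?\bOS: ([^;]+)")

# Hypothetical evidence table: (substring of VERSION column, OS family, weight).
# The weights are illustrative only; Nmap does not score this way.
VERSION_HINTS = [
    ("Debian", "Linux", 3),
    ("Ubuntu", "Linux", 3),
    ("Microsoft", "Windows", 3),
    ("Apple", "Mac OS", 3),
]

# Weight given to the OS named on the Service Info line (also illustrative).
SERVICE_INFO_WEIGHT = 2


def parse_ports(output):
    """Yield (port, proto, state, service, version) for every port line."""
    for line in output.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            yield int(port), proto, state, service, version.strip()


def os_hints(output):
    """Score OS families from application-layer evidence in -sV output.

    Returns {family: {"score": int, "evidence": [str, ...]}}. Only open
    ports contribute, since a closed port carries no version string.
    """
    scores = {}

    def add(family, weight, evidence):
        entry = scores.setdefault(family, {"score": 0, "evidence": []})
        entry["score"] += weight
        entry["evidence"].append(evidence)

    for port, proto, state, service, version in parse_ports(output):
        if state != "open":
            continue
        for needle, family, weight in VERSION_HINTS:
            if needle in version:
                add(family, weight, f"{port}/{proto} {service}: {version}")

    for line in output.splitlines():
        m = SERVICE_INFO_RE.match(line)
        if m:
            add(m.group(1).strip(), SERVICE_INFO_WEIGHT, line.strip())

    return scores


def best_guess(output):
    """Return the highest-scoring OS family, or None if there is no evidence."""
    scores = os_hints(output)
    if not scores:
        return None
    return max(scores, key=lambda family: scores[family]["score"])


if __name__ == "__main__":
    for family, entry in sorted(os_hints(SAMPLE_OUTPUT).items()):
        print(f"{family}: score {entry['score']}")
        for item in entry["evidence"]:
            print(f"    {item}")
    print("best guess:", best_guess(SAMPLE_OUTPUT))
```

The constructed sample deliberately mixes conflicting banners (a Debian SSH daemon next to IIS and AFP) so that the scoring, not a single line, decides: the Debian version string and the `Service Info` line agree, so Linux wins. Everything rests on self-reported banners, which an administrator can edit or strip, so on a real inventory this belongs beside, not in place of, the stack-level `-O` result.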
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Dec 21 2006