Home page logo

nmap-dev logo Nmap Development mailing list archives

OpenSSH hpn detection
From: Matt Selsky <selsky () columbia edu>
Date: Tue, 30 Oct 2007 01:55:12 -0400

When I updated to the 2007q3 service-probes in SVN r5980, I started 
having service info problems.

# ./nmap -O -p22,23 -sV mustard

Starting Nmap 4.22SOC8 ( http://insecure.org ) at 2007-10-30 01:37 EDT

Interesting ports on mustard (xx.xx.xx.xx):
22/tcp open   ssh     OpenSSH 4.7p1-hpn12v17 (protocol 2.0)
23/tcp closed telnet
Device type: general purpose
Running (JUST GUESSING) : Sun Solaris 9|10 (90%)
Aggressive OS guesses: Sun Solaris 9 or 10 (SPARC) (90%), Sun Solaris 9 
or 10 (89%), Sun Solaris 9 (SPARC) (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime: 24.216 days (since Fri Oct  5 20:26:49 2007)
Network Distance: 7 hops
Service Info: OS: HP-UX

OS and Service detection performed. Please report any incorrect results 
at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.299 seconds

This device is in fact running Solaris 9/SPARC.  The problem seems to be 
that an OpenSSH with "-hpn" in the version string now assumes 

The -hpn string comes from the High Performance Networking patches for 
OpenSSH (http://www.psc.edu/networking/projects/hpn-ssh/) and has 
nothing to do with HP-UX.

Also the -hpn should have a number after it, but not all of the service 
fingerprints do.  I guess those are from a different set of OpenSSH 


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]