OS detection in poor conditions


OS detection in poor conditions

by Andrew Johnston-3

Hello-
I noticed throughout my scans that whenever a machine's OS seems to be
unknown, Nmap reports it as a firewall running ZyXEL ZyNOS or Prestige. I
would understand if the scan was close enough (like if it was a ZyXEL
router), but a lot of times it seems to be way off. As an example, I have
provided a scan.
# Nmap 5.00 scan initiated Tue Nov 10 22:51:33 2009 as: nmap -O -oN
example.txt -PN fake.domain
Interesting ports on fake.domain (192.168.1.1)
Not shown: 923 closed ports, 69 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
995/tcp  open  pop3s
3306/tcp open  mysql
Device type: firewall
Running: ZyXEL ZyNOS 3.X
OS details: ZyXEL ZyWALL 2 or Prestige 660HW-61 ADSL router (ZyNOS 3.62)
OS detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
# Nmap done at Tue Nov 10 22:52:58 2009 -- 1 IP address (1 host up) scanned
in 86.14 seconds
Of course, I removed any sensitive information. But I know the device is
not actually a ZyXEL firewall, but a Red Hat 9 server.
Is this a type of default that I can disable? It has been messing me up.

Thanks in advance.


--
Andrew Johnston
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Re: OS detection in poor conditions

by David Fifield

On Tue, Nov 10, 2009 at 10:56:41PM -0500, Andrew Johnston wrote:

> Hello-
> I noticed throughout my scans that whenever a machine's OS seems to be
> unknown, Nmap reports it as a firewall running ZyXEL ZyNOS or Prestige. I
> would understand if the scan was close enough (like if it was a ZyXEL
> router), but a lot of times it seems to be way off. As an example, I have
> provided a scan.
> # Nmap 5.00 scan initiated Tue Nov 10 22:51:33 2009 as: nmap -O -oN
> example.txt -PN fake.domain
> Interesting ports on fake.domain (192.168.1.1)
> Not shown: 923 closed ports, 69 filtered ports
> PORT     STATE SERVICE
> 22/tcp   open  ssh
> 53/tcp   open  domain
> 80/tcp   open  http
> 110/tcp  open  pop3
> 143/tcp  open  imap
> 443/tcp  open  https
> 995/tcp  open  pop3s
> 3306/tcp open  mysql
> Device type: firewall
> Running: ZyXEL ZyNOS 3.X
> OS details: ZyXEL ZyWALL 2 or Prestige 660HW-61 ADSL router (ZyNOS 3.62)
> OS detection performed. Please report any incorrect results at
> http://nmap.org/submit/ .
> # Nmap done at Tue Nov 10 22:52:58 2009 -- 1 IP address (1 host up) scanned
> in 86.14 seconds
> Of course, I removed any sensitive information. But I know the device is
> not actually a ZyXEL firewall, but a Red Hat 9 server.
> Is this a type of default that I can disable? It has been messing me up.

Thanks for your report. The fingerprint you're seeing isn't a default,
but it is fairly broad. It would help if you could run OS detection with
the -d option (so a fingerprint is printed) and send it to me along with
the output of "uname -a" on the server. That way I can find a way to
differentiate the prints.

Normally I would tell you to submit an OS correction at
http://insecure.org/cgi-bin/submit.cgi?corr-os, but we just pulled off
the submission queue yesterday to do OS integration, and it wouldn't get
in this round.

You can disable the print just by commenting it out in the nmap-os-db
file. It's currently (as of r16028) at line 35791, seventh from the
bottom of the file. Just search the file for "ZyWALL 2".

David Fifield
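David's workaround is to comment the ZyWALL 2 entry out of nmap-os-db by hand. The script below is an added example, not part of this thread and not Nmap project code: it comments out every entry whose Fingerprint name contains a given substring, so the edit survives a file with thousands of entries and can be repeated after an Nmap upgrade. It assumes the nmap-os-db layout in which each entry is a run of non-blank lines that begins with "Fingerprint <name>", entries are separated by blank lines, and lines beginning with "#" are ignored by Nmap. The SEQ/OPS/T1 probe values in SAMPLE_DB are constructed for the example and are not real fingerprint data; only the ZyWALL 2 name and its firewall class come from the thread.

```python
"""Comment out one Fingerprint entry in a copy of Nmap's nmap-os-db.

Added example (not Nmap's own code). Assumed layout: entries are blank-line
separated runs of lines starting with "Fingerprint <name>"; '#' lines are
comments. Probe values in SAMPLE_DB are constructed, not real data.
"""
import shutil
import sys

# Constructed excerpt in nmap-os-db layout. The ZyWALL 2 name comes from the
# thread; every SEQ/OPS/T1 value below is made up for the example.
SAMPLE_DB = """\
# nmap-os-db excerpt (constructed for this example)

Fingerprint Linux 2.4.18 - 2.4.22
Class Linux | Linux | 2.4.X | general purpose
SEQ(SP=C0-CA%GCD=1-6%ISR=C3-CD%TI=Z%II=I%TS=U)
OPS(O1=M5B4NNSNW0%O2=M5B4NNSNW0)

Fingerprint ZyXEL ZyWALL 2 or Prestige 660HW-61 ADSL router (ZyNOS 3.62)
Class ZyXEL | ZyNOS | 3.X | firewall
SEQ(SP=0-5%GCD=1-6%ISR=0-5%TI=I%II=I%TS=U)
OPS(O1=M5B4%O2=M5B4%O3=M5B4)
T1(R=Y%DF=N%T=FA-104%S=O%A=S+%F=AS%RD=0%Q=)

Fingerprint ZyXEL ZyWALL 10
Class ZyXEL | ZyNOS | 3.X | firewall
SEQ(SP=0-5%GCD=1-6%ISR=0-5%TI=I%II=I%TS=U)
"""

PREFIX = "Fingerprint "


def disable_fingerprint(db_text, needle):
    """Return (new_text, count): the db text with every entry whose
    Fingerprint name contains `needle` commented out line by line.
    Entries that are already commented out are left alone."""
    out = []
    in_target = False
    count = 0
    for line in db_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        if body.strip() == "":
            # Blank line ends the current entry.
            in_target = False
            out.append(line)
            continue
        if body.startswith(PREFIX):
            # Start of a new entry: decide whether it is one we want gone.
            in_target = needle in body[len(PREFIX):]
            if in_target:
                count += 1
        if in_target and not body.startswith("#"):
            out.append("#" + line)
        else:
            out.append(line)
    return "".join(out), count


def fingerprint_names(db_text):
    """Names of the entries Nmap would still load (commented ones excluded)."""
    return [l[len(PREFIX):].strip()
            for l in db_text.splitlines() if l.startswith(PREFIX)]


if __name__ == "__main__":
    # Usage: python disable_print.py /path/to/nmap-os-db "ZyWALL 2"
    if len(sys.argv) != 3:
        sys.exit("usage: disable_print.py <nmap-os-db> <name substring>")
    path, needle = sys.argv[1], sys.argv[2]
    shutil.copyfile(path, path + ".bak")  # keep a backup of the original
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text, n = disable_fingerprint(text, needle)
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    print("commented out %d entr%s matching %r" % (n, "y" if n == 1 else "ies", needle))
```

The returned count is the check to read before trusting the edit: substring matching is deliberately loose, so a needle like "ZyWALL 2" would also hit a hypothetical "ZyWALL 20" entry, and a count other than the one you expected means the needle needs tightening. Because a commented entry's first line no longer starts with "Fingerprint ", running the script twice is harmless.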