
I was checking the security of a server by running Nmap. The last time, it gave me the following results, indicating that the OS could not be fingerprinted:

    PORT     STATE    SERVICE    VERSION
    21/tcp   filtered ftp
    22/tcp   open     ssh        OpenSSH 5.2
    23/tcp   filtered telnet
    25/tcp   filtered smtp
    80/tcp   filtered http
    443/tcp  open     ssl/http   Nginx
    1433/tcp filtered ms-sql-s
    3306/tcp filtered mysql
    8080/tcp filtered http-proxy
    OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
    No OS matches for host

I did the same scan using the same Nmap version recently; however, this time it reports a possible OS prediction:

    PORT     STATE    SERVICE    VERSION
    21/tcp   filtered ftp
    22/tcp   filtered ssh
    23/tcp   filtered telnet
    25/tcp   filtered smtp
    80/tcp   open     http       Nginx
    443/tcp  open     ssl/http   Nginx
    1433/tcp filtered ms-sql-s
    3306/tcp filtered mysql
    8080/tcp filtered http-proxy
    Device type: storage-misc|general purpose
    Running (JUST GUESSING): Microsoft Windows PocketPC/CE|2000|XP|NT (92%)...
    OS CPE: cpe:/o:microsoft:windows_ce cpe:/o:microsoft:windows_2000::sp4 ...
    Aggressive OS guesses: AT&T U-Verse set-top box (Windows CE 5.0) (92%), Microsoft Windows...
    No exact OS matches for host (test conditions non-ideal).

For both cases, all TCP ports are either filtered or open. Why does Nmap not report a missing closed TCP port in the second case? And does it rely on a closed TCP port to do OS fingerprinting?

  • Why are you running nmap from a pentest website and not yourself? You have no idea how the server that is hosting the nmap has been configured. Run nmap on your own and then come back with questions. Commented Sep 20, 2014 at 1:02

2 Answers

I've already written an answer to another question that details all the reasons a fingerprint may be non-ideal, but the short answer is yes, Nmap requires a closed TCP port to get the best match. But I'd guess that there are other things interfering with your scan if it's showing Nginx running on Windows CE.

Based on your output, I'd guess that the first scan used -d or -vv, but the second scan did not. The logic in output.cc says that the "No exact OS matches for host (test conditions non-ideal)." line only gets printed if there is a "reason", but the only condition under which the "reason" is not shown is if verbose is less than or equal to 1 and debugging is not turned on.
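As an added illustration (not Nmap's own code), a small Python model of the two checks discussed in this answer: whether a port table contains the closed TCP port Nmap wants, and how the verbosity level decides which line is printed. The sample port tables are constructed from the question's scans, the closed-port message is the one quoted in the question, and the verbosity rule is the simplified one described above.

```python
import re

# Constructed sample: port table from the first scan in the question
# (OS fingerprint reported as non-ideal, closed port missing).
SCAN_1 = """\
PORT     STATE    SERVICE    VERSION
21/tcp   filtered ftp
22/tcp   open     ssh        OpenSSH 5.2
443/tcp  open     ssl/http   Nginx
8080/tcp filtered http-proxy
"""

# Constructed sample: same host, but with one port that answers with a RST.
SCAN_2 = SCAN_1 + "3389/tcp closed   ms-wbt-server\n"

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\b"
)


def parse_ports(text):
    """Return (port, proto, state) tuples from an Nmap normal-output port table."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group("port")), m.group("proto"), m.group("state")))
    return ports


def fingerprint_reasons(ports):
    """Reasons Nmap would give for a non-ideal fingerprint, limited to the
    closed-port check discussed on the page (Nmap itself checks more)."""
    tcp_states = {state for _, proto, state in ports if proto == "tcp"}
    reasons = []
    if "closed" not in tcp_states:
        reasons.append("Missing a closed TCP port so results incomplete")
    return reasons


def os_match_line(reasons, verbose=0, debugging=False):
    """Model of the output.cc rule from the answer: with a reason present, the
    detailed text is shown only at -vv or with -d; otherwise only the generic
    'test conditions non-ideal' line appears. No reason, no line at all."""
    if not reasons:
        return None
    if verbose <= 1 and not debugging:
        return "No exact OS matches for host (test conditions non-ideal)."
    return "OS fingerprint not ideal because: " + "; ".join(reasons)
```

Running `fingerprint_reasons(parse_ports(...))` over your own saved scan output tells you whether the closed port was there before you compare two runs.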


Below is my response; I presume you're not scanning out of malicious intent and your question is thus legit. I hold no responsibility for whatever you deduce or what actions may follow based on this post.

In short, no. Nmap relies on typical timing, sequences and other identifiers to perform OS fingerprinting. It is also easily thwarted by in-between network configurations, host-specific 'tweaks', etc.

It would be informative for you to provide us with the exact Nmap commands used to scan the server; please do anonymize your target's IP address. There is more than one flag to initiate OS fingerprinting, and these do not do the same thing and will return different results.

If this machine is not in a network you manage, it might be that there was a security device in between which counters OS fingerprinting. Running the same scan a few times will keep giving different OS fingerprints, including 'none'.

  • Seriously? This is bogus, sorry, I'm not commenting anymore. I have the impression you're fooling someone, if not yourself. Commented Sep 19, 2014 at 15:09
