
Author Topic: OS detection, nmap use  (Read 5983 times)

steffen1

  • Guest
OS detection, nmap use
« on: January 20, 2010, 06:28:18 PM »
I find the idea of OS detection in v1.0.5 very good and valuable if it will work. But there are some drawbacks:
1. nmap is much too slow with the default NeDi option
2. it needs root privileges, or maybe it could be solved with the sticky bit set on the nmap binary, with the risk of losing this after an OS upgrade/patching, and typically nobody knows why the functionality has been lost afterwards.
3. don't know how stressful it is for targets

Another valuable piece of info we get from nmap OS fingerprinting is the Network Distance of the target.

I played a little bit with the options and found "-sF -A" and "-sF -O", which take just 8 seconds for one target.

Is this method valid, or are there better alternatives to nmap for OS detection?


Quote
Original NeDi Options
# time nmap -sSU -F 172.16.10.111

Starting Nmap 4.20 ( http://insecure.org ) at 2010-01-14 02:33 CET
Stats: 0:00:55 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 5.31% done; ETC: 02:45 (0:11:07 remaining)
Stats: 0:00:56 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 5.41% done; ETC: 02:45 (0:11:08 remaining)
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 5.70% done; ETC: 02:45 (0:11:12 remaining)
Stats: 0:01:02 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 6.10% done; ETC: 02:45 (0:11:15 remaining)
Stats: 0:01:05 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 6.49% done; ETC: 02:45 (0:11:18 remaining)
Stats: 0:01:07 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 6.69% done; ETC: 02:45 (0:11:19 remaining)
Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 7.08% done; ETC: 02:45 (0:11:21 remaining)
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 7.67% done; ETC: 02:45 (0:11:22 remaining)

^C it takes too much time; 1:16 minutes for 8% progress on only one node is not what we will need

caught SIGINT signal, cleaning up

real    1m16.668s
user    0m0.004s
sys     0m0.004s
# time nmap -sF -A 172.16.10.111

Starting Nmap 4.20 ( http://insecure.org ) at 2010-01-14 02:34 CET
Warning:  OS detection for 172.16.10.111 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1697 scanned ports on 172.16.10.111 are closed
MAC Address: 00:19:06:95:BB:F8 (Cisco Systems)
Device type: router|switch
Running: Cisco IOS 12.X
OS details: Cisco 2500 router running IOS 12.1, Cisco 820-series router running IOS 12.3, Cisco Catalyst 3750 switch, IOS 12.2
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 8.149 seconds

real    0m8.168s
user    0m0.180s
sys     0m0.012s

(-O seems to be the same as -A)
# time nmap -sF -O 172.16.10.111

Starting Nmap 4.20 ( http://insecure.org ) at 2010-01-14 02:35 CET
Warning:  OS detection for 172.16.10.111 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1697 scanned ports on 172.16.10.111 are closed
MAC Address: 00:19:06:95:BB:F8 (Cisco Systems)
Device type: router|switch
Running: Cisco IOS 12.X
OS details: Cisco 2500 router running IOS 12.1, Cisco 820-series router running IOS 12.3, Cisco Catalyst 3750 switch, IOS 12.2
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 8.136 seconds

real    0m8.175s
user    0m0.164s
sys     0m0.024s

Real-world problem for nmap usability on UNIX systems, the security-disaster chain on UNIX, or
what an access feature from local to remote has to do with local security (analogous to fping, check_icmp/Nagios, echoping ...):
=> for remote OS fingerprinting you need nmap
=> nmap needs raw packets for OS fingerprinting
=> raw packets can only be pushed out with root privileges
admin> time nmap -sSU -F 172.16.10.111
You requested a scan type which requires root privileges.  Sorry dude.
admin> time nmap -sF -A 172.16.10.111
You requested a scan type which requires root privileges.  Sorry dude.