OS detection changes depending on -n flag #2370

Closed
digininja opened this issue Sep 15, 2021 · 3 comments

Describe the bug
When I run OS identification with -n, I get no matches for the OS; if I don't use it, I get a confident Server 2016.

To Reproduce

With -n

└─$ sudo nmap -O 10.x.x.x -n
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 07:03 EDT
Nmap scan report for 10.x.x.x
Host is up (0.00024s latency).
Not shown: 985 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2000/tcp open  cisco-sccp
3389/tcp open  ms-wbt-server
5060/tcp open  sip
6000/tcp open  X11
6001/tcp open  X11:1
6003/tcp open  X11:3
6004/tcp open  X11:4
6005/tcp open  X11:5
6006/tcp open  X11:6
6007/tcp open  X11:7
6009/tcp open  X11:9
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=9/15%OT=80%CT=1%CU=34805%PV=Y%DS=2%DC=I%G=Y%TM=6141D31
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=110%TI=I%TS=A)OPS(O1=M5B4NW
OS:8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5
OS:B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%
OS:T=7F%W=2000%O=M5B4NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=7F%S=O%A=S+%F=AS%RD=0%Q=)
OS:T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=
OS:N)T7(R=N)U1(R=Y%DF=N%T=7F%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G
OS:)IE(R=N)

Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.35 seconds

Without it:

└─$ sudo nmap -O 10.x.x.x
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 07:04 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.x.x.x
Host is up (0.00028s latency).
Not shown: 985 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2000/tcp open  cisco-sccp
3389/tcp open  ms-wbt-server
5060/tcp open  sip
6000/tcp open  X11
6001/tcp open  X11:1
6003/tcp open  X11:3
6004/tcp open  X11:4
6005/tcp open  X11:5
6006/tcp open  X11:6
6007/tcp open  X11:7
6009/tcp open  X11:9
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016
Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.51 seconds

Expected behavior
OS detection should not rely on whether I can get the name for the host from the DNS server.

Version info (please complete the following information):

└─$ nmap --version
Nmap version 7.91 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1g libssh2-1.8.0 libz-1.2.11 libpcre-8.39 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
└─$ nmap --iflist
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 07:09 EDT
************************INTERFACES************************
DEV     (SHORT)   IP/MASK                     TYPE     UP MTU   MAC
lo      (lo)      127.0.0.1/8                 loopback up 65536
lo      (lo)      ::1/128                     loopback up 65536
eth0    (eth0)    10.x.x.x/21           ethernet up 1500  00:50:5x
eth0    (eth0)    fe80::xxxxx2/64 ethernet up 1500  00:50:5x
docker0 (docker0) 172.x.x.x1/16               ethernet up 1500  02:42x

**************************ROUTES**************************
DST/MASK                     DEV     METRIC GATEWAY
10.x.x.x/21              eth0    0
172.x.x.x/16                docker0 0
0.0.0.0/0                    eth0    0      10.x.x.x
::1/128                      lo      0
fxxx2/128 eth0    0
::1/128                      lo      256
fe80::/64                    eth0    256
ff00::/8                     eth0    256

OS is Kali, just updated.

Additional context
I have all the nameservers disabled in resolv.conf as they are very slow to resolve addresses and that is causing a lot of tools to break or just take forever to run.

digininja added the Nmap label Sep 15, 2021

@dmiller-nmap

The fingerprint shown is only off by 1 from the SEQ.ISR value in the reference fingerprint. I've expanded that fingerprint to be able to match this observation. I'm not sure why DNS resolution had anything to do with it, especially since Nmap didn't end up doing any reverse-DNS in either case.
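As an added illustration (not from this issue or from Nmap's own code) of the comparison the maintainer describes: this parses the wrapped `OS:` fingerprint printed in the -n scan above and checks its SEQ values against a constructed nmap-os-db-style reference whose ISR range stops one below the observed value, then against the same reference with that range widened by one. The reference ranges are invented for the example and are not the real Windows Server 2016 entry.

```python
import re

# Fingerprint exactly as printed in the -n scan above (Nmap wraps it at a fixed width).
OBSERVED = """\
OS:SCAN(V=7.91%E=4%D=9/15%OT=80%CT=1%CU=34805%PV=Y%DS=2%DC=I%G=Y%TM=6141D31
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=110%TI=I%TS=A)OPS(O1=M5B4NW
OS:8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5
OS:B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%
OS:T=7F%W=2000%O=M5B4NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=7F%S=O%A=S+%F=AS%RD=0%Q=)
OS:T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=7F%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=
OS:N)T7(R=N)U1(R=Y%DF=N%T=7F%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G
OS:)IE(R=N)
"""

# Constructed reference in nmap-os-db style (hex ranges, '|' alternatives); NOT the
# real Windows Server 2016 entry. Its ISR range tops out one below the observed 0x110.
REFERENCE_NARROW = {"SEQ": {"SP": "F0-110", "GCD": "1-6", "ISR": "10B-10F", "TI": "I", "TS": "A"}}
REFERENCE_EXPANDED = {"SEQ": {**REFERENCE_NARROW["SEQ"], "ISR": "10B-110"}}

def parse_fingerprint(text: str) -> dict:
    """Strip the 'OS:' prefixes, rejoin the wrapped lines, and return
    {test: {attribute: value}}, e.g. result['SEQ']['ISR'] == '110'."""
    joined = "".join(line[3:] for line in text.splitlines() if line.startswith("OS:"))
    tests = {}
    for name, body in re.findall(r"([A-Z0-9]+)\(([^)]*)\)", joined):
        tests[name] = dict(kv.split("=", 1) for kv in body.split("%") if kv)
    return tests

def attr_matches(observed: str, expr: str) -> bool:
    """Match an observed value against a reference expression: an exact literal,
    an inclusive hex range 'LO-HI', or '|'-separated alternatives of either."""
    for alt in expr.split("|"):
        if alt == observed:
            return True
        rng = re.fullmatch(r"([0-9A-F]+)-([0-9A-F]+)", alt)
        if rng and re.fullmatch(r"[0-9A-F]+", observed):
            if int(rng[1], 16) <= int(observed, 16) <= int(rng[2], 16):
                return True
    return False

def mismatches(observed: dict, reference: dict) -> list:
    """Return (test, attribute) pairs where the observation falls outside the
    reference; an empty list means the reference fully covers the observation."""
    return [(t, a) for t, attrs in reference.items()
            for a, expr in attrs.items()
            if not attr_matches(observed.get(t, {}).get(a, ""), expr)]

if __name__ == "__main__":
    obs = parse_fingerprint(OBSERVED)
    print(mismatches(obs, REFERENCE_NARROW), mismatches(obs, REFERENCE_EXPANDED))
```

With the narrow reference only SEQ.ISR is reported as out of range; widening that single range by one, as the maintainer did for the real entry, clears the mismatch.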

digininja commented Sep 16, 2021 via email

digininja commented Sep 17, 2021 via email

mzet- pushed a commit to mzet-/Nmap-for-Pen-Testers that referenced this issue Dec 20, 2021