Discussion:
Linux vs. Windows results
Sandro Poppi
2009-11-09 12:58:12 UTC
Hi,

I ran into an interesting (weird?) behaviour of os detection of nmap v5.00:

Sometimes (not always) I get inaccurate results when I scan from a linux box while doing the same scan from a Windows XP box the os detection is perfect.

E.G. scanning a Windows 2003 Server SP2 (nmap -O -sSU -T4 <target>):

Linux: No exact OS matches
Windows: OS Details: Microsoft Windows Server 2003 SP1 or SP2

Scanner:
Linux: Fedora 11 with Fedora nmap rpm
Windows XP SP3: nmap.exe from nmap.org, WinPCap 4.0.2

nmap-os-db is identical on both systems

I haven't found anything similar in the archive so I wonder if it's only me having this issue or if anyone else also has seen it, and ideally what the solution would be.

Thank you for your time,
Sandro
Sandro Poppi
2009-11-09 16:08:20 UTC
Hi again,

It seems I don't run into a Linux vs Windows but nmap vs vmware issue ;)

I set up a new linux box and it worked instantly. Only difference now is the other linux is running under vmware.

Anyway I can't explain why this happens. Or is it as simple as "Don't run nmap under vmware"?

Thanks,
Sandro

-------- Original Message --------
Date: Mon, 09 Nov 2009 13:58:12 +0100
Subject: Linux vs. Windows results
Hi,
Sometimes (not always) I get inaccurate results when I scan from a linux
box while doing the same scan from a Windows XP box the os detection is
perfect.
Linux: No exact OS matches
Windows: OS Details: Microsoft Windows Server 2003 SP1 or SP2
Linux: Fedora 11 with Fedora nmap rpm
Windows XP SP3: nmap.exe from nmap.org, WinPCap 4.0.2
nmap-os-db is identical on both systems
I haven't found anything similar in the archive so I wonder if it's only
me having this issue or if anyone else also has seen it, and ideally what
the solution would be.
Thank you for your time,
Sandro
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Ron
2009-11-09 16:10:15 UTC
That's interesting, because a significant number of people (myself
included) run it almost exclusively under VMWare. I'd like to rule out
VMWare as the cause, but you never know.
Post by Sandro Poppi
Hi again,
It seems I don't run into a Linux vs Windows but nmap vs vmware issue ;)
I set up a new linux box and it worked instantly. Only difference now is the other linux is running under vmware.
Anyway I can't explain why this happens. Or is it as simple as "Don't run nmap under vmware"?
Thanks,
Sandro
-------- Original Message --------
Date: Mon, 09 Nov 2009 13:58:12 +0100
Subject: Linux vs. Windows results
Hi,
Sometimes (not always) I get inaccurate results when I scan from a linux
box while doing the same scan from a Windows XP box the os detection is
perfect.
Linux: No exact OS matches
Windows: OS Details: Microsoft Windows Server 2003 SP1 or SP2
Linux: Fedora 11 with Fedora nmap rpm
Windows XP SP3: nmap.exe from nmap.org, WinPCap 4.0.2
nmap-os-db is identical on both systems
I haven't found anything similar in the archive so I wonder if it's only
me having this issue or if anyone else also has seen it, and ideally what
the solution would be.
Thank you for your time,
Sandro
DePriest, Jason R.
2009-11-10 03:38:58 UTC
Post by Sandro Poppi
Hi again,
It seems I don't run into a Linux vs Windows but nmap vs vmware issue ;)
I set up a new linux box and it worked instantly. Only difference now is the other linux is running under vmware.
Anyway I can't explain why this happens. Or is it as simple as "Don't run nmap under vmware"?
Thanks,
Sandro
Could it be possible that you are overwhelming the network adapter
translation from virtual-NIC to physical NIC?

Do you have the vmware tools installed on the linux guest? What
virtual hardware for the NIC is it using and what module do you have
loaded for the driver?

Are you using NAT or bridged networking?

I have had problems with scanning from a host to a guest OS when the
guest OS doesn't have the vmware tools available. For example, if I
scan a BeOS guest OS from my Windows host, I have to turn the timing
way down or the BeOS guest locks up.

-Jason
Sandro Poppi
2009-11-10 13:03:48 UTC
Post by DePriest, Jason R.
Could it be possible that you are overwhelming the network adapter
translation from virtual-NIC to physical NIC?
Not sure, but I doubt it.
Post by DePriest, Jason R.
Do you have the vmware tools installed on the linux guest? What
virtual hardware for the NIC is it using and what module do you have
loaded for the driver?
I can't install vmware-tools since with Fedora 11 I get compile errors. I installed open-vm-tools though, but that didn't help.

The NIC's module is e1000
Post by DePriest, Jason R.
Are you using NAT or bridged networking?
It's bridged.

Sandro
David Fifield
2009-11-10 00:17:19 UTC
Post by Sandro Poppi
Sometimes (not always) I get inaccurate results when I scan from a
linux box while doing the same scan from a Windows XP box the os
detection is perfect.
Linux: No exact OS matches
Windows: OS Details: Microsoft Windows Server 2003 SP1 or SP2
This could be caused by different network conditions between the two
scanning machines and the target. Are they all on the same network?

Does the Linux scan print out a fingerprint? If so, then it probably had
a very close, but not exact, match. Try adding the --osscan-guess option
to force it to be printed.

David Fifield
Sandro Poppi
2009-11-10 13:07:58 UTC
Post by David Fifield
This could be caused by different network conditions between the two
scanning machines and the target. Are they all on the same network?
no, the vmware is "nearer" (5 hops), the "native" linux is 9 hops.
Post by David Fifield
Does the Linux scan print out a fingerprint? If so, then it probably had
a very close, but not exact, match. Try adding the --osscan-guess option
to force it to be printed.
Yes, it does, but even with --osscan-guess it's not fitting in any way.

Sandro
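
The comparison the fingerprint questions above lead to, as an added example that is not part of the original thread: a Python sketch that parses the OS fingerprints Nmap prints on a no-match scan and lists the probes that disagree between two vantage points. Both fingerprints are constructed, abbreviated samples, and the function names are hypothetical.

```python
import re

# One test is NAME(attr=val%attr=val...), e.g. T1(R=Y%DF=Y%T=80)
TEST_RE = re.compile(r"([A-Z][A-Z0-9]*)\(([^)]*)\)")

# Constructed, abbreviated samples (not taken from the thread).
VM_FP = """
OS:SCAN(V=5.00%D=11/9%OT=135%CT=1%CU=1%PV=N%DS=5%G=Y)SEQ(SP=FD%GCD=1%ISR=1
OS:07%TI=I%II=I%SS=S%TS=0)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T5(R=N)U1
OS:(R=N)IE(R=Y%DFI=S%T=80%CD=Z)
"""
NATIVE_FP = """
SCAN(V=5.00%D=11/9%OT=135%CT=1%CU=1%PV=N%DS=9%G=Y)
SEQ(SP=101%GCD=1%ISR=107%TI=I%II=I%SS=S%TS=0)
T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)
T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=80%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=S%T=80%CD=Z)
"""

def parse_fingerprint(text):
    """Return {test: {attr: value}}; accepts plain or 'OS:'-wrapped form."""
    # The wrapped form splits tests across lines, so rejoin before matching.
    joined = "".join(re.sub(r"^OS:", "", ln.strip()) for ln in text.splitlines())
    tests = {}
    for name, body in TEST_RE.findall(joined):
        pairs = (p.partition("=") for p in body.split("%") if p)
        tests[name] = {key: value for key, _, value in pairs}
    return tests

def diff_fingerprints(a, b, skip=("SCAN",)):
    """List (test, attr, value_a, value_b) for every disagreement."""
    # A probe answered on one side only is reported once, via R, instead of
    # once per attribute. SCAN holds scan metadata, so it is skipped.
    out = []
    for test in sorted(set(a) | set(b)):
        if test in skip:
            continue
        ta, tb = a.get(test, {}), b.get(test, {})
        if ta.get("R") != tb.get("R"):
            out.append((test, "R", ta.get("R"), tb.get("R")))
            continue
        for attr in sorted(set(ta) | set(tb)):
            if ta.get(attr) != tb.get(attr):
                out.append((test, attr, ta.get(attr), tb.get(attr)))
    return out

if __name__ == "__main__":
    for row in diff_fingerprints(parse_fingerprint(VM_FP), parse_fingerprint(NATIVE_FP)):
        print(*row)
```

Rows where `R` is `N` on one side and `Y` on the other mark probes whose replies reached only one scanner, which is the first thing to compare when the same nmap-os-db gives different results from two hosts.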