Strange NMAP behavior

Y C (Level 1)

We recently upgraded from 1.3 (no nmap probe option available) to 2.1 (defaults to policy nodes having nmap probe enabled).

Long story short - it's profiled a bunch of our devices improperly as cisco-router. Xerox & Ricoh printers, some apple devices, etc. Seems random. Apparently it gathered info that the device is a Cisco 3925 running this version IOS, or a 6506 running that version IOS...

How exactly does NMAP determine OS version? The probe description mentions it looks for open ports and OS version. Surely it relies on more than just open ports to determine a specific version.

operating-system: Cisco 6506 router (IOS 12.2)
operating-system-result: Cisco 6506 router (IOS 12.2)

operating-system: Cisco 2811 router (IOS 12.2 - 12.4) (accuracy 95%)
operating-system-result: Cisco 2811 router (IOS 12.2 - 12.4) (accuracy 95%)

marce1000 (Hall of Fame)

https://www.comparitech.com/net-admin/the-definitive-guide-to-nmap/#OS_Scanning

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Well, I guess what I should say is... regardless of what it uses, if it's this inaccurate what's the point? And the idea how it favors Cisco products is amusing. It's forgivable if it recognizes an ipad as an iphone... but a printer as a 6506? Really?

Surendra (Cisco Employee)
If not enough ports are open, there is something called an aggressive OS lookup that is done causing the misinterpretation of the operating system. ISE uses the operating system guess from nmap.org. It is an open source resource for nmap implementation.
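A defender-side sanity check, added here as an example and not code from the thread or from ISE: it parses nmap's XML output and refuses to treat an osmatch as trustworthy when the fingerprint lacked both an open and a closed port (the situation that forces an aggressive guess, as described above), when the accuracy is below a threshold, or when a runner-up match is close behind. The two scan fragments and the thresholds are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX fragments (not real scan output). The first mirrors the
# thread: a printer with a single open port and a confident-looking osmatch;
# the second is a fingerprint taken with both an open and a closed port.
WEAK_SCAN = """<nmaprun><host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <os>
    <portused state="open" proto="tcp" portid="9100"/>
    <osmatch name="Cisco 6506 router (IOS 12.2)" accuracy="95"/>
    <osmatch name="Xerox WorkCentre printer" accuracy="93"/>
  </os>
</host></nmaprun>"""

STRONG_SCAN = """<nmaprun><host>
  <address addr="192.0.2.11" addrtype="ipv4"/>
  <os>
    <portused state="open" proto="tcp" portid="22"/>
    <portused state="closed" proto="tcp" portid="1"/>
    <osmatch name="Cisco 2811 router (IOS 12.2 - 12.4)" accuracy="99"/>
  </os>
</host></nmaprun>"""


def assess_os_match(xml_text, min_accuracy=98, min_lead=5):
    """Decide whether nmap's top osmatch is solid enough to drive a profiling policy.

    Returns (trusted, reason, best_match_name). The thresholds are assumptions
    chosen for this example, not ISE or nmap defaults.
    """
    host = ET.fromstring(xml_text).find("host")
    matches = sorted(
        ((m.get("name"), int(m.get("accuracy"))) for m in host.iter("osmatch")),
        key=lambda nm: nm[1], reverse=True,
    )
    if not matches:
        return False, "nmap produced no osmatch", None
    best_name, best_acc = matches[0]
    # nmap's OS fingerprint is only reliable with at least one open and one
    # closed TCP port; with fewer it is an aggressive guess, whatever the number says.
    states = {p.get("state") for p in host.iter("portused")}
    if not {"open", "closed"} <= states:
        return False, "fingerprint lacked both an open and a closed port", best_name
    if best_acc < min_accuracy:
        return False, f"best accuracy {best_acc}% is below {min_accuracy}%", best_name
    if len(matches) > 1 and best_acc - matches[1][1] < min_lead:
        return False, f"runner-up '{matches[1][0]}' is within {min_lead} points", best_name
    return True, "ok", best_name


if __name__ == "__main__":
    for label, scan in (("weak", WEAK_SCAN), ("strong", STRONG_SCAN)):
        print(label, assess_os_match(scan))
```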

operating-system: Cisco Nexus 7000 switch (NX-OS 4.2.6) (accuracy 99%)
operating-system-result: Cisco Nexus 7000 switch (NX-OS 4.2.6) (accuracy 99%)

That's an apple device - so it thinks its wild guess was 99% accurate.

Sounds like turning it off was the right thing to do. It's a surprise this is enabled by default if it's known wild guesses like this can happen.