If Nmap performs OS fingerprinting on a host and doesn't get a perfect OS match despite promising conditions (such as finding both open and closed ports accessible on the target), Nmap prints a subject fingerprint that shows all of the test results that Nmap
Tests aren't shown when Nmap has no useful results, such as when the relevant probe responses weren't received. A special line named SCAN gives extra details about the scan (such as Nmap version number) that provide useful context for integrating fingerprint submissions into nmap-os-db. A typical subject fingerprint is shown in Example 8.3.
Example 8.3. A typical subject fingerprint
OS:SCAN(V=4.85BETA4%D=3/27%OT=22%CT=1%CU=44663%PV=N%DS=0%G=Y%TM=49CD5E4B%P=
OS:i686-pc-linux-gnu)SEQ(SP=CB%GCD=1%ISR=CD%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M400
OS:CST11NW5%O2=M400CST11NW5%O3=M400CNNT11NW5%O4=M400CST11NW5%O5=M400CST11NW
OS:5%O6=M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R
OS:=Y%DF=Y%T=40%W=8018%O=M400CNNSNW5%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW5%RD=
OS:0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%R
OS:IPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Now you may look at this fingerprint and immediately understand what everything means. If so, you can simply skip this section. But I have never seen such a reaction. Many people probably think some sort of buffer overflow or unterminated string error is causing Nmap to spew garbage data at them. This section helps you decode the information so you can immediately tell that blind TCP sequence prediction attacks against this machine are moderately hard, but it may make a good idle scan (-sI) zombie.

The first step in understanding this fingerprint is to fix the line wrapping. The tests are all squished together, with each line wrapped at 71 characters. Then OS: is prepended to each line, raising the length to 74 characters. This makes fingerprints easy to cut and paste into the Nmap fingerprint submission form (see the section called “When Nmap Fails to Find a Match and Prints a Fingerprint”). Removing the prefix and fixing the word wrapping (each line should end with a right parenthesis) leads to the cleaned-up version in Example 8.4.
Example 8.4. A cleaned-up subject fingerprint
SCAN(V=4.85BETA4%D=3/27%OT=22%CT=1%CU=44663%PV=N%DS=0%G=Y%TM=49CD5E4B%P=i686-pc-linux-gnu)
SEQ(SP=CB%GCD=1%ISR=CD%TI=Z%CI=Z%II=I%TS=8)
OPS(O1=M400CST11NW5%O2=M400CST11NW5%O3=M400CNNT11NW5%O4=M400CST11NW5%O5=M400CST11NW5%O6=M400CST11)
WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)
ECN(R=Y%DF=Y%T=40%W=8018%O=M400CNNSNW5%CC=N%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW5%RD=0%Q=)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
While this still isn't the world's most intuitive format (we had to keep it short), the format is much clearer now. Every line is a category, such as SEQ for the sequence generation tests, T3 for the results from that particular TCP probe, and IE for tests related to the two ICMP echo probes.
Following each category name is a pair of parentheses enclosing the results of the individual tests. Each test takes the form <testname>=<value>. All of the possible categories, tests, and values are described in the section called “TCP/IP Fingerprinting Methods Supported by Nmap”. Consecutive tests are separated by a percent sign (%). A test value can be empty, leaving the percent sign or the category-terminating right parenthesis immediately following the equal sign. The string “O=%RD=0%Q=)” in T4 of our example shows two of these empty tests. A blank test value must match another blank value, so this empty TCP quirks Q value wouldn't match a fingerprint with Q set to RU.
In some cases, a whole test is missing rather than just its value. For example, T2 of our sample fingerprint has no W (TCP window), S (sequence number), A (acknowledgment number), T (TTL), or TG (TTL guess) tests. This is because the one test and value it does include, R=N, means that no response was returned for the T2 probe. So including a window value or sequence number would make little sense. Similarly, tests which aren't well supported on the system running Nmap are skipped. An example is the RID (IP ID field returned in ICMP packet) test, which doesn't work well on Solaris because that system tends to corrupt the ID field Nmap sends out. Tests which are inconclusive (such as failing to detect the IP ID sequence for the TI, CI, and II tests) are also omitted.
Decoding the SCAN line of a subject fingerprint
The SCAN line is a special case in a subject fingerprint. Rather than describe the target system, these tests describe various conditions of the scan. These help us integrate fingerprints submitted to Nmap.Org. The tests in this line are:
• Nmap version number (V).
• Date of scan (D) in the form month/day.
• Open and closed TCP ports (on target) used for scan (OT and CT). Unlike most tests, these are printed in decimal format. If Nmap was unable to find an open or a closed port, the test is included with an empty value (even when Nmap guesses a possibly closed port and sends a probe there).
• Closed UDP port (CU). This is the same as CT, but for UDP. Since the majority of scans don't include UDP, this test's value is usually empty.
• Private IP space (PV) is Y if the target is on the 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 private networks (RFC 1918). Otherwise it is N.
• Network distance (DS) is the network hop distance from the target. It is 0 if the target is localhost, 1 if directly connected on an ethernet network, or the exact distance if discovered by Nmap. If the distance is unknown, this test is omitted.
• Good results (G) is Y if conditions and results seem good enough to submit this fingerprint to Nmap.Org. It is N otherwise. Unless you force them by enabling debugging (-d) or extreme verbosity (-vv), G=N fingerprints aren't printed by Nmap.
• Target MAC prefix (M) is the first six hex digits of the target MAC address, which correspond to the vendor name. Leading zeros are not included. This field is omitted unless the target is on the same ethernet network (DS=1).
• The OS scan time (TM) is provided in Unix time_t format (in hexadecimal).
• The platform Nmap was compiled for is given in the P field.
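The unwrapping and parsing rules described earlier in this section, together with the SCAN line decoding above, as an added example in Python (this is not Nmap's own code). It strips the OS: prefix, rejoins the 71-character lines, splits each category into test/value pairs while keeping an empty value such as Q= distinct from a test that is absent altogether (as in T2(R=N)), re-emits the one-category-per-line form of Example 8.4, and converts the SCAN fields to typed values (decimal ports, hex TM to a UTC timestamp, DS and M absent when Nmap omits them). The value_matches helper is a deliberately simplified stand-in for nmap-os-db matching, handling only exact values and | alternatives, which is enough to show that an empty subject value matches only an empty reference value. The sample input is the fingerprint from Example 8.3, embedded as a constructed string.

```python
"""Decode an Nmap subject fingerprint (added example, not Nmap's own code)."""
import datetime

# Constructed input: the wrapped fingerprint from Example 8.3, exactly as
# Nmap prints it (71-character lines, each prefixed with "OS:").
RAW_FINGERPRINT = """\
OS:SCAN(V=4.85BETA4%D=3/27%OT=22%CT=1%CU=44663%PV=N%DS=0%G=Y%TM=49CD5E4B%P=
OS:i686-pc-linux-gnu)SEQ(SP=CB%GCD=1%ISR=CD%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M400
OS:CST11NW5%O2=M400CST11NW5%O3=M400CNNT11NW5%O4=M400CST11NW5%O5=M400CST11NW
OS:5%O6=M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R
OS:=Y%DF=Y%T=40%W=8018%O=M400CNNSNW5%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW5%RD=
OS:0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%R
OS:IPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
"""


def unwrap(raw):
    """Drop the "OS:" prefix from every line and rejoin the wrapped pieces."""
    pieces = []
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("OS:"):
            line = line[3:]
        pieces.append(line)
    return "".join(pieces)


def parse_fingerprint(text):
    """Split NAME(test=value%test=value...)NAME(...) into {name: {test: value}}.

    An empty value (e.g. "Q=") is kept as "" so it can be told apart from a
    test that is absent altogether (e.g. no "W" inside "T2(R=N)").
    """
    categories = {}
    pos = 0
    while pos < len(text):
        open_paren = text.index("(", pos)
        close_paren = text.index(")", open_paren)
        name = text[pos:open_paren]
        body = text[open_paren + 1:close_paren]
        tests = {}
        for item in (body.split("%") if body else []):
            key, sep, value = item.partition("=")
            if not sep:
                raise ValueError("malformed test %r in %s" % (item, name))
            tests[key] = value
        categories[name] = tests
        pos = close_paren + 1
    return categories


def cleaned_lines(categories):
    """Re-emit the fingerprint one category per line, as in Example 8.4."""
    return ["%s(%s)" % (name, "%".join("%s=%s" % kv for kv in tests.items()))
            for name, tests in categories.items()]


def decode_scan(scan):
    """Turn the SCAN pseudo-category into typed values.

    Ports are decimal (empty when Nmap found none); TM is a hex Unix time_t;
    DS and M are absent when unknown / not on the local ethernet segment.
    """
    def port(key):
        return int(scan[key]) if scan.get(key) else None

    return {
        "version": scan["V"],
        "date": scan["D"],
        "open_tcp": port("OT"),
        "closed_tcp": port("CT"),
        "closed_udp": port("CU"),
        "private": scan.get("PV") == "Y",
        "distance": int(scan["DS"]) if "DS" in scan else None,
        "good": scan.get("G") == "Y",
        "mac_prefix": scan.get("M"),
        "scan_time": datetime.datetime.fromtimestamp(int(scan["TM"], 16),
                                                     datetime.timezone.utc),
        "platform": scan["P"],
    }


def value_matches(subject, reference):
    """Simplified match of one subject value against a reference value.

    Only exact values and "|" alternatives are handled (nmap-os-db also allows
    hex ranges and >/< comparisons, which this example leaves out).  An empty
    subject value matches only an empty alternative, so Q="" does not match RU.
    """
    return subject in reference.split("|")


if __name__ == "__main__":
    fp = parse_fingerprint(unwrap(RAW_FINGERPRINT))
    print("\n".join(cleaned_lines(fp)))
    print(decode_scan(fp["SCAN"]))
```

Running the script prints the cleaned-up fingerprint of Example 8.4 followed by the decoded SCAN fields; TM=49CD5E4B decodes to 27 March 2009 UTC, agreeing with D=3/27.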