OSDetectionAnomalies

The following pair of TOS mismatches is a very common network artifact, worth 75 points together. I have seen it with as few as three hops.

U1.TOS: "0" NOMATCH "C0" (50 points)
IE.TOSI: "Z" NOMATCH "S" (25 points)

TTL anomalies happen at larger distances: the guessed initial TTL in the T tests comes out a hop or two off the expected value. This is from a Linux host six hops away (3E = 62, where 40 = 64 was expected):

ECN.T: "3E" NOMATCH "40" (15 points)
T1.T: "3E" NOMATCH "40" (15 points)
T3.T: "3E" NOMATCH "40" (15 points)
T4.T: "3E" NOMATCH "40" (15 points)
T5.T: "3E" NOMATCH "40" (15 points)
T6.T: "3E" NOMATCH "40" (15 points)
T7.T: "3E" NOMATCH "40" (15 points)
U1.T: "3E" NOMATCH "40" (15 points)
IE.T: "3E" NOMATCH "40" (15 points)

Or from a Windows 2003 host five hops away (81 = 129, where 80 = 128 was expected):

ECN.T: "81" NOMATCH "80" (15 points)
T1.T: "81" NOMATCH "80" (15 points)
T2.T: "81" NOMATCH "80" (15 points)
T3.T: "81" NOMATCH "80" (15 points)
T4.T: "81" NOMATCH "80" (15 points)
T5.T: "81" NOMATCH "80" (15 points)
T6.T: "81" NOMATCH "80" (15 points)
T7.T: "81" NOMATCH "80" (15 points)
U1.T: "81" NOMATCH "80" (15 points)
IE.T: "81" NOMATCH "80" (15 points)

The phenomenon where DS=1 but there is no MAC address happens occasionally; I think it happens too frequently for it to be caused just by scanning on non-Ethernet networks. I think it is caused by an incorrect hop calculation. It often comes with network artifacts:

ECN.T: "3F" NOMATCH "40" (15 points)
T1.T: "3F" NOMATCH "40" (15 points)
T5.T: "3F" NOMATCH "40" (15 points)
U1.R: "Y" NOMATCH "N" (50 points)
IE.T: "100" NOMATCH "40" (15 points)
IE.TOSI: "S" NOMATCH "Z" (25 points)
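To separate these network artifacts from real fingerprint disagreements when reading a scan, the NOMATCH lines above can be parsed and bucketed automatically. The script below is an added example written for this page, not nmap code and not part of the original page: it parses lines in the format shown above, treats T mismatches whose guessed initial TTL is within a few hops of the expected value as a hop miscount, treats TOS/TOSI mismatches as TOS rewriting in transit, and totals the points lost per bucket. The bucket names, the `max_hop_error` threshold of 4 and the sample input are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample input, in the NOMATCH line format shown on this page:
#   <probe>.<test>: "<observed>" NOMATCH "<expected>" (<n> points)
SAMPLE = """\
ECN.T: "3F" NOMATCH "40" (15 points)
T1.T: "3F" NOMATCH "40" (15 points)
T5.T: "3F" NOMATCH "40" (15 points)
U1.R: "Y" NOMATCH "N" (50 points)
IE.T: "100" NOMATCH "40" (15 points)
IE.TOSI: "S" NOMATCH "Z" (25 points)
U1.TOS: "0" NOMATCH "C0" (50 points)
"""

LINE_RE = re.compile(
    r'^(?P<probe>\w+)\.(?P<test>\w+):\s*"(?P<seen>[^"]*)"\s+NOMATCH\s+'
    r'"(?P<want>[^"]*)"\s+\((?P<pts>\d+) points\)'
)


def parse(text):
    """Parse NOMATCH lines into dicts; lines in any other format are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pts"] = int(d["pts"])
            found.append(d)
    return found


def ttl_delta(seen, want):
    """Observed minus expected initial TTL (both hex); None if not hex."""
    try:
        return int(seen, 16) - int(want, 16)
    except ValueError:
        return None


def classify(mismatch, max_hop_error=4):
    """Bucket one mismatch. max_hop_error is an assumed threshold, not nmap's."""
    if mismatch["test"] == "T":
        delta = ttl_delta(mismatch["seen"], mismatch["want"])
        if delta is not None and abs(delta) <= max_hop_error:
            return "ttl_hop_miscount"   # e.g. 3E vs 40 (-2), 81 vs 80 (+1)
        return "ttl_other"             # e.g. 100 vs 40, far beyond a hop error
    if mismatch["test"] in ("TOS", "TOSI"):
        return "tos_rewritten"         # TOS/DSCP changed somewhere in the path
    return "other"                     # anything the page does not explain


def summarize(text, max_hop_error=4):
    """Return (points lost per bucket, tests in each bucket)."""
    points = defaultdict(int)
    tests = defaultdict(list)
    for m in parse(text):
        bucket = classify(m, max_hop_error)
        points[bucket] += m["pts"]
        tests[bucket].append(f'{m["probe"]}.{m["test"]}')
    return dict(points), dict(tests)


if __name__ == "__main__":
    pts, tests = summarize(SAMPLE)
    for bucket in sorted(pts):
        print(f"{bucket:18s} {pts[bucket]:4d} points  {', '.join(tests[bucket])}")
```

Run against the sample, the three small T mismatches land in the hop-miscount bucket (45 points), the two TOS mismatches in the TOS bucket (75 points), while IE.T "100" and U1.R stay separate so they are not waved away as network artifacts without a closer look.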
Page last modified on July 14, 2008, at 11:05 PM