NMAP-how reliable is it?



  • I have just switched over to pfsense from dd-wrt x86.  I noticed something strange from one of my clients.  DHCP said that they were not active but bandwidthd was saying that a good bit of traffic was going to their IP.  I installed nmap and scanned the IP address and got:
    Warning:  OS detection for 192.168.180.23 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    Insufficient responses for TCP sequencing (0), OS detection may be less accurate
    Insufficient responses for TCP sequencing (0), OS detection may be less accurate
    Interesting ports on 192.168.180.23:
    Not shown: 1696 filtered ports
    PORT    STATE SERVICE    VERSION
    3689/tcp open  rendezvous Apple iTunes 7.6.2
    MAC Address: 00:11:F5:77:E6:FF (Askey Computer)
    Device type: general purpose
    Running (JUST GUESSING) : OpenBSD 3.X (92%), Microsoft Windows 2003/.NET|NT/2K/XP (87%)
    Aggressive OS guesses: OpenBSD 3.6 x86 with pf "scrub in all" (92%), Microsoft Windows 2003 Server or XP SP2 (87%), Microsoft Windows 2000 SP3 (87%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 1 hop
    Service Info: OS: Windows

    OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
    Nmap finished: 1 IP address (1 host up) scanned in 65.886 seconds

    I am wondering if they have set up a proxy to be able to have more than one machine online on a single IP.  I know it has percentages above but I would like some feedback from someone that has used nmap before I kick them off the system.  Also, how much will a machine connecting via a wireless repeater change any of the above results?  I have a main access point that this client was just a little too far away to reach.  I had a Belkin repeater that I set up for them.  The MAC listed above is the correct MAC for the client's computer (it's not the repeater).



  • With only one open port and everything else filtered, you can't get a fully accurate OS detection.

    The MAC address is key here - Askey Computer is the manufacturer of the device. From the looks of the products on their website, it's most likely a wireless access point. http://www.askey.com.tw

    Further complicating OS detection is the fact that the open port is likely not open on the device itself, I would guess; it's probably a port forward.

    The most likely situation is this is a wireless AP using NAT to connect multiple devices. If DHCP was showing it inactive, there's a good chance the person who installed it took whatever lease they were initially assigned and statically configured it.
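
An added example, not part of either post above: a small Python check that reads the scan output quoted in the question and lists the reasons its OS guess deserves little weight, alongside the MAC vendor the reply relies on instead. The function name `assess` and the caveat wording are assumptions of this example; the port-forward caveat restates the reply's reasoning, not something nmap reports.

```python
import re

# Nmap output as posted in the thread (duplicate warnings and a few lines trimmed).
SAMPLE = """\
Warning:  OS detection for 192.168.180.23 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on 192.168.180.23:
Not shown: 1696 filtered ports
PORT    STATE SERVICE    VERSION
3689/tcp open  rendezvous Apple iTunes 7.6.2
MAC Address: 00:11:F5:77:E6:FF (Askey Computer)
Running (JUST GUESSING) : OpenBSD 3.X (92%), Microsoft Windows 2003/.NET|NT/2K/XP (87%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows
"""

def assess(text):
    """Collect facts and reliability caveats from one host's nmap text output."""
    # Only open/closed ports answer fingerprint probes; filtered ones stay silent.
    states = dict((int(p), s) for p, s in
                  re.findall(r"^(\d+)/tcp\s+(open|closed)\b", text, re.M))
    run = re.search(r"^Running \(JUST GUESSING\)\s*:\s*(.+)$", text, re.M)
    guesses = [(n.strip(), int(p)) for n, p in
               re.findall(r"([^,]+?) \((\d+)%\)", run.group(1))] if run else []
    mac = re.search(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.+)\)$", text, re.M)
    banner = re.search(r"^Service Info: OS: (\S+)", text, re.M)
    caveats = []
    if not {"open", "closed"} <= set(states.values()):
        caveats.append("no open+closed TCP port pair, OS fingerprint is weak")
    if "No exact OS matches" in text:
        caveats.append("no exact OS match, guesses only")
    if len({name.split()[0] for name, _ in guesses}) > 1:
        caveats.append("top guesses disagree on OS family")
    if banner and list(states.values()).count("open") == 1:
        caveats.append("OS hint comes from one service banner, which may belong "
                       "to a host behind a port forward")
    return {
        "open_ports": sorted(p for p, s in states.items() if s == "open"),
        "guesses": guesses,
        "mac_vendor": mac.group(2) if mac else None,
        "banner_os": banner.group(1) if banner else None,
        "caveats": caveats,
    }

if __name__ == "__main__":
    result = assess(SAMPLE)
    for key in ("open_ports", "guesses", "mac_vendor", "banner_os"):
        print(f"{key}: {result[key]}")
    for c in result["caveats"]:
        print("caveat:", c)
```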

