OS Detection only relies on false ICMP based fingerprinting


on our scans some hosts are incorrectly recognized as Windows by the VT

OS Detection Consolidation and Reporting

which seems to consider only the ICMP based OS Fingerprinting result:

Best matching OS:

OS:           Microsoft Windows
CPE:          cpe:/o:microsoft:windows
Found by NVT: (ICMP based OS Fingerprinting)
Concluded from ICMP based OS fingerprint
Setting key "Host/runs_windows" based on this information

While the VT Unknown OS and Service Banner Reporting (OID: correctly identifies the hosts as Linux. Why are no other results considered by the “OS Detection Consolidation” VT? Is there anything we can do to improve the detection?

I tried to disable the ICMP based VT within the scan configuration - however the VT will be executed anyways. Is there a way to disable a VT completely?

Kind regards


Yes, ICMP based OS fingerprinting is quite false positive prone and only the last resort if anything else fails.

Could you post the output from OID: so we can have a look to improve the detection?

1 Like


sorry for the late response. This is the output from OID:

Detection Result
Unknown banners have been collected which might help to identify the OS running on this host. If these banners containing information about the host OS please report the following information to https://community.greenbone.net/c/vulnerability-tests:

Banner: # Nmap 7.91 scan initiated Fri Apr 16 08:06:03 2021 as: nmap -T4 -n -Pn -sV -oN /tmp/nmap-XXX.XXX.XXX.XXX-1626123675 -O --osscan-limit -p 443,80,8080,8443,21,22,25,135,139,445,19105,25099,37166 XXX.XXX.XXX.XXX
Nmap scan report for XXX.XXX.XXX.XXX
Host is up (0.012s latency).

21/tcp    closed   ftp
22/tcp    closed   ssh
25/tcp    closed   smtp
80/tcp    open     http         Apache httpd
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
443/tcp   open     ssl/http     Apache httpd
445/tcp   filtered microsoft-ds
8080/tcp  open     http         Apache Tomcat/Coyote JSP engine 1.1
8443/tcp  open     http         Apache Tomcat/Coyote JSP engine 1.1
19105/tcp closed   unknown
25099/tcp closed   unknown
37166/tcp closed   unknown
Device type: general purpose
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel:4.4
Aggressive OS guesses: Linux 2.6.32 (86%), Linux 2.6.32 or 3.10 (86%), Linux 4.4 (86%), Linux 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 9 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 16 08:06:22 2021 -- 1 IP address (1 host up) scanned in 19.51 seconds
Identified from: Nmap TCP/IP fingerprinting

Thank you for any help!

The info from the log entry is currently unused for the OS detection:

We had such OS detection based on Nmap in the past but that did more bad then good for our purposes because the Nmap results are non-deterministic.

e.g. we have seen CPEs reported by Nmap in the past containing a Windows XP and a Windows 7 CPE or even ones which had reported a Linux and a Windows CPE side by side. The detection reliability of nmap also largely depends on the used Nmap version on the scanner host.

As the device in question doesn’t expose any other useful banner information concerning the OS you currently have two options:

  1. Enable authenticated scans so that the OS can be determined in more detail
  2. Disable the ICMP based OS detection in the related VT via the Run routine script preference (this is enabled / set to yes by default but can be set to no to disable it.)