OS - Detection

Hello,

I’m new to openvas. I’m using the community edition for testing purposes and have a problem with the OS detection. I’m using openvas in Kali Linux in a VM on top of VMware Workstation. I scanned different networks (about 100 hosts) and in many cases (80%) I’m getting the OS “HP JetDirect” (cpe:/h:hp:jetdirect).

I’ve seen that “ICMP based OS fingerprinting / detection.” (1.3.6.1.4.1.25623.1.0.102002) is responsible for this.

So I duplicated the “System Discovery” scan config and disabled the ICMP product detection. I also activated some other OS detections. But when I now use the new scan config I’m getting the same results. For this I deleted all old data before a new scan with the new config.

In this context I’ve the following questions:

  • Why is the OS detection in my case so inaccurate (with nmap I’m getting a much better result)? What am I doing wrong?
  • Why is the ICMP based OS fingerprinting used in my new scan config? I’ve disabled this kind of detection.

Thanks.

Peter
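One way to put a number on the question above, as an added example that is not part of the original post or of Greenbone's or nmap's own code: parse the OpenVAS report and an nmap -O scan of the same hosts, count how many hosts share one OS CPE, and classify per host whether the two tools agree. It assumes the GVM report XML follows the GMP get_reports shape (one host element per target with an ip element and a detail named best_os_cpe) and that the nmap XML is the -oX format with osmatch/osclass/cpe elements; both documents below are constructed samples, not real scan output.

```python
"""Compare OS detections from an OpenVAS/GVM report with an nmap -O scan.

Added example, not code from the thread or from Greenbone/nmap.
Assumptions: GVM report XML in the GMP get_reports shape (host/ip plus a
detail named best_os_cpe); nmap XML as written by -oX. Samples are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: four "HP JetDirect" hosts, one Windows host, one host
# with no OS detail at all (only a traceroute detail).
GVM_REPORT = """<report>
<host><ip>10.0.0.10</ip><detail><name>best_os_cpe</name><value>cpe:/h:hp:jetdirect</value></detail></host>
<host><ip>10.0.0.11</ip><detail><name>best_os_cpe</name><value>cpe:/h:hp:jetdirect</value></detail></host>
<host><ip>10.0.0.12</ip><detail><name>best_os_cpe</name><value>cpe:/h:hp:jetdirect</value></detail></host>
<host><ip>10.0.0.13</ip><detail><name>best_os_cpe</name><value>cpe:/h:hp:jetdirect</value></detail></host>
<host><ip>10.0.0.14</ip><detail><name>best_os_cpe</name><value>cpe:/o:microsoft:windows_server_2008</value></detail></host>
<host><ip>10.0.0.15</ip><detail><name>traceroute</name><value>10.0.0.1,10.0.0.15</value></detail></host>
</report>"""

# Constructed sample of nmap -oX output for the same six hosts.
NMAP_XML = """<nmaprun>
<host><address addr="10.0.0.10" addrtype="ipv4"/><os><osmatch name="HP JetDirect" accuracy="95"><osclass type="printer" vendor="HP" accuracy="95"><cpe>cpe:/h:hp:jetdirect</cpe></osclass></osmatch></os></host>
<host><address addr="10.0.0.11" addrtype="ipv4"/><os><osmatch name="Linux 4.15 - 5.6" accuracy="96"><osclass type="general purpose" vendor="Linux" accuracy="96"><cpe>cpe:/o:linux:linux_kernel:4</cpe></osclass></osmatch></os></host>
<host><address addr="10.0.0.12" addrtype="ipv4"/><os><osmatch name="Cisco IOS 12.X" accuracy="90"><osclass type="switch" vendor="Cisco" accuracy="90"><cpe>cpe:/o:cisco:ios:12</cpe></osclass></osmatch></os></host>
<host><address addr="10.0.0.13" addrtype="ipv4"/><os/></host>
<host><address addr="10.0.0.14" addrtype="ipv4"/><os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="93"><osclass type="general purpose" vendor="Microsoft" accuracy="93"><cpe>cpe:/o:microsoft:windows_server_2008:r2</cpe></osclass></osmatch></os></host>
<host><address addr="10.0.0.15" addrtype="ipv4"/><os><osmatch name="Linux 5.X" accuracy="92"><osclass type="general purpose" vendor="Linux" accuracy="92"><cpe>cpe:/o:linux:linux_kernel:5</cpe></osclass></osmatch></os></host>
</nmaprun>"""


def gvm_os(report_xml):
    """Map ip -> best_os_cpe; None when the report carries no OS for that host."""
    out = {}
    for host in ET.fromstring(report_xml).iter("host"):
        cpe = None
        for detail in host.findall("detail"):
            if detail.findtext("name") == "best_os_cpe":
                cpe = detail.findtext("value")
        out[host.findtext("ip")] = cpe
    return out


def nmap_os(nmap_xml):
    """Map ip -> set of OS CPEs nmap matched; empty set when nmap had no match."""
    out = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        ip = next(a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4")
        out[ip] = {c.text for c in host.iter("cpe") if c.text}
    return out


def cpe_family(cpe):
    """part:vendor:product of a CPE 2.2 URI, so version suffixes do not cause false mismatches."""
    return ":".join(cpe.split(":")[1:4]).lstrip("/")


def dominant_os(report_xml, threshold=0.5):
    """(cpe, share) when one CPE covers more than `threshold` of the hosts that got any
    OS at all, otherwise None. One product on most of a mixed network is a red flag."""
    cpes = [c for c in gvm_os(report_xml).values() if c]
    if not cpes:
        return None
    cpe, count = Counter(cpes).most_common(1)[0]
    share = count / len(cpes)
    return (cpe, share) if share > threshold else None


def compare(report_xml, nmap_xml):
    """Per host: agree, disagree, gvm_only, nmap_only or neither."""
    g, n = gvm_os(report_xml), nmap_os(nmap_xml)
    verdicts = {}
    for ip in sorted(set(g) | set(n)):
        gc, nc = g.get(ip), n.get(ip, set())
        if gc is None and not nc:
            verdicts[ip] = "neither"
        elif gc is None:
            verdicts[ip] = "nmap_only"
        elif not nc:
            verdicts[ip] = "gvm_only"
        elif cpe_family(gc) in {cpe_family(c) for c in nc}:
            verdicts[ip] = "agree"
        else:
            verdicts[ip] = "disagree"
    return verdicts


if __name__ == "__main__":
    print("dominant OS:", dominant_os(GVM_REPORT))
    for ip, verdict in compare(GVM_REPORT, NMAP_XML).items():
        print(ip, verdict)
```

Run it against a real export by replacing the two constants with the contents of the GMP report and the nmap -oX file; a `dominant_os` hit well above what the network can plausibly contain, combined with many `disagree` verdicts, is the signal that the scanner's view of the network (not the network itself) is off.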

Hello and welcome to this community.

There was some discussion around this topic a few weeks ago in the topic below:

Hello and thank you for your answer.

I can understand that some detections may be wrong. But in my case most of them are wrong.

Does this have any effect on further scans? For example, I have started an old Windows Server 2008 VM and hoped this one would get identified as out of support or something like this. Also I have an old switch running with default credentials and some other issues which I hoped would be recognized. Is this a consequence of the faulty OS detection? Or is the information from the system discovery not used for further scans?

Thanks.

Peter

Unfortunately this question is too generic / too broad to answer. It highly depends on the targets and the vulnerabilities, e.g.:

  • some might depend on the correct OS detection while others don’t need this information
  • the vulnerabilities in question might not be covered at all
  • the vulnerabilities in question might only be covered by the commercial GSF feed (if you’re using the community / GCF feed)

Maybe the high number of wrong OS detections is caused by a faulty network driver or a problem with VMware NAT mode. As I said before, I was surprised by the number of wrong OS detections. I couldn’t imagine that well-known software like openvas wouldn’t be able to detect the OS while tools like nmap, which seems to be used by openvas, do a good job. So I tested different scan configurations, some with credentials, some with different kinds of OS detection. The results were very strange. Sometimes I got different results by doing the same thing, always clearing the collected data beforehand.
My VM is sometimes not able to reach another system in the network when I start a scan. Maybe it happens when a high number of connections are open at the same time. At this point it’s not even possible to open a connection to a webserver with curl.

I changed the interface mode to bridged and - surprise surprise – it works like a charm.

Thanks

Peter