Cisco switch SG350 recognized OS as Windows


I was faced with the wrongly recognized OS on Cisco switch SG350 which was marked as Windows OS. Therefore was applied a few vulnerabilities which were false positives. The highest is “OpenSSH Multiple Vulnerabilities Jan17 (Windows)” on port 22. I´m not sure which can cause this behavior, but my nmap -O -v give me:

OS fingerprint not ideal because: Host distance (7 network hops) is greater than five
No OS matches for host
Network Distance: 7 hops

My question is how to force for one IP a suggestion of related OS?

Thanks for any suggestions.

I dig deeper into this OS fingerprint result via Nmap, which is probably used in the Greenbone scan.

I need to specify more Nmap switches in scan settings to prevent OS gues with irrelevant results.

I need to add “nmap -sV -O -T5” to use these switches permanently.

Is Nmap feature hardcoded? Or how to achieve these changes?

Thanks for any suggestions.

I found this option - Scan Config NVT Ping Host - where is defined Nmap timing policy.

For me would be sufficient to change it to “Insane” which means -T5 in Nmap command.

T0 T1 T2 T3 T4 T5
Name Paranoid Sneaky Polite Normal Aggressive Insane
min-rtt-timeout 100 100 100 100 100 50
max-rtt-timeout 300,000 15,000 10,000 10,000 1,250 300
initial-rtt-timeout 300,000 15,000 1,000 1,000 500 250
max-retries 10 10 10 10 6 2
Initial (and minimum) scan delay (--scan-delay) 300,000 15,000 400 0 0 0
Maximum TCP scan delay 300,000 15,000 1,000 1,000 10 5
Maximum UDP scan delay 300,000 15,000 1,000 1,000 1,000 1,000
host-timeout 0 0 0 0 0 900,000
min-parallelism Dynamic, not affected by timing templates
max-parallelism 1 1 1 Dynamic Dynamic Dynamic
min-hostgroup Dynamic, not affected by timing templates
max-hostgroup Dynamic, not affected by timing templates
min-rate No minimum rate limit
max-rate No maximum rate limit
defeat-rst-ratelimit Not enabled by default

Who is facing the same behavior regarding wrong OS detection, this should be an easy workaround how to refine the test.

1 Like

Very cool @heewey, I’m glad you got it working and thank you for sharing the solution. :slight_smile: