Incorrect OS detection

We have a number of systems where device OS is being incorrectly identified as HP Jet Direct.

So far, we have found all of our Juniper Trapeze servers and some Aerohive wifi access points have been identified incorrectly. Some Aerohive access points are correctly shown as using HiveOS, even though all of the Aerohive points are identical.

What is the best way to get this corrected? Is there some information I could obtain and forward to get the detection process improved?

Thanks!

Depending on the available detection VTS, open ports etc. the OS detection might be just a best guess e.g. from nmap. The VTS “OS Detection Consolidation and Reporting” (OID 1.3.6.1.4.1.25623.1.0.105937) should have some further information on what base this guessing is done.

There is currently no detection available for Juniper Trapeze, which is why the OS detection is not accurate. We always appreciate information about such devices like open ports and service responses (e.g. curl output) to improve detection. You can PM me if you don’t want to put this public. Same goes for Aerohive.

3 Likes

Hi, sorry for the delay in replying. Looking at the Greenbone detection results for one of our Trapeze servers shows the following:

Detection Result

Best matching OS: OS: HP JetDirect
CPE: cpe:/h:hp:jetdirect
Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
Concluded from ICMP based OS fingerprint
Setting key “Host/runs_unixoide” based on this information

Detection Method

Details: OS Detection Consolidation and Reporting OID: 1.3.6.1.4.1.25623.1.0.105937
Version used: 2019-08-07T09:13:21Z

If I then run curl against the same Trapeze server, I get the following:-

HTTP/1.1 404 Not Found
Date: Aug 29, 11:34:04.291
Server: TreeNeWS/0.0.1
Mime-Version: 1.0
Content-Length: 173
Content-Type: text/html

Is this sort of information useful? I’m not familiar with curl so I may not be doing this right.
If you could let me know what curl options would produce more useful information, I’m happy to run it against any of our incorrectly identified servers so that detection can be improved.

Regards

2 Likes

Thanks for providing this information. The Server: TreeNeWS/0.0.1 banner seems to be quite common for embedded Linux/Unix systems running on devices like Enterasys RBT-8200, 3Com WX2200 or the mentioned Juniper Trapeze.

Based on this we could add some basic Linux/Unix OS Detection.

More detailed OS detection could be possible when providing the additional output of “Unknown OS and Service Banner Reporting (OID: 1.3.6.1.4.1.25623.1.0.108441)” (like described in Call for info: Unknown OS and Service Banner Reporting) and the HTML output of a possible login page gathered via curl with a call like e.g.:

curl -i example.com -o login_page

Please make sure that the login_page file doesn’t contain any sensitive information.

1 Like

Hi,

Running that curl command on the same Trapeze server doesn’t give much more detail (I’ve removed the actual IP address):

HTTP/1.1 302 OK
Date: Aug 30, 10:20:39.919
Server: TreeNeWS/0.0.1
Mime-Version: 1.0
Location: https://x.x.x.x/index.html
Content-Length: 67
Content-Type: text/html

Redirect

The actual page displayed is very simple and the source for this page doesn’t seem to include any identifying characteristics – even the graphic is just called logo.gif with alt="Company Logo". I have attached the html & screenshot.

I’ve also attached a file containing the detection outputs from “Unknown OS and Service Banner Reporting (OID: 1.3.6.1.4.1.25623.1.0.108441)”.

Thanks!
Attachments: Trapeze login page.txt (1.4 KB), Trapeze detection.txt (5.5 KB)

2 Likes

Thanks for providing this detailed information.

This is more than enough and I have raised an internal ticket with this information so that a product detection including the detection of the OS is implemented for such devices.

2 Likes

A few improvements have been done which should be included in the feed as of today:

  1. Basic OS Detection capabilities for such devices based on the Telnet, SSH and HTTP banner were added to GSF and GCF.
  2. More advanced OS Detection capabilities for such devices based on some additional HTTP identifiers were added to the GSF only.

1 Like

As an additional note, the changes above are only valid for Juniper/Trapeze devices.

It’s still unclear why the Aerohive points are partly not detected as such. The detection for these devices is happening via HTTP at the /index.php5 URL; maybe you can provide similar information to that previously requested for these devices?

1 Like

Most of the Aerohive units are ok. It looks like the ones that are identified as HP printers do not have an accessible login page. I’m investigating why that is. The curl output from all of them is:

HTTP/1.1 302 Found
Date: Mon, 09 Sep 2019 11:32:48 GMT
Server: Hiawatha v9.6
Connection: keep-alive
X-XSS-Protection: 1;mode=block
X-Frame-Options: sameorigin
Transfer-Encoding: chunked
Status: 302 Moved Temporarily
Location:https://x.x.x.x/index.php5
Content-type: text/html

Incidentally, there’s currently no identifying graphic for HiveOS. Only the default question mark is shown. Is there any chance of getting a logo made for this?

Thanks.

Thanks again for providing this information, the detection of HiveOS indeed requires the HTTP login page to be accessible.

There is currently no additional OS detection possible if no other detailed information/banners (like e.g. an SSH banner or similar) reported by e.g. “Unknown OS and Service Banner Reporting (OID: 1.3.6.1.4.1.25623.1.0.108441)” is available.

In such a case the ICMP based OS Detection jumps in, which is the most unreliable one (as seen in the detection of the OS as “HP JetDirect”).

1 Like
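As an added illustration of the consolidation logic described in this thread (banner-based HTTP evidence ranked above the ICMP fallback), here is a small Python script that is not Greenbone's own NASL code: the rules, confidence values and CPE strings are constructed for this example, and the sample responses are built from the curl headers quoted above.

```python
# Added example, not Greenbone/OpenVAS code: a minimal OS-evidence
# "consolidation" in the spirit of the thread. Rule set, confidence
# values and CPE strings are constructed assumptions for illustration.
import re

# (header, regex over its value, OS name, CPE, confidence 0-100).
# Ordering mirrors the thread: a specific HTTP identifier (the HiveOS
# /index.php5 login URL) beats a bare Server banner, and ICMP
# fingerprinting is only used when nothing better is available.
HTTP_RULES = [
    ("location", r"/index\.php5$", "Aerohive HiveOS", "cpe:/o:aerohive:hiveos", 90),
    ("server", r"^TreeNeWS/", "Linux/Unix (embedded, e.g. Juniper Trapeze)", "cpe:/o:linux:kernel", 60),
]
# What the ICMP fingerprint reported for these hosts, at lowest confidence.
ICMP_FALLBACK = ("HP JetDirect", "cpe:/h:hp:jetdirect", 10)

def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercase header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:  # tolerates "Location:https://..." with no space
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def http_os_guesses(raw):
    """Return every HTTP rule that matches the response as (os, cpe, confidence)."""
    _, headers = parse_headers(raw)
    hits = []
    for header, pattern, os_name, cpe, conf in HTTP_RULES:
        if re.search(pattern, headers.get(header, ""), re.IGNORECASE):
            hits.append((os_name, cpe, conf))
    return hits

def best_matching_os(raw_http=None, icmp_hit=False):
    """Pick the highest-confidence guess; ICMP only wins when no banner matched."""
    candidates = http_os_guesses(raw_http) if raw_http else []
    if icmp_hit:
        candidates.append(ICMP_FALLBACK)
    return max(candidates, key=lambda c: c[2]) if candidates else None

# Constructed samples abbreviated from the headers quoted in this thread.
TRAPEZE = "HTTP/1.1 302 OK\r\nServer: TreeNeWS/0.0.1\r\nLocation: https://x.x.x.x/index.html\r\n\r\nRedirect"
AEROHIVE = "HTTP/1.1 302 Found\r\nServer: Hiawatha v9.6\r\nLocation:https://x.x.x.x/index.php5\r\n\r\n"
```

A host whose login page is unreachable contributes no HTTP evidence, so `best_matching_os(None, icmp_hit=True)` falls through to the JetDirect fallback, which is exactly the misdetection the thread observed.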