OS Detection only relies on false ICMP based fingerprinting

Hi,

on our scans some hosts are incorrectly recognized as Windows by the VT

OS Detection Consolidation and Reporting
OID: 1.3.6.1.4.1.25623.1.0.105937

which seems to consider only the ICMP based OS Fingerprinting result:

Best matching OS:

OS:           Microsoft Windows
CPE:          cpe:/o:microsoft:windows
Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
Concluded from ICMP based OS fingerprint
Setting key "Host/runs_windows" based on this information

Meanwhile, the VT Unknown OS and Service Banner Reporting (OID: 1.3.6.1.4.1.25623.1.0.108441) correctly identifies the hosts as Linux. Why are no other results considered by the “OS Detection Consolidation” VT? Is there anything we can do to improve the detection?

I tried to disable the ICMP based VT within the scan configuration - however, the VT is executed anyway. Is there a way to disable a VT completely?

Kind regards

Hi,

Yes, ICMP based OS fingerprinting is quite false-positive prone and is only the last resort if everything else fails.

Could you post the output from OID: 1.3.6.1.4.1.25623.1.0.108441 so we can have a look to improve the detection?


Hi,

sorry for the late response. This is the output from OID: 1.3.6.1.4.1.25623.1.0.108441:

Detection Result
Unknown banners have been collected which might help to identify the OS running on this host. If these banners containing information about the host OS please report the following information to https://community.greenbone.net/c/vulnerability-tests:

Banner: # Nmap 7.91 scan initiated Fri Apr 16 08:06:03 2021 as: nmap -T4 -n -Pn -sV -oN /tmp/nmap-XXX.XXX.XXX.XXX-1626123675 -O --osscan-limit -p 443,80,8080,8443,21,22,25,135,139,445,19105,25099,37166 XXX.XXX.XXX.XXX
Nmap scan report for XXX.XXX.XXX.XXX
Host is up (0.012s latency).

PORT      STATE    SERVICE      VERSION
21/tcp    closed   ftp
22/tcp    closed   ssh
25/tcp    closed   smtp
80/tcp    open     http         Apache httpd
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
443/tcp   open     ssl/http     Apache httpd
445/tcp   filtered microsoft-ds
8080/tcp  open     http         Apache Tomcat/Coyote JSP engine 1.1
8443/tcp  open     http         Apache Tomcat/Coyote JSP engine 1.1
19105/tcp closed   unknown
25099/tcp closed   unknown
37166/tcp closed   unknown
Device type: general purpose
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel:4.4
Aggressive OS guesses: Linux 2.6.32 (86%), Linux 2.6.32 or 3.10 (86%), Linux 4.4 (86%), Linux 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 9 hops
Service Info: Host: XXXXXXXXXXXXXXXXXX

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 16 08:06:22 2021 -- 1 IP address (1 host up) scanned in 19.51 seconds
Identified from: Nmap TCP/IP fingerprinting

Thank you for any help!

The info from the log entry is currently unused for the OS detection:

We had such OS detection based on Nmap in the past, but that did more harm than good for our purposes because the Nmap results are non-deterministic.

E.g., we have seen CPEs reported by Nmap in the past containing a Windows XP and a Windows 7 CPE, or even ones which reported a Linux and a Windows CPE side by side. The detection reliability of Nmap also largely depends on the Nmap version used on the scanner host.

As the device in question doesn’t expose any other useful banner information concerning the OS you currently have two options:

  1. Enable authenticated scans so that the OS can be determined in more detail
  2. Disable the ICMP based OS detection in the related VT 1.3.6.1.4.1.25623.1.0.102002 via the Run routine script preference (this is enabled / set to yes by default, but can be set to no to disable it).
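As an added illustration of the consistency problem the reply describes (this is example code written for this thread, not Greenbone's VT code or Nmap's own logic): the parser below reads the OS lines of the `-oN` output quoted above plus a constructed contradictory sample of the Linux-and-Windows-side-by-side kind, and only accepts a guess that names a single OS family and is either an exact match or above an assumed confidence threshold.

```python
import re

# Constructed sample: the OS lines of the Nmap -oN output quoted in this thread.
SAMPLE_NMAP_OUTPUT = """\
Device type: general purpose
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3.10 cpe:/o:linux:linux_kernel:4.4
Aggressive OS guesses: Linux 2.6.32 (86%), Linux 2.6.32 or 3.10 (86%), Linux 4.4 (86%), Linux 4.0 (85%)
No exact OS matches for host (test conditions non-ideal).
"""

# Constructed sample of the contradictory kind of result mentioned in the reply
# (a Linux and a Windows CPE reported side by side).
MIXED_NMAP_OUTPUT = """\
Running (JUST GUESSING): Linux 3.X (87%), Microsoft Windows 7 (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:microsoft:windows_7
"""

# Assumed pattern: OS CPEs of the form cpe:/o:<vendor>:<product>[:version...]
CPE_RE = re.compile(r"cpe:/o:([^:\s]+):([^:\s]+)")


def parse_os_guess(text):
    """Extract OS CPEs, the vendor:product families they belong to, whether Nmap
    claimed an exact match, the best confidence it printed, and whether the
    guess set is internally consistent (exactly one OS family)."""
    cpes = CPE_RE.findall(text)
    families = {f"{vendor}:{product}" for vendor, product in cpes}
    exact = "No exact OS matches" not in text and "JUST GUESSING" not in text
    percentages = [int(p) for p in re.findall(r"\((\d{1,3})%\)", text)]
    return {
        "cpes": [f"cpe:/o:{v}:{p}" for v, p in cpes],
        "families": sorted(families),
        "exact_match": exact,
        "max_confidence": max(percentages) if percentages else 0,
        "consistent": len(families) == 1,
    }


def usable_for_os_detection(text, min_confidence=90):
    """Assumed policy: trust the Nmap guess only if it is consistent and either
    exact or at/above min_confidence; anything else is left to other VTs."""
    result = parse_os_guess(text)
    if not result["consistent"]:
        return False
    return result["exact_match"] or result["max_confidence"] >= min_confidence
```

With the default threshold the quoted 86% guess is rejected, and the mixed sample is rejected at any threshold because it names two OS families.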