Discussion:
Incorrect OS listed in OpenVAS - HP JetDirect
Adam Kauffman
2017-04-25 22:46:03 UTC
To whom it may concern,
The NMAP banner is correct and the CPE based detection is wrong. The host is a Windows machine running Oracle Virtualbox. This system is listed as “Operating System: cpe:/h:hp:jetdirect” in OpenVAS.

<LOG CLIP>

Log (CVSS: 0.0)
NVT: OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937)
Summary
This script consolidates the OS information detected by several NVTs and tries to find the best matching OS.
Furthermore it reports all previously collected information leading to this best matching OS. It also reports possible additional informations which might help to improve the OS detection.
If any of this information is wrong or could be improved please consider to report these to openvas-***@wald.intevation.org.
Vulnerability Detection Result
Best matching OS:

OS: HP JetDirect
CPE: cpe:/h:hp:jetdirect
Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
Concluded from ICMP based OS fingerprint:
(80% confidence)

HP JetDirect
Setting key "Host/runs_unknown" based on this information

Unknown banners have been collected which might help to identify the OS running on this host. If these banners containing information about the host OS please report the following information to openvas-***@wald.intevation.org:

Banner: # Nmap 7.40 scan initiated Tue Apr 25 20:56:48 2017 as: nmap -n -Pn -sV -oN /tmp/nmap-172.16.15.148-323665694 -O --osscan-limit -p 3389,1947,135,21,22,25,80,443,15731,21071,34840 172.16.15.148
Nmap scan report for 172.16.15.148
Host is up (0.017s latency).
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp closed ssh
25/tcp closed smtp
80/tcp closed http
135/tcp open msrpc Microsoft Windows RPC
443/tcp closed https
1947/tcp open http Aladdin/SafeNet HASP license manager 18.00
3389/tcp open ms-wbt-server Microsoft Terminal Service
15731/tcp closed unknown
21071/tcp closed unknown
34840/tcp closed unknown
Device type: bridge|general purpose|switch
Running (JUST GUESSING): Oracle Virtualbox (96%), QEMU (94%), Cisco embedded (86%)
OS CPE: cpe:/o:oracle:virtualbox cpe:/a:qemu:qemu cpe:/h:cisco:css_11501
Aggressive OS guesses: Oracle Virtualbox (96%), QEMU user mode network gateway (94%), Cisco CSS 11501 switch (86%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 25 20:57:02 2017 -- 1 IP address (1 host up) scanned in 13.91 seconds
Identified from: Nmap TCP/IP fingerprinting

Banner: Server: HASP LM/18.00
Identified from: HTTP Server banner on port 1947/tcp
Log Method
Details: OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937)
Version used: $Revision: 5435 $
</LOG CLIP>

Adam Kauffman
Process Engineer
Cascade Engineering Technologies, Inc.
14707 SE River Rd.
Milwaukie, OR 97267
(503) 653-7999
(503) 653-6788 fax
(503) 957-3442 cell
www.cmm-measure.com<http://www.cmm-measure.com/>
AS9100C & ITAR Registered

Antu Sanadi
2017-04-26 07:08:33 UTC
Hi,

Thanks for reporting. Will take a look at this.

Regards,
Antu Sanadi
Christian Fischer
2017-08-01 13:12:44 UTC
Hi,
Post by Adam Kauffman
To whom it may concern,
The NMAP banner is correct and the CPE based detection is wrong. The host is a Windows machine running Oracle Virtualbox. This system is listed as “Operating System: cpe:/h:hp:jetdirect” in OpenVAS.
thanks for your report. For this specific scenario a generic Windows
should be detected now once the following NVT reaches the feed in
revision r6289:

os_detection.nasl
OS Detection Consolidation and Reporting
OID: 1.3.6.1.4.1.25623.1.0.105937
Regards,
--
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
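
A small triage check for the mismatch reported in this thread, added here as an example (not OpenVAS or Greenbone code): it flags a scan result whose best-match CPE shares no vendor with any CPE in the collected Nmap banner. The function names and the vendor-comparison heuristic are assumptions; the sample lines are copied from the log quoted in the first post.

```python
import re

# Excerpt of the report quoted in the thread (lines copied from the log).
SAMPLE_REPORT = """\
OS: HP JetDirect
CPE: cpe:/h:hp:jetdirect
Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
OS CPE: cpe:/o:oracle:virtualbox cpe:/a:qemu:qemu cpe:/h:cisco:css_11501
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Banner: Server: HASP LM/18.00
"""

CPE_RE = re.compile(r"cpe:/[^\s,;]+")


def parse_cpe(uri):
    """Split a CPE 2.2 URI into (part, vendor, product); missing fields are ''."""
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (3 - len(fields))
    return tuple(fields[:3])


def cpes_on_lines(report, prefix):
    """Collect every CPE URI on report lines that start with `prefix`."""
    found = []
    for line in report.splitlines():
        if line.lstrip().startswith(prefix):
            found.extend(CPE_RE.findall(line))
    return found


def review_os_result(report):
    """Compare the reported best-match CPE with the CPEs in the Nmap banner."""
    best = cpes_on_lines(report, "CPE:")
    if not best:
        return {"verdict": "no-best-match", "best": None, "candidates": []}
    service = cpes_on_lines(report, "Service Info:")  # from service banners
    guesses = cpes_on_lines(report, "OS CPE:")        # from TCP/IP fingerprint
    vendor = parse_cpe(best[0])[1]
    if any(parse_cpe(c)[1] == vendor for c in service + guesses):
        verdict = "corroborated"
    elif service or guesses:
        verdict = "conflict"
    else:
        verdict = "uncorroborated"
    # OS-type CPEs ('o') derived from service banners are what to verify by hand.
    candidates = [c for c in service if parse_cpe(c)[0] == "o"]
    return {"verdict": verdict, "best": best[0], "candidates": candidates}


if __name__ == "__main__":
    print(review_os_result(SAMPLE_REPORT))
```

A "conflict" verdict only marks the host for manual review; it does not decide which detection is right.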