I was checking the security of a server by running Nmap. Last time it gives me the following results, indicating that OS could not be fingerprinted:
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 5.2
23/tcp filtered telnet
25/tcp filtered smtp
80/tcp filtered http
443/tcp open ssl/http Nginx
1433/tcp filtered ms-sql-s
3306/tcp filtered mysql
8080/tcp filtered http-proxy
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
I did the same scan using the same Nmap version recently, however this time it reports some possible OS prediction:
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
25/tcp filtered smtp
80/tcp open http Nginx
443/tcp open ssl/http Nginx
1433/tcp filtered ms-sql-s
3306/tcp filtered mysql
8080/tcp filtered http-proxy
Device type: storage-misc|general purpose
Running (JUST GUESSING): Microsoft Windows PocketPC/CE|2000|XP|NT (92%)...
OS CPE: cpe:/o:microsoft:windows_ce cpe:/o:microsoft:windows_2000::sp4 ...
Aggressive OS guesses: AT&T U-Verse set-top box (Windows CE 5.0) (92%), Microsoft Windows...
No exact OS matches for host (test conditions non-ideal).
For both cases, all TCP ports are either filtered or open. Why does Nmap not report a missing closed TCP port in the second case? And does it rely on a closed TCP port to do OS fingerprinting?