0

I was checking the security of a server by running Nmap. Last time it gave me the following results, indicating that the OS could not be fingerprinted:

PORT     STATE    SERVICE    VERSION
21/tcp   filtered ftp
22/tcp   open     ssh        OpenSSH 5.2
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   filtered http
443/tcp  open     ssl/http   Nginx
1433/tcp filtered ms-sql-s
3306/tcp filtered mysql
8080/tcp filtered http-proxy
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host

I did the same scan using the same Nmap version recently; however, this time it reported a possible OS prediction:

PORT     STATE    SERVICE    VERSION 
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   open     http       Nginx
443/tcp  open     ssl/http   Nginx
1433/tcp filtered ms-sql-s
3306/tcp filtered mysql
8080/tcp filtered http-proxy
Device type: storage-misc|general purpose
Running (JUST GUESSING): Microsoft Windows PocketPC/CE|2000|XP|NT (92%)...
OS CPE: cpe:/o:microsoft:windows_ce cpe:/o:microsoft:windows_2000::sp4 ...

Aggressive OS guesses: AT&T U-Verse set-top box (Windows CE 5.0) (92%), Microsoft Windows...
No exact OS matches for host (test conditions non-ideal).

For both cases, all TCP ports are either filtered or open. Why does Nmap not report a missing closed TCP port in the second case? And does it rely on a closed TCP port to do OS fingerprinting?

Question Overflow
  • 5,220
  • 6
  • 27
  • 48
  • Why are you running nmap from a pentest website and not yourself? You have no idea how the server that is hosting the nmap has been configured. Run nmap on your own and then come back with questions. – schroeder Sep 20 '14 at 01:02

2 Answers

2

I've already written an answer to another question that details all the reasons a fingerprint may be non-ideal, but the short answer is yes, Nmap requires a closed TCP port to get the best match. But I'd guess that there are other things interfering with your scan if it's showing Nginx running on Windows CE.

Based on your output, I'd guess that the first scan used -d or -vv, but the second scan did not. The logic in output.cc says that the "No exact OS matches for host (test conditions non-ideal)." line only gets printed if there is a "reason", but the only condition under which the "reason" is not shown is if verbose is less than or equal to 1 and debugging is not turned on.

bonsaiviking
  • 11,316
  • 1
  • 27
  • 50
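To illustrate bonsaiviking's point, here is an added Python example (not Nmap's own code and not from either answer): it parses a port table like the ones in the question, applies the one-open-plus-one-closed TCP port check, and shows how a simplified model of the verbosity rule turns the same non-ideal condition into either the detailed "not ideal because" line or the terse "test conditions non-ideal" line. The message strings and the verbosity threshold come from the question and answer; the function names, the sample port table and the simplified control flow are assumptions.

```python
import re

# Constructed sample: a port table like the second scan in the question
# (open and filtered TCP ports only, no closed port), plus one UDP line.
SCAN_OUTPUT = """\
PORT     STATE         SERVICE    VERSION
21/tcp   filtered      ftp
22/tcp   filtered      ssh
53/udp   open|filtered domain
80/tcp   open          http       Nginx
443/tcp  open          ssl/http   Nginx
8080/tcp filtered      http-proxy
"""

# port/proto, state (may be a compound state such as open|filtered), service
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+([\w|]+)\s+(\S+)")


def parse_ports(text):
    """Return (port, proto, state) tuples from an Nmap-style port table."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3)))
    return ports


def fingerprint_conditions(ports):
    """Ideal OS detection needs at least one open and one closed TCP port.
    Returns the list of reasons the conditions are non-ideal (empty if ideal)."""
    tcp_states = {state for _, proto, state in ports if proto == "tcp"}
    reasons = []
    if "open" not in tcp_states:
        reasons.append("Missing an open TCP port so results incomplete")
    if "closed" not in tcp_states:
        reasons.append("Missing a closed TCP port so results incomplete")
    return reasons


def os_match_message(reasons, verbose=0, debugging=False):
    """Simplified model (assumption) of the verbosity rule from the answer:
    the detailed reason is shown only with -vv (verbose > 1) or -d."""
    if not reasons:
        return "OS fingerprint conditions ideal"
    if verbose > 1 or debugging:
        return "OS fingerprint not ideal because: " + "; ".join(reasons)
    return "No exact OS matches for host (test conditions non-ideal)."
```

Running the same port table through both verbosity levels reproduces the two outputs in the question: the scan is non-ideal in both cases, but only the -vv/-d run says why.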
0

Below is my response; I presume you're not scanning out of malicious intent and your question is thus legit. I hold no responsibility for whatever you deduce or what actions may follow based on this post.

In short, no. Nmap relies on typical timing, sequences and other identifiers to perform OS fingerprinting. It is also easily thwarted by in-between network configurations, host-specific 'tweaks' etc.

It would be informative for you to provide us with the exact Nmap commands used to scan the server; please do anonymize your target's IP address. There is more than one flag to initiate OS fingerprinting, and they do not do the same thing and will return different results.

If this machine is not in a network you manage, it might be that there was a security device in between which counters OS fingerprinting. Running the same scan a few times will keep giving different OS fingerprints, including 'none'.

  • Seriously? This is bogus, sorry, I'm not commenting anymore. I have the impression you're fooling someone if not yourself. – Saint Crusty Sep 19 '14 at 15:09