Easy Operating System Detection with nmap

Recently I was doing some discovery at work of some systems we inherited.  I didn’t yet have access but wanted to determine what type of OS was involved so I could coordinate with the proper teams.
You can often guess just by seeing which ports are open, but the most efficient tool is the venerable nmap utility.  Using the -O (OS detection) and -sV (probe the open ports to identify each service and its version) flags together, you get a complete report.
Under the covers, nmap is running through a set of heuristics to determine what OS is most likely, based on what ports are open and unique “fingerprinting” of the device’s IP stack.  nmap maintains a database of over 2,000 IP fingerprints.  Different operating systems will set different values for things like initial TTL, max segment size, window scaling value, etc. and by analyzing packets, nmap can make an educated guess of what kind of OS is running.
It’s not 100% accurate, and nmap lacks the ability to say “this is definitely Windows Server 2012 with Service Pack 2 applied” or “this is definitely Debian 9 and not Debian 10” because operating systems in the same family often use the same IP stack.  But it is often an excellent start towards identification.
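To make that scoring concrete, here is a toy fingerprint matcher. It is an added example, not nmap's code, and its table is not nmap-os-db: every fingerprint value, weight and OS label in it is constructed for illustration, and nmap's real fingerprints compare far more than these five attributes. What it does show is the mechanism: observed stack traits are compared against stored ones, each candidate gets a percentage, and two entries that share an IP stack come out tied, which is exactly why the Windows scan below lists several servers at nearly the same confidence. (One practical caveat: -O needs raw packet privileges, so nmap has to run as root, hence the `#` prompts in the scans below.)

```python
"""Toy illustration of fingerprint-based OS guessing.

Added example: this is not nmap's code and the table below is not
nmap-os-db.  All fingerprint values, weights and labels are constructed
for the demo; nmap's real fingerprints compare many more tests than the
five attributes used here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StackTraits:
    """TCP/IP stack behaviour that can be observed in a host's replies."""
    initial_ttl: int    # TTL after normalising out the hops in transit
    window_size: int    # TCP window advertised in the SYN/ACK
    mss: int            # maximum segment size option
    window_scale: int   # window scale option
    df_bit: bool        # don't-fragment bit set on replies


# Constructed fingerprints (not real nmap-os-db entries).  The two
# Windows Server rows are identical on purpose: OSes in one family
# often share an IP stack, so a matcher cannot separate them and
# reports a tie, much like the post's Windows scan.
FINGERPRINTS = {
    "Windows Server 2016 (constructed)":    StackTraits(128, 8192, 1460, 8, True),
    "Windows Server 2012 R2 (constructed)": StackTraits(128, 8192, 1460, 8, True),
    "Linux 3.x/4.x (constructed)":          StackTraits(64, 29200, 1460, 7, True),
    "FreeBSD 12 (constructed)":             StackTraits(64, 65535, 1460, 6, True),
}

# Relative weight of each attribute in the match score (constructed).
WEIGHTS = {"initial_ttl": 30, "window_size": 30, "window_scale": 20,
           "mss": 10, "df_bit": 10}


def normalise_ttl(observed_ttl):
    """Map a TTL seen on the wire back to the nearest common initial
    value (64, 128 or 255); the difference is the path length in hops."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return 255


def score(observed, fingerprint):
    """Percentage of weighted attributes on which the two agree."""
    earned = sum(w for attr, w in WEIGHTS.items()
                 if getattr(observed, attr) == getattr(fingerprint, attr))
    return round(100 * earned / sum(WEIGHTS.values()))


def guess_os(observed, min_score=70):
    """Rank fingerprints by score, keeping only plausible candidates.
    Ties keep table order, which is why several OSes can be listed."""
    ranked = sorted(((name, score(observed, fp)) for name, fp in FINGERPRINTS.items()),
                    key=lambda pair: -pair[1])
    return [(name, s) for name, s in ranked if s >= min_score]


def guess_from_reply(ttl, window_size, mss, window_scale, df_bit):
    """Convenience wrapper taking raw values from a captured reply."""
    traits = StackTraits(normalise_ttl(ttl), window_size, mss, window_scale, df_bit)
    return guess_os(traits)


if __name__ == "__main__":
    # A reply with TTL 110 is 18 hops from an initial TTL of 128
    # (compare 'Network Distance: 18 hops' in the post's Windows scan).
    for name, pct in guess_from_reply(110, 8192, 1460, 8, True):
        print(f"{name} ({pct}%)")
```

Run it and the two constructed Windows rows come back tied at 100% while Linux and FreeBSD fall below the cut-off; change the window scale to 5 and the Linux row drops to 80% but still wins, which is the "educated guess" behaviour the text describes.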
For example, here is output of a Windows Server which is also running MySQL (all examples in this article have been slightly reformatted in terms of line breaks to fit the site’s theme):
# nmap -O -sV x.x.x.x
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-17 11:02 PDT
Nmap scan report for x.x.x.x
Host is up (0.22s latency).
Not shown: 994 closed tcp ports (reset)


PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2701/tcp open  cmrcservice   Microsoft Configuration Manager Remote Control service (CmRcService.exe)
3306/tcp open  mysql         MySQL 5.1.60-community-log
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Aggressive OS guesses: Microsoft Windows Server 2016 (93%),
Microsoft Windows Server 2008 R2 SP1 (92%), Microsoft Windows Server 2012 R2 (91%),
Microsoft Windows 10 1607 (90%), Microsoft Windows Server 2008 R2 (90%),
Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or
Windows Server 2012 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8 (87%),
Microsoft Windows Server 2008 R2 SP1 or Windows 8 (87%), Microsoft Windows 7 SP1 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 18 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.77 seconds
Here’s what a Debian 9 server I scanned looks like:
# time nmap -O -sV x.x.x.x
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-17 14:52 PDT
Nmap scan report for x.x.x.x
Host is up (0.0018s latency).
Not shown: 992 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
25/tcp   open  smtp        Postfix smtpd
80/tcp   open  http        nginx 1.10.3
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: EXAMPLE)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: EXAMPLe)
587/tcp  open  smtp        Postfix smtpd
3306/tcp open  mysql       MySQL 5.5.5-10.1.48-MariaDB-0+deb9u2
MAC Address: MM:MM:MM:MM:MM:MM (Asustek Computer)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts:   example.example.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds
And it’s really just that simple.  Next time you have a system on your network but are not sure what it is, try nmap’s OS detection tool to get a pretty good guess.
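The two scans above are what a person reads in a terminal; when you are inventorying a batch of inherited systems you want them as records you can sort and hand to the right team. Here is a parser for nmap's normal text output, added as an example that is not part of the post and not nmap's own code. It handles the fields visible in the scans above: the PORT/STATE/SERVICE/VERSION table, the "Aggressive OS guesses" list (which the site's theme wrapped across several lines; nmap itself prints it on one line, and the parser accepts both), "Running", "OS details", "Network Distance" and the "No exact OS matches" warning, and it flags hosts whose guess should be confirmed another way. The two sample scans embedded in it are constructed, modelled on the outputs above with TEST-NET addresses. For scripted use nmap's -oX (XML) output is the more robust input; this parser is for text you already have on screen.

```python
"""Turn nmap's normal -O -sV text output into an inventory record.

Added example (not from the original post and not nmap's own code).
Parses the fields visible in the post's scans.  The 'Aggressive OS
guesses' list is accepted both on one line (as nmap prints it) and
wrapped across lines (as the post's theme rendered it).
"""
import re

# Constructed sample, modelled on the Windows scan in the post.
SAMPLE_WINDOWS = """\
Nmap scan report for 192.0.2.10
Host is up (0.22s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
445/tcp  open  microsoft-ds?
3306/tcp open  mysql         MySQL 5.1.60-community-log
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Aggressive OS guesses: Microsoft Windows Server 2016 (93%),
Microsoft Windows Server 2008 R2 SP1 (92%), Microsoft Windows Server 2012 or
Windows Server 2012 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 18 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Constructed sample, modelled on the Debian scan in the post.
SAMPLE_LINUX = """\
Nmap scan report for 192.0.2.20
Host is up (0.0018s latency).
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
80/tcp   open  http        nginx 1.10.3
Device type: general purpose
Running: Linux 3.X|4.X
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
GUESS_RE = re.compile(r"\s*(.+?)\s+\((\d+)%\),?")
# Labels that terminate a wrapped 'Aggressive OS guesses' list.
FIELD_LABELS = ("No exact OS", "Network Distance", "Device type", "Running",
                "OS CPE", "OS details", "Service Info", "MAC Address",
                "OS and Service detection", "Nmap done")


def parse_nmap_normal(text):
    """Return a dict with host, open-port table and OS identification fields."""
    rec = {"host": None, "ports": [], "os_guesses": [], "running": None,
           "os_details": None, "distance_hops": None, "exact_match": True}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("Nmap scan report for "):
            rec["host"] = line.split("for ", 1)[1]
        elif (m := PORT_RE.match(line)):
            port, proto, state, service, version = m.groups()
            rec["ports"].append({"port": int(port), "proto": proto, "state": state,
                                 "service": service, "version": version})
        elif line.startswith("Aggressive OS guesses:"):
            buf = line.split(":", 1)[1]
            # Absorb continuation lines until the next labelled field.
            while i + 1 < len(lines):
                nxt = lines[i + 1].strip()
                if not nxt or nxt.startswith(FIELD_LABELS):
                    break
                i += 1
                buf += " " + nxt
            rec["os_guesses"] = [(name, int(pct)) for name, pct in GUESS_RE.findall(buf)]
        elif line.startswith("Running:"):
            rec["running"] = line.split(":", 1)[1].strip()
        elif line.startswith("OS details:"):
            rec["os_details"] = line.split(":", 1)[1].strip()
        elif line.startswith("Network Distance:"):
            rec["distance_hops"] = int(line.split(":", 1)[1].split()[0])
        elif line.startswith("No exact OS matches"):
            rec["exact_match"] = False
        i += 1
    return rec


def best_os(rec):
    """Best available label: the 'Running:' class when nmap found an exact
    match, else the top aggressive guess with its confidence (None if none)."""
    if rec["running"]:
        return rec["running"], None
    if rec["os_guesses"]:
        return rec["os_guesses"][0]
    return "unknown", None


def needs_review(rec, min_confidence=90):
    """True when the guess should be confirmed by another source before
    the host is assigned to a team."""
    name, pct = best_os(rec)
    if name == "unknown" or not rec["exact_match"]:
        return True
    return pct is not None and pct < min_confidence


if __name__ == "__main__":
    for sample in (SAMPLE_WINDOWS, SAMPLE_LINUX):
        r = parse_nmap_normal(sample)
        print(r["host"], best_os(r), "review" if needs_review(r) else "ok")
```

On the two samples the Windows host is flagged for review (nmap said "No exact OS matches" and the guesses are all in the low nineties, distance 18 hops) while the Debian host, one hop away with an exact "Running: Linux 3.X|4.X" match, is not; that is a sensible first triage rule before you go looking for credentials or asking the owning team.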
 
The post Easy Operating System Detection with nmap appeared first on LowEndBox.
