Determine operating system

Nmap is often used to detect the operating system a host is running. Identifying the operating system of a host is essential to every penetration tester for many reasons – including listing possible security vulnerabilities, determining the available system calls so that the matching exploit payloads can be selected, and other OS-dependent tasks. Nmap is known for having the most comprehensive OS fingerprint database and detection functionality available.

Nmap includes a huge database of the most common operating system fingerprints and can identify hundreds of operating systems based on how they respond to a series of TCP/IP probes. To enable operating system detection, use the -O flag. Here is an example:

root@kali:~# nmap -O 192.168.5.102
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-04 21:16 CET
Nmap scan report for 192.168.5.102
Host is up (0.30s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
514/tcp filtered shell
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2049/tcp open nfs
3260/tcp open iscsi
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.47 seconds

In the output above you can see that Nmap has correctly identified the operating system on the target host: the candidate list includes Windows Server 2012, which is what the host is indeed running.

Nmap will even recognize network devices (e.g. Cisco devices, Juniper switches, or routers running DD-WRT):

root@kali:~# nmap -O 10.0.0.50
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-04 21:24 CET
Nmap scan report for 10.0.0.50
Host is up (0.0090s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.37
OS details: DD-WRT v24-sp2 (Linux 2.4.37)
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.64 seconds

You can also enable verbose mode with the -v flag to display additional host information, such as the TCP sequence prediction difficulty and the IP ID sequence generation method:

root@kali:~# nmap -v -O 192.168.5.102
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-04 21:26 CET
Initiating Ping Scan at 21:26
Scanning 192.168.5.102 [4 ports]
Completed Ping Scan at 21:26, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:26
Completed Parallel DNS resolution of 1 host. at 21:26, 0.01s elapsed
Initiating SYN Stealth Scan at 21:26
Scanning 192.168.5.102 [1000 ports]
Discovered open port 139/tcp on 192.168.5.102
Discovered open port 111/tcp on 192.168.5.102
Discovered open port 21/tcp on 192.168.5.102
Discovered open port 80/tcp on 192.168.5.102
Discovered open port 3269/tcp on 192.168.5.102
Discovered open port 49158/tcp on 192.168.5.102
Discovered open port 636/tcp on 192.168.5.102
Completed SYN Stealth Scan at 21:29, 135.63s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.5.102
Nmap scan report for 192.168.5.102
Host is up (0.30s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: Incremental
Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.21 seconds
 Raw packets sent: 1693 (76.130KB) | Rcvd: 1032 (41.650KB)
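When many hosts are scanned, the OS-detection fields are usually read from saved Nmap output rather than by eye. The following Python parser is an added example (not part of the original article or of Nmap itself) that extracts the Running / OS CPE / OS details lines, records whether Nmap printed the "OSScan results may be unreliable" warning seen in the DD-WRT scan above, and flags results such as "Windows 7|2012|XP" that list several candidates. The embedded sample text is an abridged, constructed copy of the second scan on this page.

```python
import re
from dataclasses import dataclass, field
# Constructed sample input: the DD-WRT scan shown above, abridged (not a live scan).
SAMPLE_SCAN = """\
Nmap scan report for 10.0.0.50
Not shown: 999 filtered ports
PORT STATE SERVICE
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.37
OS details: DD-WRT v24-sp2 (Linux 2.4.37)
"""

@dataclass
class OsResult:
    host: str = ""
    open_ports: list[int] = field(default_factory=list)
    closed_seen: bool = False          # Nmap saw at least one closed port
    running: list[str] = field(default_factory=list)  # candidate OS versions
    cpes: list[str] = field(default_factory=list)
    details: str = ""
    unreliable: bool = False           # Nmap printed the OSScan warning
    @property
    def ambiguous(self) -> bool:
        # "Windows 7|2012|XP": several candidates, so treat it as a guess, not a fact
        return len(self.running) > 1 or len(self.cpes) > 1

def parse_os_scan(text: str) -> OsResult:
    # Walk the normal (-oN style) output line by line and pick out the OS fields.
    r = OsResult()
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Nmap scan report for (\S+)", line):
            r.host = m.group(1)
        elif m := re.match(r"(\d+)/(?:tcp|udp)\s+(\w+)", line):
            if m.group(2) == "open":
                r.open_ports.append(int(m.group(1)))
            elif m.group(2) == "closed":
                r.closed_seen = True
        elif re.search(r"\d+ closed ports", line):   # "Not shown: 977 closed ports"
            r.closed_seen = True
        elif line.startswith("Warning: OSScan results may be unreliable"):
            r.unreliable = True
        elif line.startswith("Running:"):
            r.running = re.split(r"[|,]\s*", line[len("Running:"):].strip())
        elif line.startswith("OS CPE:"):
            r.cpes = line[len("OS CPE:"):].split()
        elif line.startswith("OS details:"):
            r.details = line[len("OS details:"):].strip()
    return r
```

A result with `unreliable` set (no open-plus-closed port pair, as in the DD-WRT scan) or `ambiguous` set (as in the Windows scan) should be rechecked against other evidence, for example service banners, before it is recorded in an asset inventory.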
Geek University 2022