Determine operating system

Nmap is often used to detect the operating system a host is using. Detecting the operating system of a host is essential to every penetration tester for many reasons – including listing possible security vulnerabilities, determining the available system calls to set the specific exploit payloads, and other OS-dependent tasks. Nmap is known for having the most comprehensive OS fingerprint database and functionality.

Nmap includes a huge a database of the most common operating system fingerprints and can identify hundreds of operating systems based on how they respond to TCP/IP probes. To enable operating system detection, use the -O flag. Here is an example:

root@kali:~# nmap -O 192.168.5.102
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-04 21:16 CET
Nmap scan report for 192.168.5.102
Host is up (0.30s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
514/tcp filtered shell
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2049/tcp open nfs
3260/tcp open iscsi
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.47 seconds

In the output above you can see that Nmap has successfully recognized the operating system on the target host (it is indeed Windows Server 2012).

Nmap will even recognize network device (e.g. Cisco devices, Juniper switches):

root@kali:~# nmap -O 10.0.0.50
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-04 21:24 CET
Nmap scan report for 10.0.0.50
Host is up (0.0090s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.37
OS details: DD-WRT v24-sp2 (Linux 2.4.37)
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.64 seconds

You can also enable the verbose mode using the -v flag to detect additional host information:

root@kali:~# nmap -v -O 192.168.5.102
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-04 21:26 CET
Initiating Ping Scan at 21:26
Scanning 192.168.5.102 [4 ports]
Completed Ping Scan at 21:26, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:26
Completed Parallel DNS resolution of 1 host. at 21:26, 0.01s elapsed
Initiating SYN Stealth Scan at 21:26
Scanning 192.168.5.102 [1000 ports]
Discovered open port 139/tcp on 192.168.5.102
Discovered open port 111/tcp on 192.168.5.102
Discovered open port 21/tcp on 192.168.5.102
Discovered open port 80/tcp on 192.168.5.102
Discovered open port 3269/tcp on 192.168.5.102
Discovered open port 49158/tcp on 192.168.5.102
Discovered open port 636/tcp on 192.168.5.102
Completed SYN Stealth Scan at 21:29, 135.63s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.5.102
Nmap scan report for 192.168.5.102
Host is up (0.30s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: Incremental
Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.21 seconds
 Raw packets sent: 1693 (76.130KB) | Rcvd: 1032 (41.650KB)
SEE ALL Add a note
YOU
Add your Comment
 

Who’s Online

Profile picture of Olga
Profile picture of Veselin Mihaylov
Geek University 2021