Using OS Identification with Nmap
Nmap can be used to fingerprint operating systems. Here is a typical session:
[root@srv-1 usr-1]# nmap -O --min_rtt_timeout=6000 10.50.100.1-80
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-05-05 12:49 PDT
Interesting ports on 10.50.100.1:
(The 1656 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
6000/tcp open X11
32771/tcp open sometimes-rpc5
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 2.752 days (since Tue May 2 18:48:21 2006)
Interesting ports on 10.50.100.4:
(The 1625 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
12/tcp filtered unknown
45/tcp filtered mpm
53/tcp filtered domain
63/tcp filtered via-ftp
78/tcp filtered vettcp
80/tcp filtered http
113/tcp filtered auth
135/tcp open msrpc
139/tcp open netbios-ssn
209/tcp filtered tam
262/tcp filtered arcisdms
554/tcp filtered rtsp
575/tcp filtered vemmi
702/tcp filtered unknown
729/tcp filtered netviewdm1
779/tcp filtered unknown
817/tcp filtered unknown
823/tcp filtered unknown
909/tcp filtered unknown
947/tcp filtered unknown
1080/tcp filtered socks
1155/tcp filtered nfa
1241/tcp filtered nessus
1387/tcp filtered cadsi-lm
1404/tcp filtered igi-lm
1481/tcp filtered airs
1544/tcp filtered aspeclmd
1723/tcp filtered pptp
5190/tcp filtered aol
5300/tcp filtered hacl-hb
5800/tcp open vnc-http
5900/tcp open vnc
6009/tcp filtered X11:9
6502/tcp filtered netop-rc
18181/tcp filtered opsec_cvp
MAC Address: 00:A0:CC:3F:9B:A1 (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows Server 2003 or XP SP2
Interesting ports on 10.50.100.8:
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
280/tcp open http-mgmt
515/tcp open printer
631/tcp open ipp
9100/tcp open jetdirect
MAC Address: 00:01:E6:28:03:E0 (Hewlett-Packard Company)
Device type: printer|print server
Running: HP embedded
OS details: HP LaserJet printer/print server
Interesting ports on 10.50.100.9:
(The 1656 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
23/tcp open telnet
79/tcp open finger
2005/tcp open deslogin
6005/tcp open X11:5
MAC Address: 00:50:0F:02:54:CC (Cisco Systems)
Device type: router
Running: Cisco IOS 11.X|12.X
OS details: Cisco IOS 11.3 - 12.0(11), Cisco IOS v11.14(CA)/12.0.2aT1/v12.0.3T
The -O flag turns on OS fingerprinting. The --min_rtt_timeout=6000 option (spelled --min-rtt-timeout in current Nmap releases, which still accept the underscore form) sets a floor on how long Nmap waits for a reply to each probe. The value is in milliseconds, so Nmap will wait at least 6 seconds for any single probe before treating it as lost. By default Nmap derives this timeout from the round-trip times it has already observed, so when the first hosts answer quickly the timeout can shrink below what slower hosts need and their probes time out: ports, and sometimes whole hosts, are then missed or misreported. The downside of raising the floor is a slower scan, so if your hosts and network respond consistently you can usually leave the option out. The 10.50.100.1-80 argument scans every address from 10.50.100.1 through 10.50.100.80.

In this scan we found a GNU/Linux box, a Microsoft Windows box, an HP JetDirect print server, and a Cisco router. Besides the OS guess, the output gives an inventory of open and filtered ports on each host (the long list of filtered ports on the Windows box means something is dropping those probes, typically a host or network firewall), and for hosts on the scanner's own Ethernet segment the MAC address and its vendor. Nmap learns MAC addresses by ARP, so a host with no MAC line, like the first one here, was either reached through a router or is the scanning machine itself. When reading the OS lines, keep in mind that Nmap needs at least one open and one closed TCP port on the target for a reliable fingerprint, that a Running: line listing alternatives separated by | means it could not narrow the match further, and that the reported uptime comes from the TCP timestamp option, which not every stack sets.
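Turning a scan like the one above into a per-host inventory is usually the next step, so here is an added example (not code from the page or from the Nmap project) that parses Nmap's human-readable output into records and flags the conditions that weaken an OS guess: no MAC learned, an un-narrowed Running: line, filtered ports. The sample input is an abridged copy of the session shown above; the HostRecord field names and the caveat wording are this example's own choices, and it assumes Python 3.8 or later. Nmap's grepable (-oG) and XML (-oX) outputs are the supported machine-readable formats and should be preferred for real tooling; the normal format is parsed here only because it is what the page reproduces.

```python
"""Parse Nmap "normal" output into per-host records.  Added example, not code
from the page or from Nmap.  Python 3.8+ (uses assignment expressions)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: an abridged copy of the session on the page.  Nmap pads
# the PORT/STATE/SERVICE columns with spaces; the page has that whitespace
# collapsed, and the regexes below accept either form.
SAMPLE = """\
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-05-05 12:49 PDT
Interesting ports on 10.50.100.1:
(The 1656 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
6000/tcp open X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 2.752 days (since Tue May 2 18:48:21 2006)
Interesting ports on 10.50.100.4:
(The 1625 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp filtered http
135/tcp open msrpc
139/tcp open netbios-ssn
MAC Address: 00:A0:CC:3F:9B:A1 (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows Server 2003 or XP SP2
Interesting ports on 10.50.100.8:
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
9100/tcp open jetdirect
MAC Address: 00:01:E6:28:03:E0 (Hewlett-Packard Company)
Device type: printer|print server
Running: HP embedded
OS details: HP LaserJet printer/print server
"""


@dataclass
class HostRecord:          # field names are this example's own choice
    ip: str
    closed: int = 0        # ports omitted from the listing because they were closed
    ports: List[Tuple[int, str, str, str]] = field(default_factory=list)  # (port, proto, state, service)
    mac: Optional[str] = None
    vendor: Optional[str] = None
    device_type: Optional[str] = None
    running: Optional[str] = None
    os_details: Optional[str] = None
    uptime: Optional[str] = None


HOST_RE = re.compile(r"^Interesting ports on (\S+):")
CLOSED_RE = re.compile(r"^\(The (\d+) ports scanned but not shown below are in state: closed\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?")
PREFIXED = {"Device type: ": "device_type", "Running: ": "running",
            "OS details: ": "os_details", "Uptime ": "uptime"}


def parse_nmap_normal(text: str) -> List[HostRecord]:
    """One HostRecord per 'Interesting ports on' block, in scan order."""
    hosts: List[HostRecord] = []
    cur: Optional[HostRecord] = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = HostRecord(ip=m.group(1))
            hosts.append(cur)
        elif cur is None:
            continue                       # banner lines before the first host
        elif m := CLOSED_RE.match(line):
            cur.closed = int(m.group(1))
        elif m := PORT_RE.match(line):
            cur.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif m := MAC_RE.match(line):
            cur.mac, cur.vendor = m.group(1), m.group(2)
        else:
            for prefix, attr in PREFIXED.items():
                if line.startswith(prefix):
                    setattr(cur, attr, line[len(prefix):].strip())
                    break
    return hosts


def ports_in_state(h: HostRecord, state: str) -> List[int]:
    return [port for port, _proto, s, _svc in h.ports if s == state]


def fingerprint_caveats(h: HostRecord) -> List[str]:
    """Conditions that make the OS guess for this host less trustworthy."""
    notes = []
    if not ports_in_state(h, "open"):
        notes.append("no open TCP port seen; Nmap needs one for a reliable fingerprint")
    if h.closed == 0:
        notes.append("no closed TCP port seen; Nmap needs one for a reliable fingerprint")
    if h.mac is None:
        notes.append("no MAC address: not learned by ARP (remote segment or the scanner itself)")
    if h.running and "|" in h.running:
        notes.append("OS guess not narrowed down: " + h.running)
    if filtered := ports_in_state(h, "filtered"):
        notes.append(f"{len(filtered)} filtered port(s): something is dropping probes")
    return notes


def summarize(hosts: List[HostRecord]) -> List[str]:
    lines = []
    for h in hosts:
        lines.append(f"{h.ip:<14} {h.mac or '-':<17} {h.vendor or '-'}")
        lines.append(f"  open: {ports_in_state(h, 'open')}  os: {h.os_details or '?'}")
        lines.extend("  ! " + note for note in fingerprint_caveats(h))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_nmap_normal(SAMPLE))))
```

Run it against a saved scan (nmap -O ... > scan.txt, then feed the file to parse_nmap_normal) and the caveat list is what to read before trusting a Running: line; for anything beyond a quick look, switch the scan to -oX and use an XML parser instead of these regexes.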
For more information on OS detection with Nmap, see the OS detection documentation on the Nmap site (http://www.insecure.org/nmap/).