Using OS Identification with Nmap

Nmap can be used to fingerprint operating systems. Here is a typical session:

[root@srv-1 usr-1]# nmap -O --min_rtt_timeout=6000 10.50.100.1-80
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-05-05 12:49 PDT
Interesting ports on 10.50.100.1:
(The 1656 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
6000/tcp  open  X11
32771/tcp open  sometimes-rpc5
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 2.752 days (since Tue May  2 18:48:21 2006)
Interesting ports on 10.50.100.4:
(The 1625 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
12/tcp    filtered unknown
45/tcp    filtered mpm
53/tcp    filtered domain
63/tcp    filtered via-ftp
78/tcp    filtered vettcp
80/tcp    filtered http
113/tcp   filtered auth
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
209/tcp   filtered tam
262/tcp   filtered arcisdms
554/tcp   filtered rtsp
575/tcp   filtered vemmi
702/tcp   filtered unknown
729/tcp   filtered netviewdm1
779/tcp   filtered unknown
817/tcp   filtered unknown
823/tcp   filtered unknown
909/tcp   filtered unknown
947/tcp   filtered unknown
1080/tcp  filtered socks
1155/tcp  filtered nfa
1241/tcp  filtered nessus
1387/tcp  filtered cadsi-lm
1404/tcp  filtered igi-lm
1481/tcp  filtered airs
1544/tcp  filtered aspeclmd
1723/tcp  filtered pptp
5190/tcp  filtered aol
5300/tcp  filtered hacl-hb
5800/tcp  open     vnc-http
5900/tcp  open     vnc
6009/tcp  filtered X11:9
6502/tcp  filtered netop-rc
18181/tcp filtered opsec_cvp
MAC Address: 00:A0:CC:3F:9B:A1 (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows Server 2003 or XP SP2
Interesting ports on 10.50.100.8:
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
280/tcp  open  http-mgmt
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: 00:01:E6:28:03:E0 (Hewlett-Packard Company)
Device type: printer|print server
Running: HP embedded
OS details: HP LaserJet printer/print server
Interesting ports on 10.50.100.9:
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
23/tcp   open  telnet
79/tcp   open  finger
2005/tcp open  deslogin
6005/tcp open  X11:5
MAC Address: 00:50:0F:02:54:CC (Cisco Systems)
Device type: router
Running: Cisco IOS 11.X|12.X
OS details: Cisco IOS 11.3 - 12.0(11), Cisco IOS v11.14(CA)/12.0.2aT1/v12.0.3T

The -O option turns on OS fingerprinting. We find --min_rtt_timeout=6000 useful when the first hosts respond quickly but other hosts are slower: the value is in milliseconds, so Nmap will wait up to 6 seconds for a response from each host (current Nmap documentation spells the option --min-rtt-timeout). By default Nmap adjusts its timeouts automatically from the round-trip times it measures on the initial hosts, so if you don't set this, slower hosts can be missed. The downside is that scanning your network takes longer. If your hosts and network respond consistently, you may be able to get by without the min_rtt_timeout option. The 10.50.100.1-80 at the end scans hosts 10.50.100.1 through 10.50.100.80(!). Note that in this scan we found a GNU/Linux box, a Microsoft Windows box, an HP JetDirect print server, and a Cisco router. In addition to the OS detection, the output also gives us a security scan of open ports, as well as a list of IP addresses and their associated MAC addresses, which is a useful starting point for an inventory of what is actually on the network. Keep in mind that the OS line is a fingerprint match rather than a certainty: when several versions share a fingerprint Nmap lists the alternatives separated by "|", and a host that offers no open port plus a closed port gives it less to work with. For more information on OS detection with Nmap, see this page.
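As an added example (not code from the original page), the following Python script turns output like the session above into a per-host inventory (IP, MAC address and vendor, device type, OS guesses, open ports) and flags open services a defender would want to review, such as the telnet, finger, VNC and X11 listeners that appear in this scan. The sample text embedded in it is an abridged excerpt of the session above; the regular expressions assume the "normal" output layout of nmap 3.70 as shown there (later releases word some lines differently, so for production use prefer -oX and an XML parser). The watch list of services is an assumption of this example, not something Nmap provides.

```python
import re

# Abridged excerpt of the nmap 3.70 session shown above (hosts 10.50.100.4 and
# 10.50.100.9 trimmed to a few ports); used here as constructed sample input.
SAMPLE_OUTPUT = """\
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-05-05 12:49 PDT
Interesting ports on 10.50.100.1:
(The 1656 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
6000/tcp  open  X11
32771/tcp open  sometimes-rpc5
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 2.752 days (since Tue May  2 18:48:21 2006)
Interesting ports on 10.50.100.4:
PORT      STATE    SERVICE
53/tcp    filtered domain
135/tcp   open     msrpc
5800/tcp  open     vnc-http
5900/tcp  open     vnc
MAC Address: 00:A0:CC:3F:9B:A1 (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows Server 2003 or XP SP2
Interesting ports on 10.50.100.9:
PORT     STATE SERVICE
23/tcp   open  telnet
79/tcp   open  finger
6005/tcp open  X11:5
MAC Address: 00:50:0F:02:54:CC (Cisco Systems)
Device type: router
Running: Cisco IOS 11.X|12.X
OS details: Cisco IOS 11.3 - 12.0(11), Cisco IOS v11.14(CA)/12.0.2aT1/v12.0.3T
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?")
OS_RE = re.compile(r"^(Device type|Running|OS details): ?(.*)")
UPTIME_RE = re.compile(r"^Uptime (.*)")

# Assumed watch list: cleartext logins and remote-control/display services
# that a defender would want to review when found open on the network.
WATCH_SERVICES = {"telnet", "finger", "vnc", "vnc-http", "X11"}


def parse_nmap_normal(text):
    """Parse nmap 'normal' output into a list of per-host inventory records."""
    hosts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HOST_RE.match(line)):
            cur = {"ip": m.group(1), "ports": [], "mac": None, "vendor": None,
                   "device_type": None, "running": [], "os_details": None,
                   "uptime": None}
            hosts.append(cur)
        elif cur is None:
            continue  # banner lines before the first host block
        elif (m := PORT_RE.match(line)):
            cur["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                 "state": m.group(3), "service": m.group(4)})
        elif (m := MAC_RE.match(line)):
            cur["mac"], cur["vendor"] = m.group(1).upper(), m.group(2)
        elif (m := OS_RE.match(line)):
            key, val = m.groups()
            if key == "Device type":
                cur["device_type"] = val
            elif key == "Running":
                # nmap separates alternative OS/version guesses with '|'
                cur["running"] = [v.strip() for v in val.split("|")]
            else:
                cur["os_details"] = val
        elif (m := UPTIME_RE.match(line)):
            cur["uptime"] = m.group(1)
    return hosts


def open_ports(host):
    return [p for p in host["ports"] if p["state"] == "open"]


def review_findings(hosts):
    """(ip, port, service) for open services on the watch list; 'X11:5'-style
    names are matched on the part before the colon."""
    findings = []
    for h in hosts:
        for p in open_ports(h):
            if p["service"].split(":")[0] in WATCH_SERVICES:
                findings.append((h["ip"], p["port"], p["service"]))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_normal(SAMPLE_OUTPUT)
    for h in inventory:
        print(h["ip"], h["mac"], h["vendor"], h["device_type"],
              "|".join(h["running"]), [p["port"] for p in open_ports(h)])
    for ip, port, svc in review_findings(inventory):
        print(f"review: {ip} exposes {svc} on port {port}")
```

The parser keys everything off the "Interesting ports on" line, so the Uptime line that follows the first host's OS details is correctly attached to that host. Filtered ports are kept in the record but excluded from open_ports, and the "Running:" alternatives are split so that a report can say "one of these" rather than presenting a single guess as fact.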