Nmap can be used to fingerprint operating systems. Here is a typical session:
[root@srv-1 usr-1]# nmap -O --min_rtt_timeout=6000 10.50.100.1-80 Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2006-05-05 12:49 PDT Interesting ports on 10.50.100.1: (The 1656 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 111/tcp open rpcbind 6000/tcp open X11 32771/tcp open sometimes-rpc5 Device type: general purpose Running: Linux 2.4.X|2.5.X|2.6.X OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7) Uptime 2.752 days (since Tue May 2 18:48:21 2006) Interesting ports on 10.50.100.4: (The 1625 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 12/tcp filtered unknown 45/tcp filtered mpm 53/tcp filtered domain 63/tcp filtered via-ftp 78/tcp filtered vettcp 80/tcp filtered http 113/tcp filtered auth 135/tcp open msrpc 139/tcp open netbios-ssn 209/tcp filtered tam 262/tcp filtered arcisdms 554/tcp filtered rtsp 575/tcp filtered vemmi 702/tcp filtered unknown 729/tcp filtered netviewdm1 779/tcp filtered unknown 817/tcp filtered unknown 823/tcp filtered unknown 909/tcp filtered unknown 947/tcp filtered unknown 1080/tcp filtered socks 1155/tcp filtered nfa 1241/tcp filtered nessus 1387/tcp filtered cadsi-lm 1404/tcp filtered igi-lm 1481/tcp filtered airs 1544/tcp filtered aspeclmd 1723/tcp filtered pptp 5190/tcp filtered aol 5300/tcp filtered hacl-hb 5800/tcp open vnc-http 5900/tcp open vnc 6009/tcp filtered X11:9 6502/tcp filtered netop-rc 18181/tcp filtered opsec_cvp MAC Address: 00:A0:CC:3F:9B:A1 (Lite-on Communications) Device type: general purpose Running: Microsoft Windows 2003/.NET|NT/2K/XP OS details: Microsoft Windows Server 2003 or XP SP2 Interesting ports on 10.50.100.8: (The 1654 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 280/tcp open http-mgmt 515/tcp open printer 631/tcp open ipp 9100/tcp open jetdirect MAC Address: 00:01:E6:28:03:E0 (Hewlett-Packard Company) Device type: printer|print server Running: HP embedded OS details: HP LaserJet printer/print server Interesting ports on 10.50.100.9: (The 1656 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 23/tcp open telnet 79/tcp open finger 2005/tcp open deslogin 6005/tcp open X11:5 MAC Address: 00:50:0F:02:54:CC (Cisco Systems) Device type: router Running: Cisco IOS 11.X|12.X OS details: Cisco IOS 11.3 - 12.0(11), Cisco IOS v11.14(CA)/12.0.2aT1/v12.0.3T
The -O signifies OS fingerprinting. The –min_rtt_timeout=6000 we find is useful if the initial hosts are quick to respond, but other hosts are slower.
This is in milliseconds, so this will wait 6 seconds per host. Nmap will normally throttle the timeout automatically based on initial scans by default, so if you don’t set this, hosts could be missed. The downside is that it will take longer to scan your network.
If your hosts and network are consistent, you may be able to get by without the min_rtt_timeout option.
The 10.50.100.1-80 at the end scans hosts 10.50.100.1 to 10.50.100.80(!).
Note that in this scan we found a GNU/Linux box, a Microsoft Windows box, an HP JetDirect print server, and a Cisco router.
In addition to the OS detection, this also provides us with a security scan of open ports, as well as a list of IP addresses and their associated MAC addresses.
For more information on OS detection with Nmap, see this page.