
1. Introduction

Here is a small tip on how to determine the OS of a remote computer using the nmap command. This can be quite handy if you are trying to create an inventory list of your LAN hosts, or if you simply do not know what is running behind a certain local or remote IP address and need some hints. Using nmap for this kind of job does not mean that you will be able to identify the remote OS with 100% accuracy, but nmap will certainly provide you with a quite solid educated guess.

2. Simple scan of a local network

When trying to determine the OS of a remote host, nmap bases its guess on various aspects such as the open and closed ports of a default OS installation, operating system fingerprints already submitted to the nmap database by other users, the MAC address, etc.

If you do not know which IP addresses are active on your LAN, you can first try to scan the entire subnet. For example, here I will scan my local subnet 10.1.1.*:

# nmap -sP 10.1.1.*

Starting Nmap 6.00 ( http://nmap.org ) at 2013-01-08 08:14 EST
Nmap scan report for 10.1.1.1
Host is up (0.0026s latency).
MAC Address: C4:7D:4F:6F:3E:D2 (Cisco Systems)
Nmap scan report for 10.1.1.11
Host is up.
Nmap scan report for 10.1.1.13
Host is up (0.0020s latency).
MAC Address: 00:13:02:30:FF:EC (Intel Corporate)
Nmap scan report for 10.1.1.14
Host is up (0.0022s latency).
MAC Address: A8:26:D9:ED:29:8E (HTC)
Nmap scan report for 10.1.1.250
Host is up (0.0041s latency).
MAC Address: 00:23:EB:71:E0:F6 (Cisco Systems)
Nmap done: 256 IP addresses (5 hosts up) scanned in 35.37 seconds

From the output above, we can see all currently active IP addresses, and we can already see some hints (such as the MAC address vendor) about what any particular host may be.

3. Identify OS on remote host

For nmap to even make a guess, it needs to find at least 1 open and 1 closed port on the remote host. Using the previous scan results, let us find out more about the host 10.1.1.13:

# nmap -O -sV 10.1.1.13

Output:

Nmap scan report for 10.1.1.13
Host is up (0.0073s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE              VERSION
22/tcp   open  ssh                  OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
53/tcp   open  domain               ISC BIND 9.7.3
80/tcp   open  http                 Apache httpd 2.2.16 ((Debian))
111/tcp  open  rpcbind (rpcbind V2) 2 (rpc #100000)
3389/tcp open  ms-wbt-server        xrdp
MAC Address: 00:13:02:30:FF:EC (Intel Corporate)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.32 - 2.6.35
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.57 seconds

From the output above, we can determine that this particular host is running some version of the Linux operating system. Based on the ssh version, it is most likely Debian 6 (Squeeze) with a 2.6 kernel, and the kernel version is most likely somewhere between 2.6.32 and 2.6.35.
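To turn the two scans above into the inventory list mentioned in the introduction, here is an added example (not from the original article) in Python that parses nmap's normal output into per-host records and lists the hosts that still lack an OS guess, so they can be queued for a follow-up "nmap -O" pass. The sample output embedded in it is constructed from the lines shown above; the Host record and the regular expressions are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (not a real scan), shaped like the -sP and -O -sV output above.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.1.1.1
MAC Address: C4:7D:4F:6F:3E:D2 (Cisco Systems)
Nmap scan report for 10.1.1.13
PORT     STATE SERVICE              VERSION
22/tcp   open  ssh                  OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
80/tcp   open  http                 Apache httpd 2.2.16 ((Debian))
MAC Address: 00:13:02:30:FF:EC (Intel Corporate)
OS details: Linux 2.6.32 - 2.6.35
"""

@dataclass
class Host:
    ip: str
    mac: Optional[str] = None
    vendor: Optional[str] = None          # OUI vendor nmap prints next to the MAC
    os_details: Optional[str] = None      # the "OS details:" line from -O
    open_ports: List[str] = field(default_factory=list)  # "22/tcp ssh OpenSSH ..."

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")  # name (ip) or ip
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open\s+(\S+)\s*(.*)$")
OS_RE = re.compile(r"^OS details: (.*)$")

def parse_nmap_output(text: str) -> Dict[str, Host]:
    """Walk nmap's normal output and collect one Host record per scan report."""
    hosts: Dict[str, Host] = {}
    current: Optional[Host] = None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            ip = m.group(2) or m.group(1)
            current = hosts.setdefault(ip, Host(ip=ip))
        elif current is None:
            continue                       # header lines before the first report
        elif m := MAC_RE.match(line):
            current.mac, current.vendor = m.group(1), m.group(2)
        elif m := PORT_RE.match(line):
            current.open_ports.append(" ".join(g for g in m.groups() if g))
        elif m := OS_RE.match(line):
            current.os_details = m.group(1)
    return hosts

def hosts_missing_os(hosts: Dict[str, Host]) -> List[str]:
    """IPs with no OS guess yet: candidates for a follow-up 'nmap -O' pass."""
    return sorted(ip for ip, h in hosts.items() if h.os_details is None)
```

Feed it the saved output of a real run (nmap -oN inventory.txt ...) instead of SAMPLE_OUTPUT to build the inventory for a whole subnet.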

4. Conclusion

The same technique can also be used for remote hosts over the WAN. Scanning for the OS version of a remote host can be quite handy to you as an administrator. On the other hand, this technique can also be abused by attackers: they can target a host with an exploit chosen on the basis of quite accurate information about the running OS and its patch level. Let this be just a quick reminder for all of us to keep all our systems up to date.
