One of Nmap's best-known features is remote OS detection
using TCP/IP stack fingerprinting. Nmap sends a series of TCP and
UDP packets to the remote host and examines practically every bit
in the responses. After performing dozens of tests such as TCP
ISN sampling, TCP options support and ordering, IP ID sampling, and
the initial window size check, Nmap compares the results to its
database of more than 2,600 known
OS fingerprints and prints out the OS details if there is a match.
Each fingerprint includes a freeform textual description of the
OS, and a classification which provides the vendor name
(e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10),
and device type (general purpose, router, switch, game console,
etc). Most fingerprints also have a Common Platform Enumeration
If Nmap is unable to guess the OS of a machine, and
conditions are good (e.g. at least one open port and one closed
port were found), Nmap will
provide a URL you can use to submit the fingerprint if you know
(for sure) the OS running on the machine. By doing this you
contribute to the pool of operating systems known to Nmap and thus
it will be more accurate for everyone.
OS detection enables some other tests which make use
of information that is gathered during the process anyway.
One of these is
TCP Sequence Predictability Classification. This measures
approximately how hard it is to establish a forged
TCP connection against the remote host. It is useful for
exploiting source-IP based trust relationships (rlogin, firewall
filters, etc) or for hiding the source of an attack. This sort of
spoofing is rarely performed any more, but many machines are still
vulnerable to it. The actual
difficulty number is based on statistical sampling and may
fluctuate. It is generally better to use the English
classification such as “worthy challenge” or “trivial joke”. This
is only reported in normal output in verbose (
mode. When verbose mode is enabled along with
-O, IP ID sequence
generation is also reported. Most machines are in the
“incremental” class, which means that they increment the ID
field in the IP header for each packet they send. This makes them
vulnerable to several advanced information gathering and
Another bit of extra information enabled by OS detection is a guess
at a target's uptime. This uses the TCP timestamp option (RFC 1323) to guess when a machine was last rebooted.
The guess can be inaccurate due to the timestamp counter not being
initialized to zero or the counter overflowing and wrapping around,
so it is printed only in verbose mode.
OS detection is covered in Chapter 8, Remote OS Detection.
OS detection is enabled and controlled with the following options:
-O (Enable OS detection)
Enables OS detection, as discussed above.
Alternatively, you can use
-A to enable
OS detection along with other things.
--osscan-limit (Limit OS detection to
OS detection is far more effective if at least one
open and one closed TCP port are found. Set this option
and Nmap will not even try OS detection against hosts
that do not meet this criteria. This can save substantial
time, particularly on
-Pn scans against many hosts. It
only matters when OS detection is requested with
--fuzzy (Guess OS detection results)
When Nmap is unable to detect a perfect OS match, it
sometimes offers up near-matches as possibilities. The
match has to be very close for Nmap to do this by default.
Either of these (equivalent) options make Nmap guess more
aggressively. Nmap will still tell you when an imperfect
match is printed and display its confidence level
(percentage) for each guess.
--max-os-tries (Set the maximum number of OS detection tries against a target)
When Nmap performs OS detection against a target and
fails to find a perfect match, it usually repeats the
attempt. By default, Nmap tries five times if conditions
are favorable for OS fingerprint submission, and twice when
conditions aren't so good. Specifying a lower
--max-os-tries value (such as 1) speeds
Nmap up, though you miss out on retries which could
potentially identify the OS. Alternatively, a high value
may be set to allow even more retries when conditions are
favorable. This is rarely done, except to generate better
fingerprints for submission and integration into the Nmap OS