OS Detection
One of Nmap's best-known features is remote OS detection
using TCP/IP stack fingerprinting. Nmap sends a series of TCP and
UDP packets to the remote host and examines practically every bit
in the responses. After performing dozens of tests such as TCP
ISN sampling, TCP options support and ordering, IP ID sampling, and
the initial window size check, Nmap compares the results to its
nmap-os-db
database of more than 2,600 known
OS fingerprints and prints out the OS details if there is a match.
Each fingerprint includes a freeform textual description of the
OS, and a classification which provides the vendor name
(e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10),
and device type (general purpose, router, switch, game console,
etc). Most fingerprints also have a Common Platform Enumeration
(CPE)
representation, like
cpe:/o:linux:linux_kernel:2.6
.
If Nmap is unable to guess the OS of a machine, and conditions are good (e.g. at least one open port and one closed port were found), Nmap will provide a URL you can use to submit the fingerprint if you know (for sure) the OS running on the machine. By doing this you contribute to the pool of operating systems known to Nmap and thus it will be more accurate for everyone.
OS detection enables some other tests which make use
of information that is gathered during the process anyway.
One of these is
TCP Sequence Predictability Classification. This measures
approximately how hard it is to establish a forged
TCP connection against the remote host. It is useful for
exploiting source-IP based trust relationships (rlogin, firewall
filters, etc) or for hiding the source of an attack. This sort of
spoofing is rarely performed any more, but many machines are still
vulnerable to it. The actual
difficulty number is based on statistical sampling and may
fluctuate. It is generally better to use the English
classification such as “worthy challenge” or “trivial joke”. This
is only reported in normal output in verbose (-v
)
mode. When verbose mode is enabled along with -O
, IP ID sequence
generation is also reported. Most machines are in the
“incremental” class, which means that they increment the ID
field in the IP header for each packet they send. This makes them
vulnerable to several advanced information gathering and
spoofing attacks.
Another bit of extra information enabled by OS detection is a guess at a target's uptime. This uses the TCP timestamp option (RFC 1323) to guess when a machine was last rebooted. The guess can be inaccurate due to the timestamp counter not being initialized to zero or the counter overflowing and wrapping around, so it is printed only in verbose mode.
OS detection is covered in Chapter 8, Remote OS Detection.
OS detection is enabled and controlled with the following options:
-
-O
(Enable OS detection) Enables OS detection, as discussed above. Alternatively, you can use
-A
to enable OS detection along with other things.-
--osscan-limit
(Limit OS detection to promising targets) OS detection is far more effective if at least one open and one closed TCP port are found. Set this option and Nmap will not even try OS detection against hosts that do not meet this criteria. This can save substantial time, particularly on
-Pn
scans against many hosts. It only matters when OS detection is requested with-O
or-A
.-
--osscan-guess
;--fuzzy
(Guess OS detection results) When Nmap is unable to detect a perfect OS match, it sometimes offers up near-matches as possibilities. The match has to be very close for Nmap to do this by default. Either of these (equivalent) options make Nmap guess more aggressively. Nmap will still tell you when an imperfect match is printed and display its confidence level (percentage) for each guess.
-
--max-os-tries
(Set the maximum number of OS detection tries against a target) When Nmap performs OS detection against a target and fails to find a perfect match, it usually repeats the attempt. By default, Nmap tries five times if conditions are favorable for OS fingerprint submission, and twice when conditions aren't so good. Specifying a lower
--max-os-tries
value (such as 1) speeds Nmap up, though you miss out on retries which could potentially identify the OS. Alternatively, a high value may be set to allow even more retries when conditions are favorable. This is rarely done, except to generate better fingerprints for submission and integration into the Nmap OS database.