When exploring a network for security auditing or
inventory/administration, you usually want to know more than
the bare IP addresses of identified machines. Your reaction to
discovering a printer may be very different than to finding a router,
wireless access point, telephone PBX, game console, Windows desktop,
or Unix server. Finer grained detection (such as distinguishing Mac
OS X 10.4 from 10.3) is useful for determining vulnerability to
specific flaws and for tailoring effective exploits for those
In part due to its value to attackers, many systems are
tight-lipped about their exact nature and operating system
configuration. Fortunately, Nmap includes a huge database of
heuristics for identifying thousands of different systems based on how
they respond to a selection of TCP/IP probes. Another system (part of
version detection) interrogates open TCP or UDP ports to determine
device type and OS details. Results of these two systems are reported
independently so that you can identify combinations such as a
Checkpoint firewall forwarding port 80 to a Windows IIS server.
While Nmap has supported OS detection since 1998, this chapter
describes the 2nd generation system released in 2006.
While some benefits of discovering the underlying OS and device types on a network are obvious, others are more obscure. This section lists the top reasons I hear for discovering this extra information.
Determining vulnerability of target hosts
It is sometimes very difficult to determine remotely whether an
available service is susceptible or patched for a certain
vulnerability. Even obtaining the application version number doesn't
always help, since OS distributors often back-port security fixes
without changing the version number. The surest way to verify that a
vulnerability is real is to exploit it, but that risks crashing the
service and can lead to wasted hours or even days of frustrating
exploitation efforts if the service turns out to be patched.
OS detection can help reduce these false positives. For
example, the Rwho daemon on unpatched Sun Solaris 7 through 9 may be
remotely exploitable (Sun alert #57659). Remotely determining
vulnerability is difficult, but you can rule it out by finding that a
target system is running Solaris 10.
Taking this from the perspective of a systems administrator
rather than a pen-tester, imagine you run a large Sun shop when alert
#57659 comes out. Scan your whole network with OS detection to find
machines which need patching before the bad guys do.
Even after you discover a vulnerability in a target system, OS
detection can be helpful in exploiting it. Buffer overflows,
format-string exploits, and many other vulnerabilities often require
custom-tailored shellcode with offsets and assembly payloads generated
to match the target OS and hardware architecture. In some cases, you
only get one try because the service crashes if you get the
shellcode wrong. Use OS detection first or you may end up sending
Linux shellcode to a FreeBSD server.
Network inventory and support
While it isn't as exciting as busting root through a specially
crafted format string exploit, there are many administrative reasons
to keep track of what is running on your network. Before you renew
that IRIX support contract for another year, scan to see if anyone
still uses such machines. An inventory can also be useful for IT
budgeting and ensuring that all company equipment is accounted
Detecting unauthorized and dangerous devices
With the ubiquity of mobile devices and cheap commodity
networking equipment, companies are increasingly finding that
employees are extending their networks in undesirable ways. They may
install a $20 wireless access point (WAP) in their cubicle without
realizing (or caring) that they just opened up the protected corporate
network to potential attackers in the parking lot or nearby buildings.
WAPs can be so dangerous that Nmap has a special category for
detecting them, as demonstrated in the section called “SOLUTION: Detect Rogue Wireless Access Points on an Enterprise Network”.
Users may also cause sysadmins grief by connecting insecure and/or
worm-infected laptops to the corporate network. Regular scanning can detect unauthorized
devices for investigation and containment.
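As an added example that is not part of the Nmap book or the Nmap project, the script below takes the XML that nmap -O -oX writes and pulls out the two host sets the administrator scenarios above call for: hosts whose OS class is Solaris 7 through 9 (the versions alert #57659 covers, so they need patching) and devices Nmap classifies as a WAP. The sample XML is constructed, and the accuracy cutoff is an assumed default, since low-accuracy guesses need the verification the rest of the chapter describes.

```python
import xml.etree.ElementTree as ET

# Constructed sample of "nmap -O -oX" output (not a real scan); the hosts and
# addresses are made up, but the element and attribute names are Nmap's own.
SAMPLE_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/><os>
  <osmatch name="Sun Solaris 8" accuracy="100">
    <osclass type="general purpose" vendor="Sun" osfamily="Solaris" osgen="8" accuracy="100"/>
  </osmatch></os></host>
<host><address addr="10.0.0.9" addrtype="ipv4"/><os>
  <osmatch name="Sun Solaris 10" accuracy="98">
    <osclass type="general purpose" vendor="Sun" osfamily="Solaris" osgen="10" accuracy="98"/>
  </osmatch></os></host>
<host><address addr="10.0.0.42" addrtype="ipv4"/><os>
  <osmatch name="Linksys WRT54G WAP" accuracy="95">
    <osclass type="WAP" vendor="Linksys" osfamily="embedded" accuracy="95"/>
  </osmatch></os></host>
<host><address addr="10.0.0.77" addrtype="ipv4"/><os/></host>
</nmaprun>"""

# Solaris generations named by the alert discussed in the text.
VULNERABLE_GENS = {"7", "8", "9"}


def triage(xml_text, min_accuracy=90):
    """Return (needs_patch, waps): IPv4 addresses classified as Solaris 7-9
    and addresses classified as a wireless access point.  Classes scoring
    below min_accuracy (assumed default 90) are ignored as unverified guesses."""
    needs_patch, waps = [], []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        os_el = host.find("os")
        if os_el is None:
            continue
        # iter() finds <osclass> whether nested inside <osmatch> (newer Nmap
        # XML) or placed directly under <os> (older Nmap XML).
        for cls in os_el.iter("osclass"):
            if int(cls.get("accuracy", "0")) < min_accuracy:
                continue
            if cls.get("osfamily") == "Solaris" and cls.get("osgen") in VULNERABLE_GENS:
                if addr not in needs_patch:
                    needs_patch.append(addr)
            if cls.get("type") == "WAP" and addr not in waps:
                waps.append(addr)
    return needs_patch, waps


if __name__ == "__main__":
    patch, aps = triage(SAMPLE_XML)
    print("needs patching:", patch)   # ['10.0.0.5']
    print("access points: ", aps)     # ['10.0.0.42']
```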
Another possible use is social engineering. Let's say that you
are scanning a target company and Nmap reports a “Datavoice
TxPORT PRISM 3000 T1 CSU/DSU 6.22/2.06”. You could call up the
target pretending to be Datavoice support and discuss some issues with
their PRISM 3000. Tell them you are about to announce a big security
hole, but are first providing the patch to valued customers. Some
naive administrators might assume that only an authorized engineer
from Datavoice would know so much about their CSU/DSU. Of course the
patch you send them is a Trojan horse that gives you remote access to
sniff and traipse through their network. Be sure to read the rest of
this chapter for detection accuracy and verification advice before
trying this. If you guess the target system wrong and they call the
police, that will be an embarrassing story to tell your