HakTip 99 – NMap 101: Operating System Detection
This week on HakTip, Shannon demonstrates some options you can use in NMap for operating system detection.
This is really fun. NMap has the power to tell you what operating system and services a remote target is running, by decoding the data that a system responds with after NMap sends out a probe. This process is called TCP/IP fingerprinting. Let’s start with the simplist of these, -O. Type: nmap -O 10.73.31.145. When the target is scanned, NMap will tell you what operating system it’s running. You can also add -v to this command to show more verbose information that NMap acquires. Sometimes NMap isn’t able to determine what operating system the target it using, so then you can submit the output to the to NMaps Fingerprint and Correction Page on their website. This will help NMap become better and better, as thousands of OS’s exist.
If you want NMap to just guess what a target is running, you can do this: nmap -O –osscan-guess 10.73.31.145. You can also use –fuzzy instead of –osscan-guess if you want… Why? I have no clue.
nmap -sV 10.73.31.145 will tell you what service version the target is running. If you find you aren’t getting the output you thought you would, you can make this verbose, by typing: nmap sV –version-trace 10.73.31.145.
Lastly is an RPC scan (or a Remote Procedue Call), which uses the -sR option. This displays info about services called RPC’s which are commonly used in Linux systems for the Network File System service. Oftentimes this RPC service is used to make a client and a server function and communicate correctly to each other. Simply type: nmap -sR 10.73.31.145.
And that’s it for port scanning! What would you like to see next about NMAP? Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.