When performing digital reconnaissance or penetration testing, it's important to fingerprint a network by understanding which operating system is running on a remote host.
Nmap is a great tool for this job. Although normally associated with the cybersecurity field and penetration testing, Nmap can also be used for benevolent purposes, such as a system administrator taking an inventory of the operating systems running on every system on their network.
Using Nmap for this kind of job does not mean that you can identify a remote OS with 100% accuracy, but Nmap certainly equips you with a solid educated guess. In this tutorial, you will learn how to determine the operating system of a remote host by using Nmap on a Linux system.
In this tutorial you will learn:
- How to install Nmap on major Linux distros
- How to use Nmap to do a simple scan
- How to use Nmap to determine OS of remote host
|Category|Requirements, Conventions or Software Version Used|
|---|---|
|System|Any Linux system|
|Other|Privileged access to your Linux system as root or via the|
# – requires given Linux commands to be executed with root privileges either directly as a root user or by use of
$ – requires given Linux commands to be executed as a regular non-privileged user
How to install Nmap on major Linux distros
The tool we will be using to scan a remote host is Nmap. You can use the appropriate command below to install Nmap with your system’s package manager.
$ sudo apt install nmap
$ sudo dnf install nmap
$ sudo pacman -S nmap
Perform a simple network scan with Nmap
When trying to determine the OS of a remote host, Nmap bases its guess on several aspects, such as which ports are open and closed on a default installation of the OS, operating system fingerprints already submitted to the Nmap database by other users, the MAC address, etc.
If you do not know which IP addresses are active on your LAN, you can first scan the entire subnet. For example, here I will scan my local subnet 10.1.1.*:
$ sudo nmap -sP 10.1.1.*
Nmap scan report for 10.1.1.1
Host is up (0.0026s latency).
MAC Address: C4:7D:4F:6F:3E:D2 (Cisco Systems)
Nmap scan report for 10.1.1.11
Host is up.
Nmap scan report for 10.1.1.13
Host is up (0.0020s latency).
MAC Address: 00:13:02:30:FF:EC (Intel Corporate)
Nmap scan report for 10.1.1.14
Host is up (0.0022s latency).
MAC Address: A8:26:D9:ED:29:8E (HTC)
Nmap scan report for 10.1.1.250
Host is up (0.0041s latency).
MAC Address: 00:23:EB:71:E0:F6 (Cisco Systems)
Nmap done: 256 IP addresses (5 hosts up) scanned in 35.37 seconds
From the output above, we can see all currently active IP addresses, and we can already see some hints about what any particular host may be used for.
Identify OS on remote host
For Nmap to even make a guess, it needs to find at least one open and one closed port on the remote host. Using the previous scan results, let us find out more about the host 10.1.1.13:
$ sudo nmap -O -sV 10.1.1.13
Nmap scan report for 10.1.1.13
Host is up (0.0073s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
53/tcp   open  domain        ISC BIND 9.7.3
80/tcp   open  http          Apache httpd 2.2.16 ((Debian))
111/tcp  open  rpcbind       (rpcbind V2) 2 (rpc #100000)
3389/tcp open  ms-wbt-server xrdp
MAC Address: 00:13:02:30:FF:EC (Intel Corporate)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.32 - 2.6.35
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.57 seconds
From the output above, we can determine that this particular host is running some version of the Linux operating system. Based on the SSH version, it is most likely Debian 6 (Squeeze) with a 2.6 kernel, and the kernel version is most likely somewhere between 2.6.32 and 2.6.35.
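As an added example (not part of the original tutorial), the following Python script turns Nmap's normal output into one inventory record per host and applies the rule above: an OS guess is only grounded when Nmap saw at least one open and one closed port. The sample text is the tutorial's own 10.1.1.13 report embedded as a constant; the record layout and the function names are my own.

```python
import re

# Constructed sample: the tutorial's `nmap -O -sV 10.1.1.13` output above, one field per line.
SAMPLE = """\
Nmap scan report for 10.1.1.13
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
53/tcp   open  domain        ISC BIND 9.7.3
80/tcp   open  http          Apache httpd 2.2.16 ((Debian))
111/tcp  open  rpcbind       (rpcbind V2) 2 (rpc #100000)
3389/tcp open  ms-wbt-server xrdp
MAC Address: 00:13:02:30:FF:EC (Intel Corporate)
Running: Linux 2.6.X
OS details: Linux 2.6.32 - 2.6.35"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (closed|filtered) ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
FIELD_RE = re.compile(r"^(MAC Address|Running|OS details): (.*)$")

def parse_report(text):
    """One record per 'Nmap scan report for' block: IP, port table, 'Not shown' counts, OS/MAC fields."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = {"ip": m.group(1), "ports": [], "not_shown": {}, "fields": {}}
            hosts.append(cur)
        elif cur is None:
            continue  # banner lines before the first host
        elif m := NOT_SHOWN_RE.match(line):
            cur["not_shown"][m.group(2)] = int(m.group(1))
        elif m := PORT_RE.match(line):
            port, proto, state, service, version = m.groups()
            cur["ports"].append((int(port), proto, state, service, version.strip()))
        elif m := FIELD_RE.match(line):
            cur["fields"][m.group(1)] = m.group(2).strip()
    return hosts

def os_guess_is_grounded(host):
    """Nmap needs >=1 open and >=1 closed port; 'Not shown: N closed' counts as closed, 'filtered' does not."""
    states = [p[2] for p in host["ports"]]
    n_closed = states.count("closed") + host["not_shown"].get("closed", 0)
    return states.count("open") >= 1 and n_closed >= 1

def inventory_line(host):
    # One line per host for an administrator's inventory, flagging guesses Nmap had no closed port for.
    open_ports = ", ".join(f"{p}/{pr} {svc}" for p, pr, st, svc, _ in host["ports"] if st == "open")
    flag = "" if os_guess_is_grounded(host) else " [OS guess unreliable: no open+closed pair]"
    return f"{host['ip']}: {host['fields'].get('OS details', 'unknown OS')} | {open_ports}{flag}"
```

Feed it the saved output of a real scan (`nmap -O -sV ... -oN report.txt`) and a host whose unlisted ports are all filtered rather than closed is flagged, which is exactly the case where the OS guess should not be trusted.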
Even in cases where the operating system cannot be reliably determined, open ports are often the most revealing thing about a host system. Take the screenshot below as an example, where it’s easy to see that the host system is running Ubuntu, despite Nmap reporting that it is not sure what the OS could be.
The same technique can also be used for remote hosts across the WAN. Scanning for the OS version of a remote host can be quite handy to you as an administrator. On the other hand, this technique can also be abused by hackers. They can target any host with their exploitation attack based on quite accurate information about the running OS and its patch level. Let this be just a quick reminder for all of us to keep all our systems up to date.