Here is a small tip on how to discover the OS of a remote computer using the nmap command. Nmap can be quite handy if you are trying to create an inventory list of your LAN hosts, or if you simply do not know what is running on a certain local or remote IP address and need some hints. Using nmap for this kind of job does not mean that you can identify the remote OS with 100% accuracy, but nmap certainly equips you with a solid educated guess.

Simple scan of a local network

When trying to determine the OS of a remote host, nmap bases its guess on various aspects, such as the open and closed ports of a default OS installation, operating system fingerprints already submitted to the nmap database by other users, the MAC address, etc.

If you do not know which IP addresses are active on your LAN, you can first scan the entire subnet. For example, here I will scan my local subnet 10.1.1.*:

# nmap -sP 10.1.1.*

Starting Nmap 6.00 ( ) at 2013-01-08 08:14 EST
Nmap scan report for
Host is up (0.0026s latency).
MAC Address: C4:7D:4F:6F:3E:D2 (Cisco Systems)
Nmap scan report for
Host is up.
Nmap scan report for
Host is up (0.0020s latency).
MAC Address: 00:13:02:30:FF:EC (Intel Corporate)
Nmap scan report for
Host is up (0.0022s latency).
MAC Address: A8:26:D9:ED:29:8E (HTC)
Nmap scan report for
Host is up (0.0041s latency).
MAC Address: 00:23:EB:71:E0:F6 (Cisco Systems)
Nmap done: 256 IP addresses (5 hosts up) scanned in 35.37 seconds

From the output above, we can see all currently active IP addresses, and the MAC address vendors already give some hints about what each host may be.

Identify OS on remote host

For nmap to even make a guess, it needs to find at least one open and one closed port on the remote host. Using the previous scan results, let us find out more about the host:

# nmap -O -sV


Nmap scan report for
Host is up (0.0073s latency).
Not shown: 995 closed ports
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
53/tcp open domain ISC BIND 9.7.3
80/tcp open http Apache httpd 2.2.16 ((Debian))
111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
3389/tcp open ms-wbt-server xrdp
MAC Address: 00:13:02:30:FF:EC (Intel Corporate)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.32 - 2.6.35
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 20.57 seconds

From the output above, we can determine that this particular host is running some version of the Linux operating system. Based on the ssh version, it is most likely Debian 6 (Squeeze) with kernel version 2.6, and the kernel version is most likely somewhere between 2.6.32 and 2.6.35.
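
For the inventory use case, the same scan can be saved with nmap's XML output option (-oX) and turned into records, keeping nmap's accuracy figure so the OS stays a guess rather than a fact. The Python code below is an added example, not part of the original tip; the function name inventory, the min_accuracy threshold and the 192.0.2.x addresses are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -O -sV -oX` output. The 192.0.2.x
# addresses are placeholders; the other values mirror the scan shown above.
SAMPLE_XML = """<nmaprun>
 <host><status state="up"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <address addr="00:13:02:30:FF:EC" addrtype="mac" vendor="Intel Corporate"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="5.5p1 Debian 6+squeeze2"/></port>
   <port protocol="tcp" portid="80"><state state="open"/>
    <service name="http" product="Apache httpd" version="2.2.16"/></port>
   <port protocol="tcp" portid="8080"><state state="filtered"/></port>
  </ports>
  <os><osmatch name="Linux 2.6.32 - 2.6.35" accuracy="100"/></os>
 </host>
 <host><status state="up"/>
  <address addr="192.0.2.20" addrtype="ipv4"/>
  <ports/><os/></host>
</nmaprun>"""

def inventory(xml_text, min_accuracy=90):
    """One record per live host; 'os' is None unless nmap's best match is confident."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        services = []
        for port in host.iterfind("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not inventory entries
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            banner = " ".join(filter(None, (attrs.get("product"), attrs.get("version"))))
            services.append((int(port.get("portid")), attrs.get("name", ""), banner))
        # Each osmatch is a guess; keep only the highest-accuracy one.
        best = max(host.iterfind("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        accuracy = int(best.get("accuracy", "0")) if best is not None else None
        confident = accuracy is not None and accuracy >= min_accuracy
        records.append({"ip": addr.get("ipv4"), "mac": addr.get("mac"), "services": services,
                        "os": best.get("name") if confident else None, "os_accuracy": accuracy})
    return records

if __name__ == "__main__":
    for record in inventory(SAMPLE_XML):
        print(record)
```

Hosts where nmap found no usable fingerprint come back with os set to None, which marks them for a manual check instead of a wrong inventory entry.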


The same technique can also be used against remote hosts across the WAN. Scanning for the OS version on a remote host can be quite handy to you as an administrator. On the other hand, this technique can also be abused by hackers: with quite accurate information about the running OS and its patch level, they can target any host with their exploitation attack. Let this be just a quick reminder for all of us to keep all our systems up to date.