LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Easy Operating System Detection with nmap

nmapRecently I was doing some discovery at work of some systems we inherited.  I didn’t yet have access but wanted to determine what type of OS was involved so I could coordinate with the proper teams.

You can often guess just by determining what ports are open, but the most efficient tool is the venerable nmap utility.  Using the -O (OS detection) and -sV (check ports to determine service/version info) flags, you get a complete report.

Under the covers, nmap is running through a set of heuristics to determine what OS is most likely, based on what ports are open and unique “fingerprinting” of the device’s IP stack.  nmap maintains a database of over 2,000 IP fingerprints.  Different operating systems will set different values for things like initial TTL, max segment size, window scaling value, etc. and by analyzing packets, nmap can make an educated guess of what kind of OS is running.

It’s not 100% and nmap lacks the ability to say “this is definitely Windows Server 2012 with Service Pack 2 applied” or “this is definitely Debian 9 and not Debian 10” because operating systems in the same family often us the same IP stack.  But it is often an excellent start towards identification.

For example, here is output of a Windows Server which is also running MySQL (all examples in this article have been slightly reformatted in terms of line breaks to fit the site’s theme):

# nmap -O -sV x.x.x.x
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-17 11:02 PDT
Nmap scan report for x.x.x.x
Host is up (0.22s latency).
Not shown: 994 closed tcp ports (reset)


PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2701/tcp open  cmrcservice   Microsoft Configuration Manager Remote Control service (CmRcService.exe)
3306/tcp open  mysql         MySQL 5.1.60-community-log
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Aggressive OS guesses: Microsoft Windows Server 2016 (93%), 
Microsoft Windows Server 2008 R2 SP1 (92%), Microsoft Windows Server 2012 R2 (91%), 
Microsoft Windows 10 1607 (90%), Microsoft Windows Server 2008 R2 (90%), 
Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or 
Windows Server 2012 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8 (87%), 
Microsoft Windows Server 2008 R2 SP1 or Windows 8 (87%), Microsoft Windows 7 SP1 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 18 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.77 seconds

Here’s what a Debian 9 server I scanned looks like:

# time nmap -O -sV x.x.x.x
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-17 14:52 PDT
Nmap scan report for x.x.x.x
Host is up (0.0018s latency).
Not shown: 992 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
25/tcp   open  smtp        Postfix smtpd
80/tcp   open  http        nginx 1.10.3
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: EXAMPLE)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: EXAMPLe)
587/tcp  open  smtp        Postfix smtpd
3306/tcp open  mysql       MySQL 5.5.5-10.1.48-MariaDB-0+deb9u2
MAC Address: MM:MM:MM:MM:MM:MM (Asustek Computer)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts:  example.example.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds

And it’s really just that simple.  Next time you have a system on your network but are not sure what it is, try nmap’s OS detection tool to get a pretty good guess.

 

raindog308

1 Comment

  1. raj:

    the top guess on my webserver is “Netgear DG834G WAP or Western Digital WD TV media player (88%)” lol

    March 12, 2022 @ 11:11 pm | Reply

Leave a Reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published. Required fields are marked *