[Lesson 8] Network Vulnerability and Scanning: Operating System Detection in Nmap
First, one of Nmap’s best known features is remote operating system detection using TCP/IP stack fingerprinting 😮 Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the response.
Dozens of tests are performed on the target machine, such as:
- TCP ISN sampling
- TCP options support and ordering
- IP ID sampling
- Initial window size check
Then Nmap compares the results to its nmap-os-db database, which contains more than 2600 known OS fingerprints, and prints the OS details when there is a match.
Each fingerprint includes a free-form textual description of the OS and a classification which provides:
- Vendor name (e.g. Sun)
- Underlying OS (e.g. Solaris)
- OS generation (e.g. 10)
- Device type (general purpose, router, switch, game console, etc.)
Most fingerprints also have a Common Platform Enumeration (CPE) representation, like cpe:/o:linux:linux_kernel:2.6. OS detection is far more effective if at least one open and one closed TCP port are found.
Let’s see OS detection (-O) in action on a Linux machine:
OS detection has to be combined with one of the port scanning techniques; a SYN scan will be used in this demonstration.
Let’s build an nmap command to scan the target system, which is the Metasploitable machine:
- nmap is the application itself
- -n to avoid DNS resolution
- -sS for a SYN scan
- the target IP of the Metasploitable machine
- --top-ports 100 to scan the 100 most common ports
- -O for OS detection
Results of the OS detection (run from Kali Linux):
- Running: General purpose device
- OS CPE: cpe:/o:linux:linux_kernel:2.6
- OS details: 2.6.9–2.6.33
The actual OS version of the Metasploitable machine is 2.6.24.
A more aggressive Nmap scan for a more accurate result:
We can add the --osscan-guess parameter to the OS detection (-O), which makes Nmap report its closest guesses when there is no perfect match.
Let’s see OS detection (-O) in action on a Windows machine:
Before that, let’s install Windows 10 in VirtualBox:
Download the Windows 10 VM from: https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
Unzip the archive and import the downloaded OVA file.
Change the network adapter to NAT Network so that the Windows machine is on the same network as the Kali Linux machine.
Start the Windows machine and open the command prompt to find its IP address with the command “ipconfig”.
Let’s start the OS detection against Windows 10:
First, we try the normal ping command in the terminal against the Windows machine. The Windows system does not respond to the ping requests, so it looks as if we cannot reach the system.
Second, we perform an Nmap ping scan to find out whether the machine is up or not. The result shows that the Windows machine is up and running, so the system is reachable even though it does not answer pings.
Now, I want to scan the top 10 TCP ports of the system with a SYN scan. The --reason parameter is added to display why Nmap reached each result. All scanned ports show as filtered, because there was no response from any of them.
OS detection is added to the previous Nmap command and it is rerun. In the result, Nmap cannot determine the OS details, as it has no responding ports to probe.
Enable Internet Information Services (IIS) on the Windows machine to host the default IIS website.
Start the Internet Information Services (IIS) Manager and start the default website.
Open a web browser and enter the IP address of the system in the address bar to reach the website. The web service is now up.
Now, we test whether we can reach the IIS website from the Kali Linux machine.
If the website is not reachable from the Kali machine’s web browser, you probably need to open Windows Defender Firewall and allow HTTP traffic. This allows the Kali machine to reach port 80 on the Windows machine.
Run the SYN scan of the top 10 ports against the Windows machine (IP address: 10.0.2.5). Here, we notice that port 80 is now open.
Now, we repeat the scan with the OS detection option and get an OS detection result. First, Nmap warns us that the OS scan is unreliable because it could not find at least 1 open and 1 closed port to probe. Here, we are only able to find out that the best guess is Windows XP SP2 at 85%. Thus, we only get Nmap’s guess of the Windows machine’s OS, and the result is not accurate (the machine is actually Windows 10).
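To make the “at least one open and one closed port” rule visible in scan results, here is an added example (not from the lesson or from the Nmap project) that parses Nmap’s XML output (-oX) and flags OS matches that Nmap itself would call unreliable. The XML is a constructed sample modelled on the Windows 10 scan above; the match, accuracy and CPE values are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample of "nmap -oX" output, modelled on the Windows 10 scan in the
# lesson: only one open port was usable, so the match is a low-confidence guess.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -sS --top-ports 10 -O 10.0.2.5">
  <host>
    <address addr="10.0.2.5" addrtype="ipv4"/>
    <os>
      <portused state="open" proto="tcp" portid="80"/>
      <osmatch name="Microsoft Windows XP SP2" accuracy="85" line="0">
        <osclass type="general purpose" vendor="Microsoft" osfamily="Windows"
                 osgen="XP" accuracy="85">
          <cpe>cpe:/o:microsoft:windows_xp::sp2</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""

def parse_os_detection(xml_text):
    """Return per-host OS matches from Nmap XML, sorted by accuracy, plus a
    'reliable' flag: True only if the fingerprint used at least one open and
    one closed TCP port (Nmap's own condition for a trustworthy match)."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        used_states = {p.get("state") for p in host.findall("os/portused")}
        matches = []
        for match in host.findall("os/osmatch"):
            classes = match.findall("osclass")
            matches.append({
                "name": match.get("name"),
                "accuracy": int(match.get("accuracy")),
                "type": classes[0].get("type") if classes else None,
                "cpe": [c.text for c in match.findall("osclass/cpe")],
            })
        hosts.append({
            "addr": host.find("address").get("addr"),
            "reliable": {"open", "closed"} <= used_states,
            "matches": sorted(matches, key=lambda m: -m["accuracy"]),
        })
    return hosts

for h in parse_os_detection(SAMPLE_XML):
    print(h["addr"], "reliable" if h["reliable"] else "UNRELIABLE: no open+closed pair")
    for m in h["matches"]:
        print(f"  {m['accuracy']}% {m['name']} ({m['type']}) {m['cpe']}")
```

Feeding a real scan’s -oX file into parse_os_detection gives the same structure, so an inventory script can keep the “reliable” flag next to every OS guess instead of treating an 85% match as fact.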
Information related to OS detection in Nmap: https://nmap.org/book/man-os-detection.html and https://nmap.org/book/osdetect.html
Information related to Internet Information Services: https://www.howtogeek.com/112455/how-to-install-iis-8-on-windows-8/
Thanks for reading 😄