This tip shows how to use the Nmap command to determine which operating system a remote computer is running. If you want to build a list of the hosts on your local area network, or you don't know what system is running behind some local or remote IP address, you need some hints, and this technique can help. Using Nmap for this task does not mean you can identify the remote operating system with 100% accuracy, but Nmap will certainly give you some fairly useful inferences.
Simply scan your local network
When Nmap tries to determine the operating system of a remote host, it infers it from several aspects: the open and closed state of the ports that the operating system opens by default, the operating system fingerprints that other users have submitted to the Nmap database, the MAC address, and so on.
If you don't know which IP addresses are active in your network, you can try scanning the entire subnet first. For example, here I will scan the local subnet 10.1.1.*:
# nmap -sP 10.1.1.*

Starting Nmap 6.00 ( http://nmap.org ) at 2013-01-08 08:14 EST
Nmap scan report for 10.1.1.1
Host is up (0.0026s latency).
MAC Address: c4:7d:4f:6f:3e:d2 (Cisco Systems)
Nmap scan report for 10.1.1.11
Host is up.
Nmap scan report for 10.1.1.13
Host is up (0.0020s latency).
MAC Address: 00:13:02:30:ff:ec (Intel Corporate)
Nmap scan report for 10.1.1.14
Host is up (0.0022s latency).
MAC Address: a8:26:d9:ed:29:8e (HTC)
Nmap scan report for 10.1.1.250
Host is up (0.0041s latency).
MAC Address: 00:23:eb:71:e0:f6 (Cisco Systems)
Nmap done: 256 IP addresses (5 hosts up) scanned in 35.37 seconds
From the above output we can see which IP addresses are currently active, and also some host-specific hints, such as the vendor behind each MAC address.
Identify the remote host's operating system
For Nmap to make a decision, it needs to find at least one open port and one closed port on the remote host. Based on the previous scan results, let's take a closer look at host 10.1.1.13:
# nmap -O -sV 10.1.1.13
Output:
Nmap scan report for 10.1.1.13
Host is up (0.0073s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
53/tcp   open  domain        ISC BIND 9.7.3
80/tcp   open  http          Apache httpd 2.2.16 ((Debian))
111/tcp  open  rpcbind       2 (RPC #100000)
3389/tcp open  ms-wbt-server xrdp
MAC Address: 00:13:02:30:ff:ec (Intel Corporate)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.32 - 2.6.35
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.57 seconds
From the output above we can tell that this particular host is running a version of the Linux operating system. Based on the SSH version string, it is most likely Debian 6 (squeeze), and the exact kernel version is most likely between 2.6.32 and 2.6.35.
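When you run the two scans above against a whole subnet, reading the text output host by host gets tedious. The following Python script is an added example for this article (it is not code from the article or from the Nmap project): it parses Nmap's XML output (what you get with -oX, e.g. `nmap -O -sV -oX scan.xml 10.1.1.*`) into the kind of LAN inventory the first section describes, keeping each host's MAC vendor, open ports and best OS guess. It also applies the rule from the second section: an OS guess is only marked reliable when Nmap saw at least one open and one closed port on the host and the match accuracy is high. The XML in SAMPLE_XML is hand-constructed to resemble what such a run would emit for the hosts in this article; it is not captured output, and the MIN_ACCURACY threshold is an assumption of this example, not an Nmap setting.

```python
"""Parse Nmap XML output (nmap -oX) into a LAN inventory with OS guesses.

Added example; not code from the article or the Nmap project. Assumes the scan
was run with -oX. SAMPLE_XML is constructed for this example, not captured.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -O -sV -oX - 10.1.1.13 10.1.1.14 10.1.1.15" version="6.00">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.1.1.13" addrtype="ipv4"/>
    <address addr="00:13:02:30:FF:EC" addrtype="mac" vendor="Intel Corporate"/>
    <ports>
      <extraports state="closed" count="995"/>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.5p1 Debian 6+squeeze2"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.16"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="xrdp"/></port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.32 - 2.6.35" accuracy="100">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100"><cpe>cpe:/o:linux:kernel:2.6</cpe></osclass>
      </osmatch>
      <osmatch name="Linux 2.6.18 - 2.6.24" accuracy="93"/>
    </os>
    <distance value="1"/>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.1.1.14" addrtype="ipv4"/>
    <address addr="A8:26:D9:ED:29:8E" addrtype="mac" vendor="HTC"/>
    <ports><port protocol="tcp" portid="80"><state state="closed"/></port></ports>
    <os/>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.1.1.15" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

MIN_ACCURACY = 90  # assumed threshold: weaker osmatch entries are reported as "unknown"


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: addresses, port states, best OS guess."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no fingerprint data worth listing
        rec = {"ip": None, "mac": None, "vendor": None,
               "open_ports": [], "closed_count": 0,
               "os_guess": None, "os_accuracy": 0, "os_reliable": False}
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                rec["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":
                rec["mac"] = a.get("addr")
                rec["vendor"] = a.get("vendor")
        # Nmap folds ports sharing one state into <extraports>; count those too.
        for e in h.findall("ports/extraports"):
            if e.get("state") == "closed":
                rec["closed_count"] += int(e.get("count", "0"))
        for p in h.findall("ports/port"):
            state = p.find("state").get("state")
            if state == "open":
                rec["open_ports"].append(int(p.get("portid")))
            elif state == "closed":
                rec["closed_count"] += 1
        # Keep only the highest-accuracy osmatch; Nmap lists alternatives as well.
        for m in h.findall("os/osmatch"):
            acc = int(m.get("accuracy", "0"))
            if acc > rec["os_accuracy"]:
                rec["os_guess"], rec["os_accuracy"] = m.get("name"), acc
        # Fingerprinting needs at least one open and one closed port; without
        # both, treat any OS guess with suspicion.
        rec["os_reliable"] = (bool(rec["open_ports"]) and rec["closed_count"] > 0
                              and rec["os_accuracy"] >= MIN_ACCURACY)
        hosts.append(rec)
    return hosts


def inventory_lines(hosts):
    """Render parsed hosts as one line each, suitable for a LAN inventory file."""
    lines = []
    for rec in hosts:
        guess = rec["os_guess"] if rec["os_reliable"] else "unknown"
        lines.append("%s  mac=%s (%s)  open=%s  os=%s" % (
            rec["ip"], rec["mac"] or "-", rec["vendor"] or "-",
            ",".join(str(p) for p in rec["open_ports"]) or "-", guess))
    return lines


if __name__ == "__main__":
    for line in inventory_lines(parse_nmap_xml(SAMPLE_XML)):
        print(line)
```

On the sample data, 10.1.1.13 is listed with its three open ports and the Linux 2.6.32 - 2.6.35 guess, while 10.1.1.14 (only a closed port seen, no osmatch) is reported as os=unknown and the down host is skipped entirely. Diffing successive inventory files is a simple way to notice new or changed hosts on the network.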
Conclusion
The same technique can also be used against remote hosts on the WAN. For system administrators, being able to scan the operating system version of a remote host is a great convenience. On the other hand, the technique may be misused by hackers, who can mount attacks against any host using accurate information such as operating system type and patch level. This also reminds us to keep the system's patches up to date at all times.