How to determine the operating system used by the remote computer

This tips will show you how to use the nmap command to determine the operating system running on a remote computer. If you want to create a list of your LAN hosts, or you do not know what system is running behind some local or remote IP addresses, you need some tips.

This tips will show you how to use the nmap command to determine the operating system running on a remote computer. If you want to create a list of your LAN hosts, or you do not know what system is running behind some local or remote IP addresses, you need some tips, at this time, this technique may be very helpful. Using the nmap command to complete this task does not mean that you can accurately identify the remote operating system by 100%, but nmap will certainly provide you with some useful inference results.

Simple scanning of local networks

When you try to use nmap to determine the operating system of the remote host, NMAP will infer based on the following aspects, for example, based on the open and closed status of the port installed by default in the operating system; operating system fingerprints and MAC addresses that have been submitted by other users to the nmap database.

If you do not know which IP addresses are active in your network, you can first try to scan the entire subnet. For example, here I will scan the local subnet 10.1.1 .*:

# nmap -sP 10.1.1.*Starting Nmap 6.00 ( http://nmap.org ) at 2013-01-08 08:14 ESTNmap scan report for 10.1.1.1Host is up (0.0026s latency).MAC Address: C4:7D:4F:6F:3E:D2 (Cisco Systems)Nmap scan report for 10.1.1.11Host is up.Nmap scan report for 10.1.1.13Host is up (0.0020s latency).MAC Address: 00:13:02:30:FF:EC (Intel Corporate)Nmap scan report for 10.1.1.14Host is up (0.0022s latency).MAC Address: A8:26:D9:ED:29:8E (HTC)Nmap scan report for 10.1.1.250Host is up (0.0041s latency).MAC Address: 00:23:EB:71:E0:F6 (Cisco Systems)Nmap done: 256 IP addresses (5 hosts up) scanned in 35.37 seconds

From the above output, we can see all the currently active IP addresses, as well as some prompts related to specific hosts.

Identify the operating system of the remote host

To enable nmap to make a judgment, NMAP must find at least one open port and one closed port on the remote host. Based on the preceding scan results, let's take a look at more information about the host 10.1.1.13:

# nmap -O -sV 10.1.1.13

Output:

Nmap scan report for 10.1.1.13Host is up (0.0073s latency).Not shown: 995 closed portsPORT     STATE SERVICE              VERSION22/tcp   open  ssh                  OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)53/tcp   open  domain               ISC BIND 9.7.380/tcp   open  http                 Apache httpd 2.2.16 ((Debian))111/tcp  open  rpcbind (rpcbind V2) 2 (rpc #100000)3389/tcp open  ms-wbt-server        xrdpMAC Address: 00:13:02:30:FF:EC (Intel Corporate)Device type: general purposeRunning: Linux 2.6.XOS CPE: cpe:/o:linux:kernel:2.6OS details: Linux 2.6.32 - 2.6.35Network Distance: 1 hopService Info: OS: Linux; CPE: cpe:/o:linux:kernelOS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 20.57 seconds

From the above output, we can judge that a specific host is running a certain version of Linux. The SSH-based version is Debian 6 (Squeeze), which is the most likely kernel version 2.6. The exact kernel version is most likely between 2.6.32-2.6.35.

Conclusion

The same technology can also be used for all remote hosts on the wide area network. For the system administrator, scanning the operating system version of the remote host can bring a lot of convenience. On the other hand, this technology may also be abused by hackers. They can use the accurate information such as the operating system type and patch level to launch attacks against any host. This reminds us to keep the system Updated at any time.

Original article: lubos rendek translation: geek fan-Xiao Xiang