Combine OS and Service Detection in Nmap


Introduction

In this lab, we will learn how to combine operating system and service detection in Nmap to gather comprehensive information about a target machine. We will use Nmap's -O and -sV options to identify the OS and service versions running on a target IP address, such as 192.168.1.1.

The lab includes steps to run combined scans, specify target ports, add verbosity, save results to a file, and analyze the output in the Xfce terminal. We will also compare the combined scan results with individual scans to understand the benefits of this approach. Remember to only scan networks you own or have permission to scan.



Run combined scan with nmap -O -sV 192.168.1.1

In this step, we will perform a combined scan using Nmap to identify the operating system and service versions running on a target machine. This is a powerful technique for gathering information about a network and its devices.

Nmap is a versatile network scanning tool. The options used in this step are:

  • -O: Enables operating system detection. Nmap attempts to determine the OS of the target machine by analyzing its network responses.
  • -sV: Enables service version detection. Nmap probes open ports to determine the application name and version number.
  • 192.168.1.1: This is the target IP address. Replace this with the actual IP address of the machine you want to scan. If you don't have a specific target, you can use your own machine's IP address or a test IP like scanme.nmap.org. However, for this lab, we will assume 192.168.1.1 is a valid target on your network. If it is not, you will need to substitute a valid IP address.

Before running the scan, it's important to understand that scanning networks without permission is illegal. Only scan networks that you own or have explicit permission to scan.

Now, let's execute the combined scan. Open your Xfce terminal.

  1. Execute the following command:
sudo nmap -O -sV 192.168.1.1

You will likely be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

The output will show Nmap's progress as it probes the target machine. It will attempt to identify the operating system and the versions of services running on open ports.

Example output (the actual output will vary depending on the target machine):

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu) OpenSSL 1.1.1)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.23 seconds

This output shows that Nmap identified the target as running a Linux operating system and detected the versions of SSH, HTTP, and HTTPS services.

Scan specific ports with nmap -O -sV -p 22,80 127.0.0.1

In this step, we will focus on scanning specific ports using Nmap. This is useful when you want to narrow down your scan to only the ports that are most likely to be running interesting services.

The options used in this step are:

  • -O: Enables operating system detection.
  • -sV: Enables service version detection.
  • -p 22,80: Specifies the ports to scan. In this case, we are scanning port 22 (SSH) and port 80 (HTTP). You can specify a single port, a range of ports (e.g., 1-100), or a comma-separated list of ports.
  • 127.0.0.1: This is the loopback address, which refers to your own machine.

Scanning specific ports can significantly reduce the scan time and make it easier to identify the services running on a target machine.

Now, let's execute the scan. Open your Xfce terminal.

  1. Execute the following command:
sudo nmap -O -sV -p 22,80 127.0.0.1

You will likely be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

The output will show Nmap's progress as it probes ports 22 and 80 on your local machine. It will attempt to identify the operating system and the versions of services running on those ports.

Example output (the actual output will vary depending on your system configuration):

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000047s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS details: Linux 3.2 - 4.9
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

This output shows that Nmap identified OpenSSH on port 22 and Apache httpd on port 80. The OS detection also provides information about the Linux kernel version.

Add verbosity with nmap -v -O -sV 192.168.1.1

In this step, we will add verbosity to our Nmap scan. Verbosity provides more detailed information about the scan process, which can be helpful for troubleshooting or understanding how Nmap is working.

The options used in this step are:

  • -v: Enables verbose mode. This option increases the amount of information displayed during the scan. You can use -vv for even more verbosity.
  • -O: Enables operating system detection.
  • -sV: Enables service version detection.
  • 192.168.1.1: This is the target IP address. As in the first step, replace this with the actual IP address of the machine you want to scan if 192.168.1.1 is not a valid target on your network.

Verbose mode can be useful for seeing exactly what Nmap is doing, including the probes it's sending and the responses it's receiving.

Now, let's execute the scan with verbosity. Open your Xfce terminal.

  1. Execute the following command:
sudo nmap -v -O -sV 192.168.1.1

You will likely be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

The output will be more detailed than the previous scans. You will see information about the different stages of the scan, such as host discovery, port scanning, and service version detection.

Example output (the actual output will vary depending on the target machine and network conditions):

Starting Nmap 7.80 ( https://nmap.org )
NSE: Loaded 151 scripts for scanning.
Initiating Ping Scan at 14:35
Scanning 192.168.1.1 [4 ports]
Completed Ping Scan at 14:35, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:35
Completed Parallel DNS resolution of 1 host. at 14:35, 0.00s elapsed
Initiating SYN Stealth Scan at 14:35
Scanning 192.168.1.1 [1000 ports]
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 443/tcp on 192.168.1.1
Completed SYN Stealth Scan at 14:35, 0.12s elapsed (1000 total ports)
Initiating Service scan at 14:35
Scanning 3 services on 192.168.1.1
Completed Service scan at 14:35, 6.23s elapsed (3 services total)
Initiating OS detection (try #1) against 192.168.1.1
... (more output) ...
Nmap scan report for 192.168.1.1
Host is up (0.00088s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu) OpenSSL 1.1.1)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.23 seconds

Notice the additional information about the scan phases, such as "Initiating Ping Scan" and "Initiating Service scan". This can be helpful for understanding the scan process and identifying any potential issues.

Save combined results with nmap -O -sV -oN os_service.txt 127.0.0.1

In this step, we will save the results of our Nmap scan to a file. This is useful for later analysis or for sharing the results with others.

The options used in this step are:

  • -O: Enables operating system detection.
  • -sV: Enables service version detection.
  • -oN os_service.txt: Specifies the output file and format. -oN specifies normal output, which is human-readable. The output will be saved to the file os_service.txt in your current directory (~/project).
  • 127.0.0.1: This is the loopback address, which refers to your own machine.

Saving the output to a file allows you to review the results later without having to rerun the scan. It also makes it easier to compare the results of different scans.

Now, let's execute the scan and save the results. Open your Xfce terminal.

  1. Execute the following command:
sudo nmap -O -sV -oN os_service.txt 127.0.0.1

You will likely be prompted for your password. Since the labex user has sudo privileges without a password, just press Enter.

The output will be displayed on the screen as usual, but it will also be saved to the file os_service.txt in your ~/project directory.

  2. To verify that the file was created and contains the scan results, use the cat command:
cat os_service.txt

This will display the contents of the os_service.txt file in the terminal. You should see the Nmap scan results, including the open ports, services, and operating system information.

Example output (the actual output will vary depending on your system configuration):

## Nmap 7.80 scan initiated Mon Aug  8 14:42:30 2022
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000047s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS details: Linux 3.2 - 4.9
Network Distance: 0 hops

## Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

You can also use the ls -l command to check the file size and modification date:

ls -l os_service.txt

This will show you the file's permissions, size, and last modification time.

Analyze OS and service output in Xfce terminal

In this step, we will analyze the output from the Nmap scan we saved in the previous step (os_service.txt). We'll focus on understanding the information Nmap provides about the target's operating system and running services.

The os_service.txt file contains a human-readable report of the scan results. Let's examine the key sections:

  1. Open Ports: This section lists the ports that are open on the target machine. Open ports indicate that a service is listening for connections on that port.

  2. Services: For each open port, Nmap attempts to identify the service that is running. This information is displayed in the "SERVICE" column.

  3. Versions: Nmap also tries to determine the version of the service. This information is displayed in the "VERSION" column. Knowing the service version is crucial for identifying potential vulnerabilities.

  4. OS Details: Nmap attempts to identify the operating system running on the target machine. This information is displayed in the "OS details" section.

Now, let's analyze the output in the Xfce terminal.

  1. Open the os_service.txt file using the cat command:
cat os_service.txt

Examine the output. You should see something similar to the following (the actual output will vary depending on your system configuration):

## Nmap 7.80 scan initiated Mon Aug  8 14:42:30 2022
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000047s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS details: Linux 3.2 - 4.9
Network Distance: 0 hops

## Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

  2. Analyzing the Output:

    • Port 22/tcp: This port is open and running the SSH service (OpenSSH 8.2p1 Ubuntu 4ubuntu0.4). SSH is used for secure remote access to the machine.
    • Port 80/tcp: This port is open and running the HTTP service (Apache httpd 2.4.41 ((Ubuntu))). HTTP is used for serving web pages.
    • OS Details: Nmap has identified the operating system as Linux (Linux 3.2 - 4.9).

By analyzing this output, you can gain valuable insights into the target machine's configuration and potential vulnerabilities. For example, knowing the service versions allows you to search for known vulnerabilities associated with those versions.

This step demonstrates how to interpret the output of an Nmap scan to identify open ports, running services, and the operating system. This information is essential for security assessments and penetration testing.

Compare with individual scans in Xfce terminal

In this step, we will compare the results of the combined scan (os_service.txt) with the results you would get from running individual scans for OS detection and service version detection. This will help you understand the benefits of using combined scans and how they can save time.

To do this effectively, we'll simulate individual scans by using grep to extract the relevant information from the os_service.txt file. This avoids the need to re-run the scans, saving time and resources.

  1. Simulate OS Detection Scan:

    We can simulate an OS detection scan by searching for the "OS details" section in the os_service.txt file.

    Execute the following command:

grep "OS details" os_service.txt

This will display the line containing the OS details, similar to:

OS details: Linux 3.2 - 4.9

  2. Simulate Service Version Detection Scan:

    We can simulate a service version detection scan by searching for lines containing service and version information.

    Execute the following command:

grep -E "[0-9]+/tcp open" os_service.txt

This command uses grep -E to enable extended regular expressions. The pattern [0-9]+/tcp open matches lines containing a port number (one or more digits) followed by "/tcp open", which are the lines carrying service and version information, similar to:

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

  3. Compare the Results:

    Now, compare the output from the grep commands with the full output in os_service.txt. You'll notice that the combined scan provides all the same information in a single scan.

    The combined scan (nmap -O -sV) is more efficient because it performs both OS detection and service version detection in a single pass. This reduces the overall scan time and network traffic.

In summary, this step demonstrates how to compare the results of a combined Nmap scan with the results you would get from running individual scans. By using combined scans, you can save time and resources while still obtaining comprehensive information about the target.
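The analysis step above reads the -oN report by eye and the comparison step pulls pieces out of it with grep. As an added example that is not part of the lab's own material, the Python script below parses that same report format into structured data: the open ports with service and version, the OS details line, and the network distance. The sample report is constructed from this lab's output plus one made-up 8080/tcp line whose trailing "?" shows how Nmap marks a service it guessed but could not version; the function names are ours.

```python
import re

# Constructed sample: the -oN report from this lab plus one constructed line
# (8080/tcp) whose trailing '?' marks a service Nmap guessed but could not version.
SAMPLE_REPORT = """\
# Nmap 7.80 scan initiated Mon Aug  8 14:42:30 2022
Nmap scan report for localhost (127.0.0.1)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
8080/tcp open  http-proxy?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS details: Linux 3.2 - 4.9
Network Distance: 0 hops

# Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds
"""

# One port line -> (port, proto, state, service, version); version may be empty.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_normal_output(text):
    """Split an Nmap -oN report into the pieces this lab reads by hand."""
    result = {"ports": [], "os_details": None, "network_distance": None}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            result["ports"].append({
                "port": int(port), "proto": proto, "state": state,
                # Nmap appends '?' when it guessed the service from the port
                # number rather than matching a version-probe response.
                "service": service.rstrip("?"), "guessed": service.endswith("?"),
                "version": version.strip() or None,
            })
        elif line.startswith("OS details:"):
            result["os_details"] = line.split(":", 1)[1].strip()
        elif line.startswith("Network Distance:"):
            result["network_distance"] = int(line.split(":")[1].split()[0])
    return result

def open_services(report):
    """Structured equivalent of grep -E "[0-9]+/tcp open": open ports by number."""
    return {p["port"]: p for p in report["ports"] if p["state"] == "open"}

def unversioned_ports(report):
    """Open ports with no confirmed version: verify by hand before looking up CVEs by version."""
    return [p["port"] for p in report["ports"]
            if p["state"] == "open" and (p["version"] is None or p["guessed"])]
```

Point parse_normal_output at the contents of os_service.txt to get the same breakdown for a real scan; ports listed by unversioned_ports are the ones whose version string should not be trusted for vulnerability lookups yet.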

Summary

In this lab, we performed combined OS and service version detection using Nmap. The key takeaway is using the -O and -sV flags together to identify both the operating system and the versions of services running on a target machine. This provides a more comprehensive understanding of the target's configuration.

We also learned how to specify target IP addresses, add verbosity with the -v flag, and save scan results to a file using the -oN option. Furthermore, we practiced analyzing the output in the Xfce terminal and comparing the results with individual scans to understand the combined scan's effectiveness.