LabEx
Log InJoin For Free

Identify Operating Systems with Nmap

NmapNmapBeginner
Practice Now

Introduction

In this lab, you will learn how to identify operating systems using Nmap. The lab covers various Nmap commands for OS detection, including running basic OS scans, enabling guess mode, combining OS and port scans, refining scans, and exporting results. You'll execute commands like nmap -O <target_ip> in the Xfce terminal and view the OS details in the output.

These hands - on steps will help you gain practical skills in using Nmap to detect the operating systems of target machines, with examples demonstrating how Nmap analyzes responses to provide OS information.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL nmap(("Nmap")) -.-> nmap/NmapGroup(["Nmap"]) nmap/NmapGroup -.-> nmap/basic_syntax("Basic Command Syntax") nmap/NmapGroup -.-> nmap/output_formats("Output Formats") nmap/NmapGroup -.-> nmap/save_output("Save Output to File") nmap/NmapGroup -.-> nmap/port_scanning("Port Scanning Methods") nmap/NmapGroup -.-> nmap/os_version_detection("OS and Version Detection") subgraph Lab Skills nmap/basic_syntax -.-> lab-530180{{"Identify Operating Systems with Nmap"}} nmap/output_formats -.-> lab-530180{{"Identify Operating Systems with Nmap"}} nmap/save_output -.-> lab-530180{{"Identify Operating Systems with Nmap"}} nmap/port_scanning -.-> lab-530180{{"Identify Operating Systems with Nmap"}} nmap/os_version_detection -.-> lab-530180{{"Identify Operating Systems with Nmap"}} end

Run OS detection with nmap -O 192.168.1.1

In this step, we will use Nmap to perform OS detection on a target machine. OS detection is a technique used to identify the operating system running on a remote host. Nmap sends a series of specially crafted packets to the target and analyzes the responses to determine the OS.

Before we begin, let's understand the basic syntax of the command we'll be using:

nmap -O <target_ip>
  • nmap: This is the command-line tool we're using.
  • -O: This option tells Nmap to enable OS detection.
  • <target_ip>: This is the IP address of the target machine you want to scan. In this case, it's 192.168.1.1.

Now, let's execute the command to perform OS detection on the target machine with IP address 192.168.1.1. Open your Xfce terminal and type the following command:

nmap -O 192.168.1.1

After running the command, Nmap will send various probes to the target machine and analyze the responses. The output will display the OS details if Nmap is successful in identifying it. The output might look something like this (the exact output will vary depending on the target OS):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00043s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
OS details: Linux 3.2 - 4.9
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

In the above example, Nmap has identified the target machine as running a Linux operating system. The output also provides details about the kernel version.

If Nmap is unable to determine the exact OS, it might provide a list of possible OS candidates. In some cases, Nmap might not be able to detect the OS at all. This can happen if the target machine is behind a firewall or if the OS is configured to hide its identity.

Enable guess with nmap -O --osscan-guess 127.0.0.1

In this step, we will use Nmap to perform OS detection with the --osscan-guess option on the localhost (127.0.0.1). This option forces Nmap to be more aggressive in its OS detection attempts. When Nmap is unsure about the OS, this option can help to make a more educated guess.

Let's break down the command:

nmap -O --osscan-guess 127.0.0.1
  • nmap: This is the command-line tool we're using.
  • -O: This option tells Nmap to enable OS detection.
  • --osscan-guess: This option tells Nmap to guess the OS more aggressively.
  • 127.0.0.1: This is the IP address of the target machine you want to scan, which is the localhost in this case.

Now, let's execute the command to perform OS detection with the --osscan-guess option on the localhost. Open your Xfce terminal and type the following command:

nmap -O --osscan-guess 127.0.0.1

After running the command, Nmap will send various probes to the target machine and analyze the responses. The output will display the OS details if Nmap is successful in identifying it. Because we are scanning localhost, the OS detection should be relatively accurate. The output might look something like this (the exact output will vary depending on your system):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000039s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
631/tcp  open  ipp
9929/tcp open  nping-echo

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.23 seconds

Note that the output might not always explicitly state the OS name. Sometimes, it will only show open ports and other information. However, Nmap still performs OS detection in the background, and the --osscan-guess option increases the likelihood of a more accurate result.

Combine OS and ports with nmap -O -p 1-100 192.168.1.1

In this step, we will combine OS detection with port scanning using Nmap. This allows us to identify the operating system of a target machine and also discover which ports are open on that machine. By combining these two techniques, we can gain a more comprehensive understanding of the target system.

Let's break down the command:

nmap -O -p 1-100 192.168.1.1
  • nmap: This is the command-line tool we're using.
  • -O: This option tells Nmap to enable OS detection.
  • -p 1-100: This option tells Nmap to scan ports 1 through 100.
  • 192.168.1.1: This is the IP address of the target machine you want to scan.

Now, let's execute the command to perform OS detection and port scanning on the target machine with IP address 192.168.1.1. Open your Xfce terminal and type the following command:

nmap -O -p 1-100 192.168.1.1

After running the command, Nmap will send various probes to the target machine and analyze the responses. The output will display the OS details and a list of open ports. The output might look something like this (the exact output will vary depending on the target OS and open ports):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00043s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
OS details: Linux 3.2 - 4.9
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

In the above example, Nmap has identified the target machine as running a Linux operating system and has found that ports 22 (SSH) and 80 (HTTP) are open.

By combining OS detection and port scanning, you can quickly identify the operating system and services running on a target machine. This information can be valuable for security assessments and network troubleshooting.

View OS details in Xfce terminal

In the previous steps, you executed Nmap commands to detect the operating system of target machines. The results of these scans were displayed directly in the Xfce terminal. This step focuses on understanding how to interpret the OS details presented in the terminal output.

When Nmap successfully identifies the operating system, it will typically display information such as the OS name, version, and sometimes even the kernel version. It might also provide a CPE (Common Platform Enumeration) identifier, which is a standardized naming scheme for software and hardware.

Let's revisit an example output from a previous step:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00043s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
OS details: Linux 3.2 - 4.9
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

In this example, the line OS details: Linux 3.2 - 4.9 indicates that Nmap has detected a Linux operating system with a kernel version between 3.2 and 4.9. The Device type: general purpose line suggests that the device is a standard computer. The Running: Linux 3.X|4.X line provides similar information. The OS CPE lines provide more specific identifiers for the operating system and kernel.

If Nmap is unable to determine the exact OS, it might provide a "guess" based on the available information. In such cases, the output might include a statement like "OS details: Unknown" or "OS details: Possibly Windows." The --osscan-guess option used in a previous step can help improve the accuracy of these guesses.

To view the OS details, simply examine the output of the Nmap commands you executed in the previous steps. The OS information will typically be displayed near the top of the output, after the port scan results.

Remember that OS detection is not always perfect, and Nmap's results should be interpreted with caution. Factors such as firewalls and network configurations can interfere with OS detection.

This step doesn't require any new commands to be executed. It's about understanding and interpreting the output you've already generated.

Refine scan with nmap -O --osscan-limit 192.168.1.1

In this step, we will refine our OS detection scan using the --osscan-limit option. This option tells Nmap to only try OS detection against hosts that have at least one open and one closed TCP port. This can significantly speed up the scan and reduce the likelihood of false positives, especially when scanning large networks.

The --osscan-limit option is useful because OS detection relies on analyzing the responses to various TCP probes. If a host only has open ports or only has closed ports, Nmap may not be able to gather enough information to accurately determine the operating system.

Let's execute the command to perform a refined OS detection scan on the target machine with IP address 192.168.1.1. Open your Xfce terminal and type the following command:

nmap -O --osscan-limit 192.168.1.1

After running the command, Nmap will perform OS detection, but only on hosts that meet the criteria of having at least one open and one closed TCP port. The output will display the OS details if Nmap is able to identify the operating system. The output might look something like this (the exact output will vary depending on the target OS and open/closed ports):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00043s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
OS details: Linux 3.2 - 4.9
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.23 seconds

In this example, Nmap has identified the target machine as running a Linux operating system. The "Not shown: 999 closed ports" line indicates that Nmap only scanned the open port (22) and determined the OS based on that and the closed ports it found.

Using the --osscan-limit option can make your OS detection scans more efficient and accurate, especially when dealing with large networks or hosts with unusual port configurations.

Export results with nmap -O -oN os.txt 127.0.0.1

In this step, we will learn how to export the results of an Nmap OS detection scan to a file. This is useful for later analysis, reporting, or integration with other tools. We will use the -oN option, which specifies that the output should be in "normal" format.

The os.txt filename is arbitrary; you can choose any name you like, but it's good practice to use a descriptive name. The output file will be created in your current working directory, which is ~/project.

To export the results of the OS detection scan to a file, open your Xfce terminal and type the following command:

nmap -O -oN os.txt 127.0.0.1

This command will perform an OS detection scan on the target machine with IP address 127.0.0.1 (localhost) and save the results in normal format to the file os.txt in your ~/project directory.

After the scan is complete, you can view the contents of the os.txt file using the cat command:

cat os.txt

The output will display the Nmap scan results, including the OS details, in a human-readable format. The output might look something like this (the exact output will vary depending on the target OS):

## Nmap 7.80 scan initiated Tue Oct 27 10:20:00 2023 as: nmap -O -oN os.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000043s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
OS details: Linux 3.2 - 4.9
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
## Nmap done at Tue Oct 27 10:20:05 2023 -- 1 IP address (1 host up) scanned in 5.23 seconds

You can also use a text editor like nano to view or modify the os.txt file:

nano os.txt

This will open the os.txt file in the nano text editor, allowing you to examine the results in more detail.

Exporting Nmap results to a file is a valuable skill for documenting your findings and sharing them with others.

Summary

In this lab, participants learn to use Nmap for operating system detection. They start by running basic OS detection with the command nmap -O <target_ip>, using 192.168.1.1 as an example. They also learn to enable guessing with nmap -O --osscan-guess, combine OS and port scanning with nmap -O -p 1-100, refine scans with nmap -O --osscan-limit, and export results to a text file with nmap -O -oN os.txt. Additionally, they view OS details in the Xfce terminal.

Related Nmap Courses
Quick Start with Nmap

Quick Start with Nmap

CybersecurityNmap
Beginner