Operating System and Service Detection - Nmap 6 Cookbook: The Fat Free Guide to Network Security Scanning (2015)


Section 6: Operating System and Service Detection

Overview

One of Nmap’s most remarkable (and incredibly useful) features is its ability to detect operating systems and services on remote systems. This feature analyzes responses from scanned targets and attempts to identify the host’s operating system and installed software versions.

The process of identifying a target’s operating system from the behavior of its network stack is known as TCP/IP fingerprinting. Software versions are identified by a separate mechanism, service version detection, which sends application-layer probes to open ports and matches the responses against a signature database. Although neither is an exact science, the Nmap developers have taken great care to make both accurate and reliable. This section covers the options used to control these features and also discusses how to troubleshoot version scans and submit TCP/IP fingerprints for inclusion in Nmap’s OS fingerprint database.

Summary of features covered in this section:

-O
Operating System Detection

--osscan-guess
Attempt to Guess an Unknown OS

-sV
Service Version Detection

--version-trace
Troubleshoot Version Scans

Operating System Detection

The -O parameter enables Nmap’s operating system detection feature.

Usage syntax: nmap -O [target]

# nmap -O 10.10.4.40

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 13:20 CST

Nmap scan report for 10.10.4.40

[...]

MAC Address: 00:60:E0:55:CD:BC (Axiom Technology CO.)

Device type: general purpose

Running: Microsoft Windows XP|2003

OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2

OS details: Microsoft Windows XP SP2 or Windows Server 2003 SP1 or SP2

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 6.47 seconds

Output of Nmap’s operating system detection feature

As demonstrated above, Nmap is (in most cases) able to identify the operating system on a remote target. It does so by sending a series of crafted TCP, UDP and ICMP probes and comparing implementation-specific characteristics of the responses (TCP initial sequence number generation, IP ID generation, TCP option ordering and window sizes, and so on) against its database of known OS fingerprints.

If Nmap is unable to determine the OS, it will provide an explanation as to why. If the scan had the open and closed ports needed for a reliable test, Nmap will also display a fingerprint for any unknown system. You can also force Nmap to guess, which will try to find a close match. These scenarios are discussed next in this section.

Tip: OS detection sends raw packets and therefore requires root (or administrator) privileges. For it to work properly there must also be at least one open and one closed port on the target system. When scanning multiple targets, the --osscan-limit option can be combined with -O to instruct Nmap not to OS scan hosts that do not meet this criteria. The --max-os-tries option can also be used to speed up scanning by specifying the number of tries Nmap makes to identify an operating system before it gives up (the default is 5).

Submitting TCP/IP Fingerprints

If Nmap is unable to determine the operating system on a target, it will provide a fingerprint that can be submitted to Nmap’s OS database at nmap.org/submit/. The example below demonstrates Nmap’s output in this scenario.

# nmap -O 10.10.4.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 13:11 CST

Nmap scan report for 10.10.4.1

Host is up (0.00036s latency).

Not shown: 999 closed ports

PORT STATE SERVICE

22/tcp open ssh

MAC Address: 00:13:3B:10:54:0E (Speed Dragon Multimedia Limited)

No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=6.47%E=4%D=1/15%OT=22%CT=1%CU=37714%PV=Y%DS=1%DC=D%G=Y%M=00133B%

[...]

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 8.68 seconds

TCP/IP fingerprint generated by Nmap

The output section labeled TCP/IP fingerprint provides a long string of characters that contains information needed to submit your discovery. By submitting the fingerprint generated and correctly identifying the target system’s operating system, you can help improve the accuracy of Nmap’s OS detection feature in future releases.

Attempt to Guess an Unknown Operating System

If Nmap is unable to accurately identify the OS, you can force it to guess by using the --osscan-guess option.

Usage syntax: nmap -O --osscan-guess [target]

# nmap -O --osscan-guess 10.10.4.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-26 13:05 CST

Nmap scan report for 10.10.4.1

Host is up (0.00043s latency).

Not shown: 999 closed ports

PORT STATE SERVICE

22/tcp open ssh

MAC Address: 00:13:3B:10:54:0E (Speed Dragon Multimedia Limited)

Aggressive OS guesses: Netgear DG834G WAP or Western Digital WD TV media player (96%), Linux 2.6.32 (95%), Linux 2.6.32 - 3.9 (95%), Linux 3.8 (93%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6) (92%), Linux 2.6.26 - 2.6.35 (92%), Linux 2.6.32 - 2.6.35 (92%), Linux 2.6.32 - 3.2 (92%)

No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

TCP/IP fingerprint:

[...]

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 16.59 seconds

Nmap operating system guess output

The example above displays a list of possible matches for the target’s operating system, each listed with the percentage confidence Nmap has in that match. Nmap labels them aggressive guesses because none reached the accuracy it requires to report a match outright, so treat them as hints rather than findings. While Nmap was unable to determine the exact OS on the target, the results indicate it is likely some sort of Linux based system.

Tip: The --fuzzy option is a synonym that can be used as an easy to remember shortcut for the --osscan-guess feature.

Service Version Detection

The -sV parameter enables Nmap’s service version detection feature.

Usage syntax: nmap -sV [target]

# nmap -sV 10.10.4.70

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 13:32 CST

Nmap scan report for 10.10.4.70

Host is up (0.00019s latency).

Not shown: 993 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 6.4 (protocol 2.0)

80/tcp open http Jetty 8.1.10.v20130312

443/tcp open ssl/http Jetty 8.1.10.v20130312

513/tcp filtered login

514/tcp filtered shell

3260/tcp open iscsi?

5432/tcp open postgresql PostgreSQL DB 9.1.5 - 9.1.9

MAC Address: 0C:C4:7A:0B:AB:40 (Unknown)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 133.26 seconds

Output of Nmap’s service version detection feature

The -sV option will attempt to identify the application and version behind every open port it detects. The results of the above scan show the version information for the services Nmap was able to identify. A service name followed by a question mark, such as iscsi? on port 3260, means the port is open but none of Nmap’s probes produced a recognizable response, so the name is only a lookup from Nmap’s port-number table (nmap-services) rather than a verified identification.

Note: Nmap version detection purposely skips some problematic ports (specifically 9100-9107). These ports are associated with network printers and may cause them to print random garbage when probed for version information. This can be overridden by combining the --allports parameter with -sV which instructs Nmap not to exclude any ports from version detection.

Tip: The --version-intensity option can be used with a -sV scan to specify the level of intensity (0 through 9) for version scans. The default --version-intensity number is 7. Setting a lower intensity like 1 can speed up scans but will miss a number of identifiable services. A high number like 9 will attempt to detect more services, but will take longer to complete. The --version-light and --version-all options are convenient aliases for intensity 2 and 9 respectively.
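The distinctions this section describes in Nmap’s normal output (an exact OS match versus a list of Aggressive OS guesses, a fingerprint worth submitting, and a verified service version versus a port-table name marked with a question mark) are all present in Nmap’s XML report, which is the form a practitioner should process in scripts. The example below is added here and is not code from the Nmap 6 Cookbook or from the Nmap project; it parses a constructed sample of the XML that nmap -O --osscan-guess -sV -oX writes, enforces the open-plus-closed-port precondition from the Tip above, and separates probe-verified service names from table lookups. The sample report, its addresses and its version numbers are constructed for the example.

```python
# Added example (not from the Nmap 6 Cookbook or the Nmap project): post-process
# the XML report written by `nmap -O --osscan-guess -sV -oX scan.xml <target>`.
import xml.etree.ElementTree as ET

# Constructed sample report (not real scan data): it mirrors the scans shown
# in this section - one open port, a closed port, OS matches below 100%, a
# fingerprint ready for submission, and a service ("iscsi?") whose name came
# from the port table rather than a probe response.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O --osscan-guess -sV -oX scan.xml 10.10.4.1" version="6.47">
<host><status state="up"/><address addr="10.10.4.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="6.4" extrainfo="protocol 2.0" method="probed" conf="10">
<cpe>cpe:/a:openbsd:openssh:6.4</cpe></service></port>
<port protocol="tcp" portid="3260"><state state="open" reason="syn-ack"/>
<service name="iscsi" method="table" conf="3"/></port>
</ports>
<os>
<portused state="open" proto="tcp" portid="22"/>
<portused state="closed" proto="tcp" portid="1"/>
<osmatch name="Linux 2.6.32" accuracy="95" line="55000">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="95">
<cpe>cpe:/o:linux:linux_kernel:2.6.32</cpe></osclass></osmatch>
<osmatch name="Linux 3.8" accuracy="93" line="57000">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="93">
<cpe>cpe:/o:linux:linux_kernel:3.8</cpe></osclass></osmatch>
<osfingerprint fingerprint="OS:SCAN(V=6.47%E=4%D=1/15%OT=22%CT=1%CU=37714%PV=Y%DS=1%DC=D%G=Y%M=00133B%..."/>
</os></host></nmaprun>
"""


def os_verdict(host):
    """Summarise the <os> block of one <host>: refuse to trust results that
    lacked the open+closed port pair, report a 100% match as exact, and
    otherwise return the ranked guesses plus the fingerprint to submit."""
    os_el = host.find("os")
    if os_el is None:
        return {"status": "not attempted", "matches": [], "fingerprint": None}
    ports_used = {p.get("state") for p in os_el.findall("portused")}
    if not {"open", "closed"} <= ports_used:
        return {"status": "unreliable: no open+closed port pair", "matches": [],
                "fingerprint": None}
    matches = [(m.get("name"), int(m.get("accuracy")), [c.text for c in m.iter("cpe")])
               for m in os_el.findall("osmatch")]
    exact = [m for m in matches if m[1] == 100]
    fp = os_el.find("osfingerprint")
    return {"status": "exact" if exact else "guess",
            "matches": exact or matches,
            "fingerprint": fp.get("fingerprint") if fp is not None else None}


def service_inventory(host):
    """List open ports with product/version and whether the name came from a
    matched probe (trustworthy) or only from the port-number table, which
    normal output marks with a trailing "?"."""
    rows = []
    for port in host.iter("port"):
        if port.find("state").get("state") != "open":
            continue
        svc = port.find("service")
        if svc is None:  # open port with no name at all: treat like a table entry
            svc = ET.Element("service", name="unknown", method="table", conf="0")
        rows.append({"port": f"{port.get('portid')}/{port.get('protocol')}",
                     "name": svc.get("name"),
                     "product": " ".join(filter(None, [svc.get("product"), svc.get("version")])),
                     "probed": svc.get("method") == "probed",
                     "conf": int(svc.get("conf", 0)),
                     "cpe": [c.text for c in svc.iter("cpe")]})
    return rows


def summarize(xml_text):
    """Return [(os_verdict, service_rows), ...] for every host in the report."""
    root = ET.fromstring(xml_text)
    return [(os_verdict(h), service_inventory(h)) for h in root.findall("host")]


if __name__ == "__main__":
    for verdict, services in summarize(SAMPLE_XML):
        print("OS:", verdict["status"], [(n, a) for n, a, _ in verdict["matches"]])
        for s in services:
            flag = "" if s["probed"] else "   <- unverified: name from port table only"
            print(f"  {s['port']:10} {s['name']:10} {s['product']}{flag}")
```

The CPE strings collected here are what you would feed to a vulnerability-correlation step; the probed flag tells you which of those identifications are actually backed by a probe response and which are only a port-number lookup.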

Troubleshooting Version Scans

The --version-trace option can be enabled to display verbose version scan activity.

Usage syntax: nmap -sV --version-trace [target]

$ nmap -sV --version-trace 10.10.4.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-15 13:36 CST

PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)

--------------- Timing report ---------------

hostgroups: min 1, max 100000

rtt-timeouts: init 1000, min 100, max 10000

max-scan-delay: TCP 1000, UDP 1000, SCTP 1000

parallelism: min 0, max 0

max-retries: 10, host-timeout: 0

min-rate: 0, max-rate: 0

---------------------------------------------

NSE: Using Lua 5.2.

NSE: Script Arguments seen from CLI:

NSE: Loaded 23 scripts for scanning.

Overall sending rates: 6172.84 packets / s.

mass_rdns: Using DNS server 10.10.4.46

mass_rdns: 0.02s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]

DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]

Overall sending rates: 30639.13 packets / s.

NSOCK INFO [0.2680s] nsi_new2(): nsi_new (IOD #1)

NSOCK INFO [0.2690s] nsock_connect_tcp(): TCP connection requested to 10.10.4.1:22 (IOD #1) EID 8

NSOCK INFO [0.2690s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [10.10.4.1:22]

Service scan sending probe NULL to 10.10.4.1:22 (tcp)

NSOCK INFO [0.2690s] nsock_read(): Read request from IOD #1 [10.10.4.1:22] (timeout: 6000ms) EID 18

NSOCK INFO [0.2870s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [10.10.4.1:22] (41 bytes): SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2..

Service scan match (Probe NULL matched with NULL line 3072): 10.10.4.1:22 is ssh. Version: |||protocol 2.0|

NSOCK INFO [0.2880s] nsock_read(): Read request from IOD #1 [10.10.4.1:22] (timeout: 5982ms) EID 26
[...]

Version scan trace output

The --version-trace option can be helpful for debugging problems or to gain additional information about the target system. When submitting new fingerprints or corrections, the Nmap developers may ask you to provide this information to help improve the version database.
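The trace above shows the two steps version detection performs on port 22: it sends the NULL probe (no data at all, just a read with a 6000 ms timeout) and, when the service volunteers a banner, matches that banner against a signature line from the probe database. The example below is added here and is not Nmap’s own code; it reproduces those two steps in Python with a socketpair standing in for the connection to 10.10.4.1:22, so it runs offline. The three match rules are written in the style of Nmap’s nmap-service-probes file ($N back-references into the regular expression) but are assumptions for this example, not copied from the real database, and the banners it is run against are constructed.

```python
# Added example (not Nmap's own code): the NULL probe and banner matching
# behind the "Service scan sending probe NULL" / "Service scan match" lines.
import re
import socket

# Match rules in the style of nmap-service-probes: (regex, product,
# version template, extrainfo template). The $N references expand to regex
# groups. These rules are assumptions written for this example.
MATCH_RULES = [
    (r"^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)", "OpenSSH", "$2", "protocol $1"),
    (r"^SSH-([\d.]+)-dropbear_([\w.]+)", "Dropbear sshd", "$2", "protocol $1"),
    (r"^220 ([-\w.]+) ESMTP Postfix", "Postfix smtpd", "", "hostname $1"),
]


def null_probe(sock, timeout=6.0, max_bytes=4096):
    """The NULL probe: send nothing and wait for the service to announce
    itself (the trace's "Read request ... (timeout: 6000ms)"). Returns b""
    when the service stays silent, the case in which Nmap moves on to
    probes that do send data."""
    sock.settimeout(timeout)
    try:
        return sock.recv(max_bytes)
    except socket.timeout:
        return b""


def match_banner(banner):
    """Return (product, version, extrainfo) from the first rule that matches,
    expanding $N as nmap-service-probes does; None if nothing matches."""
    text = banner.decode("ascii", errors="replace")
    for pattern, product, version_tpl, info_tpl in MATCH_RULES:
        m = re.search(pattern, text)
        if m is None:
            continue

        def expand(template):
            return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), template)

        return product, expand(version_tpl), expand(info_tpl)
    return None


def probe_fake_service(server_banner, timeout=1.0):
    """Stand-in for the connection in the trace: one end of a socketpair
    plays the listening service, the other plays Nmap. An empty
    server_banner simulates a service that waits for the client to speak."""
    nmap_side, server_side = socket.socketpair()
    try:
        if server_banner:
            server_side.sendall(server_banner)
        banner = null_probe(nmap_side, timeout=timeout)
    finally:
        nmap_side.close()
        server_side.close()
    return banner, match_banner(banner)


if __name__ == "__main__":
    # Constructed banner in the format the trace above shows for 10.10.4.1:22.
    print(probe_fake_service(b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n"))
    print(probe_fake_service(b"", timeout=0.2))  # silent service: no match
```

The silent-service case is why intensity matters: a service that never speaks first (HTTP, for example) can only be identified by a probe that sends data, and higher --version-intensity settings try more of those probes against each port.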

For more information about troubleshooting and debugging Nmap see Section 10.

Tip: Pipe the output through a pager (append | more to the command) to improve readability when doing version tracing. You can also redirect the output to a file by appending >filename.txt to the end of the command.