OS Detection And Guessing With NMAP


In this article, I'm going to explain the different options Nmap offers for detecting and guessing a target's operating system.

Nmap offers the following OS detection options:

Option(s)                  Description
-O                         Enables OS detection
--osscan-limit             Limits OS detection to promising targets
--osscan-guess; --fuzzy    Guesses the OS more aggressively when there is no exact match
--max-os-tries             Sets the maximum number of OS detection tries against a target

Enabling OS detection


nmap -O <target>

This option tells nmap to detect the OS of the target(s) using TCP/IP stack fingerprinting. It may not always work, but the official nmap man page says:

If Nmap is unable to guess the OS of a machine, and conditions are good (e.g. at least one open port and one closed port were found), Nmap will provide a URL you can use to submit the fingerprint if you know (for sure) the OS running on the machine. By doing this you contribute to the pool of operating systems known to Nmap and thus it will be more accurate for everyone.

Ref, more info

Limit OS Detection to Promising Targets


nmap -O --osscan-limit <target>

With this option nmap only tries to guess the OS of hosts that have at least one open TCP port. Without such a port it cannot produce a reliable match anyway, so skipping those hosts loses little.

This can be useful if you need to scan a wide range of hosts and are under time pressure, whether because of a deadline or for any other reason.

‘Aggressive’ guessing


nmap -O --osscan-guess <target>
nmap -O --fuzzy <target>

This does practically the opposite of the option discussed above: instead of skipping hosts that are hard to fingerprint, it takes a more "aggressive" approach to guessing the OS. Both spellings are the same option, and it only has an effect when OS detection is enabled with -O.
Nmap will print out a couple of guesses, each with a percentage indicating how closely the fingerprint matched.

I tried this option on a Windows 10 Target and it gave me Windows XP SP2 as result.

I’m not sure if this is a sign that I should update nmap, or if the guesses are not accurate. Or! The fingerprint is still the same for Win10…

Limit number of tries


nmap -O --max-os-tries <num> <target>

Nmap retries OS fingerprinting when an attempt fails to produce a match. By default it tries 5 times, but you can change this number.

If you lower the value, you speed up the scan, but you may miss some information.

On the other hand, raising this number leads to slower but more thorough scans. This is rarely done.
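To make the guesses from the previous sections easier to triage across many hosts, it helps to read the XML that nmap writes with -oX instead of the normal text output. The following script is an added example, not part of the original article or of the Nmap project: it parses osmatch accuracy percentages and checks the "one open and one closed port" condition quoted from the man page above. The XML sample is constructed by hand, and the 90% threshold is an arbitrary assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML that `nmap -O --osscan-guess -oX - <target>`
# writes, trimmed to the elements used below. Values are made up, not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="81"><state state="closed" reason="reset"/></port>
    </ports>
    <os>
      <portused state="open" proto="tcp" portid="22"/>
      <portused state="closed" proto="tcp" portid="81"/>
      <osmatch name="Linux 4.15 - 5.6" accuracy="95" line="12345">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="95"/>
      </osmatch>
      <osmatch name="Linux 3.2 - 4.9" accuracy="91" line="12300">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="91"/>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""

def parse_os_results(xml_text, min_accuracy=90):
    """Return one dict per host with its open/closed TCP port counts, whether
    the scan met the 'one open + one closed port' condition that makes a
    fingerprint reliable, and the OS guesses at or above min_accuracy
    (the threshold is an assumption of this example, not an nmap default)."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        # Only TCP port states matter for the fingerprinting condition.
        states = [p.find("state").get("state")
                  for p in host.iter("port") if p.get("protocol") == "tcp"]
        open_n, closed_n = states.count("open"), states.count("closed")
        guesses = [(m.get("name"), int(m.get("accuracy")))
                   for m in host.iter("osmatch")]
        results.append({
            "host": addr,
            "open_tcp": open_n,
            "closed_tcp": closed_n,
            "reliable": open_n >= 1 and closed_n >= 1,
            "guesses": [g for g in guesses if g[1] >= min_accuracy],
        })
    return results

if __name__ == "__main__":
    for r in parse_os_results(SAMPLE_XML):
        print(r)
```

A host with "reliable": False but guesses present is the case where --osscan-guess output deserves a second look, since nmap could not see both an open and a closed port.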