In this article, I’m going to explain the different variations to use nmap for OS detection.
Nmap offers the following OS- Detection features:
||Enables OS Detection|
||Limits OS detection to promising target|
||Guesses OS detection results|
||Sets the maximum number of OS detection tries against a target|
Enabling nmap OS detection
nmap -O <target>
This option tells nmap to detect the OS of the target(s) using TCP/IP stack fingerprinting. It may not always work, but on the official nmap man page it says:
If Nmap is unable to guess the OS of a machine, and conditions are good (e.g. at least oneopen port and one closed port were found), Nmap will provide a URL you can use to submit the fingerprint if you know (for sure) the OS running on the machine. By doing this you contribute to the pool of operating systems known to Nmap and thus it will be more accurate for everyone.
Limit OS Detection to Promising Targets
nmap -O --osscan-limit <target>
With this option nmap only tries to guess the OS of hosts that have at least one open TCP port. Otherwise it isn’t able to guess the perfect match.
Can be useful if you need to scan a wide range of hosts and are under time pressure (May it be a deadline or whatevs.)
nmap --osscan-guess <target>
nmap --fuzzy <target>
Does practically the oposite of the option discussed above. With this option you can try a more “aggressive” approach to guessing the OS.
Nmap will print out a couple of guesses and a percentage on how much it mached.
I tried this option on a Windows 10 Target and it gave me
Windows XP SP2 as result.
I’m not sure if this is a sign that I should update nmap, or if the guesses are not accurate. Or! The fingerprint is still the same for Win10…
Limit number of tries
nmap --max-os-tries <num> <target>
Nmap performs multiple attempts to gather OS information if the attempts fail. By default it tries it 5 times but you can change this number.
If you lower the value, you can speed up the scan, but you could eventually miss out on some information.
On the other hand, raising this number will lead to slower but more sophisticated scans. But this is rarely done.