topic Re: find out an OS from the remote machine using nmap in Operating System - Linux

find out an OS from the remote machine using nmap

'chris' — Mon, 24 Dec 2007 02:48:05 GMT

hi

howto find out an OS from the remote machine using nmap from CLI ?

kind regards
chris

Re: find out an OS from the remote machine using nmap

Steven Schweda — Mon, 24 Dec 2007 03:40:22 GMT

A Google search for "nmap" led directly to:

http://insecure.org/nmap/
http://insecure.org/nmap/docs.html

The Nmap project tries to defy the
stereotype of some open source software
being poorly documented by providing a
comprehensive set of documentation for
installing and using Nmap. [...]

http://insecure.org/nmap/man/

Of course, even the best documentation is of
little value if you don't _read_ it.

Re: find out an OS from the remote machine using nmap

'chris' — Mon, 24 Dec 2007 04:38:05 GMT

perhaps:

nmap -O [target ip]

but maybe an other program will be needed to encode the fingerprint.

Re: find out an OS from the remote machine using nmap

'chris' — Mon, 24 Dec 2007 05:01:34 GMT

I mean to read (decode) the fingerprint.

Re: find out an OS from the remote machine using nmap

Steven E. Protter — Mon, 24 Dec 2007 09:53:06 GMT

Shalom chris,

Hackers commonly try to use this technique to obtain OS information. Many systems if properly secured will not provide this informaiton. Internet exposed systems should not so easily expose themselves to this query.

SEP

Re: find out an OS from the remote machine using nmap

'chris' — Wed, 26 Dec 2007 02:22:41 GMT

sinfp seems to be nice.

# sinfp -i hotmail.com -p 443 -C -V
P1: B11013 F0x12 W16384 O0204ffff M1460
P2: B11013 F0x12 W16384 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B00000 F0 W0 O0 M0
IPv4: Windows NT

*** File [sinfp4-127.0.0.1.anon.pcap] generation done.
*** Please send it to sinfp@gomor.org if you think this is not
*** the good identification, or if it is a new signature.
*** In this last case, please specify `uname -a' (or equivalent)
*** from the target host.

Re: find out an OS from the remote machine using nmap

'chris' — Wed, 26 Dec 2007 02:34:22 GMT

it's really very interesting that microsft uses on their download server linux:

# sinfp -i download.microsoft.com -p 443 -C -V
P1: B10113 F0x12 W5840 O0204ffff M1460
P2: B10113 F0x12 W5792 O0204ffff0402080affffffff4445414401030300 M1460
P3: B00000 F0 W0 O0 M0
IPv4: Linux 2.4.x, 2.6.x

*** File [sinfp4-127.0.0.1.anon.pcap] generation done.
*** Please send it to sinfp@gomor.org if you think this is not
*** the good identification, or if it is a new signature.
*** In this last case, please specify `uname -a' (or equivalent)
*** from the target host.

# ssh download.microsoft.com
The authenticity of host 'download.microsoft.com (195.49.93.202)' can't be established.
DSA key fingerprint is ee:33:bd:ac:7b:6e:bd:0b:60:6e:49:20:56:cb:00:d3.
Are you sure you want to continue connecting (yes/no)?

Re: find out an OS from the remote machine using nmap

'chris' — Wed, 26 Dec 2007 04:45:52 GMT

microsft download website it's outsourced at Akamai but anaway on linux.

Re: find out an OS from the remote machine using nmap

Jeeshan — Wed, 26 Dec 2007 06:46:07 GMT

HI chris

Run this command in linux to find out OS from CLI

#nmap -sT -O

Re: find out an OS from the remote machine using nmap

'chris' — Wed, 26 Dec 2007 07:31:47 GMT

thanks, but the nmap output is often a fingerprint:

OS:SCAN(V=4.20%D=12/26%OT=1%CT=23%CU=38968%PV=N%DS=8%G=Y%TM=477201E0%P=i386
OS:-portbld-freebsd6.2)SEQ(SP=105%GCD=1%ISR=107%TS=U)OPS(O1=M5B4%O2=M578%O3
OS:=M280%O4=M218%O5=M218%O6=M109)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=200
OS:0%W6=2000)ECN(R=Y%DF=N%T=47%W=2000%O=M5B4%CC=S%Q=RU)T1(R=Y%DF=N%T=47%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=N%T=47%W=2000%S=O%A=S+%F=ASF%O=M109%
OS:RD=0%Q=)T3(R=Y%DF=N%T=47%W=2000%S=O%A=O%F=ASF%O=M109%RD=0%Q=)T3(R=Y%DF=N
OS:%T=47%W=2000%S=O%A=S+%F=ASF%O=M109%RD=0%Q=)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S
OS:=Z%A=S+%F=AR%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=4
OS:0%TOS=0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=BD9D%RUL=G%RUD=G)IE(R=N)

knows someone howto read or decode nmap fingerprint using for example p0f ?

Re: find out an OS from the remote machine using nmap

dirk dierickx — Mon, 31 Dec 2007 10:32:15 GMT

that's because either the host you tried to scan has an OS that is not included yet in the 'database' of nmap,
or there were not enough ways to contact the host to get enough info to determine the correct OS.

what needs to be done in these cases is that you have to find out another way, and report it to the nmap developers. they will then add this fingerprint to the next release of nmap so it can be recognized from then on.

Re: find out an OS from the remote machine using nmap

Anshumali — Tue, 01 Jan 2008 10:02:37 GMT

Agree with SEP..
All: I doubt a single thing...if everyone starts putting the OS fingerprint at the development site and they keep on including it in next releases...somewhere it is defeating the purpose of securing your OS from possible attacks.

Re: find out an OS from the remote machine using nmap

dirk dierickx — Tue, 08 Jan 2008 08:02:53 GMT

security through obscurity doesn't work.

also, it's a tool, can be used for good or bad. if you like to highlight the bad usage that is _your_ way of looking at it.

it is a usefull tool if used for good, and that is where _i_ would like to put the highlight on.

a knife can be used for good or for bad, but for me, a knife is a useful good tool. i'm sure there are people who think knifes are all bad.

if your security measures consist on other parties not knowing which OS you're running, i think you have big problems.

Re: find out an OS from the remote machine using nmap

'chris' — Wed, 09 Jan 2008 00:46:46 GMT

my problem is why I should know that is:
I must programming some ftp and sftp scripts to transfer files to the remote server.
some of those partners server are outsourced.
sometimes is very difficult to find out the responsible administrator or they are to busy or due to the security reasons they don't want so quickly answer my questions.