LINUXMAKER, OpenSource, Tutorials

OS and service identification with Nmap

OS identification and service identification are meant to find out which operating system is in use and which software provides the services offered, because you are generally looking for applications and operating systems that have known vulnerabilities.

Although Nmap is mainly a port scanner, it is very well suited for OS and service identification. Nmap contains a huge database with heuristics for the identification of operating systems and applications.
Sometimes Nmap's service scans reveal information about the destination that goes beyond the service and operating system. Some operating systems only run on certain hardware, which is why it is very easy to deduce the device type.

The version detection of Nmap establishes connections to many different services, which often leave entries in log files and can therefore be detected by intrusion detection systems.
Operating system detection also uses test packets and packet sequences that are easily recognized by an IDS.
In order to remain undetected, Nmap's service and operating system detection should be avoided. These functions are useful for a general network scan or pentest, but are not absolutely necessary for a successful attack. If it cannot be avoided, then you determine a single target system and then restrict the scan to a few ports.
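The log entries that version detection leaves behind can be searched for. The following is an added example, not part of the original tutorial: it flags source addresses in a web server access log whose request lines match HTTP-related probes from Nmap's nmap-service-probes file. The common log format, the function name find_scanners and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Request lines sent by HTTP-related probes in Nmap's nmap-service-probes file.
PROBES = {
    "GetRequest": re.compile(r"^GET / HTTP/1\.0$"),
    "HTTPOptions": re.compile(r"^OPTIONS / HTTP/1\.0$"),
    "RTSPRequest": re.compile(r"^OPTIONS / RTSP/1\.0$"),
    "FourOhFourRequest": re.compile(
        r"^GET /nice%20ports%2C/Tri%6Eity\.txt%2ebak HTTP/1\.0$"),
}
# Probes that ordinary web clients do not send; one hit is enough.
DISTINCTIVE = {"RTSPRequest", "FourOhFourRequest"}

# Assumed layout (common log format): ip ident user [time] "request" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" \d{3} \S+')

def find_scanners(lines, min_probes=2):
    """Map source IP -> sorted probe names for sources that look like nmap -sV."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a parsable access-log line
        ip, request = m.groups()
        for name, pattern in PROBES.items():
            if pattern.match(request):
                hits[ip].add(name)
    # A lone "GET / HTTP/1.0" also comes from monitors and old clients, so
    # require several distinct probes or at least one distinctive probe.
    return {ip: sorted(names) for ip, names in hits.items()
            if len(names) >= min_probes or names & DISTINCTIVE}

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.0" 200 612',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "OPTIONS / HTTP/1.0" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:10 +0000] "OPTIONS / RTSP/1.0" 400 226',
    '192.0.2.10 - - [01/Jan/2024:10:00:15 +0000] '
    '"GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 404 196',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET / HTTP/1.0" 200 612',
    '198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, probes in find_scanners(SAMPLE_LOG).items():
        print(ip, "sent version-detection probes:", ", ".join(probes))
```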

OS scan (OS detection)

nmap -O

This command tries to identify the special characteristics of the implementation of the operating system on the target system. A port scan is also carried out here.
The output contains a list of open ports, the suspected operating system and its version and, if possible, the device type. The OS scan on a target system can take a long time.

Service scan / version scan

nmap -sV

The service scan is basically a port scan that uses additional tests to identify the applications behind the open ports. The scan tries various application protocols on the ports that are considered "open" or "open|filtered". As a result, the scan can take a long time.
With the service scan you can find out which software works behind which port. This only works with a TCP full connect scan. A complete TCP connection is established in order to then address the software with various application protocols.
The service scan can take a long time. This depends, among other things, on the number of open ports.


nmap -sR

The RPC scan is a port scan that also sends RPC packets when Nmap detects an RPC service on a port. So you may get more information about the running services.
The RPC scan is already included in the service scan. This means that the RPC scan is only used separately if you specifically want to scan RPC services.

OS and service scan

The OS and service scan can also be combined:

nmap -O -sV

Nmap has a short form for this:

nmap -A

With the "-A" option, Nmap is very aggressive when it comes to OS and service identification. The output is very detailed and contains a traceroute in addition to the result of the OS and service identification.