This is the eighteenth post detailing my notes on Nmap Network Scanning.
Although the inner workings of OS detection are complex, it is very easy to use and the results are very comprehensive. Here is a scan against the Windows portion of my hacking lab (-O -v).
~# nmap -O -v 192.168.1.79
Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-31 11:15 BST
Initiating ARP Ping Scan at 11:15
Scanning 192.168.1.79 [1 port]
Completed ARP Ping Scan at 11:15, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:15
Completed Parallel DNS resolution of 1 host. at 11:15, 0.04s elapsed
Initiating SYN Stealth Scan at 11:15
Scanning lab.home (192.168.1.79) [1000 ports]
Discovered open port 443/tcp on 192.168.1.79
Discovered open port 139/tcp on 192.168.1.79
Discovered open port 25/tcp on 192.168.1.79
Discovered open port 80/tcp on 192.168.1.79
Discovered open port 21/tcp on 192.168.1.79
Discovered open port 445/tcp on 192.168.1.79
Discovered open port 135/tcp on 192.168.1.79
Discovered open port 1025/tcp on 192.168.1.79
Discovered open port 912/tcp on 192.168.1.79
Discovered open port 1433/tcp on 192.168.1.79
Completed SYN Stealth Scan at 11:15, 3.31s elapsed (1000 total ports)
Initiating OS detection (try #1) against lab.home (192.168.1.79)
adjust_timeouts2: packet supposedly had rtt of -81314 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -81314 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -106580 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -106580 microseconds. Ignoring time.
Nmap scan report for lab.home (192.168.1.79)
Host is up (0.029s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
912/tcp open apex-mesh
1025/tcp open NFS-or-IIS
1433/tcp open ms-sql-s
MAC Address: 00:0C:76:17:A4:17 (Micro-star International CO.)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
This scan can be enhanced with the -sV flag, which enables version detection. So which should we favour, OS detection or version detection? The book states:
The best answer is usually both. In some cases, such as a proxy firewall forwarding to an application on another host, the answers may legitimately differ. TCP/IP fingerprinting will identify the proxy while version scanning will generally detect the server running the proxied application. Even when no proxying or port forwarding is involved, using both techniques is beneficial. If they come out the same, this makes the results more credible. If they come out wildly different, investigate further to determine what is going on before relying on either. Since OS and version detection go together so well, the -A option enables them both.
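The book's advice to run both and compare them can be turned into a quick check. The script below is an added example written for this post; it is not part of Nmap and not the book's code. It parses Nmap's XML output (the -oX format, which carries the OS fingerprint as osclass elements and each probed service's ostype attribute), collects the OS family the stack fingerprint claims and the OS each version-detected service reports, and flags whether they agree or conflict. The embedded XML is a constructed sample modelled on the lab host above; the service product, version and ostype values in it are assumed for illustration and did not come from the original scan.

```python
"""Cross-check Nmap's -O stack fingerprint against its -sV service OS hints.

Added example (not Nmap's own code). Reads the XML produced by `nmap -A -oX -`
and reports whether the two detection methods agree, so that a conflict (the
proxy / port-forwarding case the book warns about) is noticed before the result
is relied on.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of -oX output, trimmed to the elements this script uses.
# Host address and OS match mirror the post's scan; the service product/version/
# ostype values are assumptions made for illustration.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX - 192.168.1.79">
  <host>
    <address addr="192.168.1.79" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="Microsoft ftpd" ostype="Windows" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="6.0" ostype="Windows" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" method="table" conf="3"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/>
        <service name="ms-sql-s" product="Microsoft SQL Server" ostype="Windows" method="probed" conf="10"/></port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows XP SP2 or SP3, or Windows Server 2003" accuracy="100">
        <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="XP" accuracy="100">
          <cpe>cpe:/o:microsoft:windows_xp</cpe>
        </osclass>
        <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="2003" accuracy="100">
          <cpe>cpe:/o:microsoft:windows_server_2003</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""

# Constructed variant of the same host where the stack fingerprint says Linux
# while the services still report Windows: the shape a proxy or port-forward
# in front of a Windows box would produce.
CONFLICT_XML = SAMPLE_XML.replace('osfamily="Windows"', 'osfamily="Linux"')


def parse_host(xml_text):
    """Return (OS families from the fingerprint, {port: service ostype or None})
    for the first host in an Nmap XML document."""
    host = ET.fromstring(xml_text).find("host")
    families = {oc.get("osfamily") for oc in host.iter("osclass")}
    services = {}
    for port in host.iter("port"):
        svc = port.find("service")
        if svc is None:
            continue
        # ostype is only set when version detection actually probed the service;
        # table-only matches (method="table") carry no OS hint.
        services[int(port.get("portid"))] = svc.get("ostype")
    return families, services


def compare(xml_text):
    """Classify agreement between the -O fingerprint and the -sV OS hints."""
    families, services = parse_host(xml_text)
    hints = Counter(o for o in services.values() if o)
    if not families:
        verdict = "no-fingerprint"        # -O found no match; rely on -sV alone
    elif not hints:
        verdict = "no-version-hints"      # nothing probed reported an OS
    elif set(hints) <= families:
        verdict = "agree"                 # every service OS is one the stack claims
    else:
        verdict = "conflict"              # investigate before trusting either
    return {"fingerprint": sorted(families),
            "service_hints": dict(hints),
            "verdict": verdict}


if __name__ == "__main__":
    for label, doc in (("lab host", SAMPLE_XML), ("proxied host", CONFLICT_XML)):
        print(label, compare(doc))
```

With real data, feed the file written by `nmap -A -oX scan.xml <target>` to `compare()`; a verdict of "conflict" is the cue the book gives to investigate further before relying on either result.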