Posted: . At: 11:38 AM. This was 4 years ago. Post ID: 14476
Getting an operating system fingerprint is very easy with nmap.


Nmap scans remote systems for open ports and the services listening on them, which is the first step in working out how a host might be attacked. Its OS detection (-O) sends a series of crafted TCP, UDP and ICMP probes and compares how the target answers (initial TTL, window sizes, TCP option ordering, IP ID behaviour and so on) against the reference fingerprints in nmap-os-db. When nothing in the database matches and you know what the target actually is, Nmap prints the raw fingerprint so that it can be submitted and improve future matches.

This is the fingerprint Nmap produced for a device running Android 8.0, which it could not match (the full scan is shown further down). Submitting it at https://nmap.org/submit/ together with the OS name and version really helps the project.

OS:SCAN(V=7.80%E=4%D=7/8%OT=5060%CT=1%CU=41762%PV=Y%DS=1%DC=D%G=Y%M=30074D%
OS:TM=5F051662%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=I%II=
OS:I%TS=8)OPS(O1=M550ST11NW7%O2=M550ST11NW7%O3=M550NNT11NW7%O4=M550ST11NW7%
OS:O5=M550ST11NW7%O6=M550ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W
OS:6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M550NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)
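As an added example (written for this post, not code from Nmap or the original article), here is a small Python parser for the fingerprint format above. It rejoins the wrapped OS: lines, splits them into the individual tests (SCAN, SEQ, OPS, WIN, ECN, T1 to T7, U1, IE), decodes the TCP option string and a few of the fields people look at first, and can diff two parsed fingerprints, which is essentially what Nmap does attribute by attribute against nmap-os-db. The embedded fingerprint is the Android one above; the field meanings follow the Nmap OS-detection documentation.

```python
"""Parse the OS fingerprint Nmap prints when it finds no match.

Example code written for this post, not part of Nmap.  The fingerprint
below is the Android 8.0 one from the scan above; field meanings follow
the Nmap OS-detection documentation.
"""
import re

ANDROID_FP = """\
OS:SCAN(V=7.80%E=4%D=7/8%OT=5060%CT=1%CU=41762%PV=Y%DS=1%DC=D%G=Y%M=30074D%
OS:TM=5F051662%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=I%II=
OS:I%TS=8)OPS(O1=M550ST11NW7%O2=M550ST11NW7%O3=M550NNT11NW7%O4=M550ST11NW7%
OS:O5=M550ST11NW7%O6=M550ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W
OS:6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M550NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)
"""

# Each test is NAME(attr=value%attr=value...); values may be empty (O=, Q=).
TEST_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")
HEX = "0123456789ABCDEF"


def parse_fingerprint(text):
    """Rejoin the wrapped 'OS:' lines and return {test: {attr: value}}."""
    joined = "".join(l[3:].strip() for l in text.splitlines() if l.startswith("OS:"))
    tests = {}
    for name, body in TEST_RE.findall(joined):
        attrs = {}
        for pair in filter(None, body.split("%")):
            key, _, value = pair.partition("=")
            attrs[key] = value
        tests[name] = attrs
    return tests


def _take_hex(s, i):
    """Consume hex digits starting at s[i]; return (value, next index)."""
    j = i
    while j < len(s) and s[j] in HEX:
        j += 1
    return int(s[i:j], 16), j


def decode_options(opt):
    """Decode an option string such as M550ST11NW7 into readable items."""
    items, i = [], 0
    while i < len(opt):
        c, i = opt[i], i + 1
        if c == "M":                      # MSS, value in hex (0x550 = 1360)
            mss, i = _take_hex(opt, i)
            items.append("MSS=%d" % mss)
        elif c == "W":                    # window scale shift count
            ws, i = _take_hex(opt, i)
            items.append("WScale=%d" % ws)
        elif c == "T":                    # timestamp: TSval / TSecr nonzero flags
            items.append("TS(val=%s,ecr=%s)" % (opt[i], opt[i + 1]))
            i += 2
        elif c == "S":
            items.append("SACKok")
        elif c == "N":
            items.append("NOP")
        elif c == "L":
            items.append("EOL")
        else:
            raise ValueError("unknown option code %r in %r" % (c, opt))
    return items


def summarize(tests):
    """Pull out the fields a human looks at first."""
    ts = tests["SEQ"]["TS"]
    return {
        "initial_ttl": int(tests["T1"]["T"], 16),     # 0x40 = 64, typical of Linux
        "df_set": tests["T1"]["DF"] == "Y",
        "window": int(tests["WIN"]["W1"], 16),         # 0xFFFF
        "options": decode_options(tests["OPS"]["O1"]),
        "ip_id": tests["SEQ"]["TI"],                    # Z = IP ID field always zero
        "ts_hz_log2": int(ts) if ts.isdigit() else ts,  # 8 = ~256 Hz timestamp clock
        "ecn": tests["ECN"]["CC"] == "Y",               # ECE set in reply: ECN supported
        "closed_port_reply": tests["T5"]["F"],          # AR = RST+ACK to a SYN on a closed port
    }


def diff_fingerprints(a, b):
    """Attributes where two parsed fingerprints disagree (SCAN is metadata, skipped)."""
    diffs = []
    for name in sorted((set(a) | set(b)) - {"SCAN"}):
        aa, bb = a.get(name, {}), b.get(name, {})
        for key in sorted(set(aa) | set(bb)):
            if aa.get(key) != bb.get(key):
                diffs.append((name, key, aa.get(key), bb.get(key)))
    return diffs


if __name__ == "__main__":
    for k, v in summarize(parse_fingerprint(ANDROID_FP)).items():
        print("%-18s %s" % (k, v))
```

The values it extracts (initial TTL 64, a 65535 window, MSS 1360 with SACK, timestamps and window scale 7, zero IP IDs, ECN support) are what makes the device look like "some Linux" to Nmap without matching a specific entry; `diff_fingerprints` shows which attributes a candidate reference fingerprint would have to disagree on.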

The scan that produced it. -O requests OS detection, -T4 selects the aggressive timing template, and sudo is needed because the probes are raw packets that require root privileges:

jason@jason-desktop:~/Videos$ sudo nmap -T4 192.168.1.3 -O
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-08 10:41 AEST
Nmap scan report for 192.168.1.3
Host is up (0.0063s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
5060/tcp open  sip
5061/tcp open  sip-tls
MAC Address: 30:07:4D:CB:11:05 (Samsung Electro-mechanics(thailand))
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=7/8%OT=5060%CT=1%CU=41762%PV=Y%DS=1%DC=D%G=Y%M=30074D%
OS:TM=5F051662%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=I%II=
OS:I%TS=8)OPS(O1=M550ST11NW7%O2=M550ST11NW7%O3=M550NNT11NW7%O4=M550ST11NW7%
OS:O5=M550ST11NW7%O6=M550ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W
OS:6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M550NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.17 seconds

With -A (which turns on OS detection, version detection, the default NSE scripts and traceroute) Nmap pulls far more from an internet-facing server. -P0 is the old spelling of -Pn: skip host discovery and scan the address even if it does not answer pings.

jason@jason-desktop:~/Videos$ sudo nmap -A -T4 94.23.165.249 -P0

This is a sample of the output (the header lines are not shown, and the target's hostnames are redacted).

Host is up (0.31s latency).
Not shown: 982 filtered ports
PORT      STATE  SERVICE          VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp              Pure-FTPd
22/tcp    open   ssh              OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 b9:46:64:b1:33:9c:91:fd:f4:bd:6d:ee:64:53:85:b9 (DSA)
|   2048 48:d5:58:3b:0e:98:0e:a5:69:43:1f:b3:94:19:9c:f4 (RSA)
|   256 f8:67:4a:4e:5b:eb:ee:79:41:9e:36:06:73:7b:1d:a1 (ECDSA)
|_  256 38:1e:0a:2f:f4:24:84:7a:74:77:9c:65:6c:05:e4:13 (ED25519)
25/tcp    open   smtp             Postfix smtpd
|_smtp-commands: server1.#########.eu, PIPELINING, SIZE, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, AUTH=PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
|_ssl-date: TLS randomness does not represent time
53/tcp    open   domain           ISC BIND 9.9.5-3ubuntu0.19 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.9.5-3ubuntu0.19-Ubuntu
80/tcp    open   http             Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Herzlich Willkommen!
110/tcp   open   pop3             Dovecot pop3d
|_pop3-capabilities: USER CAPA SASL(PLAIN LOGIN) AUTH-RESP-CODE RESP-CODES PIPELINING UIDL TOP STLS
|_ssl-date: TLS randomness does not represent time
143/tcp   open   imap             Dovecot imapd (Ubuntu)
|_imap-capabilities: AUTH=LOGINA0001 ID capabilities OK post-login ENABLE IMAP4rev1 have LITERAL+ LOGIN-REFERRALS more SASL-IR listed Pre-login IDLE STARTTLS AUTH=PLAIN
|_ssl-date: TLS randomness does not represent time
443/tcp   open   ssl/http         Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=server1.#########.eu
| Subject Alternative Name: DNS:mail.#########.de, DNS:master1.#########.eu, DNS:server1.#########.eu
| Not valid before: 2020-05-18T09:00:31
|_Not valid after:  2020-08-16T09:00:31
|_ssl-date: TLS randomness does not represent time
465/tcp   open   ssl/smtps?
|_smtp-commands: Couldn't establish connection on port 465
|_ssl-date: TLS randomness does not represent time
587/tcp   open   smtp             Postfix smtpd
|_smtp-commands: server1.#########.eu, PIPELINING, SIZE, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
|_ssl-date: TLS randomness does not represent time
990/tcp   closed ftps
993/tcp   open   ssl/imaps?
|_ssl-date: TLS randomness does not represent time
995/tcp   open   ssl/pop3s?
|_ssl-date: TLS randomness does not represent time
3306/tcp  open   mysql            MySQL 5.5.62-0ubuntu0.14.04.1-log
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.62-0ubuntu0.14.04.1-log
|   Thread ID: 5953153
|   Capabilities flags: 63487
|   Some Capabilities: LongColumnFlag, DontAllowDatabaseTableColumn, Support41Auth, InteractiveClient, SupportsTransactions, IgnoreSpaceBeforeParenthesis, SupportsCompression, FoundRows, Speaks41ProtocolOld, Speaks41ProtocolNew, IgnoreSigpipes, ODBCClient, LongPassword, ConnectWithDatabase, SupportsLoadDataLocal, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: Z!3y.sz.sy'P@-b&5unL
|_  Auth Plugin Name: mysql_native_password
8080/tcp  open   ssl/http         Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-title: 400 Bad Request
|_Requested resource was /login/
| ssl-cert: Subject: commonName=server1.#########.eu
| Subject Alternative Name: DNS:mail.#########.de, DNS:master1.#########.eu, DNS:server1.#########.eu
| Not valid before: 2020-05-18T09:00:31
|_Not valid after:  2020-08-16T09:00:31
|_ssl-date: TLS randomness does not represent time
8081/tcp  open   http             Apache httpd 2.4.7
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Index of /
10000/tcp closed snet-sensor-mgmt
Aggressive OS guesses: Linux 3.2 - 3.8 (94%), Linux 3.2 (92%), Linux 2.6.32 - 3.13 (92%), Linux 2.6.32 - 3.1 (91%), OpenWrt 12.09-rc1 Attitude Adjustment (Linux 3.3 - 3.7) (91%), Linux 3.2 - 3.10 (91%), Linux 3.2 - 3.16 (91%), Olivetti 65C-9 printer (91%), Linux 3.5 (90%), Linux 2.6.32 - 2.6.39 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops
Service Info: Host:  server1.#########.eu; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Beyond confirming Apache 2.4.7, the banners give a fairly complete picture of the host. OpenSSH 6.6.1p1 at package revision 2ubuntu2.13, BIND 9.9.5-3ubuntu0.19, MySQL 5.5.62-0ubuntu0.14.04.1 and OS guesses centred on 3.x kernels all point to Ubuntu 14.04, whose standard support ended in April 2019 (only paid ESM subscribers were still receiving fixes in mid-2020). The output also exposes configuration, not just versions: MySQL is reachable on 3306 from the internet, both SMTP listeners advertise VRFY (which lets anyone confirm valid mailbox names), port 25 offers AUTH PLAIN LOGIN in its cleartext EHLO response, and the TLS certificate runs out on 2020-08-16. Version strings like these are the starting point for checking each service against known, unpatched vulnerabilities, which is how an attacker moves from enumeration to access, and they are exactly what the operator of the host should be reviewing. Note how much weaker OS detection is here than on the LAN example above: 15 hops away with 982 filtered ports, Nmap's best guess is "Linux 3.2 - 3.8 (94%)" and a printer appears among the candidates.
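To make that review repeatable, here is an added example (written for this post, not code from Nmap or the original article) that parses the service table of Nmap's normal output into an inventory and derives a few findings directly from what the scan shows: database listeners reachable from the scanning host, SMTP servers advertising VRFY or AUTH on the cleartext EHLO that the smtp-commands script sends, certificate lifetime relative to the scan date, and Ubuntu release numbers embedded in Debian-style package versions. The sample input is an excerpt of the scan above with the hostnames redacted; the scan date is assumed to be 2020-07-08, the date of the first scan, since the -A header is cut off.

```python
"""Turn the service table of an `nmap -A` normal-output scan into an inventory
plus a short list of exposure findings.  Example code written for this post,
not part of Nmap."""
import re
from datetime import date

# Excerpt of the -A scan from the post, hostnames redacted as the post does
# elsewhere; used here as constructed inline sample input.
SCAN = """\
PORT      STATE  SERVICE          VERSION
21/tcp    open   ftp              Pure-FTPd
22/tcp    open   ssh              OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
25/tcp    open   smtp             Postfix smtpd
|_smtp-commands: server1.#########.eu, PIPELINING, SIZE, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, AUTH=PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open   http             Apache httpd 2.4.7 ((Ubuntu))
443/tcp   open   ssl/http         Apache httpd 2.4.7 ((Ubuntu))
| ssl-cert: Subject: commonName=server1.#########.eu
| Not valid before: 2020-05-18T09:00:31
|_Not valid after:  2020-08-16T09:00:31
587/tcp   open   smtp             Postfix smtpd
|_smtp-commands: server1.#########.eu, PIPELINING, SIZE, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
990/tcp   closed ftps
3306/tcp  open   mysql            MySQL 5.5.62-0ubuntu0.14.04.1-log
|   Auth Plugin Name: mysql_native_password
"""

# Assumed: the -A output's header is not shown, so reuse the first scan's date.
SCAN_DATE = date(2020, 7, 8)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
DATABASE_PORTS = {3306: "mysql", 5432: "postgresql", 1433: "mssql",
                  27017: "mongodb", 6379: "redis"}


def parse_services(text):
    """Return one dict per port line; NSE script lines attach to the preceding port."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "service": service, "version": version, "scripts": []})
        elif line.startswith("|") and services:
            services[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return services


def findings(services, today=SCAN_DATE):
    """Derive (port, message) findings from open ports and their script output."""
    out = []
    for s in services:
        if s["state"] != "open":
            continue
        tag = "%d/%s" % (s["port"], s["proto"])
        if s["port"] in DATABASE_PORTS:
            out.append((tag, "database listener reachable from the scanning host"))
        for line in s["scripts"]:
            if line.startswith("smtp-commands:"):
                # The smtp-commands script connects without TLS, so anything
                # listed here was advertised in the clear.
                caps = {c.strip() for c in line.split(":", 1)[1].split(",")}
                if "VRFY" in caps:
                    out.append((tag, "VRFY enabled: valid mailbox names can be enumerated"))
                if any(c.startswith("AUTH") for c in caps):
                    out.append((tag, "AUTH advertised on a cleartext EHLO"))
            elif line.startswith("Not valid after:"):
                expiry = date.fromisoformat(line.split(":", 1)[1].strip()[:10])
                days = (expiry - today).days
                if days < 0:
                    out.append((tag, "certificate expired %d days ago" % -days))
                else:
                    out.append((tag, "certificate expires in %d days" % days))
    return out


def distro_hints(services):
    """Ubuntu release numbers from package versions such as 0ubuntu0.14.04.1."""
    hits = set()
    for s in services:
        for m in re.finditer(r"ubuntu0?\.(\d+\.\d+)", s["version"]):
            hits.add(m.group(1))
    return sorted(hits)


if __name__ == "__main__":
    svcs = parse_services(SCAN)
    print("Ubuntu release(s) seen in package versions:", distro_hints(svcs))
    for port, msg in findings(svcs):
        print("%-9s %s" % (port, msg))
```

The same parser works on a full normal-output file (`nmap -oN scan.txt ...`); for anything larger than a one-off, `-oX` plus an XML parser is the sturdier route, since the normal output is meant for humans and its layout is not guaranteed.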

