The nmap utility is very useful for scanning remote systems to find open ports and running services, which is the same information an attacker would use when looking for a way into the computer. If Nmap does not recognise the operating system fingerprint but you know which OS the host is running, the fingerprint can be submitted to the Nmap database to help improve the scanner.
This is a sample OS fingerprint for Android 8.0. Submitting this to the nmap database at https://nmap.org/submit/ will really help out the project.
```
OS:SCAN(V=7.80%E=4%D=7/8%OT=5060%CT=1%CU=41762%PV=Y%DS=1%DC=D%G=Y%M=30074D%
OS:TM=5F051662%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=I%II=
OS:I%TS=8)OPS(O1=M550ST11NW7%O2=M550ST11NW7%O3=M550NNT11NW7%O4=M550ST11NW7%
OS:O5=M550ST11NW7%O6=M550ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W
OS:6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M550NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)
```
This is how easy it is to get an idea of what OS is running on a remote machine.
```
jason@jason-desktop:~/Videos$ sudo nmap -T4 192.168.1.3 -O
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-08 10:41 AEST
Nmap scan report for 192.168.1.3
Host is up (0.0063s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
5060/tcp open  sip
5061/tcp open  sip-tls
MAC Address: 30:07:4D:CB:11:05 (Samsung Electro-mechanics(thailand))
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=7/8%OT=5060%CT=1%CU=41762%PV=Y%DS=1%DC=D%G=Y%M=30074D%
OS:TM=5F051662%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=I%II=
OS:I%TS=8)OPS(O1=M550ST11NW7%O2=M550ST11NW7%O3=M550NNT11NW7%O4=M550ST11NW7%
OS:O5=M550ST11NW7%O6=M550ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W
OS:6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M550NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.17 seconds
```
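To see what a submitted fingerprint actually encodes, here is an added Python parser (not part of the original post, and not Nmap's own code) that reassembles the wrapped OS: lines into the test groups SCAN, SEQ, OPS, WIN, ECN, T1 to T7, U1 and IE with their %-separated key=value attributes. It assumes the fingerprint format shown above and uses that Android 8.0 fingerprint as its input; the TTL and MAC-prefix helpers show two values that can be cross-checked against the scan report.

```python
import re

# Constructed input: the Android 8.0 fingerprint from the scan above,
# exactly as nmap prints it (wrapped, each line prefixed with "OS:").
SAMPLE_FINGERPRINT = """\
OS:SCAN(V=7.80%E=4%D=7/8%OT=5060%CT=1%CU=41762%PV=Y%DS=1%DC=D%G=Y%M=30074D%
OS:TM=5F051662%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=I%II=
OS:I%TS=8)OPS(O1=M550ST11NW7%O2=M550ST11NW7%O3=M550NNT11NW7%O4=M550ST11NW7%
OS:O5=M550ST11NW7%O6=M550ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W
OS:6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M550NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)
"""

# Each test group looks like NAME(key=value%key=value...).
TEST_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")

def parse_fingerprint(text):
    """Join the wrapped OS: lines and return {test_name: {attr: value}}.
    Attributes with no value (e.g. 'Q=' or 'O=') are kept as empty strings."""
    joined = "".join(ln[3:] for ln in text.splitlines() if ln.startswith("OS:"))
    tests = {}
    for name, body in TEST_RE.findall(joined):
        attrs = {}
        for item in filter(None, body.split("%")):
            key, _, value = item.partition("=")
            attrs[key] = value
        tests[name] = attrs
    return tests

def responded_probes(tests):
    """Names of probes the target answered (R=Y); T2 and T3 got no reply here."""
    return [name for name, attrs in tests.items() if attrs.get("R") == "Y"]

def initial_ttl(tests):
    """T is the initial IP TTL Nmap inferred, in hex; 0x40 = 64 is the
    Linux default, consistent with Android running a Linux kernel."""
    return int(tests["T1"]["T"], 16)

def mac_prefix(tests):
    """SCAN's M attribute is the target's OUI (first three MAC octets),
    here 30:07:4D, the Samsung prefix seen in the scan report's MAC line."""
    m = tests["SCAN"]["M"]
    return ":".join(m[i:i + 2] for i in range(0, 6, 2))
```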
The following nmap command also gathers useful information from a remote server.
```
jason@jason-desktop:~/Videos$ sudo nmap -A -T4 94.23.165.249 -P0
```
This is a sample of the output.
```
host is up (0.31s latency).
Not shown: 982 filtered ports
PORT      STATE  SERVICE          VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp              Pure-FTPd
22/tcp    open   ssh              OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 b9:46:64:b1:33:9c:91:fd:f4:bd:6d:ee:64:53:85:b9 (DSA)
|   2048 48:d5:58:3b:0e:98:0e:a5:69:43:1f:b3:94:19:9c:f4 (RSA)
|   256 f8:67:4a:4e:5b:eb:ee:79:41:9e:36:06:73:7b:1d:a1 (ECDSA)
|_  256 38:1e:0a:2f:f4:24:84:7a:74:77:9c:65:6c:05:e4:13 (ED25519)
25/tcp    open   smtp             Postfix smtpd
|_smtp-commands: server1.rhotec.eu, PIPELINING, SIZE, VRFY, ETRN, STARTTLS, AUTH PLAIN LOGIN, AUTH=PLAIN LOGIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: TLS randomness does not represent time
53/tcp    open   domain           ISC BIND 9.9.5-3ubuntu0.19 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3ubuntu0.19-Ubuntu
80/tcp    open   http             Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Herzlich Willkommen!
110/tcp   open   pop3             Dovecot pop3d
|_pop3-capabilities: USER CAPA SASL(PLAIN LOGIN) AUTH-RESP-CODE RESP-CODES PIPELINING UIDL TOP STLS
|_ssl-date: TLS randomness does not represent time
143/tcp   open   imap             Dovecot imapd (Ubuntu)
|_imap-capabilities: AUTH=LOGINA0001 ID capabilities OK post-login ENABLE IMAP4rev1 have LITERAL+ LOGIN-REFERRALS more SASL-IR listed Pre-login IDLE STARTTLS AUTH=PLAIN
|_ssl-date: TLS randomness does not represent time
443/tcp   open   ssl/http         Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=server1.#########.eu
| Subject Alternative Name: DNS:mail.rhotec.de, DNS:master1.rhotec.eu, DNS:server1.rhotec.eu
| Not valid before: 2020-05-18T09:00:31
|_Not valid after: 2020-08-16T09:00:31
|_ssl-date: TLS randomness does not represent time
465/tcp   open   ssl/smtps?
|_smtp-commands: Couldn't establish connection on port 465
|_ssl-date: TLS randomness does not represent time
587/tcp   open   smtp             Postfix smtpd
|_smtp-commands: server1.#########.eu, PIPELINING, SIZE, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: TLS randomness does not represent time
990/tcp   closed ftps
993/tcp   open   ssl/imaps?
|_ssl-date: TLS randomness does not represent time
995/tcp   open   ssl/pop3s?
|_ssl-date: TLS randomness does not represent time
3306/tcp  open   mysql            MySQL 5.5.62-0ubuntu0.14.04.1-log
| mysql-info:
|   Protocol: 10
|   Version: 5.5.62-0ubuntu0.14.04.1-log
|   Thread ID: 5953153
|   Capabilities flags: 63487
|   Some Capabilities: LongColumnFlag, DontAllowDatabaseTableColumn, Support41Auth, InteractiveClient, SupportsTransactions, IgnoreSpaceBeforeParenthesis, SupportsCompression, FoundRows, Speaks41ProtocolOld, Speaks41ProtocolNew, IgnoreSigpipes, ODBCClient, LongPassword, ConnectWithDatabase, SupportsLoadDataLocal, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: Z!3y.sz.sy'P@-b&5unL
|_  Auth Plugin Name: mysql_native_password
8080/tcp  open   ssl/http         Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-title: 400 Bad Request
|_Requested resource was /login/
| ssl-cert: Subject: commonName=server1.xxxxxx.eu
| Subject Alternative Name: DNS:mail.xxxxxx.de, DNS:master1.xxxxxx.eu, DNS:server1.xxxxxx.eu
| Not valid before: 2020-05-18T09:00:31
|_Not valid after: 2020-08-16T09:00:31
|_ssl-date: TLS randomness does not represent time
8081/tcp  open   http             Apache httpd 2.4.7
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Index of /
10000/tcp closed snet-sensor-mgmt
Aggressive OS guesses: Linux 3.2 - 3.8 (94%), Linux 3.2 (92%), Linux 2.6.32 - 3.13 (92%), Linux 2.6.32 - 3.1 (91%), OpenWrt 12.09-rc1 Attitude Adjustment (Linux 3.3 - 3.7) (91%), Linux 3.2 - 3.10 (91%), Linux 3.2 - 3.16 (91%), Olivetti 65C-9 printer (91%), Linux 3.5 (90%), Linux 2.6.32 - 2.6.39 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops
Service Info: Host: server1.#########.eu; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
I can see that it is running the Apache2 web server, and that there are numerous services running, as well as a lot of information about each running service. This could be used to gain access if a certain service had not been updated and had an unpatched vulnerability.
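From the defender's side, the same output is an inventory of what the host exposes and which versions are running. The following added Python (not from the post, and not Nmap's own code) parses the PORT/STATE/SERVICE/VERSION lines of a constructed, abridged excerpt of the output above and separates open services whose product and version Nmap identified, which can be checked against the vendor's current patch level, from those it could not confirm (a trailing '?' marks an unconfirmed service guess).

```python
import re

# Constructed, abridged excerpt of the normal-format output above
# (one NSE script block kept to show that such lines are skipped).
SAMPLE_SCAN = """\
PORT      STATE  SERVICE          VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp              Pure-FTPd
22/tcp    open   ssh              OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 38:1e:0a:2f:f4:24:84:7a:74:77:9c:65:6c:05:e4:13 (ED25519)
80/tcp    open   http             Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Herzlich Willkommen!
465/tcp   open   ssl/smtps?
3306/tcp  open   mysql            MySQL 5.5.62-0ubuntu0.14.04.1-log
10000/tcp closed snet-sensor-mgmt
"""

# port/proto  state  service  [version ...]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_services(text):
    """One dict per port line; the header and NSE output lines (starting
    with '|') are ignored because they do not match PORT_RE."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": (version or "").strip()})
    return rows

def exposure_report(rows):
    """Split open ports into (port, version) pairs whose product and version
    nmap identified, which can be checked against current patch levels,
    and ports whose service is unconfirmed (trailing '?' or no version)."""
    identified, unknown = [], []
    for r in rows:
        if r["state"] != "open":
            continue
        if r["version"] and not r["service"].endswith("?"):
            identified.append((r["port"], r["version"]))
        else:
            unknown.append(r["port"])
    return identified, unknown
```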