Operating System Detection

One powerful feature that separates Nmap from the other scanners discussed here is the ability to determine the operating system (OS) of the target host while performing a scan. When this feature is selected, Nmap sends a few dozen specially crafted packets to open and closed ports (if they were found during the initial scan) and carefully analyzes the responses. By comparing the results with a database of hundreds of different operating systems, Nmap is often able to determine the target system, or at least provide a reasonable guess. If the target supports TCP timestamps, Nmap is often able to determine the uptime of the host. This can be useful to differentiate between desktop machines and servers, or to see how out of date the OS kernel might be. A host with an uptime of many months or years has likely missed a number of important operating system security updates and may be ripe for further attention.

Tip

In order to accurately determine the target operating system, Nmap typically needs at least one open and one closed port on the target. Sometimes Nmap can find a match just using one or the other, but having both is always preferable.

To enable OS detection, add the -O flag to the scan command line. The following flags can be used in conjunction with OS detection to augment the results:

-v

This flag increases Nmap's verbosity. When used with -O, Nmap reports the results of its TCP Initial Sequence Number (ISN) and IP ID sequence analysis, which it otherwise keeps to itself. These metrics indicate how susceptible the target is to various forms of traffic spoofing. Targets reported as having incremental IP ID sequence generation are good candidates for use as idle-scan zombies (see Avoiding Detection).

--osscan-limit

This flag instructs Nmap to perform OS detection only on hosts with at least one open and one closed port, leading to more accurate results.

--fuzzy or --osscan-guess

This flag instructs Nmap to make guesses about potential target operating systems when an exact match cannot be found.

Depending on the OS being scanned and the state of ports found, the results of the OS detection can vary from very accurate, to broad, to no matches at all. Here are some results of an OS scan performed on my subnet using the following command:

sudo nmap -n -O 10.150.9.1-254

  • OS details: Linux 2.4.0 - 2.5.20, Linux 2.4.7 - 2.6.11

  • OS details: Microsoft Windows XP SP2

  • OS details: Linux 2.4.0 - 2.5.20, Uptime 23.032 days (since Tue May 23 13:44:25 2006)

  • OS details: Netscreen 5XP firewall+vpn (os 4.0.3r2.0)

  • Too many fingerprints match this host to give specific OS details

As you can see, the results vary in their precision, and sometimes no exact match can be obtained. However, the results are usually close enough to narrow the possibilities down significantly.
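Results like these are easier to act on when they are pulled from Nmap's XML output (-oX) rather than read off the screen. The script below is an added example, not code from this page or from the Nmap project. It applies the checks discussed above to each host: whether the match is exact or a guess, whether several fingerprints tied (the first host in the list), whether Nmap had both an open and a closed port to work with, the uptime reported when TCP timestamps are available, and whether the IP ID class marks the host as an idle-scan zombie candidate. The sample XML is constructed to mirror the hosts listed above and is not captured scan output; the STALE_UPTIME_DAYS threshold and the function names are this example's own assumptions.

```python
"""Triage Nmap OS-detection results from -oX output.

Produce the file with something like:
    sudo nmap -n -O -v --osscan-guess -oX osscan.xml 10.150.9.1-254
and pass its contents to triage(). Added example, not Nmap's own code.
"""
import xml.etree.ElementTree as ET

# Assumption of this example, not an Nmap value: a host up longer than this
# has probably missed kernel updates that only take effect after a reboot.
STALE_UPTIME_DAYS = 90

# Constructed sample (not real scan output) that mirrors the results listed
# in the text. Element names follow Nmap's XML output format.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -O -v -oX - 10.150.9.1-254">
  <host>
    <address addr="10.150.9.1" addrtype="ipv4"/>
    <os>
      <portused state="open" proto="tcp" portid="22"/>
      <portused state="closed" proto="tcp" portid="1"/>
      <osmatch name="Linux 2.4.0 - 2.5.20" accuracy="100" line="0"/>
      <osmatch name="Linux 2.4.7 - 2.6.11" accuracy="100" line="0"/>
    </os>
    <uptime seconds="1989966" lastboot="Tue May 23 13:44:25 2006"/>
    <ipidsequence class="Incremental" values="1A2B,1A2C,1A2D"/>
  </host>
  <host>
    <address addr="10.150.9.2" addrtype="ipv4"/>
    <os>
      <portused state="open" proto="tcp" portid="135"/>
      <osmatch name="Microsoft Windows XP SP2" accuracy="96" line="0"/>
    </os>
    <ipidsequence class="Randomized" values="4F21,0A9C,C3D0"/>
  </host>
  <host>
    <address addr="10.150.9.3" addrtype="ipv4"/>
    <os>
      <portused state="open" proto="tcp" portid="80"/>
      <portused state="closed" proto="tcp" portid="1"/>
    </os>
  </host>
</nmaprun>
"""


def _best_matches(os_el):
    """Return (top accuracy, names of every osmatch at that accuracy)."""
    if os_el is None:
        return 0, []
    matches = [(int(m.get("accuracy", "0")), m.get("name"))
               for m in os_el.findall("osmatch")]
    if not matches:
        return 0, []
    top = max(acc for acc, _ in matches)
    return top, [name for acc, name in matches if acc == top]


def triage(xml_text, stale_days=STALE_UPTIME_DAYS):
    """Summarise each host's OS-detection result as a dict."""
    results = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        os_el = host.find("os")
        top, names = _best_matches(os_el)
        used = set()
        if os_el is not None:
            used = {p.get("state") for p in os_el.findall("portused")}
        uptime_el = host.find("uptime")
        uptime_days = None
        if uptime_el is not None:
            uptime_days = round(int(uptime_el.get("seconds")) / 86400, 3)
        ipid_el = host.find("ipidsequence")
        ipid_class = ipid_el.get("class") if ipid_el is not None else None
        results.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "best_match": names[0] if names else None,
            "candidates": names,
            "accuracy": top,
            # below 100% the match is a guess (what --osscan-guess surfaces)
            "exact": top == 100,
            # several fingerprints tied: Nmap lists them all, as in the text
            "ambiguous": len(names) > 1,
            # the Tip: one open and one closed port gives the reliable result
            "both_port_states": {"open", "closed"} <= used,
            "uptime_days": uptime_days,
            "stale": uptime_days is not None and uptime_days > stale_days,
            "ipid_class": ipid_class,
            # an idle scan needs a zombie with incremental IP ID generation
            "idle_scan_candidate": ipid_class is not None
            and "incremental" in ipid_class.lower(),
        })
    return results


def report(results):
    """One line per host with the flags a practitioner would act on."""
    lines = []
    for h in results:
        flags = [k for k in ("ambiguous", "stale", "idle_scan_candidate") if h[k]]
        if not h["both_port_states"]:
            flags.append("single-port-state")
        if h["best_match"] and not h["exact"]:
            flags.append("guess")
        match = h["best_match"] or "no match"
        up = f"{h['uptime_days']}d" if h["uptime_days"] is not None else "-"
        lines.append(f"{h['addr']:<14} {match} ({h['accuracy']}%) "
                     f"uptime={up} flags={','.join(flags) or 'none'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_XML))))
```

Feed the output of a real scan with `triage(open("osscan.xml").read())`. The `single-port-state` flag is the one to look at first: a match produced without both an open and a closed port is exactly the kind that --osscan-limit would have skipped, and, as the Warning below shows, even an exact match can name a more specific version than the fingerprint justifies.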

Warning

Beware overly specific OS versions, especially on more obscure operating systems. The device previously listed as a NetScreen 5XP running 4.0.3r2.0 is in fact a NetScreen 5XT running 5.0.0r7.0. Nmap's OS database comes primarily from user submissions, and sometimes the OS provided is more specific than the fingerprint warrants.