Nmap uses TCP/IP stack fingerprinting for OS detection.This is done by crafting custom TCP and UDP packets and analyzing their responses. After generating various such probes and comparing the results to the Nmap-os-db database of more than 2,600 known OS fingerprints and provides the OS version. The fingerprint provides details such as the vendor name, OS name, OS generation, device type, and also their Common Platform Enumeration (CPE) representation. Nmap also provides an option for the user to submit the fingerprint obtained if it is not present in the Nmap database of operating signatures:
- -O (Enable OS detection): This enables OS detection for an Nmap scan. This flag further has options that can be used in conjunction with it.
- --osscan-limit: This option will reduce the scan time when a list of hosts is being scanned by skipping the hosts with no ports open for OS detection, thereby providing faster results for live hosts.
- --osscan-guess; --fuzzy: If Nmap is not able to identify the OS, it tries to provide the closest signature, and the similarities between the signatures should be very high. The flags listed here will allow Nmap to guess more aggressively whether the exact OS has been found.
- --max-os-tries: Nmap by default retries five times if the operating system probe is not able to identify a perfect match. This will allow the users to limit these tries and thus save a lot of scan time.