Recently I was doing some discovery at work of some systems we inherited. I didn’t yet have access but wanted to determine what type of OS was involved so I could coordinate with the proper teams.
You can often guess just by determining what ports are open, but the most efficient tool is the venerable nmap utility. Using the -O (OS detection) and -sV (check ports to determine service/version info) flags, you get a complete report.
Under the covers, nmap is running through a set of heuristics to determine what OS is most likely, based on what ports are open and on unique “fingerprinting” of the device’s IP stack. nmap maintains a database of over 2,000 IP fingerprints. Different operating systems set different values for things like initial TTL, max segment size, window scaling value, etc., and by analyzing the packets a host sends back, nmap can make an educated guess of what kind of OS is running.
It’s not 100% accurate, and nmap lacks the ability to say “this is definitely Windows Server 2012 with Service Pack 2 applied” or “this is definitely Debian 9 and not Debian 10,” because operating systems in the same family often use the same IP stack. But it is often an excellent start towards identification.
For example, here is output of a Windows Server which is also running MySQL (all examples in this article have been slightly reformatted in terms of line breaks to fit the site’s theme):
# nmap -O -sV x.x.x.x
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-17 11:02 PDT
Nmap scan report for x.x.x.x
Host is up (0.22s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
2701/tcp open  cmrcservice   Microsoft Configuration Manager Remote Control service (CmRcService.exe)
3306/tcp open  mysql         MySQL 5.1.60-community-log
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Aggressive OS guesses: Microsoft Windows Server 2016 (93%), Microsoft Windows Server 2008 R2 SP1 (92%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 10 1607 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8 (87%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (87%), Microsoft Windows 7 SP1 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 18 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.77 seconds
Here’s what a Debian 9 server I scanned looks like:
# time nmap -O -sV x.x.x.x
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-17 14:52 PDT
Nmap scan report for x.x.x.x
Host is up (0.0018s latency).
Not shown: 992 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
25/tcp   open  smtp        Postfix smtpd
80/tcp   open  http        nginx 1.10.3
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: EXAMPLE)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: EXAMPLe)
587/tcp  open  smtp        Postfix smtpd
3306/tcp open  mysql       MySQL 5.5.5-10.1.48-MariaDB-0+deb9u2
MAC Address: MM:MM:MM:MM:MM:MM (Asustek Computer)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: example.example.com; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds
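When you are doing this across more than a handful of inherited hosts, reading the human-readable report by eye stops scaling, and the "Aggressive OS guesses" versus "OS details" distinction above is exactly the thing you want a script to keep track of. The following is an added example, not code from this article or from the nmap project: it parses nmap's XML output (what you get with -oX, whose nmaprun/host/ports/port/service and host/os/osmatch/osclass element names are assumed here from nmap's documented format) and turns each host into a triage verdict that treats a 100% match as definitive and anything less as tentative, corroborated or not by the ostype hints that -sV attaches to banners such as "Microsoft Windows RPC". The embedded XML is constructed to resemble the two scans above and is not captured output.

```python
"""Parse nmap -oX output into OS guesses and open services (added example).

Not code from the article or from nmap; element names follow nmap's XML
output format. SAMPLE_XML below is constructed, not captured from a scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a Windows-like host with close-but-inexact guesses
# and a Debian-like host with one exact match (addresses from TEST-NET-1).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -oX - x.x.x.x" version="7.92">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="135"><state state="open"/>
<service name="msrpc" product="Microsoft Windows RPC" ostype="Windows"/></port>
<port protocol="tcp" portid="3389"><state state="open"/>
<service name="ms-wbt-server" product="Microsoft Terminal Services" ostype="Windows"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/></port>
</ports>
<os>
<osmatch name="Microsoft Windows Server 2016" accuracy="93">
<osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="2016" accuracy="93"/>
</osmatch>
<osmatch name="Microsoft Windows Server 2008 R2 SP1" accuracy="92">
<osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="2008" accuracy="92"/>
</osmatch>
</os></host>
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="7.4p1 Debian 10+deb9u7" ostype="Linux"/></port>
</ports>
<os>
<osmatch name="Linux 3.2 - 4.9" accuracy="100">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="100"/>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="100"/>
</osmatch>
</os></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per up host: address, open services, OS matches best-first."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no fingerprint data
        addr = host.find("address")
        info = {"addr": addr.get("addr") if addr is not None else "?",
                "services": [], "os_matches": []}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports have no version info
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            info["services"].append({"port": int(port.get("portid")),
                                     "proto": port.get("protocol"),
                                     "name": get("name", ""),
                                     "product": get("product", ""),
                                     "ostype": get("ostype", "")})
        for m in host.iter("osmatch"):
            info["os_matches"].append({
                "name": m.get("name"),
                "accuracy": int(m.get("accuracy", "0")),
                "families": sorted({c.get("osfamily", "") for c in m.iter("osclass")})})
        # nmap already lists guesses best-first; sort so callers can rely on it
        info["os_matches"].sort(key=lambda m: m["accuracy"], reverse=True)
        hosts.append(info)
    return hosts


def classify(host):
    """Triage verdict: the stack fingerprint is definitive only at 100%.

    Below that the top guess is kept but flagged as tentative. Banner
    ostype hints from -sV corroborate (or fail to corroborate) the family.
    """
    banner_hints = {s["ostype"] for s in host["services"] if s["ostype"]}
    if not host["os_matches"]:
        family = next(iter(banner_hints)) if len(banner_hints) == 1 else "unknown"
        return {"family": family, "accuracy": 0, "exact": False,
                "corroborated": family != "unknown"}
    top = host["os_matches"][0]
    family = top["families"][0] if top["families"] else "unknown"
    return {"family": family, "accuracy": top["accuracy"],
            "exact": top["accuracy"] == 100,
            "corroborated": family in banner_hints}


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(h["addr"], classify(h), [s["port"] for s in h["services"]])
```

To use it on a real scan, run `nmap -O -sV -oX scan.xml <target>` and pass the file contents to parse_nmap_xml(). The verdict keeps "exact" and "corroborated" as separate fields on purpose: in the Windows scan above, the fingerprint alone is only a 93% guess, but the RPC and Terminal Services banners independently say Windows, which is usually enough to route the ticket to the right team. The standard-library ElementTree parser is used here for brevity; when parsing XML you did not generate yourself, defusedxml's drop-in equivalent is the safer choice.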
And it’s really just that simple. Next time you have a system on your network but are not sure what it is, try nmap’s OS detection tool to get a pretty good guess.