Detecting Operating Systems

A really nice feature of Nmap is the ability to remotely detect OS versions. This is particularly useful for network asset inventory and OS patch management. For example, you may use Nmap OS detection to identify outdated or unauthorized systems on your networks. Nmap performs OS detection by probing the target host and analyzing the responses. Probes include TCP and UDP packets that examine OS specifics such as initial sequence numbers (ISN), TCP options, IP identifier (ID) numbers, timestamps, explicit congestion notification (ECN), and window sizes. Each OS has distinctive responses to the probes, which identify the OS and result in an OS fingerprint. The probes and response matches are located in the nmap-os-db file. Nmap will attempt to identify the following parameters:

• Vendor Name The vendor of the OS such as Microsoft or Sun.

• Operating System The underlying OS such as Windows, Mac OS X, Solaris.

• OS Generation The version of the OS such as Vista, XP, 2003, 10.5, or 10.

• Device Type The type of device such as general purpose, print server, media, router, WAP, or power device.