Nmap’s OS Fingerprinting

Insecure.Org's Nmap fingerprinting tool identifies a base OS or service version number by its TCP/IP response’s unique characteristics. For example, an attacker might have a targeted exploit that works only on a machine running Windows NT 4.0 Service Pack 1 (SP1). The attacker could conduct port scanning and fingerprint huge ranges of IP addresses looking for (and collecting the addresses of) servers that fit this profile. Armed with a list of vulnerable machines, the attacker could return later to exploit these machines.

Using Nmap to fingerprint your network won’t address the vulnerabilities just described, but it will identify the level of information that an attacker can glean from your network. You can then take action based on this information, such as updating service packs, applying patches to limit the information provided, and standardizing on fewer variations of an OS (e.g., ensuring that all NT 4.0 installations are SP6a or that all Windows 2000 installations are SP2). Figure A shows sample Nmap output from Nmap fingerprinting a Win2K Server machine.

You use the Nmap command’s -O switch along with your TCP scanning option to enable fingerprinting. The database of OS signatures, nmap-os-fingerprints, comes with the Nmap download. Ask Nmap to rate the difficulty of predicting the remote system’s TCP sequencing function by adding the verbose switch, -v, to the fingerprinting option. This prediction rating indicates how difficult it would be for someone outside the system to forge TCP packets against the remote host. For detailed information about Nmap’s fingerprinting technologies, see Fyodor’s article "Remote OS detection via TCP/IP Stack Fingerprinting".