Network Scanning

OS Detection

Knowing that some box on the network runs a web server is only half of the battle. You also want some details, such as whether it is an Apache HTTPD or Nginx, as well as which version. The same stands for the underlying OS.

Why should you be interested in things like this? There are several reasons. Consider a penetration testing scenario. You are trying to break into a system (with the owner's permission, of course) to see how difficult it is and how much time it takes. Knowing which software runs on the server is necessary to look up a vulnerability database for well-known exploits. And, you could be tuning a system to misrepresent itself to an external attacker. In this case, you could run Nmap against it to test if your measures have yielded the desired effect.

There are two ways to enable these features in Nmap. First, there is one big lever that turns on the advanced and aggressive Nmap options (-A). The word "aggressive" doesn't refer to the aggressive timing template we discussed along with the -T switch. It stands for OS detection, version scanning, script scanning, and traceroute. If you don't want all of this, you can turn on individual features with -O (OS detection), -sV (version scanning), and similar options [3].

Let us follow the second route. Take one of the hosts running a common service you've discovered in the preceding examples. You could also scan the whole subnet again, even aggressively with -A, but that would take somewhat longer.

$ sudo nmap -O -sV 192.168.1.35

Nmap also tries to guess the host's uptime. The man page [3] explains that this can't be done reliably, so this piece of data is only printed in verbose mode, which you enable by supplying Nmap the -v command-line option.

For Nmap to detect an OS, the target must have at least one open and one closed port; if that is not the case, the tool complains. Nmap also reports the device type (so you can tell a PC apart from a smartphone) and a freeform OS description. Most importantly, it tells you a Common Platform Enumeration (CPE) for the OS or service detected. CPE serves as a standardized, structured naming convention [4]. Have a look at this:

cpe:/o:google:android:2.2

Here, /o says that the item refers to an OS, google is the vendor's name, android is the product, and 2.2 is the version.
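The naming convention above is simple enough to parse by hand. The following Lua snippet is an added example (it is not code from the article or from the Nmap project) that splits a CPE 2.2 URI into its part, vendor, product and version fields, and then pulls every CPE out of a constructed block of Nmap normal output, which is the kind of inventory step a defender does after an -O -sV scan. The sample output, the function names and the part labels are my own; only the line formats follow what Nmap prints.

```lua
-- Added example (not from the article or the Nmap project): parse Nmap CPE strings.
-- A CPE 2.2 URI has the form cpe:/<part>:<vendor>:<product>[:<version>[:...]]
-- where <part> is o (operating system), a (application) or h (hardware).

local PART_NAMES = { o = "operating system", a = "application", h = "hardware" }

-- Returns a table with part, vendor, product and version fields,
-- or nil plus an error message if the string is not a CPE 2.2 URI.
local function parse_cpe(s)
  local part, vendor, product, version =
    s:match("^cpe:/([oah]):([^:]+):([^:]+):?([^:]*)")
  if not part then
    return nil, "not a CPE 2.2 URI: " .. tostring(s)
  end
  return {
    part    = PART_NAMES[part],
    vendor  = vendor,
    product = product,
    -- Nmap omits the version when it could not determine one.
    version = (version ~= "" and version) or nil,
  }
end

-- Constructed sample of Nmap normal output (not a real scan result);
-- the line formats follow what `nmap -O -sV` prints.
local SAMPLE = [[
Nmap scan report for 192.168.1.35
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Boa HTTPd 0.94.14rc21
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.8
]]

-- Pull every CPE out of a block of Nmap output and return the parsed list.
-- Tokens stop at whitespace, commas and semicolons, because Nmap separates
-- several CPEs on one line with ", ".
local function cpes_from_output(text)
  local found = {}
  for cpe in text:gmatch("cpe:/[^%s,;]+") do
    local parsed = parse_cpe(cpe)
    if parsed then found[#found + 1] = parsed end
  end
  return found
end

for _, c in ipairs(cpes_from_output(SAMPLE)) do
  print(string.format("%-16s vendor=%s product=%s version=%s",
    c.part, c.vendor, c.product, c.version or "unspecified"))
end
```

Run it with any Lua 5.x interpreter; with the constructed sample it prints two operating-system entries for linux/linux_kernel, the second carrying version 3. Feeding it real output from `nmap -O -sV -oN scan.txt` gives you a quick platform inventory that can be matched against the CPE dictionary [4].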

If your target has both open and closed ports, but Nmap can't detect the OS reliably, you'll be given a URL to submit the OS details (Figure 6). This is also an option if the OS is misidentified. Of course, you should only do this if you know which OS really runs on the host in question. This way, you help to make Nmap better for the whole world (Figure 7).

Figure 6: I always thought my home router ran Linux, but Nmap fails to support it. However, note it detected a Boa HTTPD.
Figure 7: If I knew for sure which Linux runs on my home router box, I'd submit the details here.

OS fingerprinting is a complex topic, but if you want to know what happens under the hood, Nmap Network Scanning provides a complete chapter on OS detection [5]. The book is the official guide to Nmap, and about half of its contents is freely available on Nmap's website. It's a worthwhile read even if you aren't interested in OS detection.

Scripting Nmap

Now, let's briefly cover one of the most powerful Nmap features: scripting. Notwithstanding the versatility of Nmap, there is always room for extension. You may want to check for a specific vulnerability or for custom software that is not widely available and thus not in the Nmap database.

The Nmap Scripting Engine (NSE) provides a way to do this. It lets you automate Nmap operations with scripts written in Lua. You can write your own scripts, use scripts written by others, or try any of the few hundred scripts that ship with Nmap.

All these scripts fall into several categories [6]. There are "safe" scripts, which shouldn't crash remote services or otherwise interfere with remote systems. There are also "intrusive" scripts, which you shouldn't run against services you do not want to lose.

Unless a script does version detection only (which puts it in the "version" category), it is either safe or intrusive. Scripts looking for a specific vulnerability or exploiting it go into "vuln" or "exploit," respectively.

There is also a special "default" category. It includes scripts that run reasonably fast, are not too intrusive, and provide some value to a general audience. These scripts run when you request Nmap to do a script scan with -sC, which is equivalent to --script=default, or with -A as we saw previously:

$ sudo nmap -sC 192.168.0.35

Default scripts don't spit out tons of information. The command above should yield a result similar to the one shown in Figure 8. Of course, Nmap doesn't run every default script against every host. Typically, scripts are host- or port-bound. For instance, the http-title script, which displays the main web page's title, runs only if port 80/TCP is open. Figure 8 also shows some SMB-related scripts (including one doing custom OS detection) that run only against SMB-enabled hosts.

Figure 8: Nmap running a whole arsenal of default scripts against a reasonably secured Windows 10 machine.

The --script switch is actually rather flexible. It accepts a script's name (with or without the .nse extension), a directory from which to run .nse scripts, a category (such as default above), or an expression. For example, --script "http-*" runs all scripts whose names begin with "http-", and --script "http-* and not intrusive" does the same but omits the intrusive ones. It is also possible to pass scripts their own arguments with --script-args. You can find more details at [3]. As a teaser, this is how you can brute force a MySQL server:

$ sudo nmap --script=mysql-brute -v $server_ip

If the above command yields something under "Valid credentials," you have some bad news for the $server_ip administrator.
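To show how the pieces described above (categories, host- or port-binding via a port rule, and --script-args) fit together in a script of your own, here is a small NSE script written for this article's discussion; it is an added example, not code from the article or from the Nmap project. The script name (http-header-audit), the argument name (http-header-audit.path) and the list of headers it checks for are my own choices. It fetches a single page and reports the Server banner plus any common hardening headers the response lacks, which makes it a safe, information-gathering check you can run against your own web servers.

```lua
-- Added example (not from the article or the Nmap project): a minimal NSE script.
-- The script name, the argument name and the header list are hypothetical choices.
-- Save as http-header-audit.nse and run it with, for example:
--   nmap --script ./http-header-audit.nse \
--        --script-args http-header-audit.path=/login <your-host>

local http      = require "http"
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Fetches one page from an HTTP service and reports the Server banner together
with any common hardening headers that are missing from the response.
]]

author     = "example author"
license    = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- "safe": a single GET request cannot harm the service.
-- "discovery": the script only gathers information.
-- "default" is deliberately left out, so -sC will not run this script.
categories = { "safe", "discovery" }

-- Port rule: run only where the port looks like HTTP (well-known web ports,
-- or a service that version detection identified as http).
portrule = shortport.http

-- Headers a reasonably hardened web server is expected to send.
local EXPECTED_HEADERS = {
  "strict-transport-security",
  "x-frame-options",
  "x-content-type-options",
  "content-security-policy",
}

action = function(host, port)
  -- Read the optional path from --script-args; default to the site root.
  -- SCRIPT_NAME is set by NSE to the script's own name.
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"

  local response = http.get(host, port, path)
  if not response or not response.status then
    return nil  -- no usable answer: print nothing, as most NSE scripts do
  end

  local output = stdnse.output_table()
  output.status = response.status
  -- http.get lower-cases header names, so these lookups are case-insensitive.
  output.server = response.header["server"] or "(not sent)"

  local missing = {}
  for _, name in ipairs(EXPECTED_HEADERS) do
    if not response.header[name] then
      missing[#missing + 1] = name
    end
  end
  output.missing_headers = (#missing > 0) and missing or "none"

  return output
end
```

Because the script is in the "safe" category, the expression --script "http-* and not intrusive" from above would include it once the file is placed in Nmap's scripts directory, whereas -sC would not, since "default" is not among its categories.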

Nmap is a network security tool, and security is a vast and complex topic. A false sense of security is sometimes worse than no security at all, and the worst thing you can do is to assume you are a security expert when you are actually not. This short introduction to Nmap isn't meant to be a substitute for a proper network security class, nor was it designed to help you break into your neighbors' computer systems. This being said, it is always good to know what's happening in your network, and Nmap is another worthwhile piece of the puzzle here.

Infos

  1. Nmap homepage: https://nmap.org
  2. Zenmap homepage: https://nmap.org/zenmap/
  3. Nmap man page: https://nmap.org/book/man.html
  4. Official CPE Dictionary: https://nvd.nist.gov/products/cpe
  5. Lyon, Gordon "Fyodor." Nmap Network Scanning, Nmap Project, 2009. Chapter 8, Remote OS Detection: https://nmap.org/book/osdetect.html
  6. Lyon, Gordon "Fyodor." Nmap Network Scanning, Nmap Project, 2009. Chapter 9, Nmap Scripting Engine: https://nmap.org/book/nse-usage.html#nse-categories

The Author

Valentine Sinitsyn works in a cloud infrastructure team and teaches students completely unrelated subjects. He also has a KDE Developer account he's never really used.
