Network Scanning
OS Detection
Knowing that some box on the network runs a web server is only half of the battle. You also want some details, such as whether it is an Apache HTTPD or Nginx, as well as which version. The same goes for the underlying OS.
Why should you be interested in things like this? There are several reasons. Consider a penetration testing scenario. You are trying to break into a system (with the owner's permission, of course) to see how difficult it is and how much time it takes. Knowing which software runs on the server is necessary to look up well-known exploits in a vulnerability database. Or you could be tuning a system to misrepresent itself to an external attacker; in this case, you run Nmap against it to test whether your measures have had the desired effect.
There are two ways to enable these features in Nmap. First, there is one big lever to turn on advanced and aggressive Nmap options (-A). The word "aggressive" doesn't refer to the aggressive timing template we've discussed along with the -T switch. It stands for OS detection, version scanning, script scanning, and traceroute. If you don't want all of this, you can turn on individual features with -O (OS detection), -sV (version scanning), and other similar options [3].
Let us follow the second route. Take one of the hosts running a common service you've discovered in the preceding examples. You can just scan the whole subnet again as well, and even do it aggressively with -A, but it would take somewhat longer.
$ sudo nmap -O -sV 192.168.1.35
Nmap also tries to guess the host's uptime. The man page [3] explains it can't be done reliably, so this piece of data is only printed in verbose mode. To enable this mode, you supply Nmap the -v command-line option.
For Nmap to detect an OS, the target must have at least one open and one closed port; if that is not the case, the tool will complain. Nmap also reports the device type (so you can tell a PC apart from a smartphone) and a freeform OS description. Most importantly, it tells you a Common Platform Enumeration (CPE) for the OS or service detected. CPE serves as a standardized, structured naming convention [4]. Have a look at this:
cpe:/o:google:android:2.2
Here, /o says that the item refers to an OS, google is the vendor's name, android is the product, and 2.2 is the version.
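To show how the CPE naming convention above is used in practice, here is an added example (not code from the article or from Nmap) that parses CPE 2.2 names into their components and compares the platforms a scan reported against a list of expected ones. Only cpe:/o:google:android:2.2 comes from the article; the other CPE strings, the allow list, and the function names are constructed for the demonstration.

```python
"""Parse the CPE 2.2 names that Nmap prints in its -O / -sV output.

Added example, not code from the article or from Nmap itself. Only the
string cpe:/o:google:android:2.2 comes from the article; every other CPE
below is constructed for the demonstration.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# The seven components of a CPE 2.2 URI, in order, after the "cpe:/" prefix.
_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

# Meaning of the "part" component: /o, /a and /h in Nmap's output.
PART_NAMES = {"o": "operating system", "a": "application", "h": "hardware"}


@dataclass(frozen=True)
class CPE:
    part: str
    vendor: str
    product: str
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""

    @property
    def part_name(self) -> str:
        return PART_NAMES[self.part]


def parse_cpe(name: str) -> CPE:
    """Split a cpe:/... string into its components.

    Anything that is not a well-formed 2.2 URI raises ValueError, so a
    mangled line in scan output is noticed rather than silently mis-parsed.
    """
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    parts = name[len("cpe:/"):].split(":")
    if len(parts) > len(_FIELDS):
        raise ValueError(f"too many components in {name!r}")
    if len(parts) < 3 or "" in parts[:3]:
        raise ValueError(f"part, vendor and product are mandatory: {name!r}")
    # Components may be percent-encoded (for example "%20" for a space);
    # missing trailing components are simply empty.
    values = [unquote(p) for p in parts] + [""] * (len(_FIELDS) - len(parts))
    cpe = CPE(*values)
    if cpe.part not in PART_NAMES:
        raise ValueError(f"unknown part {cpe.part!r} in {name!r}")
    return cpe


def matches(observed: CPE, policy: CPE) -> bool:
    """True if every component set in `policy` equals the observed one.

    An empty policy component acts as a wildcard: cpe:/o:google:android
    matches any Android version, cpe:/o:google:android:2.2 only that one.
    """
    return all(getattr(policy, f) in ("", getattr(observed, f)) for f in _FIELDS)


def flag_unexpected(observed_names, allowed_names):
    """Return the observed CPE strings that match none of the allowed patterns.

    This is the defender's use of the CPE output: compare what a scan found
    with the platforms that are supposed to be on the network.
    """
    allowed = [parse_cpe(a) for a in allowed_names]
    return [n for n in observed_names
            if not any(matches(parse_cpe(n), a) for a in allowed)]


if __name__ == "__main__":
    android = parse_cpe("cpe:/o:google:android:2.2")
    print(android.part_name, android.vendor, android.product, android.version)
    # Constructed sample: what a scan might report versus an asset inventory
    # that only expects Linux hosts running Apache HTTPD.
    seen = ["cpe:/o:google:android:2.2", "cpe:/a:apache:http_server:2.4.57",
            "cpe:/o:linux:linux_kernel:5.15"]
    allowed = ["cpe:/o:linux:linux_kernel", "cpe:/a:apache:http_server"]
    print("unexpected:", flag_unexpected(seen, allowed))
```

An empty component in an allow-list entry acts as a wildcard, so an inventory can say "any Linux kernel" without listing versions; in a real deployment the allow list would come from your asset inventory rather than from literals in the script.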
If your target has both open and closed ports, but Nmap can't detect the OS reliably, you'll be given a URL to submit the OS details (Figure 6). This is also an option if the OS is misidentified. Of course, you should only do this if you know which OS really runs on the host in question. This way, you help to make Nmap better for the whole world (Figure 7).
OS fingerprinting is a complex topic, but if you want to know what happens under the hood, Nmap Network Scanning provides a complete chapter on OS detection [5]. The book is the official guide to Nmap, and about half of its contents is freely available on Nmap's website. It's a worthwhile read even if you aren't interested in OS detection.
Scripting Nmap
Now, let's briefly cover one of the most powerful Nmap features: Scripting. Notwithstanding the versatility of Nmap, there is always room for extension. You may want to check for a specific vulnerability or for custom software not widely available and thus not in the Nmap database.
The Nmap Scripting Engine (NSE) provides a way to do this. It facilitates automation of Nmap operation with scripts written in Lua. You can write your own scripts, use scripts written by others, or try any of the few hundred scripts that Nmap itself comes with.
All these scripts fall into several categories [6]. There are "safe" scripts, which shouldn't crash remote services or otherwise interfere with remote systems. There are also "intrusive" scripts, which you shouldn't run against services you do not want to lose.
Unless a script does version detection only (which makes it fall into the "version" category), it is either safe or intrusive. Scripts looking for a specific vulnerability or exploiting it go into "vuln" or "exploit," respectively.
There is also a special "default" category. It includes scripts that run reasonably fast, are not too intrusive, and provide some value to a general audience. These scripts run when you request Nmap to do a script scan with -sC, which is equivalent to --script=default, or with -A as we saw previously:
$ sudo nmap -sC 192.168.0.35
Default scripts don't spit out tons of information. The command above should yield a result similar to the one shown in Figure 8. Of course, Nmap doesn't run every default script against every host. Typically, scripts are host- or port-bound. For instance, the http-title script, which displays the main web page title, runs only if port 80/TCP is open. Figure 8 also shows some SMB-related scripts (including one doing custom OS detection) that run only against SMB-enabled hosts.
The --script switch is actually rather flexible. It accepts a script's name (with or without the .nse extension), a directory from which to run .nse scripts, a category (such as default above), or an expression. For example, --script "http-*" runs all scripts whose names begin with "http-", and --script "http-* and not intrusive" does the same but omits intrusive ones. It is also possible to pass scripts their own arguments with --script-args. You can find more details in [3]. As a teaser, this is how you can brute force a MySQL server:
$ sudo nmap --script=mysql-brute -v $server_ip
If the above command yields something under "Valid credentials," you have some bad news for the $server_ip administrator.
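The category rules and the --script expression syntax described above are easiest to understand by seeing which scripts an expression actually selects. The following added example (not code from the article or from Nmap) models that selection logic in Python over a small constructed script catalogue, so an expression such as "http-* and not intrusive" can be checked before a scan is run. The catalogue, its category assignments, and the function names are assumptions made for the demonstration; matching an atom against script names and category names in one step is a simplification of Nmap's own lookup, which the man page [3] documents.

```python
"""Model Nmap's --script selection rules over a small script catalogue.

Added example, not code from the article or from Nmap. The catalogue and
its category assignments are constructed to mirror the categories the
article describes; they are not Nmap's real script database.
"""
import fnmatch
import re

# Constructed catalogue: script name -> categories.
SCRIPTS = {
    "banner":           {"discovery", "safe"},
    "http-enum":        {"discovery", "intrusive"},
    "http-methods":     {"default", "discovery", "safe"},
    "http-title":       {"default", "discovery", "safe"},
    "mysql-brute":      {"brute", "intrusive"},
    "smb-os-discovery": {"default", "discovery", "safe"},
    "ssh-hostkey":      {"default", "discovery", "safe"},
}

# Tokens are parentheses or runs of non-space, non-parenthesis characters,
# so "http-*" and "(default" split correctly.
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


class _Parser:
    """Recursive-descent parser: not binds tightest, then and, then or."""

    def __init__(self, expression, scripts):
        self.tokens = _TOKEN.findall(expression)
        self.pos = 0
        self.scripts = scripts

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self):
        result = self.parse_and()
        while self.peek() == "or":
            self.take()
            result |= self.parse_and()
        return result

    def parse_and(self):
        result = self.parse_not()
        while self.peek() == "and":
            self.take()
            result &= self.parse_not()
        return result

    def parse_not(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok == "not":
            # "not X" selects every script in the catalogue that X does not.
            return set(self.scripts) - self.parse_not()
        if tok == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in (")", "and", "or"):
            raise ValueError(f"unexpected {tok!r}")
        return self.atom(tok)

    def atom(self, token):
        """Select scripts by name or by category, with shell-style wildcards.

        An optional .nse extension is ignored, as the article says. Matching
        names and categories in one step is a simplification of Nmap's own
        lookup order, which the man page [3] documents.
        """
        pattern = token[:-4] if token.endswith(".nse") else token
        return {name for name, cats in self.scripts.items()
                if fnmatch.fnmatchcase(name, pattern)
                or any(fnmatch.fnmatchcase(c, pattern) for c in cats)}


def select_scripts(expression, scripts=SCRIPTS):
    """Return the sorted script names an --script expression would select."""
    parser = _Parser(expression, scripts)
    selected = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"trailing input at {parser.peek()!r}")
    return sorted(selected)


if __name__ == "__main__":
    for expr in ("default", "http-*", "http-* and not intrusive",
                 "(http-* or mysql-*) and intrusive"):
        print(f"{expr!r:40} -> {select_scripts(expr)}")
```

Running the block prints the selection for each sample expression; the useful habit it illustrates is to confirm that an expression excludes the "intrusive" scripts before pointing it at a production service you cannot afford to disrupt.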
Nmap is a network security tool, and security is a vast and complex topic. A false sense of security is sometimes worse than no security at all, and the worst thing you can do is to assume you are a security expert when you are actually not. This short introduction to Nmap isn't meant to be a substitute for a proper network security class, nor was it designed to help you break into your neighbors' computer systems. This being said, it is always good to know what's happening in your network, and Nmap is another worthwhile piece of the puzzle here.
Infos
[1] Nmap homepage: https://nmap.org
[2] Zenmap homepage: https://nmap.org/zenmap/
[3] Nmap man page: https://nmap.org/book/man.html
[4] Official CPE Dictionary: https://nvd.nist.gov/products/cpe
[5] Lyon, Gordon "Fyodor." Nmap Network Scanning, Nmap Project, 2009. Chapter 8, Remote OS Detection: https://nmap.org/book/osdetect.html
[6] Lyon, Gordon "Fyodor." Nmap Network Scanning, Nmap Project, 2009. Chapter 9, Nmap Scripting Engine: https://nmap.org/book/nse-usage.html#nse-categories