How can I detect the remote operating system?

  • Is it possible to detect the operating system type remotely from another system using any tools like nmap without admin privileges? What are the other alternatives for achieving this?

    More details please? You can use nmap to scan the target OS and it will make a good guess. PHP scripts can also do it using $_SESSION[HTTP_USER_AGENT], but they would have to visit the page.

    Here is a link that explains how nmap can perform OS detection and the appropriate command syntax. https://nmap.org/book/man-os-detection.html

    You might find the `p0f` utility useful for this sort of thing.

    No OS detection is performed when not using the root user, and no traceroute either. Yes, you will be able to perform an -A scan, but only with service discovery, just as you would with the -sV flag.

    Do you have a reference or a source that backs up the claim that "No OS detection is performed when not using root user"? This is the whole point of the question.

  • Using nmap:

    sudo nmap -O <target>

    Or if they block your ping probes you can do:

    sudo nmap -O <target> -Pn

    Sometimes you still get fake results, and then you should try an aggressive scan (which can be detected and blocked by the firewall).

    sudo nmap -A <target>

    OP asks explicitly for methods that work without admin privileges. I don't know why OP does, but this does not answer the question.

    If I use "sudo nmap -O " or "sudo nmap -A " it prompts for a password. My intention is to find the OS type without using admin privileges or any passwords.

    If I use "nmap -O -Pn" it replies with "TCP/IP fingerprinting (for os scan) requires root privileges."

  • You could use the -T4 option together with -A. No sudo is required (tested on Ubuntu).

    $ nmap -T4 -A 192.168.0.0/24

    Would return for instance:

     Nmap scan report for 192.168.0.95
     Host is up (0.00060s latency).
     Not shown: 996 closed ports
     PORT STATE SERVICE VERSION
     22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
     | ssh-hostkey: 1024 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (DSA)
     |_2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (RSA)
     80/tcp open http nginx 1.1.19
     |_http-title: 403 Forbidden
     |_http-methods: No Allow or Public header in OPTIONS response (status code 405)
     111/tcp open rpcbind
     | rpcinfo:
     | program version port/proto service
     | 100000 2,3,4 111/tcp rpcbind
     | 100000 2,3,4 111/udp rpcbind
     | 100003 2,3,4 2049/tcp nfs
     | 100003 2,3,4 2049/udp nfs
     | 100005 1,2,3 46448/tcp mountd
     | 100005 1,2,3 52408/udp mountd
     | 100021 1,3,4 35394/udp nlockmgr
     | 100021 1,3,4 57150/tcp nlockmgr
     | 100024 1 49363/tcp status
     | 100024 1 51515/udp status
     | 100227 2,3 2049/tcp nfs_acl
     |_ 100227 2,3 2049/udp nfs_acl
     2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
     Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

    The -A tells nmap to perform OS checking and version checking. The -T4 selects the timing template; these templates tell nmap how quickly to perform the scan. The timing template ranges from 0 for slow and stealthy to 5 for fast and obvious.
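    As an added example (not code from this thread), the Python parser below pulls the OS clues out of the unprivileged `nmap -T4 -A` output quoted above. It shows where that "OS: Linux" verdict actually comes from without root: the Service Info line and the "Debian 5ubuntu1" package suffix in the OpenSSH banner, both products of service/version probing (-sV), not of the root-only TCP/IP stack fingerprint (-O). The sample output is constructed from the answer's listing; `DISTRO_HINTS` and the function names are my own.

```python
import re

# Constructed sample: the banner-bearing lines from the unprivileged
# `nmap -T4 -A` listing quoted in the answer above (no -O data in here).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.0.95
Host is up (0.00060s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
80/tcp open http nginx 1.1.19
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
"""

# Distribution markers that vendors embed in patched package versions.
# Ubuntu's OpenSSH banner carries both "Debian" and "ubuntu" (it is built
# from the Debian package), so the Ubuntu marker is checked first.
DISTRO_HINTS = [("ubuntu", "Ubuntu"), ("debian", "Debian"),
                ("centos", "CentOS"), ("freebsd", "FreeBSD"),
                ("win32", "Windows")]

SERVICE_INFO_RE = re.compile(r"^Service Info:.*?\bOS: ([^;]+)")
CPE_RE = re.compile(r"cpe:/o:[^\s;]+")
PORT_LINE_RE = re.compile(r"^\d+/(?:tcp|udp)\s+open\s+\S+\s+(.*)$")

def os_hints_from_nmap_output(text):
    """Collect every OS clue in nmap's normal output that comes from
    service probes (-sV); nothing here needs the privileged -O probe."""
    hints = {"service_info_os": None, "os_cpe": [], "banner_hints": []}
    for line in text.splitlines():
        m = SERVICE_INFO_RE.match(line)
        if m:  # nmap's own summary of what the banners implied
            hints["service_info_os"] = m.group(1).strip()
            hints["os_cpe"].extend(CPE_RE.findall(line))
            continue
        m = PORT_LINE_RE.match(line)
        if m:  # a version banner: look for a distribution marker in it
            banner = m.group(1).lower()
            for token, distro in DISTRO_HINTS:
                if token in banner:
                    hints["banner_hints"].append((line.split()[0], distro))
    return hints

def best_guess(hints):
    """Family from Service Info, distribution from the first banner hint."""
    family = hints["service_info_os"] or "unknown"
    distros = [d for _, d in hints["banner_hints"]]
    return f"{family} ({distros[0]})" if distros else family

if __name__ == "__main__":
    hints = os_hints_from_nmap_output(SAMPLE_NMAP_OUTPUT)
    print(hints, "->", best_guess(hints))
```

    Feeding it the saved normal output (`nmap -oN`) of your own hosts shows which service banners disclose the distribution, which is the exposure a banner-hardening change would remove.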

  • You could use the nmap smb-os-discovery.nse script; it should for the most part give you the right answers. It doesn't work on some versions of Windows 10, though.

    nmap --script smb-os-discovery.nse -p445 127.0.0.1

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM