Identify the OS on a remote host with nmap scan27.08.2112.02.24

```console
nmap -O -sV 10.1.1.13
```

How to determine OS of the remote host
28 January 2022 by Luke Reynolds

When performing digital reconnaissance or penetrating testing, it’s important to fingerprint a network by understanding what operating system is used on a remote a host.

Nmap is a great tool for this job. Although normally associated with the cybersecurity field and penetration testing, Nmap can also be used for benevolent purposes, such as a system administrator taking an inventory of what operating systems all the systems on his network are running.

Using nmap for this kind of job does not mean that you can identify remote OS with 100% accuracy, but nmap certainly equips you with a solid educated guess. In this tutorial, you will learn how to determine the operating system of a remote host by using Nmap on a Linux system.

In this tutorial you will learn:

How to install Nmap on major Linux distros
    How to use Nmap to do a simple scan
    How to use Nmap to determine OS of remote host

How to determine OS of the remote host
How to determine OS of the remote host
Software Requirements and Linux Command Line Conventions Category 	Requirements, Conventions or Software Version Used
System 	Any Linux system
Software 	Nmap
Other 	Privileged access to your Linux system as root or via the sudo command.
Conventions 	# – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user
How to install Nmap on major Linux distros

The tool we will be using to scan a remote host is Nmap. You can use the appropriate command below to install Nmap with your system’s package manager.

To install Nmap on Ubuntu, Debian, and Linux Mint:

$ sudo apt install nmap

To install Nmap on Fedora, CentOS, AlmaLinux, and Red Hat:

$ sudo dnf install nmap

To install Nmap on Arch Linux and Manjaro:

$ sudo pacman -S nmap

Perform a simple network scan with Nmap

When trying to determine OS of the remote host using nmap, nmap will base its guess on various aspects such as open and closed ports of default OS installation, operating system fingerprints already submitted to nmap database by other users, MAC address etc.

If you do not know what IP addresses are active on your LAN, you can, first, try to scan the entire subnet. For example, here I will scan my local subnet 10.1.1.*:

$ sudo nmap -sP 10.1.1.*

Sample output:

Nmap scan report for 10.1.1.1
Host is up (0.0026s latency).
MAC Address: C4:7D:4F:6F:3E:D2 (Cisco Systems)
Nmap scan report for 10.1.1.11
Host is up.
Nmap scan report for 10.1.1.13
Host is up (0.0020s latency).
MAC Address: 00:13:02:30:FF:EC (Intel Corporate)
Nmap scan report for 10.1.1.14
Host is up (0.0022s latency).
MAC Address: A8:26:D9:ED:29:8E (HTC)
Nmap scan report for 10.1.1.250
Host is up (0.0041s latency).
MAC Address: 00:23:EB:71:E0:F6 (Cisco Systems)
Nmap done: 256 IP addresses (5 hosts up) scanned in 35.37 seconds

From the output above, we can see all currently active IP addresses and we already can see some hints on what any particular host may be used for.
Identify OS on remote host

For nmap to even make a guess, nmap needs to find at least 1 open and 1 closed port on a remote host. Using the previous scan results, let us find out more about the host 10.1.1.13:

$ sudo nmap -O -sV 10.1.1.13

Sample output:

Nmap scan report for 10.1.1.13
Host is up (0.0073s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE              VERSION
22/tcp   open  ssh                  OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
53/tcp   open  domain               ISC BIND 9.7.3
80/tcp   open  http                 Apache httpd 2.2.16 ((Debian))
111/tcp  open  rpcbind (rpcbind V2) 2 (rpc #100000)
3389/tcp open  ms-wbt-server        xrdp
MAC Address: 00:13:02:30:FF:EC (Intel Corporate)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.32 - 2.6.35
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.57 seconds

From the output above, we can determine that this particular host is running some version of the Linux operating system. Based on the ssh version, it is most likely Debian 6 ( Squeeze ) with kernel version 2.6 and most likely the kernel version is somewhere between 2.6.32 – 2.6.35.

Even in cases where the operating system cannot be reliably determined, open ports are often the most revealing thing about a host system. Take the screenshot below as an example, where it’s easy to see that the host system is running Ubuntu, despite Nmap reporting that it is not sure what the OS could be.

https://linuxconfig.org/how-to-determine-os-of-the-remote-host

Anonymous

Identify the OS on a remote host with nmap scan27.08.2112.02.24

Information Epoch 1741981641