Chapter 4: Operating System Fingerprinting

The operating system fingerprinting process is one of nmap's most powerful features. The fingerprinting process is impressive in its scope, and its capabilities are some of the most unique in the industry.

The OS fingerprinting process is not a port scan, although it works in conjunction with nmap's scanning processes. Nmap's operating system fingerprinting is based on a remote device's responses when it's sent a group of very specific packets. There will be subtle differences in the responses received from different operating systems under certain circumstances. If a particular operating system receives a TCP ACK frame to a closed port, it may react differently than other operating systems receiving the same frame. It's these minor response variations that allow nmap to build detailed "fingerprints" for different operating systems and devices.

Fyodor discusses the history and details of these packet types in his extensive paper describing the OS fingerprinting process. His research and experiences with these fingerprinting methods can be found at Fyodor discusses many different techniques for harvesting information from a remote device in this article, including methods that weren't included with nmap.

The OS fingerprinting process is not a version detection scan (-sV), although many methodologies between the two processes are similar. For example, both the version scan and the OS fingerprinting scan rely on the nmap scanning process to identify active devices and their available ports. However, The OS fingerprinting process uses techniques not found in version detection, such as a standard method of operating system probing and a modular operating system definition file.

Operating System Fingerprinting (-O) Operation Before the operating system fingerprinting process begins, nmap performs a normal ping and scan. During the nmap scan, nmap determines device availability and categorizes the ports on the remote device as open, closed, or filtered.

This list of port dispositions is important because the operating system fingerprinting process needs to query both open ports and closed ports to obtain accurate operating system fingerprints.

Once the open and closed ports are identified, nmap begins the OS fingerprinting procedure. The OS fingerprinting process consists of an operating system probe, followed by series of TCP handshakes that are used for testing responses to the TCP uptime measurement options, TCP sequence predictabilities, and IP identification sequence generation.

These simple tests are designed to gather extensive information about an operating system while using a minimum of network traffic.

It's extraordinary how much operating system information can be gathered from a device without authenticating or starting an application session. If a device is on the network with an IP address, some extremely simple and noninvasive tests will uncover amazing amounts of information!

A normal OS fingerprinting process will uncover the following information:
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP SP2
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental