The Operating System Fingerprinting Process

The operating system fingerprinting process takes place in a different order than what's shown in the structure of the fingerprint!


The operating system fingerprinting probes begin with Test 1 through Test 7, followed immediately by the UDP-based ICMP port unreachable test. The responses to these probes are compared to the T1-T7 fingerprints in the hopes of locating some likely matches.



T1-T7
Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56414 SYN SEQ=3375903318 LEN=0 WIN=2048
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56415     WIN=2048
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56416 SYN FIN URG SEQ=3375903318 LEN=0 WIN=2048
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56417     ACK=0 WIN=4096
[192.168.0.7] [192.168.0.3] TCP: D=1 S=56418 SYN SEQ=3375903318 LEN=0 WIN=2048
[192.168.0.7] [192.168.0.3] TCP: D=1 S=56419     ACK=0 WIN=4096
[192.168.0.7] [192.168.0.3] TCP: D=1 S=56420 FIN URG SEQ=3375903318 LEN=0 WIN=4096
[192.168.0.3] [192.168.0.7] TCP: D=56414 S=135 SYN ACK=3375903319 SEQ=1982576985 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56414 RST WIN<<10=0
[192.168.0.3] [192.168.0.7] TCP: D=56415 S=135 RST ACK=3375903318 WIN=0
[192.168.0.7] [192.168.0.3] UDP: D=1 S=56407  LEN=308
[192.168.0.3] [192.168.0.7] TCP: D=56416 S=135 SYN ACK=3375903319 SEQ=3856135382 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56416 RST WIN<<10=0
[192.168.0.3] [192.168.0.7] TCP: D=56417 S=135 RST WIN=0
[192.168.0.3] [192.168.0.7] TCP: D=56418 S=1 RST ACK=3375903319 WIN=0
[192.168.0.3] [192.168.0.7] TCP: D=56419 S=1 RST WIN=0
[192.168.0.3] [192.168.0.7] TCP: D=56420 S=1 RST ACK=3375903319 WIN=0
[192.168.0.3] [192.168.0.7] ICMP: Destination unreachable (Port unreachable)

Nmap then performs six TCP SYN scans to the open port. The resulting SYN/ACK responses are used to compare TCP initial sequence numbers, IP identification values, and TCP timestamp option sequences.

OS_SYN
Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56408 SYN SEQ=3375903319 LEN=0 WIN=3072
[192.168.0.3] [192.168.0.7] TCP: D=56408 S=135 SYN ACK=3375903320 SEQ=1634073962 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56408 RST WIN<<10=0
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56409 SYN SEQ=3375903320 LEN=0 WIN=1024
[192.168.0.3] [192.168.0.7] TCP: D=56409 S=135 SYN ACK=3375903321 SEQ=1378387651 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56409 RST WIN<<10=0
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56410 SYN SEQ=3375903321 LEN=0 WIN=2048
[192.168.0.3] [192.168.0.7] TCP: D=56410 S=135 SYN ACK=3375903322 SEQ=2771984018 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56410 RST WIN<<10=0
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56411 SYN SEQ=3375903322 LEN=0 WIN=2048
[192.168.0.3] [192.168.0.7] TCP: D=56411 S=135 SYN ACK=3375903323 SEQ=1187915667 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56411 RST WIN<<10=0
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56412 SYN SEQ=3375903323 LEN=0 WIN=3072
[192.168.0.3] [192.168.0.7] TCP: D=56412 S=135 SYN ACK=3375903324 SEQ=2260369583 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56412 RST WIN<<10=0
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56413 SYN SEQ=3375903324 LEN=0 WIN=3072
[192.168.0.3] [192.168.0.7] TCP: D=56413 S=135 SYN ACK=3375903325 SEQ=212338365 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56413 RST WIN<<10=0
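As an added example (not code from the book or from nmap), the following Python script parses the two traces above in the tracer's "Source Destination Summary" layout and reproduces the two comparisons the text describes: it maps the seven TCP probes and the UDP probe (T1-T7 and PU) to the target's reply type, matching replies by the probe's source port, and it extracts the target's initial sequence numbers from the six SYN/ACK replies and computes their 32-bit-wrapped deltas. The sample lines are copied from the traces on this page; the scanner address 192.168.0.7 is taken from them. The ISN classification is a deliberate simplification for illustration, not nmap's actual rule set, and the IP identification and TCP timestamp comparisons are not shown because the trace summaries do not carry those fields. From a monitoring standpoint, the same parser shows what the probe sequence looks like on the wire: seven oddly-flagged TCP segments and one UDP datagram from consecutive source ports, followed by six SYN/RST pairs to one open port.

```python
import re
from collections import OrderedDict

# Constructed input: the scanner/target lines from the T1-T7 trace above,
# in the tracer's "Source Destination Summary" layout (scanner 192.168.0.7).
T1_T7_TRACE = """
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56414 SYN SEQ=3375903318 LEN=0 WIN=2048
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56415     WIN=2048
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56416 SYN FIN URG SEQ=3375903318 LEN=0 WIN=2048
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56417     ACK=0 WIN=4096
[192.168.0.7] [192.168.0.3] TCP: D=1 S=56418 SYN SEQ=3375903318 LEN=0 WIN=2048
[192.168.0.7] [192.168.0.3] TCP: D=1 S=56419     ACK=0 WIN=4096
[192.168.0.7] [192.168.0.3] TCP: D=1 S=56420 FIN URG SEQ=3375903318 LEN=0 WIN=4096
[192.168.0.3] [192.168.0.7] TCP: D=56414 S=135 SYN ACK=3375903319 SEQ=1982576985 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56414 RST WIN<<10=0
[192.168.0.3] [192.168.0.7] TCP: D=56415 S=135 RST ACK=3375903318 WIN=0
[192.168.0.7] [192.168.0.3] UDP: D=1 S=56407  LEN=308
[192.168.0.3] [192.168.0.7] TCP: D=56416 S=135 SYN ACK=3375903319 SEQ=3856135382 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.3] TCP: D=135 S=56416 RST WIN<<10=0
[192.168.0.3] [192.168.0.7] TCP: D=56417 S=135 RST WIN=0
[192.168.0.3] [192.168.0.7] TCP: D=56418 S=1 RST ACK=3375903319 WIN=0
[192.168.0.3] [192.168.0.7] TCP: D=56419 S=1 RST WIN=0
[192.168.0.3] [192.168.0.7] TCP: D=56420 S=1 RST ACK=3375903319 WIN=0
[192.168.0.3] [192.168.0.7] ICMP: Destination unreachable (Port unreachable)
"""

# Constructed input: the six SYN/ACK replies from the OS_SYN trace above.
OS_SYN_REPLIES = """
[192.168.0.3] [192.168.0.7] TCP: D=56408 S=135 SYN ACK=3375903320 SEQ=1634073962 LEN=0 WIN=65535
[192.168.0.3] [192.168.0.7] TCP: D=56409 S=135 SYN ACK=3375903321 SEQ=1378387651 LEN=0 WIN=65535
[192.168.0.3] [192.168.0.7] TCP: D=56410 S=135 SYN ACK=3375903322 SEQ=2771984018 LEN=0 WIN=65535
[192.168.0.3] [192.168.0.7] TCP: D=56411 S=135 SYN ACK=3375903323 SEQ=1187915667 LEN=0 WIN=65535
[192.168.0.3] [192.168.0.7] TCP: D=56412 S=135 SYN ACK=3375903324 SEQ=2260369583 LEN=0 WIN=65535
[192.168.0.3] [192.168.0.7] TCP: D=56413 S=135 SYN ACK=3375903325 SEQ=212338365 LEN=0 WIN=65535
"""

LINE_RE = re.compile(r"\[([\d.]+)\]\s+\[([\d.]+)\]\s+(TCP|UDP|ICMP):\s*(.*)$")
FLAG_WORDS = {"SYN", "FIN", "URG", "PSH", "RST", "ACK"}

def parse_line(line):
    """Split one trace line into source, protocol, TCP flags and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, proto, summary = m.groups()
    flags, fields = set(), {}
    for tok in summary.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key == "ACK":            # "ACK=n" carries both the flag and the ack number
                flags.add("ACK")
            if val.isdigit():
                fields[key] = int(val)
        elif tok in FLAG_WORDS:         # bare words in the summary are TCP flags
            flags.add(tok)
    return {"src": src, "proto": proto, "flags": flags, "fields": fields, "summary": summary}

def flag_string(flags):
    return "/".join(f for f in ("SYN", "RST", "ACK", "FIN", "URG", "PSH") if f in flags) or "NULL"

def tcp_test_results(trace, scanner):
    """Map T1..T7 and PU to the target's reply type; replies are matched by probe source port."""
    pkts = [p for p in map(parse_line, trace.splitlines()) if p]
    probes = OrderedDict()              # source port -> first non-RST TCP probe from the scanner
    for p in pkts:
        if p["src"] == scanner and p["proto"] == "TCP" and "RST" not in p["flags"]:
            probes.setdefault(p["fields"]["S"], p)
    results = {}
    for n, sport in enumerate(probes, start=1):
        reply = next((p for p in pkts if p["src"] != scanner and p["proto"] == "TCP"
                      and p["fields"].get("D") == sport), None)
        results[f"T{n}"] = flag_string(reply["flags"]) if reply else "no response"
    got_icmp = any(p["proto"] == "ICMP" and p["src"] != scanner
                   and "Port unreachable" in p["summary"] for p in pkts)
    results["PU"] = "ICMP port unreachable" if got_icmp else "no response"
    return results

def isn_samples(trace, scanner):
    """Initial sequence numbers chosen by the target, in arrival order."""
    return [p["fields"]["SEQ"] for p in map(parse_line, trace.splitlines())
            if p and p["src"] != scanner and {"SYN", "ACK"} <= p["flags"]]

def isn_deltas(seqs):
    """Differences between consecutive ISNs, wrapped to the 32-bit sequence space."""
    return [(b - a) % 2**32 for a, b in zip(seqs, seqs[1:])]

def classify_isn(seqs):
    """Coarse ISN-generation class (a simplification, not nmap's exact rules)."""
    deltas = isn_deltas(seqs)
    if len(deltas) < 2:
        return "insufficient samples"
    if all(d == 0 for d in deltas):
        return "constant"
    if len(set(deltas)) == 1:
        return f"fixed increment of {deltas[0]}"
    if max(deltas) < 1_000_000:
        return "small positive increments"
    return "random"

if __name__ == "__main__":
    print(tcp_test_results(T1_T7_TRACE, "192.168.0.7"))
    seqs = isn_samples(OS_SYN_REPLIES, "192.168.0.7")
    print(seqs, isn_deltas(seqs), classify_isn(seqs))
```

Run against the page's own traces, the script reports SYN/ACK for T1 and T3, RST or RST/ACK for the other five TCP tests, an ICMP port unreachable for PU, and ISN deltas that jump across the whole 32-bit space, which is why this target lands in the "random" bucket rather than a constant or fixed-step one.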
Once these probes are complete, nmap has the information it needs to compare against the nmap-os-fingerprints file. If there's a match, nmap displays the operating system in its output. If there are multiple matches, nmap prints a message informing you of the multiple matches:

Too many fingerprints match this host to give specific OS details

If the operating system fingerprinting didn't find any matches, this message is displayed:

No OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi).

This web page contains an nmap fingerprint submission form for contributions to the nmap-os-fingerprints file. This page requests OS and classification information about the device, including an IP address so Fyodor can scan the device for additional fingerprint testing.

The operating system fingerprinting option needs to run as a privileged user. Otherwise this totally bogus message will appear, dude:

TCP/IP fingerprinting (for OS scan) requires root privileges which you do not appear to possess. Sorry, dude.