Advantages of Operating System Fingerprinting
The operating system fingerprinting process provides detailed information about the operating system running on a device. In some cases, the exact version number of the operating system and detailed hardware information can be determined with the OS fingerprinting option.

Some organizations have policies forbidding certain operating systems from attaching to the network. The OS fingerprinting option can assist with locating systems that are out of compliance, and can also provide information about the operating system running on the "rogue" station. When this option is combined with the version scan (-sV), specific services can also be checked for compliance.


The OS fingerprinting process is a simple set of queries, and most of the frames are relatively harmless. It's amazing the level of detail that can be determined based on the nuances of simple packet responses from another device. This process never opens an application session, which makes the results even more amazing!


Disadvantages of Operating System Fingerprinting
The OS fingerprinting process requires privileged user access. This scan will not run if a non-privileged user attempts to use the -O option.

Although there are only about thirty frames that traverse the network during an OS fingerprinting process, some of the frames used to query the remote device are frame types that would never occur on a normal network. For example, it's unusual to see a frame with the SYN, FIN, PSH, and URG flags that would also include numerous TCP options. A trained eye will quickly identify these unusual frames, assuming that someone is watching the network during that timeframe.
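
As an added example (not part of the original text), here is one way a defender could flag such frames in captured traffic. It generalizes slightly: any TCP header with both SYN and FIN set is reported, since a segment that opens and closes a connection at once does not occur in normal traffic. The sample headers, option values, and function names are constructed for illustration.

```python
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20

def parse_tcp(header: bytes):
    """Return (flags, option_kinds) parsed from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!H", header[12:14])[0]
    hdr_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    if hdr_len < 20 or hdr_len > len(header):
        raise ValueError("bad data offset")
    opts, kinds, i = header[20:hdr_len], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # NOP is a single byte
            kinds.append(kind)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        kinds.append(kind)
        i += opts[i + 1]
    return off_flags & 0x3F, kinds

def classify(header: bytes) -> str:
    """Label one TCP header as normal, suspicious or malformed."""
    try:
        flags, kinds = parse_tcp(header)
    except ValueError as exc:
        return f"malformed: {exc}"
    if flags & SYN and flags & FIN:          # open and close in one segment
        extra = " with PSH+URG" if flags & PSH and flags & URG else ""
        return f"suspicious: SYN+FIN{extra}, {len(kinds)} options"
    return "normal"

def build(flags: int, options: bytes = b"") -> bytes:
    """Construct a sample TCP header (checksum left at zero)."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary
    off = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                       (off << 12) | flags, 1024, 0, 0) + options

# Constructed samples: window scale, NOP, MSS and timestamp options.
MANY_OPTS = b"\x03\x03\x0a\x01\x02\x04\x01\x09\x08\x0a" + b"\xff" * 8
PROBE = build(SYN | FIN | PSH | URG, MANY_OPTS)
NORMAL_SYN = build(SYN, b"\x02\x04\x05\xb4")
```

Calling classify() on PROBE reports the SYN+FIN combination and the option count, while NORMAL_SYN is reported as normal.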


When to use Operating System Fingerprinting
The operating system fingerprinting option is often integrated into many organizations' compliance checks. If an outdated or unexpected operating system is seen on the network, the security group can follow their policies to identify and remove the noncompliant station from the network.

In some cases, a particular operating system may have known vulnerabilities that need to be patched. The OS fingerprinting process can assist with locating all of the specific operating system versions on the network, ensuring that the organization's vulnerable holes will be patched.

If nmap can identify this level of operating system detail without ever launching an application session or authenticating, then anyone else on the network can obtain the same information! The OS fingerprinting process can help the security team understand what everyone else can see, which will assist in making the network and firewall infrastructure even more secure.


Limit Operating System Scanning (--osscan_limit)
The operating system fingerprinting process is most accurate when both open ports and closed ports are available for testing. If only one type of port is available, the fingerprinting process will not be as precise. In this situation, nmap provides a warning message:
Warning:  OS detection will be MUCH less reliable because 
we did not find at least 1 open and 1 closed TCP port
The fingerprinting process will still function, but the results will not be optimal.

If the fingerprinting process needs to be as accurate as possible, the --osscan_limit option will abort OS fingerprinting if both open and closed ports aren't available. This will ensure that OS fingerprinting will run only if the conditions are perfect. This also saves time if a remote device is identified but the port disposition is in question because of firewalls or packet throttling on the remote device.

If many devices will be scanned, this option can save a lot of time!



More Guessing Flexibility (--osscan_guess, --fuzzy)
The --osscan_guess option is relatively unknown, but that's probably because it's not well documented. A section in the CHANGELOG refers to the option as "secret." The --fuzzy option is an alias for --osscan_guess.

The --osscan_guess option forces nmap to "guess" when operating system fingerprinting can't find a perfect match. Occasionally, nmap will decide to invoke this option automatically if certain parameters are met.


Additional, Advanced, and Aggressive (-A)
The aptly named Additional, Advanced, and Aggressive option (-A) is a shortcut for running both the operating system fingerprinting process (-O) and the version scanning process (-sV) during the same nmap scan. This shortcut still requires a port scan to locate open and closed ports, but there's only one abbreviation to remember if both options are required.

The -A option only adds the operating system fingerprinting and version detection options. It doesn't change or add any scan types or option settings.

According to the nmap man page, Fyodor reserves the right to expand on this option in the future. Currently, this option is intended to be a time saver, and nothing more.