Although all systems use standards to communicate, every operating system implements those standards in subtle and unique ways. These differences allow nmap to determine what kind of equipment or what type of operating system is running on a remote device.
The nmap-os-fingerprints file is a collection of these unique responses. This collection is referenced during an nmap scan when the operating system fingerprinting (-O) option is selected. If nmap scans a device and the responses match a known fingerprint, the name of the device and operating system version will be displayed.
This is the fingerprint of a Cisco voice over IP telephone:
-----
Fingerprint Cisco 7960 SIP Phone running OS 4.2
Class Cisco | embedded || VoIP phone
TSeq(Class=TD%gcd=<2A004%SI=<28%IPID=I%TS=U)
T1(DF=N%W=3E8%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T4(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
-----

Fyodor has written a comprehensive paper discussing the details of the OS fingerprinting process and the nmap fingerprints. The paper can be viewed here:
If a device does not appear in the nmap-os-fingerprints file and nmap is able to decisively "read" the fingerprint, a URL will be provided to contribute this new fingerprint to nmap's collection.
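To make the fingerprint format concrete, here is an added example (not Nmap's own matcher, and not from the original text) that parses the first-generation entry shown above into its Class fields and per-test attributes, then scores a response set against it. The scoring rules it implements are the ones visible in the entry itself: plain values must match exactly, '|' separates alternatives, and a '<' or '>' prefix bounds a hexadecimal value. The observed response set is constructed for the example; current Nmap releases use the second-generation format in nmap-os-db, so this parser only reads the older layout quoted on this page.

```python
"""Parse a first-generation nmap-os-fingerprints entry and score an observed
TCP/IP response set against it.  Added example, not Nmap's own matcher."""
import re

# The Cisco 7960 entry quoted in the text, one test per line.
CISCO_7960 = """\
Fingerprint Cisco 7960 SIP Phone running OS 4.2
Class Cisco | embedded || VoIP phone
TSeq(Class=TD%gcd=<2A004%SI=<28%IPID=I%TS=U)
T1(DF=N%W=3E8%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T4(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
"""

TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")   # e.g. T1(DF=N%W=3E8%...)


def parse_fingerprint(text):
    """Return {'name', 'class': [vendor, family, generation, device type],
    'tests': {test name: {attribute: expected value}}}."""
    fp = {"name": None, "class": None, "tests": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            fp["name"] = line[len("Fingerprint "):]
        elif line.startswith("Class "):
            fp["class"] = [f.strip() for f in line[len("Class "):].split("|")]
        else:
            m = TEST_LINE.match(line)
            if not m:
                raise ValueError("unrecognised fingerprint line: " + line)
            name, body = m.groups()
            attrs = {}
            for kv in body.split("%"):
                if kv:                      # tolerate a trailing '%'
                    key, _, value = kv.partition("=")
                    attrs[key] = value
            fp["tests"][name] = attrs
    return fp


def attr_matches(expected, observed):
    """One observed value against one fingerprint expression.  Expressions may
    list alternatives with '|' and bound a hex value with '<' or '>'."""
    for alt in expected.split("|"):
        if alt[:1] in ("<", ">"):
            try:
                bound, value = int(alt[1:], 16), int(observed, 16)
            except ValueError:
                continue                    # observed value is not numeric
            if (alt[0] == "<" and value < bound) or (alt[0] == ">" and value > bound):
                return True
        elif alt == observed:
            return True
    return False


def score(fp, observed):
    """(matched, total) attribute counts over the tests both sides report."""
    matched = total = 0
    for test, attrs in fp["tests"].items():
        if test not in observed:
            continue
        for key, expected in attrs.items():
            total += 1
            if key in observed[test] and attr_matches(expected, observed[test][key]):
                matched += 1
    return matched, total


def constructed_observation():
    """A made-up response set: like the phone, but with concrete TSeq numbers
    inside the fingerprint's bounds and a T1 window that does not match."""
    obs = {t: dict(a) for t, a in parse_fingerprint(CISCO_7960)["tests"].items()}
    obs["TSeq"]["gcd"] = "1F40"     # 0x1F40 < 0x2A004
    obs["TSeq"]["SI"] = "10"        # 0x10 < 0x28
    obs["T1"]["W"] = "4000"         # expected 3E8: one mismatch
    return obs


if __name__ == "__main__":
    fp = parse_fingerprint(CISCO_7960)
    print(fp["name"], fp["class"])
    print("matched %d of %d attributes" % score(fp, constructed_observation()))
```

Run as a script it reports 42 of 43 attributes matched for the constructed response set; a real matcher would rank every fingerprint in the file by such a score and only report a name when the best score is decisively ahead, which is the situation in which nmap offers the contribution URL described above.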
In the TCP/IP protocol architecture, TCP, UDP, and ICMP are usually described as riding "on top of" IP. IP is the foundation of the communication, and TCP, UDP, and ICMP are three of the protocols that work at a higher layer to accomplish their jobs. In fact, there are over one hundred and thirty different IP-based protocols. Each protocol is assigned a number, and this number is listed in the IP header. TCP is 6, UDP is 17, and ICMP is 1.
The nmap-protocols file is used during the IP protocol scan (-sO) to assign a known name to any protocols that might be found during the scan. If IP protocol number 8 responds to a scan, the nmap-protocols file is referenced:
-----
tcp          6   TCP           # Transmission Control
cbt          7   CBT           # CBT
egp          8   EGP           # Exterior Gateway Protocol
igp          9   IGP           # any private interior gateway (used by Cisco for their IGRP)
bbn-rcc-mon  10  BBN-RCC-MON   # BBN RCC Monitoring
nvp-ii       11  NVP-II        # Network Voice Protocol
-----

IP number 8 refers to Exterior Gateway Protocol (EGP), and nmap will show that EGP was active on this device.
Sun's Remote Procedure Call (RPC) architecture was created to provide a client computer with a way to execute procedures on a server. The RPC architecture is available on many different operating systems and platforms.
Using the RPC architecture, each program is assigned a unique hexadecimal number. When a client computer sends data to an RPC server, a program number is used to direct the RPC data to the correct application.
Nmap's RPC scan (-sR) actively probes for known RPC applications based on the nmap-rpc file. Once nmap locates an RPC program, it correlates and displays the program name based on the nmap-rpc data. This RPC grinding also runs automatically when a version scan (-sV) is requested.
This is a sample from the nmap-rpc file. The columns correspond to the RPC program name, the hexadecimal RPC program number, and an alias or comment related to the program.
-----
rpcbind   100000  portmap sunrpc rpcbind
rstatd    100001  rstat rup perfmeter rstat_svc
rusersd   100002  rusers
nfs       100003  nfsprog nfsd
ypserv    100004  ypprog
mountd    100005  mount showmount
-----
The nmap-service-probes file is used by the version scan (-sV) to determine the application type running on a system (http, ftp, telnet, etc.), the specific application name (Apache httpd, Microsoft IIS, etc.), the version number, and occasionally some additional application information.
This is a sample of an application fingerprint from the nmap-service-probes support file:
-----
# UW POP2 server on Linux 2.4.18
match pop2 m|^\+ POP2 [-\[\].\w]+ v(20[-.\w]+) server ready\r\n$| v/UW POP2 server/$1//
-----
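The following added example (not Nmap's own matching engine, and not from the original text) shows what that one line means in practice: the `m|...|` part is a regular expression applied to the banner a port returns, and the `v/product/version/info/` template after it is filled in from the regex's capture groups, which is how `$1` becomes the version number. The POP2 banner it is tested against is constructed for the example; the host name and version in it are made up.

```python
"""Apply an nmap-service-probes 'match' line to a captured banner.  Added
example, not Nmap's own matching engine.  Uses the three-field
v/product/version/info/ template shown in the text."""
import re

# Constructed inputs: the match line quoted above and a banner in the shape a
# UW POP2 daemon sends (host name and version number are made up).
SAMPLE_MATCH = r"match pop2 m|^\+ POP2 [-\[\].\w]+ v(20[-.\w]+) server ready\r\n$| v/UW POP2 server/$1//"
SAMPLE_BANNER = "+ POP2 mail.example.test v2001.77 server ready\r\n"

# match <service> m<delim>regex<delim>[flags] <version template>
MATCH_LINE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")
VERSION_TEMPLATE = re.compile(r"^v/([^/]*)/([^/]*)/([^/]*)/")


def parse_match_line(line):
    """Split a match line into service, compiled regex and template fields."""
    m = MATCH_LINE.match(line.strip())
    if not m:
        raise ValueError("not a match line: " + line)
    service, _delim, pattern, flags, template = m.groups()
    # 'i' and 's' after the closing delimiter are the only flags handled here
    re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
    t = VERSION_TEMPLATE.match(template)
    if not t:
        raise ValueError("unrecognised version template: " + template)
    return {"service": service, "regex": re.compile(pattern, re_flags),
            "product": t.group(1), "version": t.group(2), "info": t.group(3)}


def expand(template, m):
    """Substitute $1, $2, ... in a template with the regex capture groups."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", template)


def identify(banner, signatures):
    """Return the first signature whose regex matches the banner, with its
    version template expanded, or None when nothing matches."""
    for sig in signatures:
        m = sig["regex"].search(banner)
        if m:
            return {"service": sig["service"],
                    "product": expand(sig["product"], m),
                    "version": expand(sig["version"], m),
                    "info": expand(sig["info"], m)}
    return None


if __name__ == "__main__":
    sigs = [parse_match_line(SAMPLE_MATCH)]
    print(identify(SAMPLE_BANNER, sigs))
    print(identify("220 ftp.example.test FTP server ready\r\n", sigs))
```

Nmap runs its regexes over the raw bytes of the response; this example works on a decoded string for brevity. Note also that the sample uses the older combined `v/product/version/info/` template; current nmap-service-probes files split these into separate `p/`, `v/` and `i/` fields, so the template parser would need extending for a present-day file.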
The nmap-service-probes file is nmap-specific, and all of these service signatures have been built over time by a dedicated group of nmap users. The nmap team is always looking for new signatures! Additional information related to version scanning can be found on the nmap website at:
Nmap uses the nmap-services file to provide additional port detail for almost every scanning method. Every time a port is referenced, it's compared to an available description in this support file. If the nmap-services file isn't available, nmap reverts to the /etc/services file applicable for the current operating system.
Because the nmap-services list is compiled from many sources, it contains many more records than the Internet Assigned Numbers Authority (IANA) registered port list. Not all of these sources are documented, and many of these port numbers are unique to a single application from a single manufacturer. This list contains information that can apply to almost any network management application! For the latest version of this valuable non-official, non-registered port number list, visit
This is an excerpt from the nmap-services support file:
-----
cisco-sccp   2000/tcp   callbook sieve   # cisco sccp, rfc3028
cisco-sccp   2000/udp   callbook         # cisco sccp
dc           2001/tcp                    # or nfr20 web queries
wizard       2001/udp                    # curry
globe        2002/tcp
globe        2002/udp
cfingerd     2003/tcp   lmtp             # local mail transfer protocol, gnu finger
-----
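As an added example (not Nmap's own code, and not from the original text), here is a parser for that layout together with the fallback order described above: read nmap-services if present, otherwise /etc/services. Both files share the same `name port/proto [aliases] [# comment]` line shape, which is why one parser serves both. The excerpt embedded in the code is the one quoted above; the nmap-services install path is an assumption and the fallback simply yields an empty table when neither file exists.

```python
"""Resolve port numbers to service names from an nmap-services file, falling
back to /etc/services when it is absent.  Added example, not Nmap's own
code; both files share the 'name port/proto [aliases] [# comment]' layout."""
import os

# Constructed excerpt in nmap-services format (the lines quoted in the text).
NMAP_SERVICES_SAMPLE = """\
cisco-sccp 2000/tcp callbook sieve # cisco sccp, rfc3028
cisco-sccp 2000/udp callbook # cisco sccp
dc 2001/tcp # or nfr20 web queries
wizard 2001/udp # curry
globe 2002/tcp
globe 2002/udp
cfingerd 2003/tcp lmtp # local mail transfer protocol, gnu finger
"""


def parse_services(text):
    """Map (port, proto) -> (name, [aliases], comment)."""
    table = {}
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        fields = line.split()
        if len(fields) < 2:
            continue                        # blank or comment-only line
        port, _, proto = fields[1].partition("/")
        if not port.isdigit() or not proto:
            continue                        # malformed port/proto field
        table[(int(port), proto)] = (fields[0], fields[2:], comment.strip())
    return table


def load_service_table(nmap_services_path="/usr/share/nmap/nmap-services",
                       etc_services_path="/etc/services"):
    """Return (table, source_path), trying nmap-services first and then the
    operating system's /etc/services; the table is empty when neither exists.
    The nmap-services path is an assumed default, not read from the text."""
    for path in (nmap_services_path, etc_services_path):
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                return parse_services(fh.read()), path
    return {}, None


def service_name(table, port, proto):
    """Name for a port/protocol pair, or 'unknown' when the table has none."""
    entry = table.get((port, proto))
    return entry[0] if entry else "unknown"


if __name__ == "__main__":
    table = parse_services(NMAP_SERVICES_SAMPLE)
    for port, proto in ((2000, "tcp"), (2001, "udp"), (2003, "tcp"), (2003, "udp")):
        print(port, proto, service_name(table, port, proto))
    system_table, source = load_service_table()
    print("system table source:", source, "entries:", len(system_table))
```

The "unknown" result is the same behaviour a scan report shows for a port with no entry; since nmap-services is a merged, non-authoritative list, a name it prints is a hint about what usually listens there, not a confirmation of what actually answered, which is what the version scan (-sV) is for.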