
Using NMAP for OS Detection and Versioning

Introduction
Anyone studying for the CEH will need to become familiar with using NMAP (Network Mapper) and some of its basic command-line syntax. The tool is the creation of Gordon “Fyodor” Lyon and can be downloaded from http://nmap.org/. It’s an old-school favorite and should be part of any hacker’s arsenal. It’s also included as one of the 100 Security Tools listed on Insecure.org.

Its popularity hasn’t led to many books being written on the tool. A quick search of Amazon produced 3 books on the matter, one of which was by its creator: “NMAP Network Scanning: The Official NMAP Project Guide to Network Discovery and Security Scanning”. I haven’t read an official book on NMAP as of yet but am planning to make a trip to Barnes & Noble and check it out.

NMAP Categories
Once installed, NMAP is used from the command prompt, and the simple act of typing NMAP will produce a long list of its functionality organized by category. Its complete usage is beyond the scope of this article, but its main categories are as follows:

Target Specification
Host Discovery
Scan Techniques
Port Specification and Scan Order
Service/Version Detection
Script Scan
OS Detection
Timing and Performance
Firewall/IDS Evasion and Spoofing
Output
Misc
I’ve bolded the categories that the CEH exam focuses on, so spend a significant amount of time familiarizing yourself with their corresponding syntax and you’ll be able to answer almost any NMAP question on the exam. It wouldn’t hurt to play with all the commands at least once.

NMAP OS Detection
Not only can NMAP be used to discover hosts on a network, it’s also capable of making a “best effort” guess at a host’s operating system. Half the battle of compromising a machine is knowing what you’re up against. A scan might determine that a machine is listening on port 80, but without knowing the corresponding OS and web server version, any attempted compromise is a “shot in the dark”.

NMAP tries to help solve this dilemma with OS and version detection. The following commands (categories included) would be most helpful here:

Using NMAP
The first step of network recon is to determine what machines are active on the network. Let’s assume I’ve done that already using an NMAP ping sweep (nmap -sP 192.168.10.0/24). I got one response, from 192.168.10.252. The next step is enumeration, which can be done using any of the previously defined NMAP scans. Let’s start with OS Detection.

Hmmm… the scan is unable to determine the OS version. So let’s move on to trying to determine the service versions.

Even though I don’t know what OS it’s running, I can deduce from the following that it’s running Windows Server 2008, because only that version supports IIS version 7.0.

80/tcp open http Microsoft IIS Webserver 7.0

At this time there would be no reason to run an nmap -A (OS and version detection) scan, as the results would be the same.
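To make the reasoning above repeatable across many hosts, here is an added example (mine, not from the original post or the Nmap project) that reads nmap’s XML output (nmap -O -sV -oX scan.xml <target>), prefers nmap’s own -O fingerprint match when one exists, and otherwise infers the OS from the -sV service banners the way the post does with IIS 7.0. The XML is a constructed sample mirroring the 192.168.10.252 scan, and BANNER_OS_HINTS is a hypothetical lookup table, not something nmap ships.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML (as from: nmap -O -sV -oX scan.xml 192.168.10.252).
# -O produced no <osmatch>, but -sV identified IIS 7.0 on port 80.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.10.252" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="7.0"/></port>
      <port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
    </ports>
    <os><portused state="open" proto="tcp" portid="80"/></os>
  </host>
</nmaprun>"""

# Hypothetical banner-to-OS heuristics for the fallback: (product, version) -> OS.
BANNER_OS_HINTS = {
    ("Microsoft IIS httpd", "7.0"): "Windows Server 2008",
    ("Microsoft IIS httpd", "6.0"): "Windows Server 2003",
}


def summarize_host(host):
    """Return a host's open services plus its best OS guess and that guess's provenance."""
    addr = host.find("address[@addrtype='ipv4']").get("addr")
    services = []
    for port in host.findall("ports/port"):
        if port.find("state").get("state") != "open":
            continue  # closed/filtered ports carry no banner to reason from
        svc = port.find("service")
        services.append({
            "port": f"{port.get('portid')}/{port.get('protocol')}",
            "product": svc.get("product", "") if svc is not None else "",
            "version": svc.get("version", "") if svc is not None else ""})
    result = {"addr": addr, "services": services, "os": None, "source": None}
    match = host.find("os/osmatch")  # nmap's own fingerprint match, if -O succeeded
    if match is not None:
        result.update(os=match.get("name"), source="nmap -O fingerprint")
        return result
    for s in services:  # otherwise reason from -sV banners, as the post does with IIS 7.0
        hint = BANNER_OS_HINTS.get((s["product"], s["version"]))
        if hint:
            result.update(os=hint, source=f"inferred from {s['product']} {s['version']} on {s['port']}")
            return result
    return result


def summarize_scan(xml_text):
    """Summarize every host in an nmap -oX document."""
    return [summarize_host(h) for h in ET.fromstring(xml_text).findall("host")]
```

The "source" field records whether the OS came from nmap’s fingerprint or from a banner heuristic, so a banner-based guess is never mistaken for a fingerprint match when reviewing results later.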

Conclusion
This was just the tip of the iceberg when it comes to NMAP. These basic scan techniques will certainly give you a leg up in taking the exam, and the results will come in handy when trying to decide what exploit to run against the target machine using a tool like Metasploit.

Additional Reading

Chap 8: Remote OS Detection

TOP 2 OS Detection Tools
