Operating system (OS) detection is a feature in Nmap that remotely scans a target host and presents details of its operating system if there is a match. TCP/IP stack fingerprinting sends a series of probes (e.g., TCP and UDP packets) to the specified host and examines the responses. The results are then compared to the nmap-os-db database of 2,600+ known OS fingerprints, and the details are printed if there is a match.
Note: Root privileges are required to properly perform the scan.
nmap -O <target>
OS detection is enabled with the -O option and applied to a host <target> (e.g., a URL or IP address).
The following options are available for OS detection:
--osscan-limit: Limits detection to hosts with at least one open and one closed TCP port, and skips hosts that do not meet these criteria.
--osscan-guess; --fuzzy: Presents possible results if a perfect OS match can't be found.
- The match has to be very close for Nmap to do this by default. Either of these (equivalent) options makes Nmap guess more aggressively. Nmap will still indicate when an imperfect match is printed and display its confidence level (0% - 100%) for each guess.
--max-os-tries: Sets the maximum number of detection attempts against a target.
- By default, Nmap tries five times if conditions are favorable or two times when conditions aren't so good. A specific number of tries can be specified; the lower the number, the quicker the scan.
-v: Provides more information from an OS detection scan, including an incremental ID for each IP packet header sent.
The following example runs an Nmap scan and enables OS detection on the site scanme.nmap.org:
nmap -O scanme.nmap.org
Note: This is a site explicitly set up for testing Nmap. Scans should only be performed on domains with explicit permissions given to the user.
This results in the following output:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-17 19:59 EST
Nmap scan report for scanme.nmap.org (184.108.40.206)
Host is up (0.089s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 992 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
9929/tcp  open     nping-echo
31337/tcp open     Elite
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
Network Distance: 10 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.96 seconds
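For asset inventory it helps to turn this output into structured records and to keep exact matches apart from guesses. The Python below is an added example, not part of the original page or of Nmap; it goes beyond the output above by also handling the guess case, and the second host, its `Aggressive OS guesses:` line and the names `parse_os_results` and `summarize` are constructed for illustration.

```python
import re

# Constructed sample: the OS lines from the scan above, plus a second,
# made-up host where no exact match was found and guesses were printed.
SAMPLE = """\
Nmap scan report for scanme.nmap.org (184.108.40.206)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.4
Nmap scan report for host-b.example (192.0.2.10)
Aggressive OS guesses: Linux 2.6.32 (96%), DD-WRT v24-sp2 (Linux 2.4.37) (91%)
No exact OS matches for host (test conditions non-ideal).
"""

FIELDS = {"Device type": "device_type", "Running": "running",
          "OS CPE": "cpe", "OS details": "details"}
# A guess is "<name> (<confidence>%)"; the name itself may contain parentheses.
GUESS = re.compile(r"(.+?) \((\d+)%\)(?:, |$)")

def parse_os_results(text):
    """Return one dict per host with the OS fields found in the output."""
    hosts, cur = [], None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            cur = {"host": line[len("Nmap scan report for "):],
                   "exact": False, "guesses": []}
            hosts.append(cur)
        elif cur is None:
            continue  # banner lines before the first host
        elif line.startswith("Aggressive OS guesses: "):
            body = line.split(": ", 1)[1]
            cur["guesses"] = [(n, int(p)) for n, p in GUESS.findall(body)]
        else:
            key, sep, value = line.partition(": ")
            if sep and key in FIELDS:
                cur[FIELDS[key]] = value
                cur["exact"] = cur["exact"] or key == "OS details"
    return hosts

def summarize(host):
    """(label, confidence): confidence is None for an exact match."""
    if host["exact"]:
        return host["details"], None
    if host["guesses"]:
        return max(host["guesses"], key=lambda g: g[1])
    return None, None
```

Records whose confidence is not `None` come from an imperfect match and should be treated as unverified in an inventory.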
Each fingerprint includes a freeform textual description of the OS, and a classification which provides the following:
- A vendor name (e.g., Sun)
- The underlying OS details that include the name and version (e.g., Linux 5.0 - 5.4)
- The device type (game console, etc.)
Most fingerprints also have a common platform enumeration (OS CPE) representation, like