How to identify the machine OS remotely.

Comment by Sitaram Pamarthi on April 8, 2009 at 5:06pm

people, let me know if you know any other simple way than this when you don't have any kind of access to the remote machine. Looking forward for your valuable comments.

Comment by Paul Stoklosa on April 8, 2009 at 5:19pm

a nmap (zenmap) scan can tell you the open ports, which will give you a clue.windows often has ports like 445 and 139 open, while 22 ssh is usually a *nix.

Comment by Sitaram Pamarthi on April 8, 2009 at 5:26pm

I think unix box also will show these NETBIOS ports if it has samba. Am I wrong? :-(

Comment by Robert Chipperfield on April 8, 2009 at 8:10pm

nmap will also do some really cool OS detection using things like the way it responds to invalid states in a TCP connection and so on - there's a bunch of fingerprinting methods.

So against one of my Fedora VMs, I get the following:
MAC Address: 00:0C:29:07:4F:B3 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.15 (x86)
Uptime: 2.268 days (since Mon Apr 06 13:42:03 2009)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros

And a Win2K3 machine:
MAC Address: 00:19:D1:E3:AF:31 (Intel)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class

Grin :-D

Comment by Michael H. Maciukiewicz Jr. on April 13, 2009 at 6:29am

Depending on the TTL on a ping response is very unreliable. Perhaps you did not include Linux when you you referred to Unix, as checking 3 different Linux distributions, none had a TTL set for anything other than 65:

$ cat /proc/sys/net/ipv4/ip_default_ttl
64

This value is also easily adjusted as well so there is no guarantee the system is using the OS default.

Comment by Michael H. Maciukiewicz Jr. on April 13, 2009 at 6:35am

Oh and as far as methods to determine the OS remotely, the nmap OS detection as previously mentioned is one of the better ways. Unless there is reason to think the admin of the remote system is trying to make OS detection difficult, you can also check service banners. Many services happily inform you of their version and sometimes even the OS version as well. Telnetting to port 25 or 80 often provides you with OS and daemon versions, as many webserver and MTA default configurations have banners enabled.

Comment by Sitaram Pamarthi on April 13, 2009 at 6:49am

Thanks for your thoughts. Good learning for me :-). But will nmap work without admin rights on remote machine?

Comment by Paul Stoklosa on April 13, 2009 at 8:16pm

yes, nmap really just scans the ports that are open, and analyzes the responses. layer 4 of the osi model, so OS rights on the machine are irrelevant.

Comment by Dan C on April 14, 2009 at 9:33am

A handful of nmap's features, including OS detection, requires raw socket support. Which assumes root privileges under Unix or the ability to install/use libpcap under Windows. So your mileage may vary.

Comment by Robert Chipperfield on April 16, 2009 at 10:46am

Dan C - true, but that's root / admin on the PC doing the scanning, rather than the target PC, which I think is a rather less onerous requirement :-)

Comment

• ‹ Previous
• 1
• 2
• Next ›
• Page