How does Nmap OS detection work
How does OS detection work in practice?

Asked by Rox.

So the difference between 0x followed by 0x is 0xB. This test value then records the greatest common divisor of all those elements.

This value reports the average rate of increase for the returned TCP initial sequence number. Recall that a difference is taken between each two consecutive probe responses and stored in the previously discussed diff1 array.

Those differences are each divided by the amount of time elapsed in seconds, which will generally be about 0. The array has one element for each diff1 value.

An average is taken of the array values. If that average is less than one e. Otherwise ISR is eight times the binary logarithm (log base-2) of that average value, rounded to the nearest integer.

While the ISR test measures the average rate of initial sequence number increments, this value measures the ISN variability. It roughly estimates how difficult it would be to predict the next ISN from the known sequence of six probe responses. This test is only performed if at least four responses were seen.

We don't do the division for smaller GCD values because those are usually caused by chance. A standard deviation of the array of the resultant values is then taken. If the result is one or less, SP is zero. Otherwise the binary logarithm of the result is computed, then it is multiplied by eight, rounded to the nearest integer, and stored as SP.

Please keep in mind that this test is only done for OS detection purposes and is not a full-blown audit of the target ISN generator. There are many algorithm weaknesses that lead to easy predictability even with a high SP value.

There are three tests that examine the IP header ID field of responses. For each of these tests, the target's IP ID generation algorithm is classified based on the algorithm below.

Minor differences between tests are noted. Note that difference values assume that the counter can wrap. So the difference between an IP ID of 65, followed by a value of is 1,. The difference between 2, followed by 1, is 64,. Here are the calculation details:

This result isn't possible for II because there are not enough samples to support it.

If any of the differences between two consecutive IDs exceeds 1, and is not evenly divisible by , the test's value is RI (random positive increments).

If the difference is evenly divisible by , it must be at least , to cause this RI result. If all of the differences are divisible by and no greater than 5,, the test is set to BI (broken increment).

This happens on systems like Microsoft Windows where the IP ID is sent in host byte order rather than network byte order. It works fine and isn't any sort of RFC violation, though it does give away host architecture details which can be useful to attackers.

If all of the differences are less than ten, the value is I (incremental). We allow differences up to ten here rather than requiring sequential ordering because traffic from other hosts can cause sequence gaps. If none of the previous steps identify the generation algorithm, the test is omitted from the fingerprint.

If our six TCP IP ID values are , , , , , and , then our ICMP results are and , it is clear that not only are both sequences incremental, but they are both part of the same sequence.

If SS is included, the result is S if the sequence is shared and O (other) if it is not. That determination is made by the following algorithm:

Otherwise it is O.

TS is another test which attempts to determine target OS characteristics based on how it generates a series of numbers.

It examines the TSval (first four bytes of the option) rather than the echoed TSecr (last four bytes) value. It takes the difference between each consecutive TSval and divides that by the amount of time elapsed between Nmap sending the two probes which generated those responses.

The resultant value gives a rate of timestamp increments per second. Nmap computes the average increments per second over all consecutive probes and then calculates the TS as follows:

If any of the responses have no timestamp option, TS is set to U (unsupported). If any of the timestamp values are zero, TS is set to 0. If the average increments per second falls within the ranges . These three ranges get special treatment because they correspond to the 2 Hz, Hz, and Hz frequencies used by many hosts.

In all other cases, Nmap records the binary logarithm of the average increments per second, rounded to the nearest integer. Since most hosts use 1, Hz frequencies, A is a common result.

This test records the TCP header options in a packet. It preserves the original ordering and also provides some information about option values. Because RFC doesn't require any particular ordering, implementations often come up with unique orderings.

Some platforms don't implement all options (they are, of course, optional). When you combine all of those permutations with the number of different option values that implementations use, this test provides a veritable trove of information.

The value for this test is a string of characters representing the options being used. Several options take arguments that come immediately after the character.

Supported options and arguments are all shown in Table 8. Next comes a window scale option with a value of three, then two more NOPs. The final option is a timestamp, and neither of its two fields was zero. If there are no TCP options in a response, the test will exist but the value string will be empty.

If no probe was returned, the test is omitted. While this test is generally named O, the six probes sent for sequence generation purposes are a special case. Those are inserted into the special OPS test line and take the names O1 through O6 to distinguish which probe packet they relate to.

Despite the different names, each test O1 through O6 is processed exactly the same way as the other O tests.

This test simply records the bit TCP window size of the received packet. It is quite effective, since there are more than 80 values that at least one OS is known to send. A down side is that some operating systems have more than a dozen possible values by themselves.

This leads to false negative results until we collect all of the possible window sizes used by an operating system. While this test is generally named W, the six probes sent for sequence generation purposes are a special case. The window size is recorded for all of the sequence number probes because they differ in TCP MSS option values, which causes some operating systems to advertise a different window size. Despite the different names, each test is processed exactly the same way.

This test simply records whether the target responded to a given probe. Possible values are Y and N. If there is no reply, remaining fields for the test are omitted. A risk with this test involves probes that are dropped by a firewall. Thus the firewall could prevent proper OS detection. After all, the lack of a closed port may be because they are all filtered.

The IP header contains a single bit which forbids routers from fragmenting a packet.

This test records Y if the bit is set, and N if it isn't.

This is simply a modified version of the DF test that is used for the special IE probes. It compares results of the don't fragment bit for the two ICMP echo request probes sent.
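The sequence-generation tests described in the answer above (GCD, ISR, SP, the IP ID classification shared by TI/CI/II, SS and TS), re-implemented in Python over constructed probe data. This is an added example, not Nmap's code and not part of the original answer. The numeric thresholds are missing from the text above (the 1,000 / 256 / 5,120 / 256,000 IP ID limits, the 20,000 cutoff for RD, the 0-5.66 / 70-150 / 150-350 TS ranges) and are taken from Nmap's published reference documentation; the wrap convention for ISN differences (the shorter of the two distances around the 32-bit counter, which gives 0x0B000000 for 0x20000000 followed by 0x15000000), the sample standard deviation for SP, the "more than two samples" condition for RD and the hex formatting of constant IP IDs and of TS follow that documentation and Nmap's source as I read them, and should be treated as assumptions. All probe data (`SEND_TIMES`, `ISNS`, `TCP_IPIDS`, `ICMP_IPIDS`, `TSVALS`) is constructed, not captured.

```python
"""Added example: Nmap-style SEQ-line tests over constructed probe data.

Not Nmap's code. Thresholds and formatting conventions come from Nmap's
reference documentation and source as I read them; treat them as assumptions.
"""
import math
from functools import reduce
from statistics import mean, stdev

MOD32 = 1 << 32   # TCP ISN and TSval counters are 32-bit
MOD16 = 1 << 16   # IP ID is 16-bit


def mod_diff32(a, b):
    """Wrap-aware ISN difference: the shorter distance around the 32-bit
    counter, so 0x20000000 followed by 0x15000000 gives 0x0B000000."""
    fwd = (b - a) % MOD32
    return min(fwd, MOD32 - fwd)


def seq_tests(isns, send_times):
    """GCD, ISR and SP from the ISNs of the SEQ probe responses and the
    times (seconds) at which each probe was sent."""
    if len(isns) < 2:
        return {}
    diffs = [mod_diff32(a, b) for a, b in zip(isns, isns[1:])]
    gcd = reduce(math.gcd, diffs)
    # rate of ISN increase per second between consecutive probes
    rates = [d / (t1 - t0) for d, t0, t1 in zip(diffs, send_times, send_times[1:])]
    avg = mean(rates)
    isr = 0 if avg < 1 else round(8 * math.log2(avg))
    result = {"GCD": gcd, "ISR": isr}
    if len(isns) >= 4:                       # SP needs at least four responses
        scaled = [r / gcd for r in rates] if gcd > 9 else rates
        sd = stdev(scaled)                   # sample std dev (n-1), as in Nmap's source
        result["SP"] = 0 if sd <= 1 else round(8 * math.log2(sd))
    return result


def ipid_class(ids):
    """Classify an IP ID sequence the way TI/CI/II do. Returns None when the
    test would be omitted from the fingerprint."""
    if all(i == 0 for i in ids):
        return "Z"
    diffs = [(b - a) % MOD16 for a, b in zip(ids, ids[1:])]   # counter may wrap
    # RD needs more than two samples, which is why II (two ICMP replies) never yields it
    if len(ids) > 2 and any(d >= 20000 for d in diffs):
        return "RD"
    if all(i == ids[0] for i in ids):
        return f"{ids[0]:X}"                 # constant ID, reported in hex
    # >1000 and not a multiple of 256 (or a multiple of 256 that is >= 256,000,
    # which a 16-bit difference can never reach) -> random positive increments
    if any(d > 1000 and (d % 256 != 0 or d >= 256000) for d in diffs):
        return "RI"
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "BI"                          # counter sent in host byte order
    if all(d < 10 for d in diffs):
        return "I"
    return None


def shared_sequence(tcp_ids, icmp_ids):
    """SS: only defined when II is RI/BI/I and TI equals it."""
    ti, ii = ipid_class(tcp_ids), ipid_class(icmp_ids)
    if ii not in ("RI", "BI", "I") or ti != ii:
        return None
    # average per-probe step across the TCP SEQ responses (probe numbers 1..n)
    avg = (tcp_ids[-1] - tcp_ids[0]) / (len(tcp_ids) - 1)
    return "S" if icmp_ids[0] < tcp_ids[-1] + 3 * avg else "O"


def ts_test(tsvals, send_times):
    """TS from the TSval of each SEQ response (None = no timestamp option)."""
    if any(v is None for v in tsvals):
        return "U"
    if any(v == 0 for v in tsvals):
        return "0"
    rates = [((b - a) % MOD32) / (t1 - t0)
             for a, b, t0, t1 in zip(tsvals, tsvals[1:], send_times, send_times[1:])]
    avg = mean(rates)
    if avg <= 5.66:
        return "1"                           # ~2 Hz clocks
    if 70 <= avg <= 150:
        return "7"                           # ~100 Hz
    if 150 < avg <= 350:
        return "8"                           # ~200 Hz
    return f"{round(math.log2(avg)):X}"      # 1000 Hz -> log2 ~ 10 -> "A"


# --- constructed sample data (not a real capture) ---
SEND_TIMES = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5]
ISNS = [0x10000000, 0x10001900, 0x100044C0, 0x100062C0, 0x100094C0, 0x1000BA80]
TCP_IPIDS = [0x4F10, 0x4F11, 0x4F12, 0x4F14, 0x4F15, 0x4F16]
ICMP_IPIDS = [0x4F17, 0x4F18]
TSVALS = [500000, 500100, 500200, 500300, 500400, 500500]


def fingerprint_seq_line():
    fp = seq_tests(ISNS, SEND_TIMES)
    fp["TI"] = ipid_class(TCP_IPIDS)
    fp["II"] = ipid_class(ICMP_IPIDS)
    fp["SS"] = shared_sequence(TCP_IPIDS, ICMP_IPIDS)
    fp["TS"] = ts_test(TSVALS, SEND_TIMES)
    return fp


if __name__ == "__main__":
    fields = fingerprint_seq_line()
    print("SEQ(" + "%".join(f"{k}={v}" for k, v in fields.items() if v is not None) + ")")
```

With the constructed data above the SEQ line comes out as `SEQ(GCD=64%ISR=132%SP=69%TI=I%II=I%SS=S%TS=A)`; feeding `ipid_class` a byte-swapped counter such as `[0x0100, 0x0200, 0x0300, 0x0500]` yields `BI`, the Windows-style case the answer describes.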

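The per-probe tests from the second half of the answer (R, DF, W and the O option string), as an added example that parses a raw IPv4/TCP reply; this is not Nmap's code and not part of the original answer. The option letters (L = EOL, N = NOP, M = MSS, W = window scale, T = timestamp flags, S = SACK permitted) are taken from Nmap's documentation because the table the answer refers to is not reproduced on this page; printing the window scale value in hex and skipping unknown option kinds are my assumptions. `build_reply` and `SAMPLE_OPTS` construct the sample packet (no real capture, checksums left at zero); the option block is the MSS / NOP / window scale 3 / NOP / NOP / timestamp sequence the answer walks through.

```python
"""Added example: derive the R, DF, W and O tests from a raw IPv4/TCP reply.

Not Nmap's code. Option letters are from Nmap's documentation; hex window
scale and skipping unknown option kinds are assumptions.
"""
import struct

DF_FLAG = 0x4000  # "don't fragment" bit in the IPv4 flags/fragment-offset field


def tcp_options_string(opts):
    """Encode raw TCP option bytes as Nmap's O-test string, preserving order."""
    out = []
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == 0:                        # EOL ends the list (padding follows)
            out.append("L")
            break
        if kind == 1:                        # NOP has no length byte
            out.append("N")
            i += 1
            continue
        if i + 1 >= n:                       # truncated option header
            break
        length = opts[i + 1]
        if length < 2 or i + length > n:     # malformed length: stop parsing
            break
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            out.append("M%X" % struct.unpack("!H", body)[0])
        elif kind == 3 and length == 3:
            out.append("W%X" % body[0])
        elif kind == 4 and length == 2:
            out.append("S")
        elif kind == 8 and length == 10:
            tsval, tsecr = struct.unpack("!II", body)
            out.append("T%d%d" % (tsval != 0, tsecr != 0))   # 1 = non-zero field
        # other kinds (MD5 signature, MPTCP, ...) are skipped here
        i += length
    return "".join(out)


def fingerprint_response(pkt):
    """R/DF/W/O for one probe: pkt is the raw IPv4+TCP reply, or None if no
    reply arrived (only R=N is reported then, the other fields are omitted)."""
    if pkt is None:
        return {"R": "N"}
    ver_ihl, _tos, _total, _ipid, frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if proto != 6:
        raise ValueError("not a TCP reply")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {
        "R": "Y",
        "DF": "Y" if frag & DF_FLAG else "N",
        "W": "%X" % window,                          # 16-bit window, in hex
        "O": tcp_options_string(tcp[20:data_off]),  # empty string if no options
    }


def build_reply(window, options, df=True):
    """Construct a minimal IPv4/TCP SYN-ACK reply (sample data, no checksums)."""
    assert len(options) % 4 == 0, "TCP options must pad to a 4-byte boundary"
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x4F10,
                     DF_FLAG if df else 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 80, 40000, 0x10000000, 1,
                      ((tcp_len // 4) << 12) | 0x12, window, 0, 0)
    return ip + tcp + options


# Constructed option block: MSS 1460, NOP, window scale 3, NOP, NOP, timestamp
# with both fields non-zero -> encodes as M5B4NW3NNT11
SAMPLE_OPTS = (bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 3, 1, 1, 8, 10])
               + struct.pack("!II", 123456, 1))


def demo():
    return fingerprint_response(build_reply(0xFFFF, SAMPLE_OPTS))


if __name__ == "__main__":
    print(demo())
```

The parser stops at a malformed or truncated option rather than guessing, which is the behaviour you want when the "reply" is attacker-controlled; a host that answers with no options at all still yields the O test with an empty string, as the answer notes, and a dropped probe yields only `R=N`.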