• 8,275
  • 91
  • +473
  • 568
How to Know Victim Operating System – Scanning Using Nmap

How to Know Victim Operating System – Scanning Using Nmap

Bookmark

Type : Tutorial

Level : Easy

O.S on network : Windows 2000, Windows XP SP3, Debian 6

Scanner O.S : Backtrack 5 R1

Application version : Nmap 5.59BETA1 (http://nmap.org)

In a few months ahead I will be a little bit busy with my master class, this class become harder because the professor teach me using Chinese :-P , but don't worry I will still spent time to write tutorial here but not often as usual, you still can catch up with me in my facebook page here and twitter page here for the latest update from this site. I also want to say sorry for you who already wrote in request tutorial page or contact me page about request tutorial or ask a question because there's so many reader wrote there, but i'LL try the best as I can :-) .

Today I will write tutorial about How to Know Victim Operating System using Nmap and also how to evade the IDS or firewall to catch our real IP, because there's some readers wrote in my Request Tutorial page that they didn't know how to do that. Maybe for you who already learn about scanning a network or something similar with this, you will feel familiar with this tutorial.

There are 2 version of Nmap, console mode and GUI mode(Zenmap) but do not worry, because the usability and ability was similar and you just choose which one you want to use and most suitable with you(in this tutorial I'LL use the console mode).

What is nmap?

According to its website, Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

Scanner IP Address : 192.168.8.93

Requirement :

1. Nmap (nmap.org)

Step by Step :

1. Open your console (CTRL + ALT + T) and then type nmap command to view the help. Actually from this help page you can read yourself because there's so many options you can use to perform your scanning technique.

2. The simple or basic scanning technique was just run your nmap following with a target IP address.

v4L@bt:~# nmap 192.168.8.91

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-09-16 21:24 CST
Nmap scan report for localhost (192.168.8.91)
Host is up (0.00070s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2869/tcp open  icslap
MAC Address: 08:00:27:7E:C9:A3 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds

How to Know Victim Operating System - Scanning Using Nmap

3. Nmap also can scan a whole of your network address to know which host alive or dead (try by yourself).

v4L@bt:~# nmap 192.168.8.0/24

Information :

if your IP was 192.168.1.9, then your nmap command should be nmap 192.168.1.0/24 but you can learn more about this CIDR notation in computer networking.

If you see the nmap help, there's so many switch you can use but in this tutorial I will not describe all of that switch because you can read more on nmap official website help page.

-v : Increase verbosity level (use -vv or more for greater effect)

-S <IP_Address> : Spoof source address -- used to trick the firewall/IDS

-e <iface> : Use specified interface

-Pn : Treat all hosts as online -- skip host discovery

-sV : Probe open ports to determine service/version info -- very useful to get detailed information about the service

-T<0-5> : Set timing template (higher is faster)--see picture below

-O : Enable OS detection

How to Know Victim Operating System - Scanning Using Nmap

4. I will use the above switch to perform a scanning in my network.

v4L@bt:~# nmap -S 192.168.8.123 -e eth0 -Pn -sV -T4 -v -O 192.168.8.0/24

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-09-16 20:46 CST
NSE: Loaded 9 scripts for scanning.
Initiating ARP Ping Scan at 20:46
Scanning 256 hosts [1 port/host]
Completed ARP Ping Scan at 20:46, 1.55s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 20:46
Completed Parallel DNS resolution of 256 hosts. at 20:46, 0.00s elapsed
Nmap scan report for 192.168.8.0 [host down]

--CODE SNIP IT'S TOO LONG--

Nmap scan report for localhost (192.168.8.88)
Host is up (0.0012s latency).
All 1000 scanned ports on localhost (192.168.8.88) are filtered
MAC Address: 12:34:56:78:90:12 (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for localhost (192.168.8.90)
Host is up (0.021s latency).
Not shown: 993 filtered ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  netbios-ssn
554/tcp   open  rtsp?
2869/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5357/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
MAC Address: 00:21:5D:F4:3A:D8 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 1 hop
Service Info: OS: Windows

Nmap scan report for localhost (192.168.8.91)
Host is up (0.0020s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp?
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
MAC Address: 08:00:27:7E:C9:A3 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.59BETA1%D=9/16%OT=21%CT=1%CU=32221%PV=Y%DS=1%DC=D%G=Y%M=080027%
OS:TM=4E73458A%P=i686-pc-linux-gnu)SEQ(CI=I%II=I%TS=0)SEQ(CI=I%II=I)OPS(O1=
OS:M5B4NW0NNT00NNS%O2=%O3=%O4=%O5=%O6=)OPS(O1=NNT11%O2=%O3=%O4=%O5=%O6=)WIN
OS:(W1=FAF0%W2=0%W3=0%W4=0%W5=0%W6=0)ECN(R=Y%DF=N%T=80%W=0%O=%CC=N%Q=)T1(R=
OS:Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T1(R=Y%DF=Y%T=80%S=O%A=O%F=AS%RD=0%Q=)
OS:T1(R=Y%DF=Y%T=80%S=O%A=O%F=A%RD=0%Q=)T2(R=Y%DF=N%T=80%W=0%S=Z%A=S%F=AR%O
OS:=%RD=0%Q=)T3(R=Y%DF=N%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=N%T=80%
OS:W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)T6(R=Y%DF=N%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=80%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=S%T=80%CD=Z)

Network Distance: 1 hop
Service Info: OS: Windows

Nmap scan report for localhost (192.168.8.92)
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE              VERSION
80/tcp  open  http                 Apache httpd 2.2.16 ((Debian))
111/tcp open  rpcbind (rpcbind V2) 2 (rpc #100000)
MAC Address: 08:00:27:8E:01:56 (Cadmus Computer Systems)
OS fingerprint not ideal because: Didn't receive UDP response. Please try again with -sSU
No OS matches for host
Network Distance: 1 hop

Nmap scan report for localhost (192.168.8.94)
Host is up (0.0026s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd 5.0
23/tcp   open  telnet        Microsoft Windows 2000 telnetd
25/tcp   open  smtp          Microsoft ESMTP 5.0.2195.2966
80/tcp   open  http          Microsoft IIS httpd 5.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
1025/tcp open  NFS-or-IIS?
1026/tcp open  LSA-or-nterm?
MAC Address: 08:00:27:33:FD:68 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000 SP0
Network Distance: 1 hop
Service Info: Host: 2000sp2; OS: Windows

Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (6 hosts up) scanned in 127.68 seconds
           Raw packets sent: 9126 (410.968KB) | Rcvd: 4191 (169.016KB)

5. I give different color in nmap scan result. As you can see, in my subnet there's 5 hosts marked as up and alive. The first host(blue color) was my O.S with firewall installed. Below was the picture when my firewall detected some alert in my PC.

How to Know Victim Operating System - Scanning Using Nmap

As you can see from the alert above, the firewall detected that connection came from IP Address 192.168.8.123 but the real scanner IP address was 192.168.8.93 that's because the -S, -e and -Pn switch I've used in scanning method.

6. When you do a scan, and you get some open port in 135 or 139 or 445 that machine should be a Windows machine.

Because nmap was also an application and created by human, so maybe there's some inaccurate result when this program scans the network especially when guess the Operating System.

7. If there's no open port 135 or 139 or 445, it should be another Operating System, maybe Linux or Mac OSX, Solaris, etc(see the brown color – 192.168.8.92). To know what operating system, actually there's many ways but here I will try simple banner grabbing by telnet to the opening port of that host.

How to Know Victim Operating System - Scanning Using Nmap

There it is…that host was running a Debian Operating System. :-)

Countermeasures :

1. Install a firewall to block requests from scanner

2. If you have some service running and there's an open port, mask or delete the server information when an error triggered.

Hope you enjoyed :-)

Subscribe Now To Get Latest Hacking Tutorial on Your E-Mail

Share this article if you found this post was useful:

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

See all posts by || Visit Website : http://www.vishnuvalentino.com

Leave a Reply

Your email address will not be published. Required fields are marked *