Is it possible to detect the operating system type remotely from another system using any tools like nmap
without admin privileges? What are the other alternatives for achieving this?
-
More details please? You can use nmap to scan the target os and it will make a good guess.... php scripts can also do it using $_SESSION[HTTP_USER_AGENT] but they would have to visit the page. – TheHidden Mar 26 '16 at 02:30
-
Here is a link that explains how nmap can perform OS detection and the appropriate command syntax. https://nmap.org/book/man-os-detection.html – Mar 26 '16 at 04:27
-
You might find the [`p0f`](http://lcamtuf.coredump.cx/p0f3/) utility useful for this sort of thing. – Castaglia Mar 29 '16 at 06:50
-
No OS detection is performed when not using root user, no traceroute either. Yes you will be able to perform -A scan, but only with service discovery, just as you would with -sV flag. – Sab Jun 26 '19 at 01:15
-
Do you have a reference or a source that backs up the claim that "No OS detection is performed when not using root user"? This is the whole point of the question. – schroeder Jun 26 '19 at 06:48
3 Answers
Using nmap:
sudo nmap -O <target>
Or if they block your ping probes you can do:
sudo nmap -O <target> -Pn
Sometimes you still get fake results and you should try doing an aggressive scan (can be detected and blocked by the firewall).
sudo nmap -A <target>
- 1,802
- 1
- 13
- 27
-
4OP asks explicitly for methods that work without admin privileges. I don't know why OP does, but this does not answer the question. – Tobi Nary Mar 26 '16 at 12:24
-
If I use "sudo nmap -O
" or "sudo nmap -A – user45475 Apr 02 '16 at 23:54" it prompts for password. My intention to find the OS type without using admin privileges and any passwords. -
If I use "nmap -O
-Pn" it says replies as "TCP/IP fingerprinting (for os scan) requires root privileges. – user45475 Apr 02 '16 at 23:56
You could use use the -T4 option together with the -A. No sudo is required (Tested on Ubuntu).
$ nmap -T4 -A 192.168.0.0/24
Would return for instance:
Nmap scan report for 192.168.0.95
Host is up (0.00060s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (DSA)
|_2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (RSA)
80/tcp open http nginx 1.1.19
|_http-title: 403 Forbidden
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
111/tcp open rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 46448/tcp mountd
| 100005 1,2,3 52408/udp mountd
| 100021 1,3,4 35394/udp nlockmgr
| 100021 1,3,4 57150/tcp nlockmgr
| 100024 1 49363/tcp status
| 100024 1 51515/udp status
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
The -A tells nmap to perform OS checking and version checking. The -T4 is for the speed template, these templates are what tells nmap how quickly to perform the scan. The speed template ranges from 0 for slow and stealthy to 5 for fast and obvious.
- 161
- 1
- 5
You could use the nmap smb-os-discovery.nse script it should for the most part give you the right answers. It doesn't work on some versions of windows 10 though.
nmap --script smb-os-discovery.nse -p445 127.0.0.1
- 2,938
- 6
- 25
- 31
- 121
- 3