13

Is it possible to detect the operating system type remotely from another system using any tools like nmap without admin privileges? What are the other alternatives for achieving this?

Shurmajee
  • 7,285
  • 5
  • 27
  • 59
user45475
  • 1,030
  • 2
  • 9
  • 14
  • More details please? You can use nmap to scan the target os and it will make a good guess.... php scripts can also do it using $_SESSION[HTTP_USER_AGENT] but they would have to visit the page. – TheHidden Mar 26 '16 at 02:30
  • Here is a link that explains how nmap can perform OS detection and the appropriate command syntax. https://nmap.org/book/man-os-detection.html –  Mar 26 '16 at 04:27
  • You might find the [`p0f`](http://lcamtuf.coredump.cx/p0f3/) utility useful for this sort of thing. – Castaglia Mar 29 '16 at 06:50
  • No OS detection is performed when not using root user, no traceroute either. Yes you will be able to perform -A scan, but only with service discovery, just as you would with -sV flag. – Sab Jun 26 '19 at 01:15
  • Do you have a reference or a source that backs up the claim that "No OS detection is performed when not using root user"? This is the whole point of the question. – schroeder Jun 26 '19 at 06:48

3 Answers3

13

Using nmap:

sudo nmap -O <target>

Or if they block your ping probes you can do:

sudo nmap -O <target> -Pn

Sometimes you still get fake results and you should try doing an aggressive scan (can be detected and blocked by the firewall).

sudo nmap -A <target>
Lucian Nitescu
  • 1,802
  • 1
  • 13
  • 27
  • 4
    OP asks explicitly for methods that work without admin privileges. I don't know why OP does, but this does not answer the question. – Tobi Nary Mar 26 '16 at 12:24
  • If I use "sudo nmap -O " or "sudo nmap -A " it prompts for password. My intention to find the OS type without using admin privileges and any passwords. – user45475 Apr 02 '16 at 23:54
  • If I use "nmap -O -Pn" it says replies as "TCP/IP fingerprinting (for os scan) requires root privileges. – user45475 Apr 02 '16 at 23:56
5

You could use use the -T4 option together with the -A. No sudo is required (Tested on Ubuntu).

$ nmap -T4 -A 192.168.0.0/24

Would return for instance:

 Nmap scan report for 192.168.0.95
 Host is up (0.00060s latency).
 Not shown: 996 closed ports
 PORT STATE SERVICE VERSION
 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
 | ssh-hostkey: 1024 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (DSA)
 |_2048 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:6c (RSA)
 80/tcp open http nginx 1.1.19
 |_http-title: 403 Forbidden
 |_http-methods: No Allow or Public header in OPTIONS response (status code 405)
 111/tcp open rpcbind
 | rpcinfo:
 | program version port/proto service
 | 100000 2,3,4 111/tcp rpcbind
 | 100000 2,3,4 111/udp rpcbind
 | 100003 2,3,4 2049/tcp nfs
 | 100003 2,3,4 2049/udp nfs
 | 100005 1,2,3 46448/tcp mountd
 | 100005 1,2,3 52408/udp mountd
 | 100021 1,3,4 35394/udp nlockmgr
 | 100021 1,3,4 57150/tcp nlockmgr
 | 100024 1 49363/tcp status
 | 100024 1 51515/udp status
 | 100227 2,3 2049/tcp nfs_acl
 |_ 100227 2,3 2049/udp nfs_acl
 2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
 Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

The -A tells nmap to perform OS checking and version checking. The -T4 is for the speed template, these templates are what tells nmap how quickly to perform the scan. The speed template ranges from 0 for slow and stealthy to 5 for fast and obvious.

user9869932
  • 161
  • 1
  • 5
1

You could use the nmap smb-os-discovery.nse script it should for the most part give you the right answers. It doesn't work on some versions of windows 10 though.

nmap --script smb-os-discovery.nse -p445 127.0.0.1

peterh
  • 2,938
  • 6
  • 25
  • 31