Can Linux Distro be determined by remote scan?


I received the following message from a network administrator:

A scan from the campus nessus scanner detected the above named device as running Ubuntu 11.10

Is it actually possible to detect the distro through a remote scan?


I am not 100% sure how Nessus got the distribution of Linux you are running, but the answer in general is YES, it can find a lot about your system if the system is not secured but is left running as it was installed from the original installation media.

Nessus, by its nature, attacks the ports that are known to be left open by the default system installation. Be it Linux, any other Unix, or Redmond's finest OS, Nessus tries to exploit the open ports.

This document on the Nessus blog can explain the OS determination operation a lot better than I can.


Short answer: yes.

Several services like FTP, ident, or web servers show operating system + version. For example, 404 sites sometimes include the name of the web server, domain name, port, and operating system.

To interpret your case any further we would need additional information regarding the running services and the ports that you have open. It would also be interesting to hear what you mean by 'above named device'.


Yes. OSes have network fingerprints.


Many services reveal information about themselves via the communication protocol. It's a vital part of establishing communication in some cases. Seeing as how most distros are binary based, the implication is that the user will most likely never tamper with the binaries to conceal information about the services (heck, even if the distro is source based the user won't bother).

It is dead easy to compile a list of "known service names" and use nmap to identify the OS.

I bet it is even possible, given sufficient knowledge about the IP/TCP implementation on the various OSes, to determine the kernel version of the OS using solely the TCP responses from a "secured" service. Come to think of it, even ping responses can have a signature.

For someone devoted to this kind of activity (gaining access to remote hosts), the act of identifying viable targets is the first and most trivial task to accomplish. I've never even thought about this stuff and with a carefully worded search, it's easy to find a wealth of examples such as:

$ nmap -sV -vv -PN  eee.lan
Starting Nmap 6.01 ( ) at 2013-04-05 23:57 ope
Initiating ARP Ping Scan at 23:57
Scanning eee.lan ( [1 port]
Initiating SYN Stealth Scan at 23:57
Scanning eee.lan ( [1000 ports]
Discovered open port 80/tcp on
Discovered open port 445/tcp on
Discovered open port 139/tcp on
Discovered open port 22/tcp on
Discovered open port 111/tcp on
Initiating Service scan at 23:57
Scanning 5 services on eee.lan (
Initiating RPCGrind Scan against eee.lan ( at 23:57
NSE: Script scanning
Nmap scan report for eee.lan (
rDNS record for eee.lan
Scanned at 2013-04-05 23:57:46 ope for 11s
22/tcp  open  ssh                    OpenSSH 5.8p1-hpn13v10lpk (protocol 2.0)
80/tcp  open  http                   bozohttpd 20100621
111/tcp open  rpcbind (rpcbind V2-4) 2-4 (rpc #100000)
139/tcp open  netbios-ssn            Samba smbd 3.X (workgroup: MYGROUP)
445/tcp open  netbios-ssn            Samba smbd 3.X (workgroup: MYGROUP)
MAC Address: 00:26:18:97:B7:0B (Asustek Computer)

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 12.42 seconds
           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.048KB)

The interesting info here would be: OpenSSH 5.8p1-hpn13v10lpk. That alone could enable someone to guess what OS I'm running. Just search for "hpn13v10lpk"...

Ярослав Рахматуллин
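
As an added example (not part of the original answer), a host owner can run the following over the `nmap -sV` output of their own machine to list which service strings disclose an exact version, a build suffix such as `hpn13v10lpk`, or a workgroup name. The service lines are copied from the scan quoted above; the function name `audit_service_lines` and the regular expressions are this example's own assumptions.

```python
import re

# Service lines copied from the nmap -sV output quoted in the answer above.
NMAP_LINES = """\
22/tcp  open  ssh                    OpenSSH 5.8p1-hpn13v10lpk (protocol 2.0)
80/tcp  open  http                   bozohttpd 20100621
111/tcp open  rpcbind (rpcbind V2-4) 2-4 (rpc #100000)
139/tcp open  netbios-ssn            Samba smbd 3.X (workgroup: MYGROUP)
445/tcp open  netbios-ssn            Samba smbd 3.X (workgroup: MYGROUP)
"""

# "PORT/proto open SERVICE VERSION-DETAIL" as printed by nmap -sV.
LINE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s+(.*)$")
# Dotted version (optionally with an OpenSSH-style pN) or a date-stamped release.
VERSION = re.compile(r"\b(\d+\.\d+(?:\.\d+)*(?:p\d+)?|\d{8})\b")
# Alphabetic token glued to the version with a hyphen: a build or patch-set tag.
SUFFIX = re.compile(r"\d-([A-Za-z][\w.+~]*)")
WORKGROUP = re.compile(r"workgroup:\s*(\S+?)\)")


def audit_service_lines(nmap_text):
    """Return {port: [disclosures]} for every open-service line in the text."""
    report = {}
    for line in nmap_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip headers, MAC address line, timing output, etc.
        port, detail = int(m.group(1)), m.group(3)
        leaks = []
        version = VERSION.search(detail)
        if version:
            leaks.append("exact version " + version.group(1))
        suffix = SUFFIX.search(detail)
        if suffix:
            leaks.append("build/patch suffix " + suffix.group(1))
        workgroup = WORKGROUP.search(detail)
        if workgroup:
            leaks.append("workgroup name " + workgroup.group(1))
        report[port] = leaks
    return report


if __name__ == "__main__":
    for port, leaks in sorted(audit_service_lines(NMAP_LINES).items()):
        print(port, "; ".join(leaks) or "no version detail disclosed")
```

Ports with an empty list, or with a wildcard version such as `3.X`, give a scanner the least to work with; the others are the banners worth trimming or filtering first.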

