Operating system and version detection
Apart from port scanning, Nmap provides some advanced options that help us gather more information about the target. One of the most widely used is operating system detection [-O], which attempts to identify the operating system running on the target machine.
An operating system detection scan output is shown as follows:
msf > nmap -O 192.168.216.129
[*] exec: nmap -O 192.168.216.129
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-19 09:28 EDT
Nmap scan report for 192.168.216.129
Host is up (0.0012s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
...
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.91 seconds
msf >
The other widely used Nmap option is service version detection [-sV] against the open ports on the target. It can be combined with any of the scan types we saw previously, adding information about which service versions are running on the target's open ports:
msf > nmap -sV 192.168.216.129
[*] exec: nmap -sV 192.168.216.129
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-19 09:30 EDT
Nmap scan report for 192.168.216.129
Host is up (0.00049s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
...
irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.57 seconds
msf >
As we can see, an extra VERSION column has been added to the scan output, reporting the version of each service running on the target machine.
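The screen output above is convenient to read but awkward to process. When the same scan is saved with -oX, the OS match, its CPE and the per-port service fields are available as structured data. The following parser is an added example, not code from the book or from the Nmap project. The embedded XML is a constructed sample that follows the nmaprun schema and mirrors the host and OS values shown above; the service products and versions in it (ExampleFTPd 1.0, an OpenSSH 4.7p1 banner) are made up for the example. It also separates services that -sV actually fingerprinted (method="probed") from ones whose name was only looked up from the port number (method="table"), which is the check an analyst wants before trusting a reported version.

```python
"""Parse Nmap XML (-oX) output into host, OS and service records (added example)."""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of what `nmap -O -sV -oX scan.xml 192.168.216.129` writes.
# Host and OS values mirror the scan shown in the text; service versions are invented.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -oX scan.xml 192.168.216.129" version="7.60">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.216.129" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="ExampleFTPd" version="1.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open" reason="syn-ack"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="closed" reason="reset"/>
        <service name="smtp" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100" line="54863">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100">
          <cpe>cpe:/o:linux:linux_kernel:2.6</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""


@dataclass
class Service:
    port: int
    proto: str
    name: str
    product: str
    version: str
    probed: bool  # True if -sV matched a probe; False if the name came from the port table


@dataclass
class HostReport:
    addr: str
    os_match: str
    os_accuracy: int
    os_cpes: list
    services: list


def parse_nmap_xml(xml_text):
    """Return one HostReport per host that is up, with its open ports and best OS match."""
    root = ET.fromstring(xml_text)
    reports = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"

        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports carry useful service data
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            services.append(Service(
                port=int(port.get("portid")), proto=port.get("protocol", ""),
                name=get("name"), product=get("product"), version=get("version"),
                probed=(get("method") == "probed"),
            ))

        # -O may list several candidate matches; keep the one with the highest accuracy.
        best = max(host.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        os_match, os_acc, cpes = "", 0, []
        if best is not None:
            os_match, os_acc = best.get("name", ""), int(best.get("accuracy", "0"))
            cpes = [c.text for c in best.findall("osclass/cpe") if c.text]
        reports.append(HostReport(addr, os_match, os_acc, cpes, services))
    return reports


def unverified_services(report):
    """Open ports whose service name is a port-table guess, not a -sV fingerprint."""
    return [s for s in report.services if not s.probed]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for r in parse_nmap_xml(text):
        print(f"{r.addr}: {r.os_match} ({r.os_accuracy}%) {r.os_cpes}")
        for s in r.services:
            flag = "" if s.probed else "  [name guessed from port, no version probe match]"
            print(f"  {s.port}/{s.proto} {s.name} {s.product} {s.version}{flag}")
```

Run it with no arguments to parse the embedded sample, or pass the path of a real -oX file. In the sample, telnet on 23/tcp is reported as unverified: the port was open, but no version probe matched, so the service name is only the IANA default for that port and should be confirmed before it is recorded as a finding.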