How to interpret a TCP/IP fingerprint when scanning for OS?
Solution 1
I looked up that OS:SCAN V=5.05 and I found this:
http://nmap.org/book/osdetect-unidentified.html
The following is straight from that nmap link above.
Notice it also has the string V=5.05BETA1, so the output is very similar to yours.
When Nmap Fails to Find a Match and Prints a Fingerprint
When Nmap detects that OS detection conditions seem ideal and yet it finds no exact matches, it will print out a message like this:
No OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
> TCP/IP fingerprint:
> OS:SCAN(V=5.05BETA1%D=8/23%OT=22%CT=1%CU=42341%PV=N%DS=0%DC=L%G=Y%TM=4A91CB
> OS:90%P=i686-pc-linux-gnu)SEQ(SP=C9%GCD=1%ISR=CF%TI=Z%CI=Z%II=I%TS=A)OPS(O1
> OS:=M400CST11NW5%O2=M400CST11NW5%O3=M400CNNT11NW5%O4=M400CST11NW5%O5=M400CS
> OS:T11NW5%O6=M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)
> OS:ECN(R=Y%DF=Y%T=40%W=8018%O=M400CNNSNW5%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
> OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW
> OS:5%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W
> OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
> OS:T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%U
> OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Please consider submitting the fingerprint so that all Nmap users can benefit. It only takes a minute or two and it may mean you don't need to see that ugly message again when you scan the host with the next Nmap version! Simply visit the URL Nmap provides for instructions.
If Nmap finds no matches and yet prints no fingerprint, conditions were not ideal. Even if you obtain the fingerprint through debug mode or XML output, please don't submit it unless Nmap asks you to (as in the previous example).
Solution 2
The fingerprinting does several measurements which are then compared to a database of previously known Operating System fingerprints to find a match.
It isn't really meant to be read so much as submitted along with the known OS to expand the fingerprint database. Inside of OS: each probe is listed as PROBNAME(DATA)
SCAN(V=5.05BETA1%D=8/23%OT=22%CT=1%CU=42341%PV=N%DS=0%DC=L%G=Y%TM=4A91CB90%P=i686-pc-linux-gnu)
SEQ(SP=C9%GCD=1%ISR=CF%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M400CST11NW5%O2=M400CST11NW5%O3=M400CNNT11NW5%O4=M400CST11NW5%O5=M400CST11NW5%O6=M400CST11)
WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)
ECN(R=Y%DF=Y%T=40%W=8018%O=M400CNNSNW5%CC=N%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW5%RD=0%Q=)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
One common way that is listed in the examples in the nmap documentation is to also scan for versions with:
nmap -sV -O -v hostname
The services and versions reported will usually let you tell what device or type of device it is, even if the OS detection itself gives you little. For example, if the web server gets a version line like:
80/tcp open http Apache httpd 2.2.15 ((CentOS))
ina
Updated on September 18, 2022
Comments
- ina over 1 year: I run the command nmap -O ip_address to identify the OS and I have the result below:
OS:SCAN(V=5.05BETA1%D=8/23%OT=22%CT=1%CU=42341%PV=N%DS=0%DC=L%G=Y%TM=4A91CB
OS:90%P=i686-pc-linux-gnu)SEQ(SP=C9%GCD=1%ISR=CF%TI=Z%CI=Z%II=I%TS=A)OPS(O1
OS:=M400CST11NW5%O2=M400CST11NW5%O3=M400CNNT11NW5%O4=M400CST11NW5%O5=M400CS
OS:T11NW5%O6=M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)
OS:ECN(R=Y%DF=Y%T=40%W=8018%O=M400CNNSNW5%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW
OS:5%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Please, can you help me: how can I find the most likely OS on this scanned computer? How can I interpret this result... What suggests that the OS may be Linux, for example, and what suggests that it may be another OS, for example Windows? I am trying so much to understand it, but nothing till now... Please help me. Thanks in advance.
- LawrenceC over 10 years: I see i686-pc-linux-gnu in there. Could that be it?
- ina over 10 years: Yes, I have seen it. But in another case I had P=XXXX instead of P=i686-pc-linux-gnu. What would I do in that case?
- barlop over 10 years: @anna I think the answer given in that similar question is to use nmap like this: nmap -sV -O -v hostname. I've seen -sV before for getting nmap to tell you something, though I recall it telling the version of the server. So, if that's no good, perhaps you can add about that in your question?
- barlop over 10 years: Even this site that mentions what that stuff means, nmap.org/nmap-fingerprinting-article.txt, says to do something like nmap -sS -p 80 -O -v <host>. So the output you're meant to read wouldn't look like that stuff you posted.
- anna over 10 years: But I have only the result and I should interpret it. I can't use another command... I should guess the OS by the result above... Is there any way to interpret the rows above, because I don't understand...
- barlop over 10 years: Apparently nmap doesn't know, so you can submit it to nmap. That link mentions something about reading it, but I doubt it will tell you much, 'cos it seems from my attempt at reading a link (mentioned in my answer) that nmap itself doesn't know and that's why it's displaying that.
- anna over 10 years: So there isn't any way I can guess it?
- barlop over 10 years: @anna Not that I know of, but I'm nowhere near expert. You could ask on the nmap mailing list.