Operating System (OS) fingerprinting and service identification are critical components of active reconnaissance in cybersecurity. These processes involve analyzing characteristics of a networked system to determine the OS it's running and the services it's hosting. By understanding the specific OS and services, attackers or security professionals can tailor their approach, exploiting known vulnerabilities or configurations typical to those systems. OS fingerprinting often relies on variations in network protocol implementations, while service identification can involve sending specific requests to ports and analyzing responses.
Nmap (Network Mapper)
nmap-Otarget# Initiates an OS detection scan, which uses TCP/IP stack fingerprinting to identify the operating system of the target host.nmap-sVtarget# Probes open ports on the target to determine service/version information.nmap-Atarget# Enables OS detection, version detection, script scanning, and traceroute, providing a comprehensive overview of the target.nmap--osscan-guesstarget# Forces Nmap to guess more aggressively about the OS detection when it's not sure.nmap-sRtarget# Performs RPC (Remote Procedure Call) scan to identify RPC services on the target.nmap-sV--version-intensity5target# Sets the intensity level of version detection to the most aggressive (level 5) to gather detailed service information.nmap-sV--version-lighttarget# Performs a lighter version of service scanning, which is less aggressive and faster but potentially less accurate.nmap--version-tracetarget# Outputs detailed information about the version scanning sequence, useful for debugging or understanding how version detection works.nmap-sV--version-alltarget#Tries every single probe (the most aggressive and comprehensive version scanning) to identify services.nmap-O--osscan-limittarget# Limits OS detection to promising targets (those with at least one open and one closed TCP port).
Xprobe2: is a tool for active OS fingerprinting, which uses various techniques to deduce the operating system of a remote host. It’s less commonly used now but was innovative in combining multiple methodologies for OS detection.
xprobe2192.168.1.1# Initiates an OS fingerprinting scan against the target IP 192.168.1.1.xprobe2-v192.168.1.1# Runs the scan in verbose mode, providing more detailed output about the scanning process and results for 192.168.1.1.xprobe2-ptcp:80:open192.168.1.1# Conducts a scan with the assumption that TCP port 80 is open on the target, which can refine the accuracy of OS detection.xprobe2-t120192.168.1.1# Sets a timeout of 120 seconds for probes, allowing more time for responses, which can be useful for slower or more distant targets.xprobe2-micmp_echo192.168.1.1# Uses the ICMP echo module for probing, which relies on how different OSes respond to ICMP requests.xprobe2-c/path/to/config192.168.1.1# Uses a custom configuration file specified by /path/to/config for the scan, allowing for tailored scanning parameters.xprobe2-n10192.168.1.1# Limits the scan to send only 10 probes, reducing network traffic and potentially making the scan less detectable.xprobe2-oresult.xml192.168.1.1# Outputs the scan results in XML format to result.xml, useful for parsing or further analysis.xprobe2-r1-5192.168.1.1# Limits the scan to use only probe modules numbered from 1 to 5, focusing the scan on a subset of available techniques.xprobe2-Dicmp_echo-Dtcp:80:open192.168.1.1# Combines the ICMP echo and TCP port 80 open modules for a more comprehensive scan against 192.168.1.1.