So one of Nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the response.

After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc.). OS detection is far more effective if at least one open and one closed TCP port are found.

Let's see the OS detection in action. We have to use OS detection with one of the port detection techniques, so I use SYN scan in this demo. The target system is Metasploitable. Let's choose the top 100 ports to make the query faster. Or, do not give any port and let Nmap scan the top 1000 ports; that won't take long. Put uppercase O for OS detection and hit enter.
Here is the result of OS detection: it's a general purpose device, running Linux with a version between 2.6.9 and 2.6.33.

If you would like Nmap to be more aggressive to get a more accurate result, you can use the --osscan-guess parameter with the -O OS detection parameter.

Now let's scan a Windows system and try to find out the version of the OS. So here I have a Windows 8 virtual machine. I want to learn its IP address from the command prompt: type "ipconfig" and hit enter.

Now let's go to Kali and test if we can reach the Windows system. First, ping the system. Now the system is not responding to the ping requests, or we cannot reach the system, so second I perform an Nmap ping scan. We know how to do it, right? Type "nmap -sn 172.16.99.171" and hit enter. Yes, Nmap says the host is up, so we are able to reach this system.

Now I want to scan the top 10 TCP ports of this system. I add the --reason parameter to see the reasons for the results. All the ports we scanned are filtered, because there are no responses from them. It's not good for us. I add OS detection to the latest Nmap query and re-run it. No, Nmap cannot find the OS details, because it does not have a result set to probe or interrogate.
I would like to open a port on the Windows system to reply to the Nmap scans. In the Windows 8 VM, I run the IIS (Internet Information Services) Manager and start hosting the default website of IIS. Open a web browser and try to reach the website by typing the IP address of the system into the address bar. OK, the web service is up.

Let's test if I can reach the website from Kali. I go to Kali, open a browser, enter the IP address of the Windows 8 VM and hit enter. No, I cannot. And I think I know the reason. In the Windows VM, let's look at the firewall to see if HTTP traffic is allowed. I open the firewall. At the upper left corner, I click the "Allow an app or feature through Windows Firewall" link. Click "Change Settings", which needs admin privileges. Go to the end of the list. As I thought, HTTP services are not allowed. Check it, and click OK to apply the changes. In the command prompt, to see port 80, I run the "netstat -an" command.

When I come back to Kali, I see that the page is loaded in the browser. That means Kali can reach port 80 of my Windows 8 VM. Now, in the terminal screen, I want to run a SYN scan for the Windows system's top 10 ports. Here we have an open port now. Let's re-run the scan with the OS detection option.
Now we have the OS detection result. First, Nmap warns us about the results. It says the results may be unreliable because it couldn't find a closed port to probe. Anyway, Nmap does its best, and here it says the operating system is one of these: Windows 2008, Windows 8.1, Windows 7, Windows Phone, or Windows Vista. Good job.