What is OS fingerprinting?

OS fingerprinting is the process of identifying the operating system running on a host in a network. It can be done from several signals, such as the TCP/IP stack behaviour (default TTL values), HTTP packets (the User-Agent field), ICMP requests, open port patterns, TCP window size and more.

There are two types of tools used: active fingerprinters, which send probes to the target and inspect the replies, and passive fingerprinters, which only observe the traffic a host already sends.

Operating System (OS) fingerprinting using the Nmap active fingerprinter

By running an nmap scan with the -O parameter, one can fingerprint the OS by inspecting the packets received back from the target. More details about nmap here.

Example command:

nmap -Pn -O IP_ADDRESS

The -Pn parameter has been added since I know that the target is up, but it may be blocking the ping probe.

Example output from an OS fingerprinting run:

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-10 17:03 EST
Nmap scan report for MYSITE.COM (IP_ADDRESS_HERE)
Host is up (0.0020s latency).

All 1000 scanned ports on MYSITE.COM (IP_ADDRESS_HERE) are filtered

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: WAP|general purpose|specialized



OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 253.29 seconds

Also note that by default nmap scans 1000 ports, as mentioned in the report above.

Passive fingerprinters


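As an added example (not part of the original post), here is a minimal passive fingerprinter in Python. It takes the TTL and TCP window size seen in packets a host sends, as listed in the signals above, rounds the TTL up to the nearest common default to estimate the hop count, and looks the pair up in a signature table. The packet records and the window-size signatures are constructed for illustration, not taken from a real fingerprint database.

```python
"""Passive OS fingerprinting from observed TTL and TCP window size.

Added example, not from the original post. Sample records are constructed
and the signature table is illustrative, not a real p0f/nmap database.
"""
from dataclasses import dataclass

# Common default initial TTLs: 64 (Linux/BSD/macOS), 128 (Windows),
# 255 (many network devices). Real hosts can change these, so results
# are a hint, not proof (compare nmap's own "may be unreliable" warning).
INITIAL_TTLS = (64, 128, 255)

# Constructed, illustrative signatures keyed by (initial TTL, window size).
SIGNATURES = {
    (64, 29200): "Linux (constructed signature)",
    (64, 65535): "BSD/macOS (constructed signature)",
    (128, 8192): "Windows (constructed signature)",
    (128, 65535): "Windows (constructed signature)",
}

# Fallback when only the TTL family is known.
TTL_FAMILY = {64: "Unix-like (TTL only)", 128: "Windows (TTL only)",
              255: "network device (TTL only)"}


@dataclass
class Observation:
    src: str     # source address of the observed packet
    ttl: int     # IP TTL as seen on the wire
    window: int  # TCP window size from the SYN


def normalize_ttl(ttl):
    """Return (initial_ttl, hops): smallest common default >= observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    return None, None  # > 255 is not a valid IPv4 TTL


def guess_os(obs):
    """Best-effort OS guess for one observation, with the hop estimate."""
    initial, hops = normalize_ttl(obs.ttl)
    if initial is None:
        return {"src": obs.src, "initial_ttl": None, "hops": None,
                "os": "invalid TTL"}
    label = SIGNATURES.get((initial, obs.window), TTL_FAMILY[initial])
    return {"src": obs.src, "initial_ttl": initial, "hops": hops, "os": label}


# Constructed sample observations, e.g. parsed from a capture or firewall log.
SAMPLE = [Observation("10.0.0.5", 61, 29200), Observation("10.0.0.9", 117, 8192),
          Observation("10.0.0.12", 250, 4128)]

if __name__ == "__main__":
    for o in SAMPLE:
        print(guess_os(o))
```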