# How to find out what OS a machine is running?

## airwalker

Hi!

I wonder if someone knows how it's possible to find out what kind of OS a given host is running, like the netcraft.com service? What commands (Linux) should I use to achieve the same?  :Smile: 

----------

## kashani

emerge nmap

su to root

nmap -O -v -F host.ip.add.ress

kashani

----------

## Krigare

 *kashani wrote:*   

> emerge nmap
> 
> su to root
> 
> nmap -O -v -F host.ip.add.ress
> ...

 

For those people who aren't reading the nmap list:

This is illegal in some countries, for example, Finland!

Portscanning, that is.

----------

## steveb

You could use netcat to get the HTTP head of the webserver, for example www.gentoo.org:

```
root # echo -e "HEAD http://www.gentoo.org HTTP/1.0\n\n" | nc www.gentoo.org 80 | grep -i ^Server:
Server: Apache/1.3.29 (Unix)  (Gentoo/Linux) mod_gzip/1.3.26.1a AxKit/1.61 mod_perl/1.27
root # 
```

or if you want to check more at once, then something like this:

```
root # for foo in www.ibm.com www.oracle.com www.microsoft.com www.gentoo.org ; do echo ${foo}: ; echo -e "HEAD http://${foo} HTTP/1.0\n\n" | nc ${foo} 80 | grep -i ^Server: ; echo ; done
www.ibm.com:
Server: IBM_HTTP_SERVER/1.3.26  Apache/1.3.26 (Unix)

www.oracle.com:
Server: Oracle9iAS/9.0.4 Oracle HTTP Server OracleAS-Web-Cache-10g/9.0.4.0.0 (N)

www.microsoft.com:
Server: Microsoft-IIS/6.0

www.gentoo.org:
Server: Apache/1.3.29 (Unix)  (Gentoo/Linux) mod_gzip/1.3.26.1a AxKit/1.61 mod_perl/1.27

root # 
```

or you can use nmap to try to guess the os fingerprint:

```
root # nmap -O -P0 www.symlink.ch

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-01-22 19:43 UTC
Interesting ports on wigwam1.ethz.ch (129.132.189.110):
(The 1619 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
13/tcp    open     daytime
21/tcp    open     ftp
22/tcp    open     ssh
23/tcp    open     telnet
25/tcp    filtered smtp
37/tcp    open     time
80/tcp    open     http
109/tcp   open     pop-2
110/tcp   open     pop-3
111/tcp   filtered rpcbind
113/tcp   open     auth
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
143/tcp   open     imap
199/tcp   open     smux
443/tcp   open     https
445/tcp   filtered microsoft-ds
512/tcp   open     exec
515/tcp   filtered printer
540/tcp   open     uucp
587/tcp   open     submission
993/tcp   open     imaps
995/tcp   open     pop3s
1433/tcp  filtered ms-sql-s
1434/tcp  filtered ms-sql-m
1984/tcp  open     bigbrother
2401/tcp  open     cvspserver
3306/tcp  open     mysql
5001/tcp  open     commplex-link
5432/tcp  open     postgres
5999/tcp  open     ncd-conf
8000/tcp  open     http-alt
8081/tcp  open     blackice-icecap
13722/tcp open     VeritasNetbackup
13782/tcp open     VeritasNetbackup
13783/tcp open     VeritasNetbackup
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 17.211 days (since Mon Jan  5 14:42:01 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 98.187 seconds
root # 
```

cheers

SteveB
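As an added example (not part of steveb's post), the sketch below breaks a `Server:` header like the ones above into its tokens, so an administrator can see what their own banner discloses. The function and sample names are made up for illustration; the minimal banner is a constructed sample of what Apache sends with `ServerTokens Prod`.

```shell
#!/bin/sh
# Added example: list what a Server: header discloses.
# Reads raw HTTP response headers on stdin; prints "<class> <token>" lines.

banner_disclosure() {
    tr -d '\r' | awk '
    tolower($0) ~ /^server:/ {
        s = $0
        sub(/^[^:]*:[ \t]*/, "", s)               # drop the header name
        while (length(s) > 0) {
            if (match(s, /^\([^)]*\)/))      class = "comment"  # (text)
            else if (match(s, /^[^ \t(]+/))  class = "product"
            else { s = substr(s, 2); continue }   # separator whitespace
            tok = substr(s, 1, RLENGTH)
            s = substr(s, RLENGTH + 1)
            if (class == "product")
                class = (tok ~ /\/[0-9]/) ? "version" : "name-only"
            print class, tok
        }
    }'
}

# Response headers carrying the www.gentoo.org banner quoted in the thread.
sample_verbose() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/1.3.29 (Unix)  (Gentoo/Linux) mod_gzip/1.3.26.1a AxKit/1.61 mod_perl/1.27\r\n\r\n'
}

# Constructed sample: the banner Apache sends with "ServerTokens Prod".
sample_minimal() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n'
}

echo "verbose banner:"; sample_verbose | banner_disclosure
echo "minimal banner:"; sample_minimal | banner_disclosure
```

Every `version` and `comment` line is information a remote client gets without any scan; the minimal banner leaves only the product name.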

----------

## amne

As already stated, using nmap might be illegal in some countries. Even if not, portscanning is considered to be annoying by some administrators, who might catch your scan and complain to your provider. Your provider might have some passage in your contract that forbids such a thing. Of course you can minimize the risk by being less annoying. The fewer ports you scan, the lower is the chance of getting a complaint. Nmap needs one open and one closed port on the machine, so if it is running a webserver, 

```
nmap -O -p 80-81 hostname
```

 should give a useful result (assuming port 81 is closed) by connecting to only 2 ports.

----------

## casper

you can also try to telnet on 25. If the computer is running a mail server then it will probably tell you what program it is and what OS.

----------

## masseya

 *amne wrote:*   

> As already stated, using nmap might be illegal in some countries.

 If it isn't illegal in the country where you live, it could be against the policies of the place that you work for or go to school.  I would be sure to check this out before using this type of tool.

----------

## airwalker

Thanks for your guidance!  :Smile: 

Cheers!

AW

----------

## shadow255

Not to beat a dead horse here, but I'd like to add that there is something that goes beyond law when it comes to port scanning: it is unethical to perform port scans of systems without prior permission.  Consider the act of performing a port scan akin to walking up to a house and rattling all the doorknobs to see if they're unlocked, and you'll see why this is frowned upon.

----------

## julot

Come On!

The security based on Lawyers is extremely slow on internet!

I know that in some countries even listening to loud music is forbidden!.

But, in My 512k-DSL in an average mean, 3 or 4 portscannings are incoming in a day basis.  In my scan response to find out who the heck those punks are,  I find that 1% are  traced in my country. 

So, emerge portsentry, start protecting yourself and welcome to the new millennium.

And maybe you and your friends start nmapping each other, 

I believe that to prevent is better than one day discover your apache sending tons of spam, or FBI cracking your door because you are running a children-porno site that you obviously did not install.

 :Rolling Eyes: 

----------

## masseya

 *julot wrote:*   

> Come On!
> 
> The security based on Lawyers is extremely slow on internet!
> 
> I know that in some countries even listening to loud music is forbidden!.

 I'm not suggesting that no one breaks the law in this area.  I'm merely saying these forums will not contribute to this problem, so don't discuss this topic in that vein.  More importantly, go and find out for yourself what is and isn't legal in the area that you live.

----------

## Ateo

 *masseya wrote:*   

> *amne wrote:*
>
> > As already stated, using nmap might be illegal in some countries.
>
> If it isn't illegal in the country where you live, it could be against the policies of the place that you work for or go to school.  I would be sure to check this out before using this type of tool.

 

On top of this, in countries where port scanning is not illegal, some ISPs also have policies against this. Make sure you check with your ISP for their policies concerning scanning other IPs.

I might also add that a windows 2k server running ONLY a shoutcast server is more exploitable than a gentoo server running every server known to man.   :Wink: 

----------

## drspewfy

steven that's pretty cool heh, but if the banners are hidden ??

like my server, I don't have any banners, and when somebody tries to guess the OS in nmap,

cuz the banners and grsecurity are set up, an intruder can't know my OS, they just know that it is Linux, not more; the distribution or the daemons, they don't know..

what do u think, another way to know the OS ??

those scripts that u use are cool when the banners are on...

----------

## josh

I don't know much about this, but I want to look into it. In the kernel, I see there's an option that you can set that says it will mirror pings, so, in effect, someone would end up portmapping themselves and not know it. Just thought that was interesting.

----------

## julot

 *Quote:*   

> 
> 
> I might also add that a windows 2k server running ONLY a shoutcast server is more exploitable than a gentoo server running every server known to man.
> 
> 

 

This is not completely certain, I know that in Micro$uck studies the average linux user is mostly more skilled than their windows counterpart.

Linux is Freeing the minds (Morpheus pun intended,   :Laughing:  ).

But many newbies must know that linux alone is not secure in any mean, if you do not use "at least" the 4 things.

- Use a firewall well configured for hacker sake.

- Run only your needed daemons, and do not emerge for emerging itself.

- Use a portscanning discover tool, (there are many "egoïst gens" out there).

- Do not use ROOT, is like using the Porcelain dishes to feed the dog!.

I must concede that in the future the things would not be kind.

When IPV6 is fully deployed, millions of people can do portscanning of refrigerators, cell phones, and god knows what.

So, Linux has a strategic importance in the futurable scenario mentioned.

(To firewall my dishwasher, I hate wash the dishes at hand).

 :Wink: 

----------

## julot

 *Quote:*   

> More importantly, go and find out for yourself what is and isn't legal in the area that you live.

 

In the past I wrote to Free Mail providers (Like Hotmail or Novell), to report email abuse. (Strange but true, when I reported an email abuse so terrible that I could not stand doing nothing, "By magic" I do not receive spam in Hotmail!).   Mhhhh Black hand?.  I miss the 80 spam mails per day basis. (are you single?,  Enlarge P..., Do you need V14gr4).

If we do not take civil liberties (And abuses), with responsibility, the governments will take measures that affect the liberties of all the world.

(V. GR. Patriot Act, Echelon, Laws in Europe, etc).

so if one of the 4 portscanning quoted I report the facts to the ISP; maybe if we all do, we can make a change.

When I look at the apache logs, it scares me, the typical MS-Crap attack

```
81.250.219.150 - - [24/Jan/2004:04:09:17 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 404 318 "-" "-"
81.250.219.150 - - [24/Jan/2004:04:09:18 -0600] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 404 321 "-" "-"
```

So maybe we can start to protect ourselves by polling "This ISP is unsecure, That ISP protect Dookie users and so".

And not to wait for the government to react. So to be honest, today they did not know who was the Blaster writer, and with this level of accuracy we must do something.
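As an added example (not part of julot's post), the script below picks requests like the two logged above out of an Apache combined-format access log and says why each one was flagged. The function names and the two benign log lines are constructed for illustration; the two probe lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: flag encoded directory-traversal probes in an Apache
# combined-format access log. Prints "<client-ip> <status> <reasons>".

scan_traversal() {
    awk '
    {
        # Splitting on double quotes puts the request line in q[2].
        if (split($0, q, "\"") < 3) next
        split(q[1], pre, " ");   ip = pre[1]
        split(q[2], req, " ");   uri = tolower(req[2])
        split(q[3], post, " ");  status = post[1]

        r = ""
        # Lead bytes C0/C1 only occur in overlong UTF-8 (%c0%af is "/").
        if (uri ~ /%c[01]%[89ab][0-9a-f]/) r = r "overlong-utf8,"
        # %25 is an encoded "%", so %252e becomes "." after two decodes.
        if (uri ~ /%25[0-9a-f][0-9a-f]/)   r = r "double-encoding,"
        if (uri ~ /\.\.\//)                r = r "dot-dot-slash,"
        if (uri ~ /cmd\.exe/)              r = r "cmd.exe,"
        if (r != "") { sub(/,$/, "", r); print ip, status, r }
    }'
}

# Two probe lines from the post plus two constructed benign requests.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [24/Jan/2004:04:08:51 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "-"
81.250.219.150 - - [24/Jan/2004:04:09:17 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 404 318 "-" "-"
81.250.219.150 - - [24/Jan/2004:04:09:18 -0600] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 404 321 "-" "-"
192.0.2.10 - - [24/Jan/2004:04:10:02 -0600] "GET /docs/my%20file.html HTTP/1.1" 200 2211 "-" "-"
EOF
}

sample_log | scan_traversal
```

The 404 status on both hits shows the requests found nothing on this Apache host; a 200 next to the same reasons would be the line to investigate first.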

----------

## Morty500

Personally I haven't got a clue when it comes to portscanning. Ethically and morally though it's a grey area. I suppose portscanning could be useful to discover any vulnerabilities in a system. My mates do it frequently - port scan someone's computer (with permission of course) then send them an email to inform them which ports need closing.

On the other side if you're a malicious little weasel (and I have found a few before) that loves to screw up people's PC's, use it for file storage and the like then yeah, it should be illegal to do that cos at the end of the day a security conscious person won't store anything of value on a computer system so you're just hacking the system to be a pain in the butt. 

At the end of the day portscanning is a tool - it's who uses it that determines if it's a good thing or bad thing same could be said about a lot of software and stuff. Take guns for example (off topic I know but it's a metaphor) a gun can be used to hunt for food, or kill a person -it's who pulls the trigger that decides.

----------

