5 MUST KNOW NMAP FLAGS FOR OS / SERVICE DETECTION

By Leonard Cucos •  Updated: 05/07/21 •  5 min read

In this tutorial, we are going to cover the 5 important NMAP flags for operating system and service detection on a target machine. This guide is for ethical hacking and security audit purposes only.

You can practice all NMAP commands in this guide by scanning the ports on your computer or use scanme.nmap.org as a target for your scans [it’s safe]. I would highly recommend you stay away from scanning random targets on the Internet.

Remember: unapproved vulnerability and port scanning on the Internet without permission can get you fired, banned by your ISP, or even jailed in some parts of the world [if you’re unlucky].

If you don’t have Nmap installed on your system yet, here is a step-by-step guide for installing Nmap on Windows, macOS, Linux, and FreeBSD. Takes less than 5 minutes.

So open a terminal on your computer, and let’s get to work.

NMAP has the incredible ability to analyze the responses received from a target machine and identify the operating system and services running on it. This is referred to as TCP/IP fingerprinting. NMAP has a range of arguments [flags] available as shown in Table 1.1 below which we will cover in the following sections.

NMAP Flags [OS And Service Detection]    NMAP Flag
Operating System Detection               -O
Service Version Detection                -sV
Guess Unknown Host                       --osscan-guess
Perform RPC Scan                         -sR
Troubleshooting Version Scans            --version-trace
Table 1.1: NMAP flags for operating system and service detection.

Operating System Detection With NMAP 

Flag: -O

Syntax: nmap -O [Target]

Description: Instruct NMAP to enable Operating System detection.

The -O command-line flag will instruct NMAP to determine the operating system running on a remote target, as shown in Figure 1.1 below. Operating system detection is accomplished by examining target replies based on OS-specific features.

Figure 1.1: NMAP flags for operating system detection.

NOTE: At least one open and one closed port needs to be available on the target machine for NMAP operating system detection to work.

If you are scanning a range of IPs, you can instruct NMAP to skip the hosts that do not meet the criteria for OS detection.

When scanning multiple targets, the --osscan-limit option can be used in conjunction with -O to tell NMAP not to OS-scan hosts that don’t meet these requirements, as seen in Figure 1.2 below.

Figure 1.2: NMAP flags for detecting operating system [--osscan-limit].

But wait, we can push our scan even further.

If we add the -v [verbose] flag to our NMAP command line, we can see additional real-time information about the target we are scanning as seen in Figure 1.3 below.

Figure 1.3: NMAP flags for operating system detection [verbose mode].

Service Version Detection With NMAP

Flag: -sV

Syntax: nmap -sV [Target]

Description: Instruct NMAP to enable service version detection.

The Service Version Detection flag -sV instructs NMAP to find the vendor and service version for each open port detected. This method is useful when attempting to identify whether a target machine’s services are out of date, which gives us a clue for identifying potential bugs and vulnerabilities [Figure 1.4].

Figure 1.4: NMAP flags for software version detection [multi-host].

By default, NMAP with the -sV flag will skip the port range 9100-9107, as these ports are usually used by printers, which listen on them and print any data sent to them. We can use the --allports option to instruct NMAP to include ports 9100-9107 in the version scan [Figure 1.5].

Figure 1.5: NMAP flags for software version detection [scan all ports].

Guess Unknown Operating System With NMAP

Flag: --osscan-guess

Syntax: nmap -O --osscan-guess [Target]

Description: Instruct NMAP to guess the operating system more aggressively when no exact match is found [used together with -O].

Sometimes, NMAP is unable to identify the operating system running on a target machine with 100% certainty. By using the --osscan-guess flag we force NMAP to guess the operating system, listing the possible operating systems installed on the target together with a percentage probability for each, as seen in Figure 1.5 below.

Figure 1.5: NMAP guess operating system on a target machine [output example].
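Reading the -sV and -O / --osscan-guess results by eye works for one host, but for a range of IPs it helps to parse NMAP’s XML output (-oX). The following parser is an added example, not code from this article or from the NMAP project; the XML inside it is a constructed sample shaped like real NMAP output, not a captured scan, and the host 192.0.2.10 is a placeholder address.

```python
"""Parse Nmap XML (-oX) output from an OS and version detection scan.
Added example, not the article's code.  SAMPLE_XML is constructed to
look like what `nmap -O --osscan-guess -sV -oX - <target>` emits,
trimmed to the elements this parser reads."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O --osscan-guess -sV -oX - 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.6" method="probed" conf="10"/></port>
<port protocol="tcp" portid="9100"><state state="open" reason="syn-ack"/>
<service name="jetdirect" method="table" conf="3"/></port>
<port protocol="tcp" portid="113"><state state="closed" reason="reset"/></port>
</ports>
<os><osmatch name="Linux 3.10 - 4.11" accuracy="95"/>
<osmatch name="Linux 3.2 - 4.9" accuracy="90"/></os>
</host></nmaprun>"""


def open_services(xml_text):
    """Return (port, protocol, product, version) for every open port.
    method="table" means Nmap only looked the port number up in
    nmap-services (no probe was answered, e.g. the skipped printer port
    9100), so product and version are reported as unknown."""
    root = ET.fromstring(xml_text)
    rows = []
    for port in root.iter("port"):
        if port.find("state").get("state") != "open":
            continue
        svc = port.find("service")
        probed = svc is not None and svc.get("method") == "probed"
        rows.append((int(port.get("portid")), port.get("protocol"),
                     svc.get("product", "unknown") if probed else "unknown",
                     svc.get("version", "unknown") if probed else "unknown"))
    return rows


def os_guesses(xml_text, min_accuracy=90):
    """Return [(name, accuracy)] best first, dropping matches below
    min_accuracy.  Nmap itself only prints near-matches that are very
    close unless --osscan-guess lowers the bar; tweak min_accuracy to
    see how the guess list changes with that threshold."""
    root = ET.fromstring(xml_text)
    matches = [(m.get("name"), int(m.get("accuracy")))
               for m in root.iter("osmatch")]
    matches.sort(key=lambda m: -m[1])
    return [m for m in matches if m[1] >= min_accuracy]
```

Feed it a real file with `open_services(open("scan.xml").read())` after running NMAP with -oX scan.xml.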

Perform an RPC Scan With NMAP

Flag: -sR

Syntax: nmap -sR [Target]

Description: Performs a Remote Procedure Call (RPC) scan against a target machine.

Remote Procedure Call (RPC) is a protocol used by software to request a service located on another system without having to understand the network details in between. RPC is a protocol mostly associated with the Network File System (NFS) on Linux and UNIX operating systems.

By using the -sR flag, we can instruct NMAP to obtain information about the RPC services running on a target machine [Figure 1.6].

Figure 1.6: NMAP flags – Remote Procedure Call (RPC) scan.

In Figure 1.6, NMAP obtained information specific to NFS v.3 services on their dedicated ports, 111 TCP and 2049 TCP.

Troubleshooting Version Scans With NMAP

Flag: --version-trace

Syntax: nmap -sV --version-trace [Target]

Description: Enables verbose tracing of version-scan activity.

Figure 1.7: NMAP flags for RPC scan.

The NMAP troubleshooting version scan [Figure 1.7] can be very useful when troubleshooting problems with a target machine, as the --version-trace flag prints the probes sent and the responses received during the version scan [Figure 1.8], which is especially helpful when the NMAP output is not the one expected.

Figure 1.8: NMAP flags for troubleshooting version scan [--version-trace].

Before You Leave

NMAP is one of the essential tools in your journey to becoming an ethical hacker. I would advise you to read and practice the above commands a few times more.

As you might have seen, I cover the NMAP scanning tools and techniques quite extensively on this website. Here are a few NMAP articles I highly advise you to continue with:

Stay safe!

Leonard Cucos

Leonard Cucos is an engineer with over 20 years of IT/Telco experience managing large UNIX/Linux-based server infrastructures, IP and Optics core networks, Information Security [red/blue], Data Science, and FinTech.
