Operating System and Service Discovery Technical Guide

1. Operating system fingerprint recognition technology

Methods for remotely determining the operating system of a target computer fall into two categories:

Passive method: no packets are sent to the target system. Instead, a packet capture tool collects traffic passing over the network, and the target's operating system is inferred from the characteristics of those packets.

Active method: the client deliberately sends packets to the remote host. The remote host normally responds, and the sender infers the remote operating system by analysing the details of those responses.

Nmap does not use the passive method. Its active OS detection sends a set of fingerprinting probes (up to 15 probes) to the target.

The packet attributes that Nmap varies in its probes and examines in the replies include TCP window size, window-related fields, the fragmentation (DF) flag, TCP timestamps, sequence numbers, and other details such as the IP TTL.

OS scanning of the target can be done simply with the -O option:

nmap -F -O <ip address>

2. Service discovery technology

Nmap also provides more accurate service and version detection, enabled by adding the -sV option.

The nmap-service-probes database contains the probe messages to send to different services together with match expressions for parsing and identifying the responses. The version detection engine compares each response with the entries in nmap-service-probes; if the response matches one of them, the specific service running on the target port is confirmed.

Origin blog.csdn.net/Gherbirthday0916/article/details/131142070