Nmap Enumeration - Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer

Hey Guys,
I'm a complete newbie, so sorry in advance if the answer seems too obvious, but I could use a hint in the right direction. Currently I am working on the NETWORK ENUMERATION WITH NMAP module, and I'm stuck literally on the first module.

The Question is: “Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.”

I tried several commands for example like:
sudo nmap 10.129.2.80 -p 10001 -O -D RND:5 --disable-arp-ping -Pn -e tun0

As the answer I got Linux, but if I type it into the answer field, I just get an error (I tried every port and also the -S option, but this also does not bring me very far).

Already saying thanks in advance to everyone taking their time to read and answer this :slight_smile:

1 Like

Okay, I just found out where my mistake was; for others having problems with this:
search for the services on the ports.

2 Likes

Hi bro, I'm still stuck on this lab, any hint? Thx in advance.

Could you please explain a little more?

Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as the result.

This got me confused because I was more concerned about the NMAP scanning techniques and how to check if a target is alive or not.

So funny: we as attackers work on our virtual machines while our targets run either Linux, Windows, or another OS.

hahaha hahaha… Just crack this and answer the question
Good Luck!

1 Like

If you have finished looking up the ports, just try to access the ports with different services to log in. You will definitely be in the right place.

Try to find the version of each service.

My answer is Ubuntu.

```
sudo nmap ip -S -A
```

under:

```
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
```

Most operating systems have a different time to live. Based on the previous result the TTL is 128:

```
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
```

ttl=128 is in most cases Windows.

5 Likes

Hi. My solution involved looking at the open ports of my target system. Then look at the --help info to see what you can add to the nmap command to scan for the OS.

This command does not work?

God, I know the answer: we can't use -O, it just returns Linux, not the right one. We should use -sV or -A.

In my case, the host was down. I had to rely on the TTL from the previous scan.

You don't need to run any command, it's all about TTL :wink:

1 Like

Guys, I have tried everything from -sV to -A to TTL to connecting to ports.
My answer is still wrong. PLS, I need another hint.

1 Like

I did, and still got the wrong answer. IDK what I am doing wrong.

Hi. I suggest you see the Common Protocols section of the Introduction to Networking module (which I think is Tier 0/free). I don't know the rules exactly, but if you don't have boxes to spare (even though it is a great module that you can even read from your phone), reply again and I will reply with the common TTL for each OS. Probably, if you searched on Google, you have seen the wrong OS for the TTL.

They have already given the method and even the answer here.

1 Like

As the comment before me said, the past comment section has the method and answer, but I will still try to simplify.

But first, you could literally spam each commonly known OS and still get the answer right, without help.

The intended approach, though, I think, is using this hint:

We have already mentioned in the “Learning Process,” and at the beginning of this module, it is essential to pay attention to details. An ICMP echo request can help us determine if our target is alive and identify its system. More strategies about host discovery can be found at:
Putting It All Together: Host Discovery Strategies | Nmap Network Scanning

You could reach the conclusion that something lies inside those requests. The SENT one is from your device, which we don't need, because why would we care about or look for the OS of our own device. The other request, the RCVD one, comes from the target OS which we want to discover, therefore something in that request is the clue, and the TTL comes to mind for many reasons: one, it is brought up in the link above; second, the networking module in the Information Security Fundamentals brought it up; thirdly, 128 is a super clean number, 2^7, not a random one, which begs the question whether it is some sort of default configuration, which it is indeed.

TL;DR: just google "ttl for each OS".

On the basis of TTL:
Linux/Mac: the default TTL value is typically 64.
Windows: the default TTL value is usually 128.

So the answer is Windows.
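The two ideas the thread converges on (read the TTL out of the RCVD line of a `--packet-trace` run, and cross-check it against OS names leaking from service banners) can be automated. The script below is an added example, not code from the forum or from Nmap. The RCVD line is the one quoted earlier in the thread; the SENT line and the service lines are constructed samples. The initial-TTL table (64, 128, 255) and the "nearest initial value not below the observed one" rule are the usual heuristic and are assumptions of this example, not something the page proves.

```python
import re

# Common default initial TTLs per OS family (heuristic; assumption of this example).
# A reply's TTL is the sender's initial value minus the number of hops it crossed.
INITIAL_TTLS = {64: "Linux/macOS", 128: "Windows", 255: "Network device / Solaris"}

# nmap --packet-trace prints "RCVD ... IP [ttl=NNN ...]" for packets received from the target.
RCVD_TTL_RE = re.compile(r"^RCVD .*?\bIP \[ttl=(\d+)\b")

# OS names that often appear in service banners, e.g. "Apache httpd 2.4.18 ((Ubuntu))".
BANNER_OS_RE = re.compile(r"\((Ubuntu|Debian|CentOS|Red Hat|FreeBSD|Windows)\)", re.I)

# Constructed sample: SENT line is made up, RCVD line is the one quoted in the thread.
SAMPLE_TRACE = """\
SENT (0.0074s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=56 id=9532 iplen=28 ]
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
"""

# Constructed sample of -sV output lines, modelled on the Apache lines posted in the thread.
SAMPLE_SERVICES = """\
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
"""


def ttl_from_trace_line(line):
    """Return the TTL of a RCVD packet-trace line, or None for SENT/other lines."""
    m = RCVD_TTL_RE.search(line.strip())
    return int(m.group(1)) if m else None


def guess_os_from_ttl(ttl):
    """Map an observed TTL to the nearest default initial TTL at or above it.

    TTL only decrements in transit, so the initial value cannot be below the
    observed one. A large implied hop count makes the guess less trustworthy.
    """
    candidates = [t for t in INITIAL_TTLS if t >= ttl]
    if not candidates:
        return None
    initial = min(candidates)
    hops = initial - ttl
    return {
        "family": INITIAL_TTLS[initial],
        "initial_ttl": initial,
        "hops": hops,
        "confidence": "high" if hops <= 30 else "low",
    }


def analyze_trace(trace_text):
    """Run the TTL heuristic over every RCVD line of a --packet-trace capture."""
    results = []
    for line in trace_text.splitlines():
        ttl = ttl_from_trace_line(line)
        if ttl is not None:
            guess = guess_os_from_ttl(ttl)
            results.append({"ttl": ttl, **guess})
    return results


def os_hints_from_banners(service_text):
    """Collect OS names that services leak in their version banners."""
    hints = set()
    for line in service_text.splitlines():
        for m in BANNER_OS_RE.finditer(line):
            hints.add(m.group(1))
    return sorted(hints)


if __name__ == "__main__":
    for r in analyze_trace(SAMPLE_TRACE):
        print(f"ttl={r['ttl']} -> {r['family']} (initial {r['initial_ttl']}, "
              f"{r['hops']} hops, {r['confidence']} confidence)")
    print("banner hints:", os_hints_from_banners(SAMPLE_SERVICES))
```

Both signals are only hints: the initial TTL is a tunable default (a sysctl on Linux, a registry value on Windows), and NAT gateways, load balancers or proxies answering on behalf of the host will show their own TTL and banners, not the target's. Treat a mismatch between the TTL guess and the banner hints as a reason to look closer rather than as a contradiction to resolve by picking one.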