Scanning the OS type with nmap

nmap can roughly guess the remote OS from how its TCP/IP stack answers a series of crafted probes: FIN probes, probes with invalid flag combinations, ISN sampling, monitoring of the DF bit, the initial TCP window size, the ACK value, ICMP error messages and their content, the TOS field, how fragmented packets are handled, and a few other TCP options. The responses are compared against nmap's fingerprint database (nmap-os-db), and each candidate match is reported with a confidence percentage; a host that yields neither a clean open nor a clean closed port gives a much weaker fingerprint, and nmap says so in its output.
Just run
[bash]
sudo nmap -O www.domain.com -D 8.8.8.8
[/bash]
to fingerprint the host. `-O` needs root (hence `sudo`) because it sends raw packets. `-D` adds decoy source addresses: the target also sees probes that appear to come from 8.8.8.8, so its logs show several scanners. It does not hide your real address, which is still in the mix, since the fingerprinting replies have to reach your own machine for the guess to work. Running this against three hosts gives:
[bash]
www.ebay.com

Starting Nmap 6.00 ( http://nmap.org ) at 2012-10-20 19:02 CST
Nmap scan report for www.ebay.com (66.211.181.181)
Host is up (0.56s latency).
Other addresses for www.ebay.com (not scanned): 66.211.181.161 66.135.210.181 66.135.210.61 66.135.200.181 66.135.200.161
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
Device type: load balancer
Running (JUST GUESSING): Citrix embedded (85%)
Aggressive OS guesses: Citrix NetScaler load balancer (85%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.61 seconds
www.google.com

Starting Nmap 6.00 ( http://nmap.org ) at 2012-10-20 19:03 CST
Nmap scan report for www.google.com (74.125.128.147)
Host is up (0.049s latency).
Other addresses for www.google.com (not scanned): 74.125.128.106 74.125.128.105 74.125.128.104 74.125.128.103 74.125.128.99
rDNS record for 74.125.128.147: hg-in-f147.1e100.net
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): OpenBSD 4.X (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.3
Aggressive OS guesses: OpenBSD 4.3 (85%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.11 seconds
www.bing.com

Starting Nmap 6.00 ( http://nmap.org ) at 2012-10-20 19:03 CST
Nmap scan report for www.bing.com (63.150.12.75)
Host is up (0.22s latency).
Other addresses for www.bing.com (not scanned): 63.150.12.33
rDNS record for 63.150.12.75: 63-150-12-75.dia.static.qwest.net
Not shown: 996 filtered ports
PORT STATE SERVICE
53/tcp closed domain
80/tcp open http
443/tcp open https
8000/tcp closed http-alt
Device type: WAP|media device|webcam|general purpose|PBX
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Asus Linux 2.6.X (94%), Linksys Linux 2.4.X (93%), Netgear embedded (92%), Western Digital embedded (92%), AXIS Linux 2.6.X (92%), Cisco Linux 2.6.X (91%)
OS CPE: cpe:/o:linux:kernel:2.6.22 cpe:/h:asus:rt-n16 cpe:/o:asus:linux:2.6 cpe:/o:linksys:linux:2.4 cpe:/o:linux:kernel:2.4 cpe:/o:axis:linux:2.6 cpe:/o:linux:kernel:2.6 cpe:/o:cisco:linux:2.6
Aggressive OS guesses: Tomato 1.28 (Linux 2.6.22) (95%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (95%), Asus RT-N16 WAP (Linux 2.6) (94%), OpenWrt White Russian 0.9 (Linux 2.4.30) (93%), OpenWrt 0.9 – 7.09 (Linux 2.4.30 – 2.4.34) (93%), Linux 2.6.15 (likely TP-Link WAP) (93%), Netgear DG834G WAP or Western Digital WD TV media player (92%), AXIS 211A Network Camera (Linux 2.6.20) (92%), Linux 2.6.15 – 2.6.24 (embedded) (91%), Linux 2.6.22 – 2.6.36 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.27 seconds

[/bash]
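The reports above show the two things worth checking before trusting a `-O` result: the confidence percentage next to each guess, and whether nmap found both an open and a closed port (the google.com scan warns that it did not). The parser below, an added example that is not part of the original post or of nmap, reads the normal-format output nmap prints, pulls out the ports, device types, OS guesses and reliability flags, and suggests a narrower follow-up command. The sample inputs are the bing.com and google.com reports from above, trimmed to the lines the parser uses (the bing guess list is cut to three entries); the quality rules and the `rescan_command` heuristic are this example's own assumptions, not nmap's.

```python
"""Parse nmap normal (-oN / stdout) OS-detection output and judge how much
the OS guess should be trusted.

Added example for this post; not the post's own code and not part of nmap.
Field names, quality rules and the follow-up command are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the www.bing.com report from the post, trimmed
# (only the first three OS guesses are kept).
BING_REPORT = """\
Nmap scan report for www.bing.com (63.150.12.75)
Host is up (0.22s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
53/tcp closed domain
80/tcp open http
443/tcp open https
8000/tcp closed http-alt
Device type: WAP|media device|webcam|general purpose|PBX
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Asus Linux 2.6.X (94%)
Aggressive OS guesses: Tomato 1.28 (Linux 2.6.22) (95%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (95%), Asus RT-N16 WAP (Linux 2.6) (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops
"""

# Constructed sample input: the www.google.com report from the post.
GOOGLE_REPORT = """\
Nmap scan report for www.google.com (74.125.128.147)
Host is up (0.049s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): OpenBSD 4.X (85%)
OS CPE: cpe:/o:openbsd:openbsd:4.3
Aggressive OS guesses: OpenBSD 4.3 (85%)
No exact OS matches for host (test conditions non-ideal).
"""


@dataclass
class OsReport:
    host: Optional[str] = None
    ip: Optional[str] = None
    ports: List[Tuple[int, str, str]] = field(default_factory=list)  # (port, proto, state)
    device_types: List[str] = field(default_factory=list)
    guesses: List[Tuple[str, int]] = field(default_factory=list)     # (name, confidence %)
    cpes: List[str] = field(default_factory=list)
    distance_hops: Optional[int] = None
    exact_match: bool = False        # True only when nmap prints an "OS details:" line
    just_guessing: bool = False      # "Running (JUST GUESSING):" instead of "Running:"
    unreliable_warning: bool = False # nmap's own open+closed port warning


# "Name (with (parens)) (95%), Next (94%)" -> [("Name (with (parens))", "95"), ...]
GUESS_RE = re.compile(r"(.+?) \((\d+)%\)(?:, |$)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+\S+")
HOST_RE = re.compile(r"Nmap scan report for (\S+)(?: \(([\d.:a-fA-F]+)\))?")
DIST_RE = re.compile(r"Network Distance: (\d+) hops?")


def parse_report(text: str) -> OsReport:
    """Extract the OS-detection fields from one host's normal-format report."""
    r = OsReport()
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            r.host, r.ip = m.group(1), m.group(2) or m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            r.ports.append((int(m.group(1)), m.group(2), m.group(3)))
        elif line.startswith("Warning: OSScan results may be unreliable"):
            r.unreliable_warning = True
        elif line.startswith("Device type: "):
            r.device_types = line[len("Device type: "):].split("|")
        elif line.startswith("Running (JUST GUESSING): "):
            r.just_guessing = True
        elif line.startswith("OS details: "):
            r.exact_match = True
        elif line.startswith("Aggressive OS guesses: "):
            body = line[len("Aggressive OS guesses: "):]
            r.guesses = [(name, int(pct)) for name, pct in GUESS_RE.findall(body)]
        elif line.startswith("OS CPE: "):
            r.cpes = line[len("OS CPE: "):].split()
        else:
            m = DIST_RE.match(line)
            if m:
                r.distance_hops = int(m.group(1))
    return r


def fingerprint_quality(r: OsReport) -> List[str]:
    """Reasons (possibly none) to treat the OS guess as weak. Rules are this example's own."""
    states = {state for _, _, state in r.ports}
    reasons = []
    if "open" not in states:
        reasons.append("no open TCP port: the probes aimed at an open port got no answer")
    if "closed" not in states:
        reasons.append("no closed TCP port: probes that expect a RST from a closed port went unanswered")
    if r.unreliable_warning:
        reasons.append("nmap itself flagged the result as unreliable")
    if not r.exact_match:
        reasons.append("no exact fingerprint match; only nearest guesses are listed")
    if r.guesses and r.guesses[0][1] < 90:
        reasons.append("top guess is only %d%% confidence" % r.guesses[0][1])
    return reasons


def rescan_command(target: str, r: OsReport) -> str:
    """Suggest a narrower follow-up: one known-open and one known-closed port is what -O wants."""
    open_ports = [p for p, _, s in r.ports if s == "open"]
    closed_ports = [p for p, _, s in r.ports if s == "closed"]
    if open_ports and closed_ports:
        return "nmap -O -p %d,%d %s" % (open_ports[0], closed_ports[0], target)
    # Everything non-open was filtered: widen the port range to hunt for a closed one,
    # and let --osscan-limit skip OS detection unless that pair is found.
    return "nmap -O -p- --osscan-limit %s" % target


if __name__ == "__main__":
    for text in (BING_REPORT, GOOGLE_REPORT):
        rep = parse_report(text)
        print(rep.host, rep.guesses[:1], fingerprint_quality(rep))
        print("  ->", rescan_command(rep.host, rep))
```

The bing.com report has both closed (53, 8000) and open (80, 443) ports, so its 95% Tomato/OpenWrt guess rests on a complete probe set; google.com answered only on open ports, every other port was filtered, and the 85% OpenBSD guess carries nmap's own warning. Feeding the parser `-oN` output from your own scans lets you sort fingerprints by trustworthiness before anyone reads too much into a single percentage.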

Of course, if you just want to see which ports are open, run a SYN scan with `-sS`. There is also an ACK scan, `-sA`, but it does not report open ports at all: it only classifies ports as filtered or unfiltered, which is useful for mapping firewall rules, not for finding services.

[bash]
pm@debian:~$ sudo nmap -sS www.baidu.com

Starting Nmap 6.00 ( http://nmap.org ) at 2012-10-20 19:06 CST
^Cpm@debian:~$ sudo nmap -sS www.google.com

Starting Nmap 6.00 ( http://nmap.org ) at 2012-10-20 19:06 CST
Nmap scan report for www.google.com (74.125.128.147)
Host is up (0.074s latency).
Other addresses for www.google.com (not scanned): 74.125.128.106 74.125.128.105 74.125.128.104 74.125.128.103 74.125.128.99
rDNS record for 74.125.128.147: hg-in-f147.1e100.net
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 9.72 seconds
[/bash]
