nmap can roughly guess the remote OS type from FIN probes, bogus-flag probes, ISN sampling, DF-bit monitoring, the TCP initial window size, the ACK value, ICMP error messages, ICMP message content, the TOS field, fragmentation handling and a few other TCP options. Just run `sudo nmap -O www.domain.com -D 8.8.8.8` to scan the host in question; `-D` sets a decoy (spoofed) source IP. Scanning www.ebay.com this way gave:

```bash
Starting Nmap 6.00 ( http://nmap.org ) at 2012-10-20 19:02 CST
Nmap scan report for www.ebay.com (66.211.181.181)
Host is up (0.56s latency).
Other addresses for www.ebay.com (not scanned): 66.211.181.161 66.135.210.181 66.135.210.61 66.135.200.181 66.135.200.161
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
Device type: load balancer
Running (JUST GUESSING): Citrix embedded (85%)
Aggressive OS guesses: Citrix NetScaler load balancer (85%)
No exact OS matches for host (test conditions non-ideal).
```


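As an added example (not part of the original post), here is a small Python parser for nmap's normal-format report like the one above: it pulls out the port states and the OS guesses with their confidence so scan results can be fed into an asset inventory instead of being read by hand. The sample text is a trimmed copy of the ebay.com report with line breaks restored; the 80% confidence threshold is an assumption.

```python
import re

# Trimmed copy of the nmap report shown on this page, embedded as constructed
# sample input so the parser runs offline.
SAMPLE = """\
Starting Nmap 6.00 ( http://nmap.org ) at 2012-10-20 19:02 CST
Nmap scan report for www.ebay.com (66.211.181.181)
Host is up (0.56s latency).
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
Device type: load balancer
Running (JUST GUESSING): Citrix embedded (85%)
Aggressive OS guesses: Citrix NetScaler load balancer (85%)
No exact OS matches for host (test conditions non-ideal).
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
GUESS_RE = re.compile(r"^Aggressive OS guesses:\s*(.+)$")

def parse_nmap_report(text):
    """Parse one host's normal-format nmap report into a dict."""
    report = {"host": None, "ip": None, "ports": [], "os_guesses": [], "exact_match": True}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            report["host"], report["ip"] = m.group(1), m.group(2)
            continue
        m = PORT_RE.match(line)
        if m:
            report["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                    "state": m.group(3), "service": m.group(4)})
            continue
        m = GUESS_RE.match(line)
        if m:
            # Each guess ends in "(NN%)"; nmap may list several, comma-separated.
            for name, pct in re.findall(r"([^,]+?)\s*\((\d+)%\)", m.group(1)):
                report["os_guesses"].append((name.strip(), int(pct)))
            continue
        if line.startswith("No exact OS matches"):
            report["exact_match"] = False  # guesses only, treat with caution
    return report

def best_os_guess(report, min_confidence=80):
    """Return the top OS guess if it clears the confidence bar (assumed 80%), else None."""
    guesses = sorted(report["os_guesses"], key=lambda g: g[1], reverse=True)
    if guesses and guesses[0][1] >= min_confidence:
        return guesses[0]
    return None
```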
Of course, if you just want to scan for open ports and the like, use an `-sS` scan; you can also choose an ACK scan, which is `-sA`.

```bash
pm@debian:~$ sudo  nmap -sS www.baidu.com

Starting Nmap 6.00 ( http://nmap.org ) at 2012-10-20 19:06 CST^C
pm@debian:~$ sudo  nmap -sS www.google.com
```