Nmap is able to conduct operating system fingerprinting by sending a series of legitimate and malformed TCP and UDP packets to a target and analysing the responses. These are then compared to a database of fingerprints to identify a match. If an exact match is identified, nmap will display the operating system in use. If an exact match is not possible, nmap will provide a confidence level for each operating system it believes the host may be running. Should this occur, it is best to take a broad approach to OS identification, e.g. if nmap is 90% sure the target is a Windows 2016 server and 75% sure it is a Windows 2008 SP2 server, it is highly likely that the target is running Windows.
Sometimes it can be beneficial to consider overarching operating system types if a specific version cannot be confirmed.
The syntax to trigger Operating System fingerprinting is:
nmap -sT -O <IP address>
Once again, the scan type is not important: as long as nmap can identify at least one open and one closed port, it can test for the OS.
It is also possible to use the -A flag to achieve OS fingerprinting. -A is the “aggressive” flag and will attempt to enumerate as much information as it can, one area of which is OS fingerprinting.
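The broad approach to inexact matches described above can be applied to nmap's XML output (the -oX option) by rolling the individual guesses up to an OS family. This is an added example, not part of the original page; the sample XML is constructed and trimmed to the elements the script reads, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of `nmap -O -oX` output (trimmed, not a real scan).
SAMPLE_XML = """<nmaprun>
<host>
<address addr="192.0.2.10" addrtype="ipv4"/>
<os>
<osmatch name="Microsoft Windows Server 2016" accuracy="90">
<osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="2016" accuracy="90"/>
</osmatch>
<osmatch name="Microsoft Windows Server 2008 SP2" accuracy="75">
<osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="2008" accuracy="75"/>
</osmatch>
</os>
</host>
</nmaprun>"""


def summarise_os(xml_text):
    """Map each host address to its ranked OS guesses and its most likely OS family."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        guesses = []
        families = defaultdict(int)  # family name -> best accuracy seen
        for match in host.iter("osmatch"):
            acc = int(match.get("accuracy"))
            guesses.append((match.get("name"), acc))
            for cls in match.iter("osclass"):
                fam = cls.get("osfamily")
                if fam:
                    cls_acc = int(cls.get("accuracy", acc))
                    families[fam] = max(families[fam], cls_acc)
        guesses.sort(key=lambda g: -g[1])  # highest confidence first
        # No <osmatch> at all means nmap could not fingerprint the host.
        family = max(families.items(), key=lambda f: f[1]) if families else None
        result[addr] = {"guesses": guesses, "family": family}
    return result


if __name__ == "__main__":
    for addr, info in summarise_os(SAMPLE_XML).items():
        print(addr, "family:", info["family"])
        for name, acc in info["guesses"]:
            print(f"  {acc:3d}%  {name}")
```
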