An analogy to explain OS detection by NMAP

WHYREDZero
Oct 25, 2020

When you use NMAP to scan machines, there is an option to try and detect the OS of the target machine. How does it work? Here’s a helpful analogy.

Imagine you are playing with two mammals, a chimpanzee and an orangutan. You are conducting this experiment in a double-blind format. You throw a ball towards each. The balls are of the same make. They both throw the balls back. If we examine these balls, they have fingerprints on them. These fingerprints can help identify which animal threw the ball back.

You see, it doesn’t depend on the information you send. It depends on what information the target machine sends back. NMAP sends a ping to the target machine with the intention of identification. The target machine responds by sending a ping back to NMAP. Now, every OS crafts ICMP ping packets very differently. The construction of these packets can help identify the target OS. NMAP has a large database of operating system responses, and it uses this database to support the identification process.

Some operating systems have a similar make. Take, for example, Debian and Ubuntu. At their core, both of these operating systems are Linux. Therefore, NMAP can confuse them for each other.

Another interesting point to note here is that an OS evolves and changes. While Windows 10 1903 and 10 2004 are very similar in how they handle networks, they return different fingerprints.
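To make the last three paragraphs concrete, here is a toy fingerprint matcher written for this post as an added example. It is not Nmap's own code, and the fingerprint database in it is constructed for illustration rather than copied from Nmap's real `nmap-os-db` file (the real tool also sends a mix of TCP, UDP and ICMP probes and weights its tests, which this simplification ignores). The probe is the same for every target; only the reply attributes differ. The example shows why two Linux derivatives can end in a tie while two Windows 10 builds that differ in a single reply attribute are still told apart.

```python
"""Toy OS-fingerprint matcher (added example; not Nmap's code or database).

The probe sent is identical for every target. What is compared is how the
reply was built: initial TTL, Don't-Fragment bit, TCP window, TCP option
order and the ICMP echo-reply code. All values below are CONSTRUCTED for
illustration and are not taken from nmap-os-db.
"""
from typing import Dict, List, Tuple

Reply = Dict[str, object]

# Reply attributes an observer records. Constructed feature set.
FEATURES = ("ip_ttl", "ip_df", "tcp_window", "tcp_options", "icmp_echo_code")

# Constructed fingerprint database: OS name -> expected reply attributes.
# Debian and Ubuntu differ in one attribute (both are Linux); the two
# Windows 10 builds likewise differ in one attribute.
FINGERPRINT_DB: Dict[str, Reply] = {
    "Debian 10":       {"ip_ttl": 64,  "ip_df": True, "tcp_window": 29200,
                        "tcp_options": "MSS,SACK,TS,NOP,WS", "icmp_echo_code": 0},
    "Ubuntu 20.04":    {"ip_ttl": 64,  "ip_df": True, "tcp_window": 64240,
                        "tcp_options": "MSS,SACK,TS,NOP,WS", "icmp_echo_code": 0},
    "Windows 10 1903": {"ip_ttl": 128, "ip_df": True, "tcp_window": 65535,
                        "tcp_options": "MSS,NOP,WS,NOP,NOP,SACK", "icmp_echo_code": 0},
    "Windows 10 2004": {"ip_ttl": 128, "ip_df": True, "tcp_window": 64240,
                        "tcp_options": "MSS,NOP,WS,NOP,NOP,SACK", "icmp_echo_code": 0},
}

# Common initial TTL values used by operating systems.
INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl: int) -> int:
    """A reply loses one TTL per router hop, so round up to the nearest
    common initial value before comparing with the database."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def normalize(reply: Reply) -> Reply:
    """Return a copy of the reply with hop-dependent fields canonicalised."""
    fixed = dict(reply)
    fixed["ip_ttl"] = guess_initial_ttl(int(reply["ip_ttl"]))
    return fixed


def score(reply: Reply, fingerprint: Reply) -> float:
    """Fraction of features that match exactly (0.0 .. 1.0)."""
    matched = sum(1 for f in FEATURES if reply.get(f) == fingerprint.get(f))
    return matched / len(FEATURES)


def rank(reply: Reply) -> List[Tuple[str, float]]:
    """Score every database entry; best first, ties broken by name."""
    fixed = normalize(reply)
    ranked = [(name, score(fixed, fp)) for name, fp in FINGERPRINT_DB.items()]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def best_guesses(reply: Reply) -> List[str]:
    """All entries sharing the top score. More than one name means the
    reply is ambiguous, exactly the Debian/Ubuntu confusion in the post."""
    ranked = rank(reply)
    top = ranked[0][1]
    return [name for name, s in ranked if s == top]


# Constructed sample replies, as an observer might record them.
# A Linux host seven hops away whose window size was tuned by the admin:
OBSERVED_LINUX_TUNED: Reply = {"ip_ttl": 57, "ip_df": True, "tcp_window": 65535,
                               "tcp_options": "MSS,SACK,TS,NOP,WS", "icmp_echo_code": 0}
# A Windows 10 1903 host seven hops away with default settings:
OBSERVED_WINDOWS_1903: Reply = {"ip_ttl": 121, "ip_df": True, "tcp_window": 65535,
                                "tcp_options": "MSS,NOP,WS,NOP,NOP,SACK", "icmp_echo_code": 0}

if __name__ == "__main__":
    for label, observed in (("linux-tuned", OBSERVED_LINUX_TUNED),
                            ("windows-1903", OBSERVED_WINDOWS_1903)):
        print(label, "->", best_guesses(observed))
        for name, s in rank(observed):
            print(f"    {name:<16} {s:.0%}")
```

Run as a script it prints the ranking for both constructed replies: the tuned Linux host ties between Debian 10 and Ubuntu 20.04 (each 80%), while the Windows reply matches Windows 10 1903 at 100% and Windows 10 2004 at 80%, which is the version-level difference the post describes. On the defending side the same observation cuts both ways: changing defaults such as the TCP window on a host makes its fingerprint less distinctive, and a host whose reply attributes do not match its declared OS in an asset inventory is worth a closer look.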

In the end, NMAP proves to be very useful in helping identify operating systems.
