
Port scanning or OS fingerprinting

Port scanning or OS fingerprinting. Believe it or not!

It is no secret that footprinting is essential to any successful attack. By and large, 70% of the effort in any attack should be spent gathering precise footprinting data. Having done so, an attacker knows the target's operating system, its open ports, the services running on those open ports, and any vulnerable applications installed.
Certainly, all of this information is paramount in determining which tools and technologies to select.

There are two different types of footprinting or reconnaissance: active or passive. Each one has pros and cons.

Here we walk through active footprinting, in which we interact directly with the target. Active footprinting is more accurate and faster than passive footprinting. However, it carries a greater risk of detection, and an attacker could get caught unless they hold written permission.

One of the first steps in any active footprinting is to reduce a set of IP ranges to a list of targeted, active hosts.

Achieving this requires port scanning or operating system fingerprinting. There are numerous port scanners one could name, but we will discuss a popular open-source tool called Nmap.

Nmap is a free and open-source tool for network discovery and security auditing. It comes in both command-line and GUI versions, and runs on all major operating systems, including Windows, Linux, and Mac OS X.
Before we start port scanning, we need to understand the TCP three-way handshake.

TCP three-way Handshake

As the diagram above shows, the host attempting a connection sends the destination host a packet with the SYN flag set. The remote host then checks that the proper authorizations are in place for this connection to be made. If all the requirements are met, the remote host sends the first host a packet with both the SYN and ACK flags set. Finally, the first host sends a packet with just the ACK flag back to the second host, completing the handshake and establishing the connection.

Basic Nmap Scanning

First, we will do a basic ping scan, which simply pings every IP in a range of IPs and reports any hosts that respond.
As seen below, we scan a range of IPs, so Nmap checks every IP from to . We can then see the list of hosts on the network.

Based on the scan result below, three hosts are currently up and running (, &

OS Discovery
Next, we will identify which operating system (OS) a particular host is running.

According to the screenshot above, we can clearly see detailed operating system information for two particular hosts.

Comprehensive Nmap Scanning

Nmap offers not only very basic scanning but also comprehensive investigation, such as whether ports are open or closed, which services are listening on them, and which versions of those services are running.

Let us examine the open ports, their services, and the service versions.
The Nmap command with the -sV option actively probes open ports to determine what service and version they are running.

When performing a version scan (-sV), Nmap sends a series of probes, each of which is assigned a rarity value between one and nine. If we look at the scanning result against , we can see all the open ports, the type of service running on each port, and its version precisely.

Here is another scanning result for another host . Sometimes the set of open ports can also confirm the type of operating system, serving as an alternative guess to the OS detection result.


Please remember that proper footprinting is a fundamental part of any successful attack.
There are many tools for port scanning and OS fingerprinting other than Nmap. However, Nmap always stays ahead of the rest.
