Technical (Bottom-Up) Methodology 127
ports that respond (see Exhibit 33). For example, TCP ports 137, 138, and 139
correspond to Microsoft network access. While some Linux systems will
respond on these ports, they are generally the domain of Microsoft machines only.
The other way in which the tools can fingerprint the OS is through TCP
sequence prediction. In TCP communications, a sequence number is carried on
each packet to keep the data flowing smoothly and in the correct order.
However, certain OSs respond to TCP connections with an easy-to-predict
sequence number, and from the way the sequence number increments the tools
can make a good guess at the OS.
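The two heuristics just described, as an added example that is not from the book and not Nmap's own code: a simplified check of how predictable a host's TCP initial sequence numbers (ISNs) are, plus the port-response rule for ports 137 to 139. The classification thresholds (`JITTER_LIMIT`), the class names, and all ISN samples are assumptions constructed for illustration; real fingerprinting tools use a more elaborate version of the same idea. A defender can run the same analysis against ISNs collected from their own hosts to find stacks that would be easy to fingerprint or to hijack.

```python
"""Simplified TCP ISN predictability check and port-based OS hint.
Added example; thresholds and samples are illustrative, not Nmap's."""
from functools import reduce
from math import gcd
from statistics import mean, pstdev

MOD = 2 ** 32            # TCP sequence numbers are 32-bit and wrap around
JITTER_LIMIT = 2 ** 16   # assumed threshold: if the increments' standard
                         # deviation is below this, the next ISN lies in a
                         # narrow, guessable window


def isn_increments(isns):
    """Differences between consecutive ISNs, taken modulo 2^32 so a wrap
    (e.g. 4294900000 -> 100) is seen as a small forward step."""
    if len(isns) < 2:
        raise ValueError("need at least two ISN samples")
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def increment_gcd(increments):
    """Largest step size that every increment is a multiple of (0 if all zero)."""
    return reduce(gcd, increments, 0)


def classify_isn(isns):
    """Classify ISN behaviour from ISNs observed in SYN/ACKs from one host.

    constant        -- every ISN identical: trivially predictable
    fixed-increment -- same step each time (classic old stacks): predictable
    low-entropy     -- steps vary only slightly: predictable within a window
    random          -- steps vary widely: no useful prediction
    """
    incs = isn_increments(isns)
    if all(d == 0 for d in incs):
        return "constant"
    if len(set(incs)) == 1:
        return "fixed-increment"
    if pstdev(incs) < JITTER_LIMIT:
        return "low-entropy"
    return "random"


def isn_report(isns):
    """Summary a defender can log for a host under test."""
    incs = isn_increments(isns)
    return {
        "class": classify_isn(isns),
        "gcd": increment_gcd(incs),
        "mean_increment": mean(incs),
        "stddev": pstdev(incs),
    }


NETBIOS_PORTS = {137, 138, 139}   # the ports the text ties to Microsoft access


def os_hint_from_ports(open_ports):
    """Coarse hint from the port-response rule in the text: the 137-139 trio
    usually means a Microsoft host, although some Linux systems answer too."""
    if NETBIOS_PORTS & set(open_ports):
        return "Microsoft (probable; ports 137-139 responding)"
    return "no OS hint from these ports"


if __name__ == "__main__":
    # Constructed sample ISN series, not captures from real hosts.
    samples = {
        "old-stack": [1000, 65000, 129000, 193000, 257000],
        "jittery":   [100000, 164000, 228100, 292000, 356050],
        "modern":    [0x1A2B3C4D, 0x9F8E7D6C, 0x12345678, 0xDEADBEEF, 0x0BADF00D],
    }
    for name, isns in samples.items():
        print(name, isn_report(isns))
    print(os_hint_from_ports({135, 139, 445}))
```

The `old-stack` series steps by exactly 64000 each time and is flagged as fixed-increment; the `jittery` series wobbles by a few hundred and is flagged low-entropy; the `modern` series shows increments spread across the whole 32-bit space and is flagged random. Only the last class gives an observer no useful guess at the next sequence number.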
Nmap for Linux
URL: http://www.insecure.org
Price: Free
OS: NT or Linux
Vendor’s comments: Nmap is a utility for network exploration or security
auditing. It supports ping scanning (determine which hosts are up),
many port scanning techniques (determine what services the hosts are
offering), and TCP/IP fingerprinting (remote host operating system
identification). Nmap also offers flexible target and port specification,
decoy or stealth scanning, sunRPC scanning, and more.
Opinion: Nmap is probably the most commonly used tool in network
vulnerability assessments due to the feature richness of the product
and its lack of cost.
Exhibit 33. The Vulnerability Assessment Model: OS Fingerprint Layer. [Figure: layers labelled Zero-Information-Based (ZIB) Tools, Network Enumeration Tools, and OS Fingerprinting Tools, plotted against Number of Hosts and Length of Time. Information In: Active hosts. Information Out: Operating system on the active hosts.]