nmap can detect / guess the operating system information of the remote server.
OS Detection
One of Nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc). Most fingerprints also have a Common Platform Enumeration (CPE) representation, like cpe:/o:linux:kernel:2.6.
Example
[root@liuyan liuyan]# nmap -A -T4 www.kernel.org
Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-07 21:18 CST
Nmap scan report for www.kernel.org (149.20.4.69)
Host is up (0.31s latency).
Other addresses for www.kernel.org (not scanned): 149.20.20.133
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwx--- 2 536 528 4096 May 21 2001 for_mirrors_only
| drwxr-xr-x 11 536 536 4096 Dec 01 2011 pub
|_lrwxrwxrwx 1 0 0 10 Apr 21 2007 welcome.msg -> pub/README
22/tcp open ssh OpenSSH 5.8 (protocol 2.0)
| ssh-hostkey: 1024 01:6f:7b:00:d2:78:e7:68:ef:68:e0:5e:c7:ee:42:28 (DSA)
|_2048 d4:2a:5b:81:00:a9:e9:b2:75:8c:af:40:ee:a0:1b:8e (RSA)
80/tcp open http Apache httpd 2.2.22 ((Fedora))
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open ssl/http Apache httpd 2.2.22 ((Fedora))
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
| http-robots.txt: 16 disallowed entries (15 shown)
| /cgi-bin/ /pub/mirrors/ /pub/scm/
| /mirrors/process-registration.cgi /lsb/ /linuxeda/ /os.org/ /debian/ /debian-cd/ /lanana/
|_/li18nux/ /freestandards/ /filehub/ /diff/ /git/
| ssl-cert: Subject: commonName=*.kernel.org/organizationName=The Linux Kernel Organization/stateOrProvinceName=California/countryName=US
| Not valid before: 2012-01-03 00:00:00
|_Not valid after: 2014-04-03 23:59:59
|_http-title: The Linux Kernel Archives
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
873/tcp open rsync (protocol version 30)
4444/tcp filtered krb524
Device type: general purpose|storage-misc|WAP|media device|webcam
Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (92%), HP embedded (89%), Netgear embedded (87%), Western Digital embedded (87%), Linksys Linux 2.4.X (86%), AXIS Linux 2.6.X (85%), Asus Linux 2.6.X (85%)
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 cpe:/o:linux:kernel:2.6.22 cpe:/o:linksys:linux:2.4 cpe:/o:linux:kernel:2.4 cpe:/o:axis:linux:2.6 cpe:/h:asus:rt-n16 cpe:/o:asus:linux:2.6
Aggressive OS guesses: Linux 2.6.32 (92%), Linux 2.6.32 - 2.6.38 (90%), HP P2000 G3 NAS device (89%), Linux 2.6.22 - 2.6.36 (87%), Linux 2.6.23 - 2.6.38 (87%), Linux 2.6.31 - 2.6.35 (87%), Linux 3.0 (87%), Linux 2.6.32 - 2.6.39 (87%), Linux 2.6.39 (87%), Netgear DG834G WAP or Western Digital WD TV media player (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops
Service Info: OS: Unix
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
- Hops 1-6 are the same as for 69.59.197.21
7 ... 8
9 35.89 ms 69.0.112.112.broad.km.yn.dynamic.163data.com.cn (112.112.0.69)
10 13.22 ms 210.78.7.66
11 10.99 ms 218.105.1.42
12 19.59 ms 210.52.132.230
13 166.83 ms 217.6.49.181
14 286.39 ms 202.97.50.102
15 301.44 ms 80.156.160.90
16 ...
17 328.42 ms pub2.kernel.org (149.20.4.69)
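
When scan results feed an asset inventory or audit, the OS-detection lines of a report like the one above can be turned into structured data, keeping the "guess only" status and the confidence percentages instead of recording the top guess as fact. The following Python is an added example, not part of the original answer or of Nmap; the function names and the 90% threshold are assumptions.

```python
import re

# Sample input: OS-detection lines shortened from the scan output above.
SAMPLE = """\
Device type: general purpose|storage-misc|WAP|media device|webcam
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 cpe:/h:asus:rt-n16
Aggressive OS guesses: Linux 2.6.32 (92%), Linux 2.6.32 - 2.6.38 (90%), HP P2000 G3 NAS device (89%)
No exact OS matches for host (test conditions non-ideal).
"""

CPE_PART = {"o": "os", "h": "hardware", "a": "application"}
GUESS_RE = re.compile(r"([^,]+?)\s*\((\d+)%\)")


def parse_cpe(uri):
    """Split a CPE 2.2 URI, cpe:/part:vendor:product[:version], into fields."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE URI: {uri!r}")
    fields = uri[5:].split(":") + [""] * 4  # pad so a missing version is ""
    part, vendor, product, version = fields[:4]
    return {"part": CPE_PART.get(part, part), "vendor": vendor,
            "product": product, "version": version or None}


def parse_os_section(text):
    """Collect device types, ranked guesses and CPEs from human-readable output."""
    out = {"device_types": [], "guesses": [], "cpes": [], "guess_only": False}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if line.startswith("No exact OS matches"):
            out["guess_only"] = True
        elif not sep:
            continue
        elif key == "Device type":
            out["device_types"] = value.split("|")
        elif key == "OS CPE":
            out["cpes"] = [parse_cpe(u) for u in value.split()]
        elif key == "Aggressive OS guesses":
            out["guess_only"] = True
            out["guesses"] = [(m.group(1).strip(), int(m.group(2)))
                              for m in GUESS_RE.finditer(value)]
    out["guesses"].sort(key=lambda g: g[1], reverse=True)
    return out


def confident_guesses(parsed, threshold=90):
    """Guesses at or above a confidence threshold (the threshold is an assumption)."""
    return [g for g in parsed["guesses"] if g[1] >= threshold]


if __name__ == "__main__":
    parsed = parse_os_section(SAMPLE)
    print(parsed["guess_only"], confident_guesses(parsed))
```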