How Nmap identifies the Operating Systems?

3 min readAug 5, 2020

Hey guys,

Welcome back.

Have you ever wondered how portscanners like Nmap exactly identify the target Operating Systems. If you say TCP/IP Stack fingerprinting, yeah you are right. There are some techniques to do that.

If you are curious to know, read on.


Stack fingerprinting is a series of techniques that are used to determine the operating system running on a target host by examining characteristics of the TCP/IP stack implementation.

The following are some techniques used to identify the OS based on the TCP/IP stack.

FIN Port Probes
Some Operating System implementations produce a fingerprinting “signature” in response to a FIN Port probe. Using the signature, we may identify the Operating System.

ACK Value Sampling
Certain Operating systems can be identified by the Sequence number they set in the ACK field in a TCP Packet. By sending a “SYN, FIN, URG, PSH” to a port and sampling the ACK and Initial Sequence Number(ISN) fields we can identify an Operating System.

Bogus Flag Probes
If we set a bogus flag in the header of a TCP packet, some operating systems respond with a packet with the same bogus flag that we set. (Ex. Some Linux Operating Systems)

TCP Option Handling
All TCP options are not implemented in TCP/IP stack implementations. If we send a packet with new options in the header, it provides a set of characteristics through which we can identify the operating system. Window Scale, Max Segment Size, Timestamp options can be used for this purpose.

ISN Sampling
It is done to identify a pattern in the generation of the ISN when requested for a connection. This could help us identify the algorithm used to generate ISN (like random/constant increments) which is used to identify an Operating System.

TCP Initial Window Size
Some Operating System’s stack implementation sets a unique value in the TCP Initial Window size(as in return packet). This value could accurately identify an operating system.

Fragmentation Handling
Analysing how an Operating System handles overlapping fragments of packet and the reassembly of those packets could provide clues to the Stack implementation. Using which we could Identify the Operating System.

SYN Flooding
Various operating systems handle SYN flooding in various ways, Analysing the way in which it rejects flooded connections could help us identify the Stack implementation as well as the operating system. Example, Linux used SYN Cookies to prevent flooding.

ICMP Error Message Quenching
Certain OSs limit the rate at which ICMP error messages are sent. By forwarding a UDP packet to a random high numbered port and monitoring the response will help us identify the stack implementation and hence the OS.

ICMP Error Message Echoing
Some Stack implementations alter the IP headers when returning ICMP Error messages(such as Port Unreachable). By analysing the modifications, we can identify the Operating system.

Type Of Service(TOS)
Variation in the TOS value for the ICMP port unreachable messages could help us identify the OS and OS versions.

And thats it, there may be new techniques coming forward or I would have missed some of the present techniques. My apologies for that.

I left the signatures, characteristics, values that identify an Operating System for you to explore.

No wonder you would think Nmap is such a powerful tool, it really is.
If you want to get into details of this, I suggest you to read the following.

Thanks for reading, hope you learned something.