Ping only OS Detection with nmap

Tags: network-monitoring, nmap

I am interested in using nmap for discovery, and to figure out the OS of each host. I understand that nmap does this, and can be enabled and controlled as described in the man page:

OS detection is enabled and controlled with the following options:

-O (Enable OS detection)
    Enables OS detection, as discussed above. Alternatively, you can use
    -A to enable OS detection along with other things.

--osscan-limit (Limit OS detection to promising targets)
    OS detection is far more effective if at least one open and one closed
    TCP port are found. Set this option and Nmap will not even try OS
    detection against hosts that do not meet this criteria. This can save
    substantial time, particularly on -Pn scans against many hosts. It
    only matters when OS detection is requested with -O or -A.

--osscan-guess; --fuzzy (Guess OS detection results)
    When Nmap is unable to detect a perfect OS match, it sometimes offers up
    near-matches as possibilities. The match has to be very close for Nmap
    to do this by default. Either of these (equivalent) options make Nmap
    guess more aggressively. Nmap will still tell you when an imperfect
    match is printed and display its confidence level (percentage) for
    each guess.

--max-os-tries (Set the maximum number of OS detection tries against a target)
    When Nmap performs OS detection against a target and fails
    to find a perfect match, it usually repeats the attempt. By default,
    Nmap tries five times if conditions are favorable for OS fingerprint
    submission, and twice when conditions aren't so good. Specifying a
    lower --max-os-tries value (such as 1) speeds Nmap up, though you miss
    out on retries which could potentially identify the OS. Alternatively,
    a high value may be set to allow even more retries when conditions are
    favorable. This is rarely done, except to generate better fingerprints
    for submission and integration into the Nmap OS database.

My question is if it is possible to disable the port scanning portion of the OS detection process. It doesn't seem to be possible considering the man page, but doesn't seem unreasonable in principle.

Best Answer

Nmap requires at least 1 closed and 1 open port to do a reliable OS match. By default, Nmap's port scan scans 1000 TCP ports. You can reduce the time required by the port scan phase by reducing the number of ports scanned. Here is a good set that has a high probability of resulting in 1 open and 1 closed port:

nmap -p 22,80,445,65123,56123 -O scanme.nmap.org

This will only scan the 5 ports listed, which is 0.5% of a normal scan.
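The answer's reduced port set only pays off if the scan actually finds one open and one closed port per host, which is what the man page says OS detection needs. The following script is an added example, not part of the question or the answer and not Nmap's own code: it parses Nmap XML output (as produced by `-oX`) and reports, per host, whether that one-open-one-closed condition was met and which OS match Nmap returned. The embedded XML is a constructed sample in the shape of a `nmap -p 22,80,445,65123,56123 -O -oX -` run against a documentation address range (192.0.2.0/24); it is not captured from a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan). Host .1 yields one
# open and several closed ports, so Nmap can fingerprint it; host .2 answers
# nothing (all five ports filtered), so Nmap has no basis for an OS match.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 22,80,445,65123,56123 -O -oX - 192.0.2.0/30">
  <host>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="445"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="56123"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="65123"><state state="closed" reason="reset"/></port>
    </ports>
    <os>
      <osmatch name="Linux 4.15 - 5.6" accuracy="95"/>
      <osmatch name="Linux 5.0 - 5.4" accuracy="93"/>
    </os>
  </host>
  <host>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="5"/>
    </ports>
    <os/>
  </host>
</nmaprun>
"""


def summarize_os_detection(xml_text):
    """Map each IPv4 host to its port-state counts, whether the
    one-open-one-closed condition held, and the best OS match (name,
    accuracy) Nmap reported, or None when no osmatch element exists."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        # Only explicitly listed <port> elements carry a per-port state;
        # <extraports> summarises ports Nmap collapsed into one state.
        states = [p.find("state").get("state") for p in host.findall("ports/port")]
        counts = {s: states.count(s) for s in set(states)}
        fingerprintable = "open" in states and "closed" in states
        matches = [
            (m.get("name"), int(m.get("accuracy")))
            for m in host.findall("os/osmatch")
        ]
        # Nmap lists matches best-first, but sort defensively by accuracy.
        best = max(matches, key=lambda m: m[1]) if matches else None
        results[addr] = {
            "port_states": counts,
            "fingerprintable": fingerprintable,
            "best_match": best,
        }
    return results


def hosts_needing_more_ports(results):
    """Hosts where the reduced port list did not produce both an open and a
    closed port; these are candidates for a rescan with a wider -p list."""
    return sorted(a for a, r in results.items() if not r["fingerprintable"])


if __name__ == "__main__":
    summary = summarize_os_detection(SAMPLE_XML)
    for addr, info in summary.items():
        print(addr, info["port_states"], "fingerprintable:", info["fingerprintable"],
              "best match:", info["best_match"])
    print("rescan with more ports:", hosts_needing_more_ports(summary))
```

To use it on real output, feed the script the text of a file written with `nmap ... -O -oX scan.xml` (or pipe `-oX -` into it); hosts listed by `hosts_needing_more_ports` are the ones where the five-port shortcut did not give Nmap the open/closed pair it wants, and a second pass with a wider `-p` list for just those hosts is cheaper than widening the whole scan.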