
Chapter 8. Remote OS Detection

Introduction

When exploring a network for security auditing or inventory/administration, you usually want to know more than the bare IP addresses of identified machines. Your reaction to discovering a printer may be very different than to finding a router, wireless access point, telephone PBX, game console, Windows desktop, or Unix server. Finer grained detection (such as distinguishing Mac OS X 10.4 from 10.3) is useful for determining vulnerability to specific flaws and for tailoring effective exploits for those vulnerabilities.

In part due to its value to attackers, many systems are tight-lipped about their exact nature and operating system configuration. Fortunately, Nmap includes a huge database of heuristics for identifying thousands of different systems based on how they respond to a selection of TCP/IP probes. Another system (part of version detection) interrogates open TCP or UDP ports to determine device type and OS details. Results of these two systems are reported independently so that you can identify combinations such as a Checkpoint firewall forwarding port 80 to a Windows IIS server.

While Nmap has supported OS detection since 1998, this chapter describes the 2nd generation system released in 2006.

Reasons for OS Detection

While some benefits of discovering the underlying OS and device types on a network are obvious, others are more obscure. This section lists the top reasons I hear for discovering this extra information.

Determining vulnerability of target hosts

It is sometimes very difficult to determine remotely whether an available service is susceptible or patched for a certain vulnerability. Even obtaining the application version number doesn't always help, since OS distributors often back-port security fixes without changing the version number. The surest way to verify that a vulnerability is real is to exploit it, but that risks crashing the service and can lead to wasted hours or even days of frustrating exploitation efforts if the service turns out to be patched.

OS detection can help reduce these false positives. For example, the Rwho daemon on unpatched Sun Solaris 7 through 9 may be remotely exploitable (Sun alert #57659). Remotely determining vulnerability is difficult, but you can rule it out by finding that a target system is running Solaris 10.

Taking this from the perspective of a systems administrator rather than a pen-tester, imagine you run a large Sun shop when alert #57659 comes out. Scan your whole network with OS detection to find machines which need patching before the bad guys do.

Tailoring exploits

Even after you discover a vulnerability in a target system, OS detection can be helpful in exploiting it. Buffer overflows, format-string exploits, and many other vulnerabilities often require custom-tailored shellcode with offsets and assembly payloads generated to match the target OS and hardware architecture. In some cases, you only get one try because the service crashes if you get the shellcode wrong. Use OS detection first or you may end up sending Linux shellcode to a FreeBSD server.

Network inventory and support

While it isn't as exciting as busting root through a specially crafted format string exploit, there are many administrative reasons to keep track of what is running on your network. Before you renew that IRIX support contract for another year, scan to see if anyone still uses such machines. An inventory can also be useful for IT budgeting and ensuring that all company equipment is accounted for.

Detecting unauthorized and dangerous devices

With the ubiquity of mobile devices and cheap commodity networking equipment, companies are increasingly finding that employees are extending their networks in undesirable ways. They may install a $20 wireless access point (WAP) in their cubicle without realizing (or caring) that they just opened up the protected corporate network to potential attackers in the parking lot or nearby buildings. WAPs can be so dangerous that Nmap has a special category for detecting them, as demonstrated in the section called “SOLUTION: Detect Rogue Wireless Access Points on an Enterprise Network”. Users may also cause sysadmins grief by connecting insecure and/or worm-infected laptops to the corporate network. Regular scanning can detect unauthorized devices for investigation and containment.
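The three administrative uses above (finding hosts that need a patch for a given OS generation, inventorying which OS families are still on the network, and flagging devices Nmap classifies as WAPs) all reduce to the same task: reading Nmap's OS-detection results back out of its XML output. The following script is an added example and not part of the Nmap book or the Nmap project; it parses the `-oX` output format that `nmap -O` writes. The XML sample embedded in it is constructed for illustration, so the addresses, match names and accuracy figures are invented, not real scan results. When a host carries several `osmatch` candidates, the script keeps the one with the highest accuracy, and the query functions take an accuracy floor so that low-confidence guesses are not reported as facts.

```python
"""Turn Nmap XML output (-oX) into an OS inventory: which hosts run a given
OS generation, which are classified as WAPs, and what OS families are present.
Added example; not code from the Nmap project."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of Nmap's -oX output. Addresses, matches and
# accuracies are invented for this example; they are not real scan results.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -oX inventory.xml 10.0.0.0/28">
 <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
  <os><osmatch name="Sun Solaris 9" accuracy="96">
   <osclass type="general purpose" vendor="Sun" osfamily="Solaris" osgen="9" accuracy="96"/>
  </osmatch></os></host>
 <host><status state="up"/><address addr="10.0.0.3" addrtype="ipv4"/>
  <os><osmatch name="Sun Solaris 10" accuracy="98">
   <osclass type="general purpose" vendor="Sun" osfamily="Solaris" osgen="10" accuracy="98"/>
  </osmatch></os></host>
 <host><status state="up"/><address addr="10.0.0.4" addrtype="ipv4"/>
  <os><osmatch name="SGI IRIX 6.5" accuracy="93">
   <osclass type="general purpose" vendor="SGI" osfamily="IRIX" osgen="6.X" accuracy="93"/>
  </osmatch></os></host>
 <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
  <os><osmatch name="Microsoft Windows Server 2003" accuracy="88">
   <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="2003" accuracy="88"/>
  </osmatch><osmatch name="Microsoft Windows XP SP2" accuracy="90">
   <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="XP" accuracy="90"/>
  </osmatch></os></host>
 <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
  <os><osmatch name="Linksys WRT54G WAP" accuracy="90">
   <osclass type="WAP" vendor="Linksys" osfamily="embedded" accuracy="90"/>
  </osmatch></os></host>
 <host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/><os/></host>
 <host><status state="down"/><address addr="10.0.0.13" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_os(xml_text):
    """Return one record per up host: IPv4 address plus its best OS match (if any)."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no OS data
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        record = {"addr": addr.get("addr"), "match": None, "accuracy": 0,
                  "type": None, "vendor": None, "family": None, "gen": None}
        # Nmap may list several osmatch candidates; keep the highest accuracy.
        best = None
        for m in host.iterfind("os/osmatch"):
            acc = int(m.get("accuracy", "0"))
            if best is None or acc > best[0]:
                best = (acc, m)
        if best is not None:
            acc, m = best
            record.update(match=m.get("name"), accuracy=acc)
            cls = m.find("osclass")
            if cls is not None:
                record.update(type=cls.get("type"), vendor=cls.get("vendor"),
                              family=cls.get("osfamily"), gen=cls.get("osgen"))
        hosts.append(record)
    return hosts


def hosts_by_family(hosts):
    """Inventory view: OS family -> list of addresses ('unknown' when no match)."""
    by_family = defaultdict(list)
    for h in hosts:
        by_family[h["family"] or "unknown"].append(h["addr"])
    return dict(by_family)


def hosts_of_type(hosts, device_type, min_accuracy=85):
    """Addresses whose osclass type matches, e.g. 'WAP', above an accuracy floor."""
    return [h["addr"] for h in hosts
            if h["type"] == device_type and h["accuracy"] >= min_accuracy]


def hosts_in_generations(hosts, family, generations, min_accuracy=85):
    """Addresses matched to `family` with osgen in `generations` (e.g. Solaris 7-9).
    Generations are compared as strings because Nmap uses values like '6.X'."""
    return [h["addr"] for h in hosts
            if h["family"] == family and h["gen"] in generations
            and h["accuracy"] >= min_accuracy]


if __name__ == "__main__":
    hosts = parse_nmap_os(SAMPLE_NMAP_XML)
    print("by family:", hosts_by_family(hosts))
    print("WAPs:", hosts_of_type(hosts, "WAP"))
    print("Solaris 7-9 (alert #57659 patch candidates):",
          hosts_in_generations(hosts, "Solaris", {"7", "8", "9"}))
```

On a real network you would feed the script a file produced by `nmap -O -oX inventory.xml <range>` instead of the embedded sample. Note that the Solaris 10 host is correctly excluded from the patch list, the IRIX host shows up in the family inventory, and the host with an empty `<os/>` element lands in "unknown" rather than being silently dropped; hosts with no match are exactly the ones worth a second look.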

Social engineering

Another possible use is social engineering. Let's say that you are scanning a target company and Nmap reports a Datavoice TxPORT PRISM 3000 T1 CSU/DSU 6.22/2.06. You could call up the target pretending to be Datavoice support and discuss some issues with their PRISM 3000. Tell them you are about to announce a big security hole, but are first providing the patch to valued customers. Some naive administrators might assume that only an authorized engineer from Datavoice would know so much about their CSU/DSU. Of course the patch you send them is a Trojan horse that gives you remote access to sniff and traipse through their network. Be sure to read the rest of this chapter for detection accuracy and verification advice before trying this. If you guess the target system wrong and they call the police, that will be an embarrassing story to tell your cellmates.
