I want to start this post by pointing out that the title is like something you’d find in a classic German war movie.\u00a0 Except this time, it’s about servers.\u00a0 Anyway, I got this email from a reader:<\/p>\n
Hi Linux Guy,
\nI have a project where I need to patch Linux systems \u2013 problem is that the client doesn\u2019t even know how or what versions of linux are out there in the environment.<\/p>\nWhat would you recommend as a discovery method or tool to obtain the system information for linux systems?\u00a0 I recall that, back in my earlier days of IT and experimenting, I used a port-scanner to identify online systems in my neighborhood on the internet :S\u00a0 That, I believe, also identified operating system based on which ports are open, so I am thinking some sort of SNMP tool.<\/p>\n
Looking for your wisdom and guidance.
\n-Nick-<\/p><\/blockquote>\nI appreciate your kind words!<\/p>\n
I think the answer you need is to start with NMAP.\u00a0 But the *question* before the answer is, “Mr. or Mrs. Customer, do you mind me port-scanning machines in your infrastructure?<\/em>”\u00a0 Without approval in writing, scanning someone’s machines or subnets can get you in hot water — even legal trouble — if you aren’t careful.<\/p>\n
Of course, first you need to be sure you’re scanning for Linux machines.\u00a0 You can limit your scan to a simple set of addresses, if they know which addresses they would like scanned. If they don’t know, then you might have to do subnet scans, so make sure you get a complete list of subnets.\u00a0 Here’s an example of using
nmap<\/code> to quickly determine which addresses in a single subnet are worthy of scanning:<\/p>\nnmap -F 192.168.1.0\/24<\/pre>\nNote: If you don’t like waiting for the command to return results, press the a key (such as space bar) to show real-time results while waiting.<\/em><\/p>\n
Then, you can limit the search down to a more refined list.\u00a0 And whether you started with a specific list of addresses or a subnet list, you can scan and learn roughly what they are via the OS signature best-guess with
nmap<\/code>. \u00a0While you cannot completely trust the certainty of thenmap<\/code> OS fingerprint, it’s certainly good enough to let you know if the machines are truly Linux. \u00a0Of course, they may be port-blocked too, or behind other firewalls, so you can’t necessarily trust that your results will be all-inclusive; but you can reasonably trust the positives that you get.\u00a0 From our above example, image we got four positive responses, so now we probe them further in this example:<\/p>\nnmap -O --osscan-guess 192.168.1.2,4,9,13,14<\/pre>\n