xprobeを使う

ツール

ICMPの応答時間や返し方などを計って対象ホストのOSを推測するというツールです。
説明を聞いて判るとおりハッキングツールの一種なので実行には注意してください。

インストール

ubuntudebianならapt-getで入ります。
依存パッケージのlibpcapが一緒に入るかもしれません。

$ sudo apt-get install xprobe2

使用方(要ルート権限)

$ sudo xprobe2 -v "ホスト名 or IPアドレス"

実行結果例(LS-XHLからWinXPの11nクチに向かって実行)

$ sudo xprobe2 -v 192.168.1.102

Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

[+] Target is 192.168.1.102
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.1.102. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.1.102. Module test failed
[-] No distance calculation. 192.168.1.102 appears to be dead or no ports known
[+] Host: 192.168.1.102 is up (Guess probability: 50%)
[+] Target: 192.168.1.102 is alive. Round-Trip Time: 0.00094 sec
[+] Selected safe Round-Trip Time value is: 0.00189 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.1.102 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 100%)
[+] Other guesses:
[+] Host 192.168.1.102 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 100%)
[+] Host 192.168.1.102 Running OS: "Microsoft Windows XP SP2" (Guess probability: 100%)
[+] Host 192.168.1.102 Running OS: "Microsoft Windows XP SP1" (Guess probability: 100%)
[+] Host 192.168.1.102 Running OS: "Microsoft Windows XP" (Guess probability: 100%)
[+] Host 192.168.1.102 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 100%)
[+] Host 192.168.1.102 Running OS: "Microsoft Windows 2000 Server Service Pack 3" (Guess probability: 100%)
[+] Host 192.168.1.102 Running OS: "Microsoft Windows 2000 Server Service Pack 2" (Guess probability: 100%)
[+] Host 192.168.1.102 Running OS: "Microsoft Windows 2000 Server Service Pack 1" (Guess probability: 100%)
[+] Host 192.168.1.102 Running OS: "Microsoft Windows 2000 Server" (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.

組み込み環境(LAN付き情報家電)のOS特定とかに使えるかな

追記 2009/08/06

nmapをつかってもOSの推測はできるそうです。
その場合は

$ sudo nmap -O "ホスト名 or IPアドレス"