Hi everyone! (Specially pentesting masters!)
I got a question:
We all know the Nmap's abillity for detecting os using 1 open and 1 closed port,
Is there any way or method to detect os without any closed port ?(open ports exist)

Thanks alot 😃

So all 65535 ports are open? Happened to me once only.

The services may disclose the OS:
- the "Server" header of HTTP servers: "Server: Apache/2 (Linux/2.4) PHP/5.4"
- the SMTP "greeting": "220 example.org ESMTP Postfix on Debian/GNU"

Some software can only be installed on certain operating systems (e.g. IIS is only installed on Windows, a recent IIS version indicates a recent Windows version)

Depending how the software is configured it may provide usefull information or nothing at all, but it may be better than nothing.

If it is an embedded device the configuration interface might indicate software / OS versions or date and the MAC address might lead to the manufacturer.

@sbiewald thanks !
But only 2 ports are open and others are filtered and no RST packet is sent .

The -A or -O parameter I thought... (yes, case sensitive)

@linuxxx tried that but I was given an error saying that I need one open and one close port for doing that