Is it possible to do an OS detection scan with nmap without scanning a port? I really need only OS detection and am trying to reduce the amount of traffic as much as possible.
By the way, what is the most accurate way to do an OS scan? At the moment I do

nmap xx.xx.xx.xx -sF -A --osscan-guess -p 80 -Pn

Because nmap needs at least one port.

Laoneo
    If you do not scan at least one port, then what is nmap supposed to scan? – Hennes Apr 11 '13 at 12:14
  • I mean you can do an OS detection scan with port 0. So I assumed it should be possible to do an OS detection without scanning a port. I know that nmap is for port scanning but I hoped I can use it for OS detection only. – Laoneo Apr 11 '13 at 12:45
  • I'd read the nmap tutorial look up idle scan method. – tony roth Apr 11 '13 at 13:44
  • @tonyroth Idle scan relies on too many externalities to be relied on (must find low-traffic host with sequential IPID, your ISP must allow spoofed-source traffic, etc.), and the same amount of traffic would be sent to the target anyway. – bonsaiviking Apr 11 '13 at 15:25
  • I didn't say that it would work for him it was just an example. – tony roth Apr 11 '13 at 16:24

1 Answer

It is not possible, because Nmap needs to know the state of a port in order to predict (and therefore classify) the OS's responses. The details of Nmap's OS detection can be found online in Nmap Network Scanning. The important point is that Nmap needs to have at least one open TCP port and one closed TCP port to accurately match an OS fingerprint.

Given that, there are ways to reduce the amount of traffic involved, if you are willing to accept some error, or if you know something about the host involved. You can reduce the number of ports scanned by using the --top-ports option. If you know an open port, you can guess at some closed ports and only scan a handful of ports. For instance, if you are scanning a web server:

nmap -p 80,1,2,3 -O scanme.nmap.org

This command assumes that port 80 will be open (since the target is a web server), and at least one of the three other ports will be closed (since they are not frequently used). This way, Nmap can do OS fingerprinting while only scanning 4 ports.

bonsaiviking
  • Thanks. Very good explanation...I was not even aware that a closed port is also necessary for OS detection!! – Laoneo Apr 13 '13 at 08:13
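As an added example (not from the original post, and not Nmap's own code), here is a small Python helper that builds the four-port command the answer describes, optionally runs it, and checks Nmap's XML output (`-oX -`) to confirm that the fingerprint really used one open and one closed TCP port, which is the condition for a trustworthy `-O` match. The target 192.0.2.10, the port states and the OS match in the embedded XML are constructed sample output, not a real scan; the choice of 1,2,3 as "probably closed" ports is the answer's assumption, not a guarantee.

```python
"""Minimal-traffic Nmap OS detection check (added example, not from the original post)."""
import subprocess
import xml.etree.ElementTree as ET

# Low-numbered ports that are almost never listening; assumption from the answer.
LIKELY_CLOSED = (1, 2, 3)


def build_command(target, open_port, closed_ports=LIKELY_CLOSED, extra=()):
    """Return argv for an OS-detection scan that touches only a handful of ports."""
    ports = ",".join(str(p) for p in (open_port, *closed_ports))
    return ["nmap", "-O", "-p", ports, "-oX", "-", *extra, target]


def fingerprint_summary(xml_text):
    """Parse Nmap -oX output and report whether OS detection had what it needs.

    For each host: scanned port states, whether Nmap's <os><portused> elements
    show an open AND a closed TCP port (the answer's precondition), and the
    <osmatch> names with their accuracy.
    """
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        ports = {int(p.get("portid")): p.find("state").get("state")
                 for p in host.findall("ports/port")}
        used_open = used_closed = False
        matches = []
        os_elem = host.find("os")
        if os_elem is not None:
            for pu in os_elem.findall("portused"):
                if pu.get("proto") != "tcp":
                    continue  # the UDP probe port does not count here
                if pu.get("state") == "open":
                    used_open = True
                elif pu.get("state") == "closed":
                    used_closed = True
            matches = [(m.get("name"), int(m.get("accuracy")))
                       for m in os_elem.findall("osmatch")]
        results.append({"addr": addr, "ports": ports,
                        "reliable": used_open and used_closed,
                        "matches": matches})
    return results


def scan(target, open_port):
    """Run the minimal scan (needs nmap installed and raw-socket privileges)."""
    out = subprocess.run(build_command(target, open_port),
                         capture_output=True, text=True, check=True).stdout
    return fingerprint_summary(out)


# Constructed sample output: a web server with 80 open and 1-3 closed.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -O -p 80,1,2,3 -oX - 192.0.2.10">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="1"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="2"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="3"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
</ports>
<os>
<portused state="open" proto="tcp" portid="80"/>
<portused state="closed" proto="tcp" portid="1"/>
<osmatch name="Linux 3.2 - 4.9" accuracy="95" line="0"/>
</os>
</host>
</nmaprun>"""

# Constructed sample output: everything filtered by a firewall, so no usable pair.
FILTERED_XML = """<nmaprun scanner="nmap" args="nmap -O -p 80,1,2,3 -oX - 192.0.2.20">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="1"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="2"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="3"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
</ports>
<os></os>
</host>
</nmaprun>"""

if __name__ == "__main__":
    print("command:", " ".join(build_command("scanme.nmap.org", 80)))
    for sample in (SAMPLE_XML, FILTERED_XML):
        for h in fingerprint_summary(sample):
            verdict = "reliable" if h["reliable"] else "UNRELIABLE (no open+closed pair)"
            print(h["addr"], verdict, h["matches"])
```

Two practical notes. The question's command uses `-sF`: a FIN scan cannot distinguish an open port from a firewalled one (Nmap reports `open|filtered`), so it never gives OS detection the confirmed open port it needs; a SYN scan of the known port is the right pairing for `-O`. And if you only want the fingerprint when it can be trusted, `--osscan-limit` tells Nmap to skip OS detection on hosts where it did not find at least one open and one closed port, which also saves the fingerprinting probes on those hosts.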