What does the -O switch do and what are its typical limitations?

• A. -O enables OS detection by analyzing stack responses; it may be unreliable behind firewalls, NAT, or IDS, and often requires privileged access.
• B. -O enables version detection by probing services to identify software and version numbers.
• C. -O performs a full port scan across all ports.
• D. -O saves output in Normal, XML, and Grepable formats.

Answer: (A)

OS detection is what the -O switch does. It activates fingerprinting of the target’s TCP/IP stack by sending a set of crafted probes and analyzing how the host responds to each. By comparing those responses to a database of known stack characteristics, Nmap can guess the operating system (and sometimes the version).

This tends to require privileged access because it uses raw packets and low-level network probing that aren’t available to unprivileged users on many systems. The method has typical limitations: if the path includes firewalls, NAT, or IDS, the probes may be blocked or altered, making the results unreliable or inconclusive; NAT can make it look like the gateway is responding rather than the actual host, muddying the identification; some hosts or networks suppress or rate-limit probes, reducing data and accuracy; and fingerprinting accuracy can vary across devices, especially with modern or hardened systems and virtualized environments.