Full Version: Remote host's OS is
neurotic
Could someone give me tips on how to go about determining what a remote operating system is?
Jay
If you port scan to find out what ports are open you can kind of guess if it's a Windows system or a *nix system. Most people use NMAP, which is a port scanner and works out what the OS is for you. It runs on Linux but I do think there is a Windows version. There is also the Languard network scanner, which is a security scanner and runs on Windows and works out the OS for you.
If you also telnet to port 80 or use netcat to connect, you can also work out what the web server is by pressing Enter or sending GET with netcat.
dissolutions
Google for passive operating system fingerprinting... this is a link I found:
http://honeynet.hackers.nl/papers/finger/

Now Google for banner grabbing and you may find something like this excerpt.

Banner grabbing is the simplest and easiest technique. Any telnet client can be used to connect to an open port and see what logon information is advertised. Many telnet, Web, SMTP, and FTP servers proudly display their product name, version, and OS information. The following is an example “banner grabbing” session.

First, we telnet to port 25 to see what SMTP server our target is using:

>telnet mail.majorisp.net 25
220-server.majorisp.net ESMTP Exim 3.33 #1 Sun, 09 Dec 2001 20:28:18 -0800
220-NO UCE. MajorISP does not authorize the use of its computers or network
220 equipment to deliver, accept, transmit, or distribute unsolicited e-mail.
>quit
221 server.majorisp.net closing connection

A quick web search reveals that “Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet” [1]. So we know a few things already: the MajorISP SMTP server is UNIX (what flavor or version we don’t yet know), the message transfer agent is Exim, and the version is 3.33. A quick perusal of the Exim website reveals complete documentation, including apparently much of the author’s design philosophy, etc. A dedicated attacker would certainly find a lot of interesting information here. We’ve also noted the hostname of the particular server in use.

Next, we examine port 110, POP3:

>telnet mail.majorisp.net 110
+OK POPserver vMI_3_36 at majorisp.net ready <22321.1007964598@hostname>

Not a lot of information is revealed in this case, as a web search on the POP server identified does not reveal anything useful. The implementation appears possibly to be proprietary. However, we again make note of the server’s name (different from the SMTP server in this case).

Telnet to port 80 does reveal some interesting information:

>telnet www.majorisp.net 80
><cr>
HTTP/1.1 400 Bad Request
Server: Netscape-Enterprise/3.6

Now we know that MajorISP employs Netscape-Enterprise/3.6 on their web servers, and can begin searching for potential vulnerabilities. By examining the “Supported Platforms and System Requirements” of the Netscape Enterprise Server [2], we can begin to narrow down the OS in use, but we still don’t know which flavor of UNIX they are running.

Next, we try FTP:

>telnet ftp.majorisp.net 21
220-Welcome to the anonymous FTP server at MajorISP, Inc.
220-
220-If your FTP client crashes or hangs shortly after login, try using a
220-dash (-) as the first character of your password. This will turn off
220-the informational messages which may be confusing your ftp client.
220-
220-If you have any questions, please send mail to ftp@majorisp.net.
220-
220 bob FTP server (Version MISP-FTPD(2) Thu Feb 6 17:05:52 PST 1997) ready.
>SYST
215 UNIX Type: L8

Unfortunately, “UNIX Type: L8” is useless in determining the OS version [3]. “bob FTP server (Version MISP-FTPD(2) … )” doesn’t reveal much about the FTP daemon in use, except that it appears to be quite old (1997), and it appears to be something homegrown (or at least modified by the target organization). A web search reveals nothing useful.

So, in this example, my target has done a decent job of hiding the OS versions of their servers, at least against simple banner grabbing. However, we did discover that the target organization runs some variant of UNIX, they use Exim 3.33 for SMTP, and they serve web pages with Netscape’s Enterprise server 3.6. In many cases, these techniques will be completely successful, and are the first and easiest method of remote OS identification.

Several other ports might give up useful information, such as 22 (SSH), 23 (telnet), 143 (IMAP), 113 (Identd) etc., depending on what ports were found to be open in earlier port scans.


Nmap: http://www.insecure.org
His paper on passive operating system fingerprinting is an interesting read and can be found at http://www.insecure.org/nmap/nmap-fingerpr...ng-article.html
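A small Python self-audit script, added here and not part of the thread or the quoted paper, that applies the excerpt's banner-reading steps to constructed sample banners modelled on the session above (majorisp.net is the excerpt's own example host) and reports what each banner discloses: product, version, hostnames, and OS family. The grab_banner helper reads a greeting from one of your own ports the same way the telnet sessions do; the regexes are assumptions tuned to the banner shapes shown in the excerpt.

```python
import re
import socket

# Constructed sample banners modelled on the session quoted in the thread above;
# the FTP entry also carries the SYST reply so the OS-family check can be exercised.
SAMPLE_BANNERS = {
    "smtp": "220-server.majorisp.net ESMTP Exim 3.33 #1 Sun, 09 Dec 2001 20:28:18 -0800\r\n",
    "pop3": "+OK POPserver vMI_3_36 at majorisp.net ready <22321.1007964598@hostname>\r\n",
    "http": "HTTP/1.1 400 Bad Request\r\nServer: Netscape-Enterprise/3.6\r\n\r\n",
    "ftp": ("220-Welcome to the anonymous FTP server at MajorISP, Inc.\r\n"
            "220 bob FTP server (Version MISP-FTPD(2) Thu Feb 6 17:05:52 PST 1997) ready.\r\n"
            "215 UNIX Type: L8\r\n"),
}

# One product/version pattern per protocol; the FTP rule captures no version,
# matching the excerpt's finding that this banner gives away little.
PRODUCT = {
    "smtp": re.compile(r"^220[ -]\S+\s+E?SMTP\s+(?P<product>\w+)\s+(?P<version>[\d.]+)", re.M),
    "pop3": re.compile(r"^\+OK\s+(?P<product>\S+)\s+v?(?P<version>[\w.]+)", re.M),
    "http": re.compile(r"^Server:\s*(?P<product>[^/\r\n]+)/(?P<version>[\d.]+)", re.M | re.I),
    "ftp": re.compile(r"^220 \S+ FTP server \(Version (?P<product>[A-Za-z_-]+)", re.M),
}
# Hostname labels must start with a letter so reply codes such as "220-" are not swallowed.
HOSTNAME = re.compile(r"\b[a-z][a-z0-9-]*(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)
SYST = re.compile(r"^215\s+(?P<os>\w+)", re.M)


def disclosure_report(service, banner):
    """Summarise what one banner reveals: product, version, hostnames, OS family."""
    report = {"product": None, "version": None, "hosts": [], "os_family": None}
    m = PRODUCT[service].search(banner)
    if m:
        report["product"] = m.group("product")
        report["version"] = m.groupdict().get("version")
    # Internal hostnames leaked in greetings are a disclosure in their own right.
    report["hosts"] = sorted({h.lower() for h in HOSTNAME.findall(banner)})
    s = SYST.search(banner)
    if s:
        report["os_family"] = s.group("os")
    return report


def grab_banner(host, port, probe=b"", timeout=5.0):
    """Read the greeting from one of your own services; send `probe` first for
    protocols such as HTTP that answer only after input (the excerpt sends a bare CRLF)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        return sock.recv(4096).decode("latin-1", "replace")
```

Run disclosure_report over the output of grab_banner for each service you operate, and strip anything it reports that a client does not need.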
Jay
Dissolutions, nice tip on telneting to port 25 and then using Google.