Sunday, March 4, 2012

OS Fingerprinting

Yo Dawg! You never told me its a pure Windows box and I wasted my time trying to do SSH rather than a RDP! A common fuming statement by most of the Ops guys !?

OS Fingerprinting is normally used by attackers to probe a wide variety of hosts and add them in their hit-lists for the next application/OS exploit is released. Idea is they should not be trying IIS exploits against Linux hosts.

Well - in either case lets empower ourselves too how this can be done.

Network traffic from a computer system can be captured and analyzed to detect what OS the host is running. This is possible due to differences in how the TCP/IP stack is implemented in various operating systems.

The TCP/IP fields that may vary include the following:

  1. Initial packet size (16 bits)
  2. Initial TTL (8 bits)
  3. Window size (16 bits)
  4. Max segment size (16 bits)
  5. Window scaling value (8 bits)
  6. "don't fragment" flag (1 bit)
  7. "sackOK" flag (1 bit)
  8. "nop" flag (1 bit)
Some of the most common known TTL and TCP windows set is shown below:

Operating System(OS)

Intial TTL

TCP Windows


Linux Kernel (2.4 and 2.6)



Windows XP



Windows 7, Vista and Server 2008



Free BSD



Cisco Router (IOS 12.4)









The initial TTL value usually is a little tricky job to analyze since the TTL value of a sniffed packet varies depending on where you sniff it from. The sender system will set the TTL value to the Operating Systems default TTL value - but this value will then be decremented by one (-1) for every router the packet passes through on its way to the destination IP address. Hence an IP packet with a TTL value of 55 can therefore be expected to be a packet with an initial TTL of 64 that has done 9 router hops before it was sniffed.

Very common tool that can be used -


As I said ICMP ping is always the first thing and arrive at some initial level of idea what OS the host might be running


I would try multiple nmap combinations to come to a conclusion:

nmap -sV -P0 -O
nmap -O -v
nmap -sV
nmap -vv -O -P0

Xprobe2 is a basically remote, active OS fingerprinting tool -

[root@DebaTestBox ~]# xprobe2

Xprobe2 v.0.3 Copyright (c) 2002-2005,,

[+] Target is
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[+] Primary guess:
[+] Host 10.X.X.X Running OS: "OpenBSD 2.5" (Guess probability: 90%)

To be contd/-


No comments:

Post a Comment

'Optimism Bias' leads to poor decision making!

Effective Time-management and Time-boxing is a concern for 'always ready people'.  Being from a background that I am from,  I am...