Penetration Testing mailing list archives
RE: OS Fingerprints
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Wed, 5 Oct 2005 20:13:44 +0100
-----Original Message-----
From: BSK [mailto:bishan4u () yahoo co uk]

> Dear All,
>
> Some time back I came across a document that listed a table with
> operating systems and their TTL that helped identify an operating system.
> I've been trying to search for that document on the Internet and my
> machine but have not been successful yet. Can someone point me to that
> or a similar document?

You mean something like http://www.ouah.org/incosfingerp.htm by Toby Miller?

This is a good paper, unfortunately a little bit outdated. You might also want to add a few new entries (feel free to share and add yours :-) ):

Windows XP, and XP SP2 (not sure if SP1, but should be)
* TTL: 128
* Window: 64512
* TCP Options: MSS, Sack, 2 nops. (Like Windows 2000)
* Packet Length: 48 bytes.
* IP ID: Increments by one all of the time

AP LINKSYS (Tested with BEFW11S4, other models might differ. SYN-ACK packet in this case; paper uses SYN packets for all others)
* TTL: 150 (pretty unusual)
* Window: 5840. (Similar to Linux)
* TCP Options: MSS.
* Packet Length: 44 bytes.
* IP ID: Increments by one all of the time

FreeBSD (tested with 5.4)
* TTL: 64.
* Window: 65535.
* TCP Options: MSS, 5 nops, Window Scale, Timestamp.
* Packet Length: 64 bytes.
* IP ID: Increments by one all of the time

> Basically I'm looking for information which helps us identify the target
> operating system from its TTL field obtained while pinging. The document,
> for example, listed that if the TTL is 128 it's likely to be M$ and if
> it's 64 it's likely to be a Cisco router or switch.

Be aware that most Unix and Unix-like O.S. use an initial TTL of 64. You need more than just the TTL if you intend to be accurate.

Regards,
Omar Herrera
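
The entries listed in the message above, turned into a small passive matcher of the kind used for asset inventory from captured traffic. This is an added example, not code from the post or from the paper it cites; the function names, the sample packets built in the test, and the reading of "Sack" as the SACK-permitted option (kind 4) are assumptions.

```python
import struct

NOP, MSS, WSCALE, SACK_OK, TSTAMP = 1, 2, 3, 4, 8  # TCP option kinds
# Signatures transcribed from the message above, keyed by
# (initial TTL, TCP window, sorted option kinds, IP total length).
SIGNATURES = {
    (128, 64512, (NOP, NOP, MSS, SACK_OK), 48): "Windows XP / XP SP2 (SYN)",
    (150, 5840, (MSS,), 44): "Linksys BEFW11S4 (SYN-ACK)",
    (64, 65535, (NOP,) * 5 + (MSS, WSCALE, TSTAMP), 64): "FreeBSD 5.4 (SYN)",
}
INITIAL_TTLS = sorted({key[0] for key in SIGNATURES})

def initial_ttl(observed):
    """Each hop decrements the TTL, so round up to the nearest listed initial value."""
    return next((t for t in INITIAL_TTLS if observed <= t), None)

def parse(pkt):
    """Return (ttl, window, sorted option kinds, total length) of a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < ihl + 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    window = struct.unpack_from("!H", pkt, ihl + 14)[0]
    opts = pkt[ihl + 20 : ihl + (pkt[ihl + 12] >> 4) * 4]
    kinds, i = [], 0
    while i < len(opts) and opts[i] != 0:  # kind 0 ends the option list
        kinds.append(opts[i])
        if opts[i] == NOP:
            i += 1
        elif i + 1 < len(opts) and opts[i + 1] >= 2:
            i += opts[i + 1]
        else:
            raise ValueError("malformed TCP option")
    return pkt[8], window, tuple(sorted(kinds)), total_len

def fingerprint(pkt):
    """Match on every field in the signature, not the TTL alone."""
    ttl, window, kinds, length = parse(pkt)
    return SIGNATURES.get((initial_ttl(ttl), window, kinds, length), "unknown")

def ttl_only(observed):
    """What a TTL-only lookup would report for the same packet."""
    return sorted(v for k, v in SIGNATURES.items() if k[0] == initial_ttl(observed))

def build(ttl, window, options, flags=0x02):
    """Build a constructed sample packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(options)) // 4) << 4, flags, window, 0, 0) + options
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + tcp
```

A packet with TTL 64 but a 5840 window and only an MSS option comes back as "unknown" from `fingerprint`, while `ttl_only` would label it FreeBSD, which is the accuracy problem the reply points out.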