Penetration Testing mailing list archives

RE: OS Fingerprints


From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Wed, 5 Oct 2005 20:13:44 +0100



-----Original Message-----
From: BSK [mailto:bishan4u () yahoo co uk]

> Dear All,
>
> Some time back I came across a document that listed a
> table with Operating systems and their TTL that helped
> identify an operating system.
>
> I've been trying to search for that document on the Internet
> and my machine but have not been successful yet. Can someone
> point me to that or a similar document?

You mean something like http://www.ouah.org/incosfingerp.htm by Toby Miller?
This is a good paper, unfortunately a little bit outdated. 

You might also want to add a few new entries (feel free to share and add
yours :-) ):

Windows XP, and XP SP2 (not sure if SP1, but should be)
    * TTL: 128
    * Window: 64512
    * TCP Options: MSS, Sack, 2 nops. (Like Windows 2000)
    * Packet Length: 48 bytes.
    * IP ID: Increments by one all of the time

AP LINKSYS (Tested with BEFW11S4, other models might differ. SYN-ACK packet
in this case; paper uses SYN packets for all others)
    * TTL: 150 (pretty unusual)
    * Window: 5840. (Similar to Linux)
    * TCP Options: MSS.
    * Packet Length: 44 bytes.
    * IP ID: Increments by one all of the time

FreeBSD (tested with 5.4)
    * TTL: 64.
    * Window: 65535. 
    * TCP Options: MSS, 5 nops, Window Scale, Timestamp.
    * Packet Length: 64 bytes.
    * IP ID: Increments by one all of the time


> Basically I'm looking for information which helps us
> identify the target operating system from its TTL
> field obtained while pinging. The document for example
> listed that if the TTL is 128 it's likely to be M$ and
> if it's 64 it's likely to be Cisco Router or switch.

Be aware that most Unix and Unix-like O.S. use an initial TTL of 64. You
need more than just the TTL if you intend to be accurate.

Regards,
Omar Herrera
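
A minimal passive matcher for the signatures listed in this message, added here as an illustration and not part of the original post or of the paper it links to. The function names, the TTL rounding rule and the sample packets are assumptions; options are compared as counts because the post gives no order, and TCP flags are not checked.

```python
import struct
from collections import Counter

# Signatures transcribed from the post: initial TTL, window, option counts, IP total length.
SIGNATURES = {
    "Windows XP / XP SP2": (128, 64512, Counter(MSS=1, SACK=1, NOP=2), 48),
    "Linksys BEFW11S4 (SYN-ACK)": (150, 5840, Counter(MSS=1), 44),
    "FreeBSD 5.4": (64, 65535, Counter(MSS=1, NOP=5, WSCALE=1, TS=1), 64),
}
OPTION_NAMES = {1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACK", 8: "TS"}

def initial_ttl(observed):
    # Assumption: each hop decrements the TTL, so round up to the next listed initial value.
    return next((t for t in (64, 128, 150, 255) if observed <= t), None)

def parse(packet):
    """Extract TTL, window, TCP option counts and total length from a raw IPv4/TCP packet."""
    if len(packet) < 40 or (packet[0] >> 4) != 4 or (packet[0] & 0x0F) < 5 or packet[9] != 6:
        raise ValueError("not an IPv4 packet carrying TCP")
    tcp = packet[(packet[0] & 0x0F) * 4:]
    data_off = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if not 20 <= data_off <= len(tcp):
        raise ValueError("truncated or bad TCP header")
    raw, opts, i = tcp[20:data_off], Counter(), 0
    while i < len(raw) and raw[i] != 0:              # kind 0 ends the option list
        size = 1 if raw[i] == 1 else (raw[i + 1] if i + 1 < len(raw) else 0)
        if (raw[i] != 1 and size < 2) or i + size > len(raw):
            raise ValueError("malformed TCP option")
        opts[OPTION_NAMES.get(raw[i], f"KIND{raw[i]}")] += 1
        i += size
    return {"ttl": packet[8], "length": struct.unpack("!H", packet[2:4])[0],
            "window": struct.unpack("!H", tcp[14:16])[0], "options": opts}

def match(fp, ttl_only=False):
    """Names whose signature fits; ttl_only=True shows how little the TTL alone decides."""
    start = initial_ttl(fp["ttl"])
    return [name for name, (ttl, win, opts, length) in SIGNATURES.items()
            if ttl == start and (ttl_only or
                (win, opts, length) == (fp["window"], fp["options"], fp["length"]))]

def build_sample(ttl, window, options):  # constructed packet, checksums left at zero
    total = 40 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 1, 0, (total - 20) // 4 << 4, 0x02, window, 0, 0)
    return ip + tcp + options

if __name__ == "__main__":  # constructed XP-style SYN observed 11 hops from the sender
    print(match(parse(build_sample(117, 64512, bytes.fromhex("020405b401010402")))))
```

A packet with TTL 60, window 5840 and only an MSS option matches "FreeBSD 5.4" when `ttl_only=True` but nothing on the full comparison, which is the ambiguity the reply warns about.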

