RE: OS Fingerprints

From: Omar A. Herrera (omar.herrera@oissg.org)
Date: Wed Oct 05 2005 - 15:13:44 EDT


> -----Original Message-----
> From: BSK [mailto:bishan4u@yahoo.co.uk]
>
> Dear All,
>
> Some time back I came across a document that listed a
> table with Operating systems and their TTL that helped
> identify an operating system.
>
> I've been trying to search for that document on the Internet
> and on my machine, but have not been successful yet. Can someone
> point me to that or a similar document?

You mean something like http://www.ouah.org/incosfingerp.htm by Toby Miller?
This is a good paper, unfortunately a little bit outdated.

You might also want to add a few new entries (feel free to share and add
yours :-) ):

Windows XP, and XP SP2 (not sure if SP1, but should be)
    * TTL: 128
    * Window: 64512
    * TCP Options: MSS, Sack, 2 nops. (Like Windows 2000)
    * Packet Length: 48 bytes.
    * IP ID: Increments by one all of the time

AP LINKSYS (Tested with BEFW11S4, other models might differ. SYN-ACK packet
in this case; paper uses SYN packets for all others)
    * TTL: 150 (pretty unusual)
    * Window: 5840. (Similar to Linux)
    * TCP Options: MSS.
    * Packet Length: 44 bytes.
    * IP ID: Increments by one all of the time

FreeBSD (tested with 5.4)
    * TTL: 64.
    * Window: 65535.
    * TCP Options: MSS, 5 nops, Window Scale, Timestamp.
    * Packet Length: 64 bytes.
    * IP ID: Increments by one all of the time

>
> Basically I'm looking for information which helps us
> identify the target operating system from its TTL
> field obtained while pinging. The document for example
> listed that if the TTL is 128 it's likely to be M$ and
> if it's 64 it's likely to be Cisco Router or switch.

Be aware that most Unix and Unix-like O.S. use an initial TTL of 64. You
need more than just the TTL if you intend to be accurate.

Regards,
Omar Herrera
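
The following is an added example, not part of the original post: a passive matcher that parses an IPv4/TCP header and compares it with the three signatures listed above, showing why the TTL alone does not settle the answer. The function names, the MAX_HOPS tolerance and the two sample packets are assumptions constructed for illustration.

```python
import struct

# Signatures transcribed from the post above:
# (initial TTL, window, TCP option kinds, NOP count, IP total length)
SIGNATURES = {
    "Windows XP / XP SP2 (SYN)": (128, 64512, {"MSS", "SACK"}, 2, 48),
    "Linksys BEFW11S4 (SYN-ACK)": (150, 5840, {"MSS"}, 0, 44),
    "FreeBSD 5.4 (SYN)": (64, 65535, {"MSS", "WS", "TS"}, 5, 64),
}
OPT_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}
MAX_HOPS = 32  # assumption: the TTL may have dropped by at most this many hops

def parse(pkt):
    """Return (ttl, window, option kinds, NOP count, total length) of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if ihl < 20 or len(pkt) < ihl + 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[ihl:]
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, kinds, nops, i = tcp[20:(tcp[12] >> 4) * 4], set(), 0, 0
    while i < len(opts) and opts[i] != 0:       # kind 0 ends the option list
        if opts[i] == 1:                         # kind 1 is a one-byte NOP
            nops, i = nops + 1, i + 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        kinds.add(OPT_NAMES.get(opts[i], "opt%d" % opts[i]))
        i += opts[i + 1]
    return pkt[8], window, kinds, nops, struct.unpack("!H", pkt[2:4])[0]

def ttl_candidates(ttl):
    """Signatures whose initial TTL could have decayed to the observed TTL."""
    return [n for n, s in SIGNATURES.items() if 0 <= s[0] - ttl <= MAX_HOPS]

def classify(pkt):
    """TTL candidates that also match window, options and packet length."""
    ttl, *rest = parse(pkt)
    return [n for n in ttl_candidates(ttl) if list(SIGNATURES[n][1:]) == rest]

def sample(ttl, window, options):
    """Build a constructed SYN (checksums left zero; not captured traffic)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 1, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, (5 + len(options) // 4) << 4,
                      0x02, window, 0, 0)
    return ip + tcp + options

# Constructed inputs: an XP-style SYN seen 3 hops away, and a SYN with TTL 64
XP_3_HOPS = sample(125, 64512, bytes.fromhex("020405b401010402"))
LINUX_LIKE = sample(64, 5840, bytes.fromhex("020405b40402080a000000000000000001030300"))
```

An observed TTL of 125 is compatible with both the 128 and the 150 entries, and a TTL of 64 points at the FreeBSD entry even when the window and options do not match it; only the combined fields narrow the result.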




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:02 EDT