Re: OS Fingerprints

From: Francisco Pecorella (fpecor@cantv.net)
Date: Wed Oct 05 2005 - 22:04:59 EDT


Hi BSK,

OS fingerprinting is typically done with ICMP type 8's as well
as TCP SYN packets.

Not always the initial TTL is enough to identify an operative system.

May be helpul this link:

http://www.sans.org/resources/idfaq/tcp_fingerprinting.php

If you want to know the initial TTL for differents OS, some of them are:

60: IRIX
64: Sony PS 2, AIX, NetBSD, Mac OS 10, OpenBSD.
128: Novell, Windows XP.
255: Cisco IOS, Solaris.

You can also use fields like Window Size, bit DF, Packet Size, NOP Flag,etc.

Hope it is helpful this.

--
Regards,
FP
> ----- Original Message ----- 
> From: "BSK" <bishan4u@yahoo.co.uk>
> To: <pen-test@securityfocus.com>
> Sent: Tuesday, October 04, 2005 10:07 AM
> Subject: OS Fingerprints
>
>
>> Dear All,
>>
>> Some time back I came across a document that listed a
>> table with Operating systems and their TTL that helped
>> identify an operating system.
>>
>> I've been trying to search that document on Internet
>> and my machine but not successful yet. Can someone
>> point me to that or similar document.
>>
>> Basically I'm looking for information which helps us
>> identify the target operating system from its TTL
>> field obtained while ping. The document for example
>> listed that if the TTL is 128 its likely to be M$ and
>> if its 64 its likely to be Cisco Router or switch.
>>
>> Await your reply.
>>
>> rgds,
>> Bshan
>>
>>
>>
>> ___________________________________________________________
>> To help you stay safe and secure online, we've developed the all new 
>> Yahoo! Security Centre. http://uk.security.yahoo.com
>>
>> ------------------------------------------------------------------------------
>> Audit your website security with Acunetix Web Vulnerability Scanner:
>>
>> Hackers are concentrating their efforts on attacking applications on your
>> website. Up to 75% of cyber attacks are launched on shopping carts, 
>> forms,
>> login pages, dynamic content etc. Firewalls, SSL and locked-down servers 
>> are
>> futile against web application hacking. Check your website for 
>> vulnerabilities
>> to SQL injection, Cross site scripting and other web attacks before 
>> hackers do!
>> Download Trial at:
>>
>> http://www.securityfocus.com/sponsor/pen-test_050831
>> -------------------------------------------------------------------------------
>>
> 
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:02 EDT