How Does OS Fingerprinting Work?
When doing passive analysis of current traffic, or even when looking at old packet captures, one of the easiest and most effective ways of doing OS fingerprinting is simply to look at the TCP window size and the Time To Live (TTL) in the IP header of the first packet in a TCP session. Here are the values for the more popular operating systems:

Operating System                      Time To Live   TCP Window Size
Linux (Kernel 2.4 and 2.6)            64             5840
Google Linux                          64             5720
FreeBSD                               64             65535
Windows XP                            128            65535
Windows Vista and 7 (Server 2008)     128            8192
IOS 12.4 (Cisco Routers)              255            4128

The main reason the operating systems have different values is that the RFCs for TCP/IP do not stipulate default values.

Another important thing to remember is that the TTL value will not always match the one in the table, even if your device is running one of the listed operating systems. When you send an IP packet across the network, the sending device's operating system sets the TTL to the default TTL for that OS, but each router the packet traverses lowers the TTL by 1. Therefore, if you see a TTL of 117, this can be expected to be a packet that was sent with a TTL of 128 and has traversed 11 routers before being captured.
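The following is an added example, not code from the original post, showing the two steps described above in working Python: pull the TTL and window size out of a raw IPv4/TCP SYN, round the observed TTL up to the nearest common initial value (64, 128 or 255) to recover the sending OS default and the hop count, and look the pair up in the table above. The packet bytes are constructed inline (addresses from the 192.0.2.0/24 documentation range) so the code runs offline; the function and table names are this example's own.

```python
import struct

# Fingerprint table copied from the article: (initial TTL, TCP window size, OS label)
FINGERPRINTS = [
    (64, 5840, "Linux (Kernel 2.4 and 2.6)"),
    (64, 5720, "Google Linux"),
    (64, 65535, "FreeBSD"),
    (128, 65535, "Windows XP"),
    (128, 8192, "Windows Vista and 7 (Server 2008)"),
    (255, 4128, "IOS 12.4 (Cisco Routers)"),
]

# Common OS default TTLs, in ascending order; an observed TTL is assumed to have
# started at the smallest default that is >= the observed value.
INITIAL_TTLS = (64, 128, 255)


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common default TTL."""
    for ttl in INITIAL_TTLS:
        if observed_ttl <= ttl:
            return ttl
    raise ValueError("TTL %d exceeds 255" % observed_ttl)


def parse_ipv4_tcp(packet):
    """Return (ttl, window, is_syn) from a raw IPv4 packet carrying TCP (no link-layer header)."""
    if (packet[0] >> 4) != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    ttl = packet[8]                        # IP header byte 8 is TTL
    if packet[9] != 6:                     # byte 9 is the protocol number; 6 = TCP
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    flags = tcp[13]                        # TCP flags byte (offset 13 within the TCP header)
    window = struct.unpack("!H", tcp[14:16])[0]
    is_syn = (flags & 0x12) == 0x02        # SYN set, ACK clear: first packet of the session
    return ttl, window, is_syn


def fingerprint(packet):
    """Guess the sending OS and hop count from the first packet of a TCP session."""
    ttl, window, is_syn = parse_ipv4_tcp(packet)
    if not is_syn:
        raise ValueError("only the initial SYN carries the OS default window size")
    start = initial_ttl(ttl)
    candidates = [name for (t, w, name) in FINGERPRINTS if t == start and w == window]
    return {"observed_ttl": ttl, "initial_ttl": start, "hops": start - ttl,
            "window": window, "candidates": candidates}


def build_sample_syn(ttl, window):
    """Construct a minimal IPv4 + TCP SYN packet (constructed test data; checksums left as 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # The article's worked case: TTL 117 implies a 128 default that crossed 11 routers.
    print(fingerprint(build_sample_syn(117, 8192)))
```

The rounding step is what makes the table usable on real captures: a SYN arriving with TTL 52 is attributed to a 64-default stack 12 hops away, not treated as an unknown value. Two caveats a defender should keep in mind: a TTL that has been decremented more than 64 times is ambiguous between defaults, and the window size is only meaningful on the initial SYN, which is why the code refuses anything else.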
Posted on: Sat, 08 Mar 2014 03:54:32 +0000
