
Difference between revisions of "OS fingerprinting"


Revision as of 20:41, 13 September 2008

OS fingerprinting is the process of determining the operating system used by a host on a network.

Active fingerprinting

Active fingerprinting is the process of transmitting packets to a remote host and analysing corresponding replies.

Passive fingerprinting

Passive fingerprinting is the process of analysing packets already sent by a host on a network. In this case the fingerprinter acts as a sniffer and does not put any traffic on the network itself.

Fingerprinting techniques

Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems.

Common techniques are based on analysing:

  • IP TTL values;
  • IP ID values;
  • TCP Window size;
  • TCP Options (generally, in TCP SYN and SYN+ACK packets);
  • DHCP requests;
  • ICMP requests;
  • HTTP packets (generally, User-Agent field).

Limitations

Many passive fingerprinters become confused when analysing packets that have passed through a NAT device, since several hosts, possibly running different operating systems, then appear to share one source address.
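As an added illustration of the passive techniques listed above (not code from ForensicsWiki or from any fingerprinting tool), the following parses a raw IPv4 + TCP SYN, extracts the TTL, window size and option order, and matches them against a signature table. The signature table, the sample packet builder and the hop estimate are constructed for this example; the TTL rounding shows why a NAT or router path makes the observed TTL only a heuristic.

```python
import struct

# Constructed, illustrative signature table (not a real p0f or Nmap database):
# initial TTL, TCP window size and the order of options seen in a SYN.
SIGNATURES = [
    {"os": "Linux-like", "ttl": 64, "win": 29200, "opts": ("MSS", "SACK", "TS", "NOP", "WS")},
    {"os": "Windows-like", "ttl": 128, "win": 8192, "opts": ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")},
]
OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

def initial_ttl(ttl):
    """Round an observed TTL up to a common initial value (64/128/255).
    Returns (initial TTL, hops); hops are what routers and NAT boxes subtracted."""
    for start in (64, 128, 255):
        if ttl <= start:
            return start, start - ttl
    return ttl, 0

def parse_syn(packet):
    """Extract TTL, window size and option order from a raw IPv4 + TCP SYN."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    ttl = packet[8]                       # IPv4 TTL field
    tcp = packet[ihl:]
    win = struct.unpack("!H", tcp[14:16])[0]
    data_off = (tcp[12] >> 4) * 4         # TCP header length including options
    opts, i = [], 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                     # End of option list
            break
        if kind == 1:                     # NOP carries no length byte
            opts.append("NOP"); i += 1; continue
        length = tcp[i + 1]
        if length < 2:                    # malformed option: stop, never loop forever
            break
        opts.append(OPTION_NAMES.get(kind, f"OPT{kind}"))
        i += length
    return ttl, win, tuple(opts)

def fingerprint(packet):
    """Match a SYN against SIGNATURES; returns (OS guess, estimated hop count)."""
    ttl, win, opts = parse_syn(packet)
    start, hops = initial_ttl(ttl)
    for sig in SIGNATURES:
        if (sig["ttl"], sig["win"], sig["opts"]) == (start, win, opts):
            return sig["os"], hops
    return "unknown", hops

def build_syn(ttl, win, opts_bytes):
    """Constructed sample: minimal IPv4 header plus a TCP SYN; opts_bytes padded to 4n."""
    tcp_len = 20 + len(opts_bytes)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, ttl, 6, 0, bytes(4), bytes(4))
    return ip + tcp + opts_bytes
```

Two hosts behind one NAT address will produce SYNs with conflicting window sizes and option layouts, which is the confusion the Limitations section describes; a per-address fingerprinter cannot resolve it without tracking flows separately.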

Tools

Active fingerprinters:

Passive fingerprinters:

Links

  • Remote OS detection paper: http://nmap.org/book/osdetect.html