Difference between revisions of "OS fingerprinting"

From ForensicsWiki

Latest revision as of 20:11, 9 November 2011

OS fingerprinting is the process of determining the operating system used by a host on a network.

Active fingerprinting

Active fingerprinting is the process of transmitting packets to a remote host and analysing corresponding replies.

Passive fingerprinting

Passive fingerprinting is the process of analysing packets sent by a host on a network. In this case, the fingerprinter acts as a sniffer and does not put any traffic on the network.

Fingerprinting techniques

Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems.

Common techniques are based on analysing:

  • IP TTL values;
  • IP ID values;
  • TCP Window size;
  • TCP Options (generally, in TCP SYN and SYN+ACK packets);
  • DHCP requests;
  • ICMP requests;
  • HTTP packets (generally, User-Agent field).

Other techniques are based on analysing:

  • Running services;
  • Open port patterns.
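As an added example (not part of the original wiki page or of any of the tools it names), the following Python code shows how a passive fingerprinter can apply the first four techniques above: it parses a raw IPv4+TCP SYN packet, extracts the TTL, window size and TCP option layout, rounds the TTL up to a likely initial value, and matches the result against a small signature table. The signature table and the sample packets are constructed for illustration and are not a real fingerprint database.

```python
import struct

# Illustrative signature table, constructed for this example (not p0f's or
# Satori's real database): initial TTL, TCP window size, TCP option layout.
SIGNATURES = [
    ("Linux (example signature)", 64, 29200, "mss,sack,ts,nop,ws"),
    ("Windows (example signature)", 128, 8192, "mss,nop,ws,nop,nop,sack"),
]
OPT_NAMES = {2: "mss", 3: "ws", 4: "sack", 8: "ts"}

def build_syn(ttl, win, opts):
    """Construct a raw IPv4+TCP SYN (checksums left zero; sample input only)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(opts)) // 4) << 4, 0x02, win, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

def parse_syn(pkt):
    """Extract the TTL, window size and option order from a TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:        # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    win = struct.unpack("!H", tcp[14:16])[0]
    opts, i = [], 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP carries no length byte
            opts.append("nop"); i += 1; continue
        opts.append(OPT_NAMES.get(kind, "opt%d" % kind))
        i += tcp[i + 1]                # skip kind + length + data
    return {"ttl": pkt[8], "win": win, "opts": ",".join(opts)}

def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    return next(b for b in (64, 128, 255) if observed <= b)

def fingerprint(pkt):
    f = parse_syn(pkt)
    for name, ttl, win, opts in SIGNATURES:
        if (initial_ttl(f["ttl"]), f["win"], f["opts"]) == (ttl, win, opts):
            return name
    return "unknown"

# Constructed option layouts: MSS,SACK,TS,NOP,WS and MSS,NOP,WS,NOP,NOP,SACK.
LINUX_OPTS = (struct.pack("!BBH", 2, 4, 1460) + bytes([4, 2]) +
              struct.pack("!BBII", 8, 10, 1000, 0) + bytes([1, 3, 3, 7]))
WINDOWS_OPTS = struct.pack("!BBH", 2, 4, 1460) + bytes([1, 3, 3, 8, 1, 1, 4, 2])
```

A TTL of 58 is rounded to 64 because packets lose one hop per router; a matching window and option order then selects the signature, and any mismatch yields "unknown".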

Many passive fingerprinters get confused when analysing packets from a NAT device, because traffic from several hosts, possibly running different operating systems, appears to come from a single source address.

Active fingerprinters:

Passive fingerprinters:

See Also