
Difference between revisions of "OS fingerprinting"

From ForensicsWiki
(Tools)
(Links)
Line 44:

== Links ==

* [http://nmap.org/book/osdetect.html Remote OS detection paper]
+ * [http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting Passive OS Fingerprinting] (good walkthrough)

[[Category:Network Forensics]]

Latest revision as of 20:11, 9 November 2011

OS fingerprinting is the process of determining the operating system used by a host on a network.

Active fingerprinting

Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding replies.

Passive fingerprinting

Passive fingerprinting is the process of analysing packets sent by a host on a network. In this case, the fingerprinter acts as a sniffer and does not put any traffic on the network.

Fingerprinting techniques

Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems.

Common techniques are based on analysing:

  • IP TTL values;
  • IP ID values;
  • TCP Window size;
  • TCP Options (generally, in TCP SYN and SYN+ACK packets);
  • DHCP requests;
  • ICMP requests;
  • HTTP packets (generally, User-Agent field).

Other techniques are based on analysing:

  • Running services;
  • Open port patterns.

Limitations

Many passive fingerprinters get confused when analysing packets from a NAT device, because traffic from several hosts behind it (possibly running different operating systems) arrives with a single source address.
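To make the passive technique and the NAT limitation concrete, here is an added example (not code from ForensicsWiki or from any listed tool) of a minimal passive SYN fingerprinter: it reads the IP TTL, TCP window size and TCP option layout from a captured SYN, matches them against a tiny illustrative signature table, and flags any source address that yields more than one OS guess, which is exactly the symptom a NAT gateway produces. The packets, the two signature entries and the 192.0.2.x addresses are all constructed for this example.

```python
import struct

# Illustrative p0f-style table, (initial TTL, TCP option layout) -> OS label; constructed
# for this example, a real tool carries a far larger signature database.
SIGNATURES = {
    (64, "mss,sok,ts,nop,ws"): "Linux",
    (128, "mss,nop,ws,nop,nop,sok"): "Windows",
}

def syn_signature(pkt):
    """Pull TTL, window size and option layout out of an IPv4+TCP SYN (None if not a SYN)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x12) != 0x02:                     # need SYN set and ACK clear
        return None
    win = struct.unpack("!H", tcp[14:16])[0]
    opts, layout, i = tcp[20:doff], [], 0
    while i < len(opts) and opts[i] != 0:            # kind 0 ends the option list
        kind = opts[i]
        if kind == 1:                                # NOP carries no length byte
            layout.append("nop"); i += 1; continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:                               # malformed option: stop parsing
            break
        layout.append({2: "mss", 3: "ws", 4: "sok", 8: "ts"}.get(kind, "?%d" % kind))
        i += length
    # Each router hop decrements TTL, so round the observed value up to a common initial TTL.
    ittl = next(t for t in (32, 64, 128, 255) if pkt[8] <= t)
    return {"ittl": ittl, "win": win, "opts": ",".join(layout)}

def fingerprint_hosts(packets):
    """Map source IP -> set of OS guesses; more than one guess per IP is the NAT symptom."""
    seen = {}
    for pkt in packets:
        sig = syn_signature(pkt)
        if sig:
            src = ".".join(map(str, pkt[12:16]))
            seen.setdefault(src, set()).add(SIGNATURES.get((sig["ittl"], sig["opts"]), "unknown"))
    return seen

def build_syn(src, ttl, win, opts):                  # constructed IPv4+TCP SYN, checksums left zero
    tlen = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tlen, 1, 0x4000, ttl, 6, 0, bytes(src), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tlen // 4) << 4, 0x02, win, 0, 0)
    return ip + tcp + opts

LINUX_OPTS = bytes([2, 4, 5, 0xB4, 4, 2, 8, 10] + [0] * 8 + [1, 3, 3, 7])  # mss,sok,ts,nop,ws
WINDOWS_OPTS = bytes([2, 4, 5, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])                # mss,nop,ws,nop,nop,sok
SAMPLE = [build_syn([192, 0, 2, 10], 61, 29200, LINUX_OPTS),      # plain Linux host, 3 hops away
          build_syn([192, 0, 2, 20], 126, 8192, WINDOWS_OPTS),    # plain Windows host
          build_syn([192, 0, 2, 30], 64, 29200, LINUX_OPTS),      # NAT gateway: both signatures
          build_syn([192, 0, 2, 30], 128, 8192, WINDOWS_OPTS)]    # appear behind one address
```

Running `fingerprint_hosts(SAMPLE)` attributes one OS each to .10 and .20 but two to .30, so a forensic analyst should treat .30 as a NAT device rather than a single host.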

Tools

Active fingerprinters:

Passive fingerprinters:

See Also

Links