ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

OS fingerprinting

From ForensicsWiki
Revision as of 02:55, 28 November 2008 by Xnih (Talk | contribs) (Tools)

Jump to: navigation, search

OS fingerprinting is the process of determining the operating system used by a host on a network.

Active fingerprinting

Active fingerprinting is the process of transmitting packets to a remote host and analysing corresponding replies.

Passive fingerprinting

Passive fingerprinting is the process of analysing packets from a host on a network. In this case, fingerprinter acts as a sniffer and doesn't put any traffic on a network.

Fingerprinting techniques

Almost all fingerprinting techniques are based on detecting difference in packets generated by different operating systems.

Common techniques are based on analysing:

  • IP TTL values;
  • IP ID values;
  • TCP Window size;
  • TCP Options (generally, in TCP SYN and SYN+ACK packets);
  • DHCP requests;
  • ICMP requests;
  • HTTP packets (generally, User-Agent field).

Other techniques are based on analysing:

  • Running services;
  • Open port patterns.

Limitations

Many passive fingerprinters are getting confused when analysing packets from a NAT device.

Tools

Active fingerprinters:

Passive fingerprinters:

See Also

Links