Difference between revisions of "OS fingerprinting"
From Forensics Wiki
(New page: '''OS fingerprinting''' is the process of determining the operating system used by a host on a network. == Active fingerprinting == Active fingerprinting is the process of transmittin...) |
|||
| Line 34: | Line 34: | ||
== Links == | == Links == | ||
* [http://nmap.org/book/osdetect.html Remote OS detection paper] | * [http://nmap.org/book/osdetect.html Remote OS detection paper] | ||
| + | |||
| + | [[Category:Network Forensics]] | ||
Revision as of 15:41, 13 September 2008
OS fingerprinting is the process of determining the operating system used by a host on a network.
Contents |
Active fingerprinting
Active fingerprinting is the process of transmitting packets to a remote host and analysing corresponding replies.
Passive fingerprinting
Passive fingerprinting is the process of analysing packets from a host on a network. In this case, fingerprinter acts as a sniffer and doesn't put any traffic on a network.
Fingerprinting techniques
Almost all fingerprinting techniques are based on detecting difference in packets generated by different operating systems.
Common techniques are based on analysing:
- IP TTL values;
- IP ID values;
- TCP Window size;
- TCP Options (generally, in TCP SYN and SYN+ACK packets);
- DHCP requests;
- ICMP requests;
- HTTP packets (generally, User-Agent field).
Limitations
Many passive fingerprinters are getting confused when analysing packets from a NAT device.
Tools
Active fingerprinters:
Passive fingerprinters:
