Difference between revisions of "OS fingerprinting"
From Forensics Wiki
Revision as of 14:19, 24 September 2008
OS fingerprinting is the process of determining the operating system used by a host on a network.
Active fingerprinting
Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding replies. Because the fingerprinter generates traffic, its probes can be noticed and logged by the target.
Passive fingerprinting
Passive fingerprinting is the process of analysing packets that a host on the network already sends. In this case the fingerprinter acts as a sniffer and puts no traffic of its own on the network, so the fingerprinted host cannot detect it.
Fingerprinting techniques
Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems: each network stack has its own default field values and its own order of TCP options, and these details leak the implementation.
Common techniques are based on analysing:
- IP TTL values (the initial TTL differs per stack, e.g. 64 on Linux and 128 on Windows; the observed value is the initial TTL minus the hop count);
- IP ID values (incrementing, random or zero, depending on the stack);
- TCP Window size (the initial window advertised in the SYN);
- TCP Options (their presence, values and order, generally in TCP SYN and SYN+ACK packets);
- DHCP requests (the set and order of requested options, vendor class identifier);
- ICMP requests (payload size and content of echo requests);
- HTTP packets (generally, the User-Agent field).
Limitations
Many passive fingerprinters are confused by packets coming from a NAT device: traffic from several hosts, possibly running different operating systems, arrives from a single source address, and the NAT device itself may rewrite fields such as the TTL or IP ID.
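The fields listed under Fingerprinting techniques, and the NAT limitation just above, as one worked example. This is an added illustration, not code from Forensics Wiki or from any real fingerprinting tool: it parses raw IPv4/TCP SYN packets, extracts TTL, IP ID, DF bit, window size and TCP option layout, and matches them against a signature table. The signature values are simplified assumptions (real tools carry far richer databases), and the SYN packets are constructed inline, not captured.

```python
"""Minimal passive TCP/IP fingerprinter (added example, not a real tool)."""
import struct
from collections import defaultdict

# Assumed, simplified signatures: (name, initial TTL, window, DF set, option layout).
SIGNATURES = [
    ("Linux 2.6",  64,  5840,  True, "mss,sackOK,ts,nop,ws"),
    ("Windows XP", 128, 65535, True, "mss,nop,nop,sackOK"),
    ("Windows 7",  128, 8192,  True, "mss,nop,ws,nop,nop,sackOK"),
    ("FreeBSD",    64,  65535, True, "mss,nop,ws,sackOK,ts"),
]
INITIAL_TTLS = (32, 64, 128, 255)          # initial TTLs commonly used by OS stacks
OPTION_NAMES = {2: "mss", 3: "ws", 4: "sackOK", 8: "ts"}


def parse_tcp_options(raw):
    """Return the option layout as 'mss,nop,ws,...'; trailing EOL padding is ignored."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL: the rest is padding
            break
        if kind == 1:                      # NOP is a single byte
            names.append("nop"); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        names.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += raw[i + 1]
    return ",".join(names)


def guess_initial_ttl(ttl):
    """Observed TTL = initial TTL - hops; round up to the next common initial value."""
    return next((t for t in INITIAL_TTLS if ttl <= t), None)


def parse_syn(pkt):
    """Extract fingerprint fields from a raw IPv4/TCP SYN (no link-layer header)."""
    if len(pkt) < 40:
        raise ValueError("packet too short")
    (ver_ihl, _, _, ip_id, flags_frag, ttl, proto,
     _, src, _) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _, _, _, _, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if not off_flags & 0x02 or off_flags & 0x10:   # want SYN without ACK
        raise ValueError("not a bare SYN")
    return {"src": ".".join(map(str, src)), "ttl": ttl,
            "initial_ttl": guess_initial_ttl(ttl), "ip_id": ip_id,
            "df": bool(flags_frag & 0x4000), "window": window,
            "options": parse_tcp_options(tcp[20:(off_flags >> 12) * 4])}


def fingerprint(pkt):
    """Return (os_name, fields); 'unknown' when nothing in the table matches."""
    f = parse_syn(pkt)
    key = (f["initial_ttl"], f["window"], f["df"], f["options"])
    for name, ittl, win, df, opts in SIGNATURES:
        if key == (ittl, win, df, opts):
            return name, f
    return "unknown", f


def suspect_nat(pkts):
    """Map source IP -> set of OS guesses; more than one guess per IP hints at NAT."""
    seen = defaultdict(set)
    for p in pkts:
        name, f = fingerprint(p)
        seen[f["src"]].add(name)
    return {ip: names for ip, names in seen.items() if len(names) > 1}


# --- constructed test packets (checksums left zero; not real captures) ---
MSS, NOP, SACK, WS = b"\x02\x04\x05\xb4", b"\x01", b"\x04\x02", b"\x03\x03\x07"
TS = b"\x08\x0a" + b"\x00" * 8


def build_syn(src, ttl, ip_id, window, options, df=True):
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (tcp_len // 4) << 12 | 0x02,
                      window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id,
                     0x4000 if df else 0, ttl, 6, 0, bytes(src), bytes([10, 0, 0, 1]))
    return ip + tcp


LINUX_SYN = build_syn([10, 0, 0, 5], 61, 0, 5840, MSS + SACK + TS + NOP + WS)
WINXP_SYN = build_syn([10, 0, 0, 5], 116, 12345, 65535, MSS + NOP + NOP + SACK)
ODD_SYN = build_syn([10, 0, 0, 9], 250, 1, 4096, MSS)

if __name__ == "__main__":
    for p in (LINUX_SYN, WINXP_SYN, ODD_SYN):
        print(fingerprint(p))
    print("possible NAT:", suspect_nat([LINUX_SYN, WINXP_SYN, ODD_SYN]))
```

The two constructed SYNs from 10.0.0.5 match different signatures, which is exactly the situation a NAT device creates: the same source address yields conflicting fingerprints, and `suspect_nat` reports it rather than trusting either guess. Note that the TTL is rounded up to the nearest common initial value because the observed TTL has already been decremented once per hop.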
Tools
Active fingerprinters:
Passive fingerprinters: