Difference between revisions of "OS fingerprinting"
From Forensics Wiki
| Line 20: | Line 20: | ||
* ICMP requests; | * ICMP requests; | ||
* HTTP packets (generally, User-Agent field). | * HTTP packets (generally, User-Agent field). | ||
| + | |||
| + | Other techniques are based on analysing: | ||
| + | |||
| + | * Running services; | ||
| + | * Open port patterns. | ||
== Limitations == | == Limitations == | ||
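Review bot: The two added bullets ("Running services", "Open port patterns") do not say what is observed or how, unlike the context bullets above them, which each name a packet type or field ("HTTP packets (generally, User-Agent field)"). Suggest adding a short qualifier to each new item so a reader can tell which data source it relies on.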
Revision as of 12:38, 26 October 2008
OS fingerprinting is the process of determining the operating system used by a host on a network.
Active fingerprinting
Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding replies.
Passive fingerprinting
Passive fingerprinting is the process of analysing packets from a host on a network. In this case, the fingerprinter acts as a sniffer and does not put any traffic on the network.
Fingerprinting techniques
Almost all fingerprinting techniques are based on detecting differences in packets generated by different operating systems.
Common techniques are based on analysing:
- IP TTL values;
- IP ID values;
- TCP Window size;
- TCP Options (generally, in TCP SYN and SYN+ACK packets);
- DHCP requests;
- ICMP requests;
- HTTP packets (generally, User-Agent field).
Other techniques are based on analysing:
- Running services;
- Open port patterns.
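The packet-level fields in the first list (IP TTL, IP ID, TCP window size, TCP option order) can be read directly from a captured SYN. The following is an added example, not part of the original wiki page: a minimal passive extractor in which the function names, the TTL rounding heuristic and the sample packet are assumptions constructed for illustration.

```python
import struct

# TCP option kinds mapped to short names
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

def initial_ttl(ttl):
    """Heuristic (assumption): round an observed TTL up to a common initial value."""
    return next(v for v in (32, 64, 128, 255) if ttl <= v)

def tcp_option_layout(opts):
    """Walk the TCP options area and return option names in wire order."""
    layout, i = [], 0
    while i < len(opts):
        kind = opts[i]
        layout.append(OPT_NAMES.get(kind, "?%d" % kind))
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # truncated or malformed option
        i += opts[i + 1]
    return layout

def syn_signature(packet):
    """Return fingerprinting fields of a raw IPv4 TCP SYN or SYN+ACK, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes
    ip_id, = struct.unpack_from("!H", packet, 4)
    ttl, proto = packet[8], packet[9]
    if proto != 6 or len(packet) < ihl + 20:
        return None
    tcp = packet[ihl:]
    if not tcp[13] & 0x02:                 # SYN bit not set
        return None
    data_off = (tcp[12] >> 4) * 4          # TCP header length, options included
    window, = struct.unpack_from("!H", tcp, 14)
    return {"ttl": ttl, "initial_ttl": initial_ttl(ttl), "ip_id": ip_id,
            "window": window, "options": tcp_option_layout(tcp[20:data_off])}

# Constructed sample: IPv4 header (TTL 57, ID 0x1c46) followed by a TCP SYN with
# options mss,sok,ts,nop,ws. Checksums are zero; the parser does not verify them.
SAMPLE_SYN = bytes.fromhex(
    "4500003c1c46400039060000c000020ac0000214"
    "c35000500000000100000000a002721000000000"
    "020405b40402080a000000010000000001030307")
print(syn_signature(SAMPLE_SYN))
```

The observed TTL of 57 rounds up to an initial value of 64; a matcher would compare that, the window size and the option order against known per-OS signatures.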
Limitations
Many passive fingerprinters get confused when analysing packets from a NAT device.
Tools
Active fingerprinters:
Passive fingerprinters: