OS fingerprinting
From Forensics Wiki
Latest revision as of 15:11, 9 November 2011
OS fingerprinting is the process of determining the operating system used by a host on a network.
Active fingerprinting
Active fingerprinting is the process of transmitting crafted packets to a remote host and analysing the corresponding replies. The fingerprinter generates traffic of its own, so it can be noticed by the target.
Passive fingerprinting
Passive fingerprinting is the process of analysing packets that a host sends on a network in the course of its normal activity. In this case, the fingerprinter acts as a sniffer and does not put any traffic on the network.
Fingerprinting techniques
Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems: header fields that the protocol standards leave to the implementation (initial TTL, window size, option ordering, and so on) are filled in differently by each TCP/IP stack.
Common techniques are based on analysing:
- IP TTL values;
- IP ID values;
- TCP Window size;
- TCP Options (generally, in TCP SYN and SYN+ACK packets);
- DHCP requests;
- ICMP requests;
- HTTP packets (generally, User-Agent field).
Other techniques are based on analysing:
- Running services;
- Open port patterns.
Limitations
Many passive fingerprinters get confused when analysing packets from a NAT device, because traffic from several hosts with different stacks appears to come from a single IP address and the per-address signatures contradict each other.
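The packet-level techniques listed above (TTL, IP ID, window size, TCP options) and the NAT limitation, as an added Python example. It is not code from this page nor from p0f, Satori or NetworkMiner. It parses raw IPv4/TCP SYN packets, derives the initial TTL and hop count, the window size and the option layout, matches them against a small signature table whose values are assumed for illustration only, and flags a source address that shows more than one signature as a likely NAT device. The sample packets are constructed inline with documentation addresses, with checksums zeroed.

```python
import struct
from collections import defaultdict

# Hypothetical signature table (assumed values for illustration, not p0f's or
# Satori's database): (initial TTL, TCP window size, TCP option layout) -> OS label.
SIGNATURES = {
    (64, 29200, "mss,sackOK,ts,nop,wscale"): "Linux-like",
    (128, 8192, "mss,nop,wscale,nop,nop,sackOK"): "Windows-like",
    (64, 65535, "mss,nop,wscale,nop,nop,ts,sackOK,eol"): "macOS-like",
}
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "ts"}


def guess_initial_ttl(observed):
    """Stacks start at 32, 64, 128 or 255; the first one at or above the observed
    value is taken as the sender's initial TTL, and the difference is the hop count."""
    return min(t for t in (32, 64, 128, 255) if t >= observed)


def parse_syn(pkt):
    """Extract the passive-fingerprint fields from a raw IPv4 + TCP SYN packet."""
    ver_ihl, _tos, _total, ip_id, _frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    tcp = pkt[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    if not off_flags & 0x02 or off_flags & 0x10:
        raise ValueError("not a bare SYN")          # SYN+ACK carries a different signature
    opts, i = [], 20
    while i < data_off:                             # walk the TCP option list
        kind = tcp[i]
        if kind == 0:                               # end of option list
            opts.append("eol")
            break
        if kind == 1:                               # single-byte no-op
            opts.append("nop")
            i += 1
            continue
        opts.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += tcp[i + 1]                             # length byte covers kind+len+data
    # ip_id is returned because its behaviour (zero, incremental, random) is judged
    # across several packets from the same host, not from a single one.
    return {"src": src, "ttl": ttl, "ip_id": ip_id, "window": window, "options": ",".join(opts)}


def fingerprint(fields):
    """Return (OS label, estimated hop count) for one parsed SYN."""
    init_ttl = guess_initial_ttl(fields["ttl"])
    key = (init_ttl, fields["window"], fields["options"])
    return SIGNATURES.get(key, "unknown"), init_ttl - fields["ttl"]


def find_nat_candidates(packets):
    """A source address whose SYNs carry more than one distinct signature is most
    likely a NAT device hiding several hosts with different stacks."""
    seen = defaultdict(set)
    for pkt in packets:
        f = parse_syn(pkt)
        seen[f["src"]].add((guess_initial_ttl(f["ttl"]), f["window"], f["options"]))
    return sorted(src for src, sigs in seen.items() if len(sigs) > 1)


def build_syn(src, ttl, ip_id, window, options):
    """Constructed sample input: a raw IPv4/TCP SYN with zeroed checksums."""
    assert len(options) % 4 == 0
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (tcp_len // 4) << 12 | 0x02,
                      window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000, ttl, 6, 0,
                     bytes(int(x) for x in src.split(".")), bytes([10, 0, 0, 1]))
    return ip + tcp


LINUX_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"
WINDOWS_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"
SAMPLE_PACKETS = [                                  # constructed, documentation addresses
    build_syn("192.0.2.10", 61, 4471, 29200, LINUX_OPTS),     # Linux-like host, 3 hops away
    build_syn("192.0.2.20", 117, 9, 8192, WINDOWS_OPTS),      # Windows-like host, 11 hops
    build_syn("203.0.113.5", 63, 5001, 29200, LINUX_OPTS),    # one address, two stacks:
    build_syn("203.0.113.5", 127, 10, 8192, WINDOWS_OPTS),    # the NAT case
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        f = parse_syn(pkt)
        print(f["src"], fingerprint(f))
    print("NAT candidates:", find_nat_candidates(SAMPLE_PACKETS))
```

The matching key deliberately excludes the observed TTL itself and uses the inferred initial value, so the same host yields the same signature from any distance; a real database also records window scale and MSS values and treats the window as a multiple of the MSS, which this table omits.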
Tools
Active fingerprinters:
Passive fingerprinters:
- NetworkMiner
- p0f
- Satori
See Also
- NAT detection
Links
- Remote OS detection paper: http://nmap.org/book/osdetect.html
- Passive OS Fingerprinting (good walkthrough): http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting
Category: Network Forensics