Difference between revisions of "OS fingerprinting"
From Forensics Wiki
(→Links) |
|||
| (One intermediate revision by one user not shown) | |||
| Line 36: | Line 36: | ||
* [[NetworkMiner]] | * [[NetworkMiner]] | ||
* [[p0f]] | * [[p0f]] | ||
| + | * [[Satori]] | ||
== See Also == | == See Also == | ||
| Line 43: | Line 44: | ||
== Links == | == Links == | ||
* [http://nmap.org/book/osdetect.html Remote OS detection paper] | * [http://nmap.org/book/osdetect.html Remote OS detection paper] | ||
| + | * [http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting Passive OS Fingerprinting] (good walkthrough) | ||
[[Category:Network Forensics]] | [[Category:Network Forensics]] | ||
Latest revision as of 15:11, 9 November 2011
OS fingerprinting is the process of determining the operating system used by a host on a network.
Active fingerprinting
Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding replies.
Passive fingerprinting
Passive fingerprinting is the process of analysing packets from a host on a network. In this case, the fingerprinter acts as a sniffer and doesn't put any traffic on the network.
Fingerprinting techniques
Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems.
Common techniques are based on analysing:
- IP TTL values;
- IP ID values;
- TCP Window size;
- TCP Options (generally, in TCP SYN and SYN+ACK packets);
- DHCP requests;
- ICMP requests;
- HTTP packets (generally, User-Agent field).
Other techniques are based on analysing:
- Running services;
- Open port patterns.
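The following is an added example, not part of the wiki page: it extracts several of the packet-header features listed above (IP TTL, IP ID, TCP window size and TCP option layout) from one captured SYN. The function names, the sample packet and the list of common initial TTL values are assumptions made for this illustration; mapping the features to an operating system requires a signature database such as those shipped with passive fingerprinting tools.

```python
import struct

SAMPLE_SYN = (  # constructed sample: IPv4 + TCP SYN, checksums left as 0
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1C46, 0x4000, 57, 6, 0,
                bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    + struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 0xA0, 0x02, 29200, 0, 0)
    + bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307"))

OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumption: usual stack defaults

def parse_tcp_options(raw):
    """Return option names in wire order, plus the MSS and window-scale values."""
    layout, values, i = [], {}, 0
    while i < len(raw):
        kind = raw[i]
        layout.append(OPT_NAMES.get(kind, "?%d" % kind))
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        if kind == 2 and length == 4:
            values["mss"] = struct.unpack("!H", raw[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:
            values["wscale"] = raw[i + 2]
        i += length
    return layout, values

def syn_features(packet):
    """Extract passive-fingerprinting features from an IPv4 TCP SYN or SYN+ACK."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4 TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    ip_id, frag = struct.unpack("!HH", packet[4:8])
    ttl, tcp = packet[8], packet[ihl:]
    if ihl < 20 or len(tcp) < 20 or not tcp[13] & 0x02:
        raise ValueError("bad IP header or not a TCP SYN")
    data_off = (tcp[12] >> 4) * 4
    if not 20 <= data_off <= len(tcp):
        raise ValueError("bad TCP data offset")
    layout, values = parse_tcp_options(tcp[20:data_off])
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= ttl)  # round TTL up
    return dict(ttl=ttl, initial_ttl=initial, hops=initial - ttl, ip_id=ip_id,
                df=bool(frag & 0x4000), window=struct.unpack("!H", tcp[14:16])[0],
                options=",".join(layout), **values)
```

Calling `syn_features(SAMPLE_SYN)` returns a dictionary of the extracted features; the order of the TCP options is kept as seen on the wire because the ordering itself differs between stacks.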
Limitations
Many passive fingerprinters get confused when analysing packets from a NAT device.
Tools
Active fingerprinters:
Passive fingerprinters:
See Also
Links
- Remote OS detection paper
- Passive OS Fingerprinting (good walkthrough)