OS fingerprinting

Latest revision as of 20:11, 9 November 2011

OS fingerprinting is the process of determining the operating system run by a host on a network from the characteristics of the packets it sends and receives.

Active fingerprinting

Active fingerprinting is the process of transmitting crafted packets to a remote host and analysing the corresponding replies. Because it generates traffic, it can be noticed and logged by the target or by intrusion detection systems.

Passive fingerprinting

Passive fingerprinting is the process of analysing packets that a host on a network sends on its own. In this case the fingerprinter acts as a sniffer and does not put any traffic on the network, so it cannot be detected by the target and works on captured traffic (for example a pcap file) as well as live.

Fingerprinting techniques

Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems: each TCP/IP stack chooses its own default values and orderings for header fields that the protocol standards leave to the implementation.

Common techniques are based on analysing:

  • IP TTL values (the sender's initial TTL is inferred from the observed value and the common defaults of 32, 64, 128 and 255; the difference gives the hop count);
  • IP ID values (constant, incremental or random, depending on the stack);
  • TCP Window size;
  • TCP Options (generally, in TCP SYN and SYN+ACK packets: which options are present, their order and their values);
  • DHCP requests (the option list and its order);
  • ICMP requests (e.g. the default size and payload of echo requests);
  • HTTP packets (generally, the User-Agent field).

Other techniques are based on analysing:

  • Running services;
  • Open port patterns.


Many passive fingerprinters get confused when analysing packets from a NAT device: the traffic of every host behind it arrives from a single source address, so signatures belonging to different operating systems appear to come from one host, and the NAT itself alters some of the fingerprinted fields (at the very least it decrements the TTL as a router would).
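The following is an added example, not code from the original page or from any existing fingerprinting tool: a minimal passive fingerprinter in Python that parses a raw IPv4/TCP SYN, extracts the fields listed above (TTL and inferred initial TTL, IP ID, window size, TCP option order, MSS and window scale) and matches them against a signature table, and then applies the NAT caveat by flagging any source address whose packets match more than one signature. The signature table, the sample packets and the source addresses are all constructed for illustration; the table is not the p0f or Nmap database.

```python
import struct
from collections import defaultdict

# Constructed signature table (assumption: illustrative values, not a real tool's database).
# Each entry is (label, initial TTL, SYN window size, ordered TCP option kinds).
SIGNATURES = [
    ("Linux-like",   64,  29200, ("mss", "sackok", "timestamp", "nop", "wscale")),
    ("Windows-like", 128, 8192,  ("mss", "nop", "wscale", "nop", "nop", "sackok")),
]

OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sackok", 8: "timestamp"}


def parse_tcp_options(raw):
    """Return the option kinds in wire order plus the MSS and window-scale values."""
    kinds, mss, wscale = [], None, None
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:              # End of option list
            break
        if kind == 1:              # NOP: one byte, used for alignment
            kinds.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        data = raw[i + 2:i + length]
        kinds.append(OPTION_NAMES.get(kind, "kind%d" % kind))
        if kind == 2 and len(data) == 2:
            mss = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:
            wscale = data[0]
        i += length
    return tuple(kinds), mss, wscale


def initial_ttl(observed):
    """Guess the sender's starting TTL: the smallest common default not below the observed value."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def fingerprint_syn(packet):
    """Extract a passive fingerprint from a raw IPv4 packet carrying a TCP SYN."""
    ihl = (packet[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", packet[4:6])[0]
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in packet[12:16])
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:     # SYN set, ACK clear
        raise ValueError("not a SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    kinds, mss, wscale = parse_tcp_options(tcp[20:data_off])
    guess = initial_ttl(ttl)
    label = "unknown"
    for name, sig_ttl, sig_win, sig_opts in SIGNATURES:
        if (guess, window, kinds) == (sig_ttl, sig_win, sig_opts):
            label = name
            break
    return {"src": src, "ttl": ttl, "initial_ttl": guess, "hops": guess - ttl,
            "ip_id": ip_id, "window": window, "options": kinds,
            "mss": mss, "wscale": wscale, "os": label}


def detect_nat(packets):
    """Group fingerprints by source IP; an address showing several OS signatures is suspect."""
    by_src = defaultdict(set)
    for pkt in packets:
        by_src[fingerprint_syn(pkt)["src"]].add(fingerprint_syn(pkt)["os"])
    return {src: sorted(labels) for src, labels in by_src.items() if len(labels) > 1}


def build_syn(src_ip, ttl, ip_id, window, options):
    """Constructed sample input: an IPv4/TCP SYN with the given fields (checksums left zero)."""
    opts = options + b"\x00" * (-len(options) % 4)   # pad with EOL to a 32-bit boundary
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(opts)) // 4) << 4, 0x02, window, 0, 0) + opts
    src = bytes(int(x) for x in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000,
                     ttl, 6, 0, src, bytes([10, 0, 0, 1]))
    return ip + tcp


# Constructed option blobs: MSS 1460, SACK-permitted, timestamps, NOP, wscale 7 (Linux-like order)
# and MSS 1460, NOP, wscale 8, NOP, NOP, SACK-permitted (Windows-like order).
LINUX_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"
WINDOWS_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"

SAMPLE_PACKETS = [
    build_syn("192.0.2.10", 63, 0x1234, 29200, LINUX_OPTS),      # one hop away
    build_syn("192.0.2.20", 127, 0x0002, 8192, WINDOWS_OPTS),    # one hop away
    build_syn("198.51.100.1", 62, 0x2222, 29200, LINUX_OPTS),    # two stacks behind one NAT address
    build_syn("198.51.100.1", 126, 0x0003, 8192, WINDOWS_OPTS),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(fingerprint_syn(pkt))
    print("possible NAT:", detect_nat(SAMPLE_PACKETS))
```

The matcher requires an exact match on initial TTL, window size and option order; real tools use fuzzier matching and many more fields, but the exact form makes it obvious why the single NAT address in the sample ends up with two contradictory labels.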


Active fingerprinters:

Passive fingerprinters:

See Also