OS fingerprinting

From ForensicsWiki
'''OS fingerprinting''' is the process of determining the [[operating system]] used by a host on a network.
== Active fingerprinting ==
Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding replies.
== Passive fingerprinting ==
Passive fingerprinting is the process of analysing packets sent by a host on a network. In this case, the fingerprinter acts as a [[sniffer]] and does not put any traffic on the network.
== Fingerprinting techniques ==
Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems.
Common techniques are based on analysing:
* IP TTL values;
* IP ID values;
* TCP Window size;
* TCP Options (generally, in TCP SYN and SYN+ACK packets);
* DHCP requests;
* ICMP requests;
* HTTP packets (generally, User-Agent field).
Other techniques are based on analysing:
* Running services;
* Open port patterns.
== Limitations ==
Many passive fingerprinters are confused by packets from a NAT device, because a single source address then carries traffic from several hosts whose characteristics (for example TTL, window size and TCP options) differ.
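The following added example (not part of the original wiki page, and not code from p0f or NetworkMiner) shows how the passive techniques listed above combine into a classifier, and how the NAT limitation shows up in practice. It parses raw IPv4/TCP SYN frames, extracts the TTL, window size and TCP option order, guesses the sender's initial TTL to get a hop count, and matches the result against a tiny signature table. The signature table, the IP addresses and the packets themselves are constructed for this example; real fingerprinters use large, empirically collected databases.

```python
import struct

# Toy signature table, constructed for this example. Real passive
# fingerprinters ship far larger databases; the values are illustrative only.
# key: (initial TTL, TCP window, TCP option kinds in order) -> label
SIGNATURES = {
    (64, 64240, ("MSS", "SACK", "TS", "NOP", "WS")): "Linux-like",
    (128, 8192, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")): "Windows-like",
    (64, 65535, ("MSS", "NOP", "WS", "NOP", "NOP", "TS", "SACK", "EOL")): "macOS-like",
}
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_tcp_options(raw: bytes) -> tuple:
    """Return the option kinds in wire order; the order is part of the fingerprint."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            names.append("EOL")
            break
        if kind == 1:                      # NOP carries no length byte
            names.append("NOP")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            break                          # truncated or malformed: stop, never loop forever
        names.append(OPTION_NAMES.get(kind, f"OPT{kind}"))
        i += raw[i + 1]
    return tuple(names)

def parse_ipv4_tcp(packet: bytes) -> dict:
    """Pull out the header fields a passive fingerprinter looks at."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not a TCP segment")
    src_ip = ".".join(str(b) for b in packet[12:16])
    tcp = packet[ihl:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    data_off = (off_flags >> 12) * 4
    return {"src_ip": src_ip, "ttl": ttl, "window": window,
            "flags": off_flags & 0x1FF,
            "options": parse_tcp_options(tcp[20:data_off])}

def guess_initial_ttl(observed: int) -> int:
    """Operating systems start at 64, 128 or 255; each router hop decrements it."""
    for initial in (64, 128, 255):
        if observed <= initial:
            return initial
    return 255

def fingerprint(packet: bytes) -> dict:
    """Classify one pure SYN; SYN+ACK and other segments are ignored here."""
    f = parse_ipv4_tcp(packet)
    if not (f["flags"] & TCP_SYN) or f["flags"] & TCP_ACK:
        return {"src_ip": f["src_ip"], "label": None, "hops": None}
    initial = guess_initial_ttl(f["ttl"])
    key = (initial, f["window"], f["options"])
    return {"src_ip": f["src_ip"], "label": SIGNATURES.get(key, "unknown"),
            "hops": initial - f["ttl"]}

def labels_per_source(packets) -> dict:
    """Map each source IP to the set of labels seen. More than one label behind
    a single address is the NAT symptom described in the Limitations section."""
    seen = {}
    for p in packets:
        r = fingerprint(p)
        if r["label"] is not None:
            seen.setdefault(r["src_ip"], set()).add(r["label"])
    return seen

def build_syn(src_ip: str, ttl: int, window: int, options: bytes) -> bytes:
    """Constructed sample frame: IPv4 + TCP SYN, checksums left zero."""
    opts = options + b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                      (data_off << 12) | TCP_SYN, window, 0, 0) + opts
    src = bytes(int(x) for x in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     ttl, 6, 0, src, bytes([10, 0, 0, 1]))
    return ip + tcp

MSS, NOP, WS, SACK = b"\x02\x04\x05\xb4", b"\x01", b"\x03\x03\x07", b"\x04\x02"
TS, EOL = b"\x08\x0a" + b"\x00" * 8, b"\x00"

# Constructed captures: a Linux-like host three hops away, and one NAT address
# (10.0.0.9) relaying both a Windows-like and a macOS-like host.
LINUX_SYN = build_syn("10.0.0.5", 61, 64240, MSS + SACK + TS + NOP + WS)
NAT_SYN_A = build_syn("10.0.0.9", 126, 8192, MSS + NOP + WS + NOP + NOP + SACK)
NAT_SYN_B = build_syn("10.0.0.9", 63, 65535, MSS + NOP + WS + NOP + NOP + TS + SACK + EOL)

if __name__ == "__main__":
    for pkt in (LINUX_SYN, NAT_SYN_A, NAT_SYN_B):
        print(fingerprint(pkt))
    print(labels_per_source([LINUX_SYN, NAT_SYN_A, NAT_SYN_B]))
```

Running the block classifies the first packet as Linux-like at three hops, and reports two different labels for 10.0.0.9, which is exactly the inconsistency an analyst should treat as a hint that the address is a NAT gateway rather than a single host.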
== Tools ==
Active fingerprinters:
* [[Nmap]]
Passive fingerprinters:
* [[NetworkMiner]]
* [[p0f]]
== Links ==
* [http://nmap.org/book/osdetect.html Remote OS detection paper]
[[Category:Network Forensics]]

Latest revision as of 03:43, 19 March 2013