OS fingerprinting
From Forensics Wiki
'''OS fingerprinting''' is the process of determining the [[operating system]] used by a host on a network.

== Active fingerprinting ==
Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding replies.

== Passive fingerprinting ==
Passive fingerprinting is the process of analysing packets that a host on a network sends anyway. In this case the fingerprinter acts as a [[sniffer]] and does not put any traffic on the network.

== Fingerprinting techniques ==
Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems.

Common techniques are based on analysing:
* IP TTL values;
* IP ID values;
* TCP window size;
* TCP options (generally, in TCP SYN and SYN+ACK packets);
* DHCP requests;
* ICMP requests;
* HTTP packets (generally, the User-Agent field).

Other techniques are based on analysing:
* Running services;
* Open port patterns.

== Limitations ==
Many passive fingerprinters become confused when analysing packets from a NAT device, because traffic from several hosts, possibly running different operating systems, arrives from a single address.
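The following is an added example, not code from the Forensics Wiki or from any of the tools named on this page. It shows the passive, SYN-based technique described above (initial TTL, TCP window size and TCP option order) run over a few constructed packets, and it also illustrates the NAT limitation: the signature table, the packet builder and the sample addresses are all assumptions made for the example, not a real p0f or Nmap database.

```python
import struct
from collections import defaultdict

# Constructed, illustrative signature table: (label, initial TTL, window size, TCP option kinds in order).
# These values are assumptions for this example, not copied from any real fingerprint database.
SIGNATURES = [
    ("linux-like", 64, 29200, (2, 4, 8, 1, 3)),       # MSS, SACK-permitted, timestamps, NOP, window scale
    ("windows-like", 128, 8192, (2, 1, 3, 1, 1, 4)),  # MSS, NOP, window scale, NOP, NOP, SACK-permitted
]


def guess_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial TTL, assuming only a few hops were crossed."""
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return 255


def build_syn(src_ip, ttl, window, options):
    """Build a minimal IPv4 + TCP SYN packet (checksums left at zero; only the inspected fields matter)."""
    options += b"\x00" * (-len(options) % 4)  # pad the option list to a 32-bit boundary with end-of-list bytes
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_offset << 12) | 0x02, window, 0, 0) + options
    src = bytes(int(octet) for octet in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0, src, bytes([192, 0, 2, 1]))
    return ip + tcp


def parse_ipv4_tcp(packet):
    """Extract the header fields a passive fingerprinter looks at from a raw IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(str(b) for b in packet[12:16])
    tcp = packet[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    opts = tcp[20:data_offset]
    kinds = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # end of option list
            break
        kinds.append(kind)
        if kind == 1:  # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break  # truncated or malformed option: stop instead of looping forever
        i += opts[i + 1]
    return {"src": src, "ttl": ttl, "window": window, "syn": bool(off_flags & 0x02), "options": tuple(kinds)}


def fingerprint(fields):
    """Match parsed SYN fields against the signature table; 'unknown' when nothing matches."""
    for label, initial_ttl, window, kinds in SIGNATURES:
        if (guess_initial_ttl(fields["ttl"]) == initial_ttl
                and fields["window"] == window
                and fields["options"] == kinds):
            return label
    return "unknown"


def analyse(packets):
    """Fingerprint every SYN per source address and flag sources showing more than one OS (likely NAT)."""
    seen = defaultdict(set)
    for pkt in packets:
        fields = parse_ipv4_tcp(pkt)
        if fields["syn"]:
            seen[fields["src"]].add(fingerprint(fields))
    nat_suspects = sorted(src for src, labels in seen.items() if len(labels) > 1)
    return {src: sorted(labels) for src, labels in seen.items()}, nat_suspects


# Constructed option lists matching the two signatures above.
LINUX_OPTS = bytes([2, 4, 0x05, 0xB4, 4, 2, 8, 10]) + b"\x00" * 8 + bytes([1, 3, 3, 7])
WINDOWS_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])

# Constructed sample traffic; 203.0.113.9 stands in for a NAT address shared by two different hosts.
SAMPLE_PACKETS = [
    build_syn("10.0.0.5", 64, 29200, LINUX_OPTS),
    build_syn("10.0.0.7", 128, 8192, WINDOWS_OPTS),
    build_syn("203.0.113.9", 63, 29200, LINUX_OPTS),     # one hop away, behind a NAT...
    build_syn("203.0.113.9", 127, 8192, WINDOWS_OPTS),   # ...with a second OS sharing the address
]

if __name__ == "__main__":
    results, nat = analyse(SAMPLE_PACKETS)
    for src, labels in results.items():
        print(src, labels)
    print("possible NAT:", nat)
```

A single address that yields two distinct fingerprints is the situation the Limitations section describes: the sniffer sees one source, but the TTL, window and option order tell two different stories, so a fingerprinter that assumes one host per address will report a wrong or flapping result unless it tracks multiple fingerprints per source as this example does.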
== Tools ==
Active fingerprinters:
* [[Nmap]]

Passive fingerprinters:
* [[NetworkMiner]]
* [[p0f]]

== Links ==
* [http://nmap.org/book/osdetect.html Remote OS detection paper]

[[Category:Network Forensics]]
Latest revision as of 22:43, 18 March 2013