From ForensicsWiki
'''OS fingerprinting''' is the process of determining the [[operating system]] (and, where possible, its version) running on a host on a network, either from the characteristics of the traffic the host sends or from the way it responds to probes.
 
  
== Active fingerprinting ==
 
Active fingerprinting is the process of transmitting crafted packets (for example TCP SYNs with unusual flag or option combinations, or ICMP echo requests) to a remote host and analysing the replies. It is fast and also works against hosts that are otherwise silent, but the probes are themselves traffic: they can be logged, blocked, or answered by an intermediate device rather than by the target.
 
 
== Passive fingerprinting ==
 
Passive fingerprinting is the process of analysing packets that a host sends as part of its normal traffic. In this case the fingerprinter acts as a [[sniffer]] and does not put any traffic on the network, so the target cannot detect it; the trade-off is that it can only fingerprint hosts whose traffic it observes and has no control over which packets it gets to see.
 
 
== Fingerprinting techniques ==
 
 
Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems. The protocol specifications leave a number of fields to the implementation (the initial TTL, the initial TCP window size, the selection and order of TCP options, how IP ID values are generated, and so on), and each TCP/IP stack fills them in its own way, so a combination of these values acts as a signature.
 
 
Common techniques are based on analysing:


* IP TTL values (the initial TTL differs between stacks, typically 64 or 128; the observed value is the initial one minus the number of hops);

* IP ID values (sequential, random, or constant zero, depending on the stack);

* TCP window size (the initial value advertised in the SYN);

* TCP options (which options are present, their order, and their values, generally in TCP SYN and SYN+ACK packets);

* DHCP requests (the set and order of options a client asks for);

* ICMP requests and replies (how much of the original packet is quoted, how unusual codes are handled);

* HTTP packets (generally the User-Agent field, which names the client OS; this is application-layer data that is trivially spoofed, so it is weaker evidence than the network-layer signs above).


Other techniques are based on analysing:


* Running services (banners and protocol behaviour of daemons that ship with a particular OS);

* Open port patterns (the default set of listening ports).
 
 
== Limitations ==
 
Many passive fingerprinters get confused when analysing packets from a NAT device. Every host behind the NAT appears with the same source address, so the fingerprinter sees conflicting signatures (for example different initial TTLs or TCP option orders) for what it takes to be a single host, and may report the wrong operating system or switch its guess from packet to packet. Proxies, load balancers and packet-normalising firewalls cause similar confusion, and an active fingerprint of a NATed address may describe the NAT device itself rather than the hosts behind it.
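The following is an added example and not code from ForensicsWiki or from any of the tools listed below. It shows, for the TCP SYN techniques in the list above and for the NAT limitation just described, how a passive fingerprinter works: it parses raw IPv4/TCP bytes, rounds the observed TTL up to the nearest standard initial value, reads the TCP window and the order of TCP options, looks the triple up in a signature table, and flags a source address that shows more than one distinct signature as a likely NAT. The signature table and the sample packets are constructed for this example (only the initial TTLs of 64 for Linux/BSD and 128 for Windows are well-known defaults; the window sizes and option orders are representative, not authoritative), and the checksums in the sample packets are zeroed because they are never sent.

```python
import struct
from collections import defaultdict

# TCP option kinds used in SYN fingerprinting (kind numbers from the TCP RFCs).
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "ts"}
# Initial TTLs used by common stacks; an observed TTL is one of these minus the hop count.
INITIAL_TTLS = (32, 64, 128, 255)

# Illustrative signature table, constructed for this example: (initial TTL, window,
# option order) -> label. Only the initial TTLs (64 Linux/BSD, 128 Windows) are
# well-known defaults; window sizes and option orders vary between versions.
SIGNATURES = {
    (64, 29200, ("mss", "sackOK", "ts", "nop", "wscale")): "Linux",
    (128, 8192, ("mss", "nop", "wscale", "nop", "nop", "sackOK")): "Windows",
    (64, 65535, ("mss", "nop", "wscale", "nop", "nop", "ts", "sackOK", "eol")): "macOS/BSD",
}

def guess_initial_ttl(observed):
    """Round an observed TTL up to the nearest standard initial value."""
    return next(t for t in INITIAL_TTLS if observed <= t)

def parse_tcp_options(raw):
    """Return the option kinds in wire order, e.g. ('mss', 'sackOK', 'ts', 'nop', 'wscale')."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        names.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        if kind == 0:                      # EOL ends the list; the rest is padding
            break
        if kind == 1:                      # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            raise ValueError("malformed TCP option at offset %d" % i)
        i += raw[i + 1]
    return tuple(names)

def extract_syn_signature(packet):
    """For an IPv4 TCP SYN (SYN set, ACK clear) return (src_ip, ttl, window, options), else None."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    if len(tcp) < 20 or tcp[13] & 0x12 != 0x02 or len(tcp) < (tcp[12] >> 4) * 4:
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    window = struct.unpack("!H", tcp[14:16])[0]
    return src_ip, packet[8], window, parse_tcp_options(tcp[20:(tcp[12] >> 4) * 4])

class PassiveFingerprinter:
    """Sniffer-side state: every distinct SYN signature seen per source address."""

    def __init__(self):
        self.seen = defaultdict(set)

    def feed(self, packet):
        sig = extract_syn_signature(packet)
        if sig is None:
            return None
        src_ip, ttl, window, options = sig
        key = (guess_initial_ttl(ttl), window, options)
        self.seen[src_ip].add(key)
        return src_ip, SIGNATURES.get(key, "unknown")

    def report(self):
        """Per address: OS guesses, and a NAT flag when one address shows several stacks."""
        return {ip: {"guesses": sorted({SIGNATURES.get(k, "unknown") for k in keys}),
                     "nat_suspected": len(keys) > 1}
                for ip, keys in self.seen.items()}

# ---- constructed sample traffic (checksums zeroed; built in memory, never sent) ----
MSS, NOP, WS, SACK = b"\x02\x04\x05\xb4", b"\x01", b"\x03\x03\x07", b"\x04\x02"
TS = b"\x08\x0a" + b"\x00" * 8
LINUX_OPTS = MSS + SACK + TS + NOP + WS
WINDOWS_OPTS = MSS + NOP + WS + NOP + NOP + SACK

def build_packet(src_ip, ttl, window, options, flags=0x02):
    """Minimal IPv4+TCP packet builder; options are padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (5 + len(options) // 4) << 4,
                      flags, window, 0, 0) + options
    src = bytes(int(o) for o in src_ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                       ttl, 6, 0, src, bytes([10, 0, 0, 1])) + tcp

SAMPLE_PACKETS = [
    build_packet("192.0.2.10", 57, 29200, LINUX_OPTS),        # Linux host, 7 hops away
    build_packet("192.0.2.20", 121, 8192, WINDOWS_OPTS),      # Windows host, 7 hops away
    build_packet("192.0.2.20", 121, 8192, b"", flags=0x10),   # plain ACK: not a SYN, ignored
    build_packet("198.51.100.5", 60, 29200, LINUX_OPTS),      # two stacks behind one
    build_packet("198.51.100.5", 124, 8192, WINDOWS_OPTS),    # public address: looks like NAT
]

def run_demo(packets=SAMPLE_PACKETS):
    fp = PassiveFingerprinter()
    for p in packets:
        fp.feed(p)
    return fp.report()
```

Running <code>run_demo()</code> reports Linux for 192.0.2.10 and Windows for 192.0.2.20, while 198.51.100.5 gets both guesses and <code>nat_suspected</code> set, which is exactly the situation in which a single-guess fingerprinter would flip between answers. The TTL rounding is the reason a host seven hops away with TTL 57 still matches the 64 signature; a real tool such as p0f additionally matches on MSS and window-scale values and on the relation between window size and MSS.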
 
 
== Tools ==
 
Active fingerprinters:
 
* [[Nmap]]
 
 
Passive fingerprinters:
 
* [[NetworkMiner]]
 
* [[p0f]]
 
 
== Links ==
 
* [http://nmap.org/book/osdetect.html Remote OS detection paper]
 
 
[[Category:Network Forensics]]
 

Latest revision as of 22:43, 18 March 2013