This is a mirror of official site: http://jasper-net.blogspot.com/

Hacker Geek: OS Fingerprinting With TTL and TCP Window Sizes

Wednesday, February 1, 2012
Did you know that you can find out which operating system a networked device is running just by looking at the way it communicates on the network? Let’s take a look at how we can discover what operating system our devices are running.


Why Would You Do This?

Determining what OS a machine or device is running can be useful for many reasons. First, let's take a look at an everyday perspective: imagine you want to switch to a new ISP who offers uncapped internet for $50 a month, so you take a trial of their service. By using OS fingerprinting you will soon discover that they have rubbish routers and run their PPPoE service on a bunch of Windows Server 2003 machines. Doesn't sound like such a good deal anymore, huh?

Another use for this, albeit not so ethical, is that security holes are OS specific. For example, if you do a port scan, find port 53 open and the machine is running an outdated and vulnerable version of BIND, you have a SINGLE chance to exploit the security hole, since a failed attempt would crash the daemon.


How Does OS Fingerprinting Work?

When doing passive analysis of live traffic, or even looking at old packet captures, one of the easiest and most effective ways of doing OS fingerprinting is simply looking at the TCP window size and the Time To Live (TTL) in the IP header of the first packet in a TCP session.

Here are the values for the more popular operating systems:

Operating System                     Time To Live   TCP Window Size
Linux (Kernel 2.4 and 2.6)           64             5840
Google Linux                         64             5720
FreeBSD                              64             65535
Windows XP                           128            65535
Windows Vista and 7 (Server 2008)    128            8192
iOS 12.4 (Cisco Routers)             255            4128
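As an added example (not code from the original post or from How-To Geek), here is a small Python passive check of the kind described above: it reads the TTL and window size out of a raw IPv4/TCP SYN, rounds the observed TTL up to the nearest common initial value (64, 128, 255) to allow for the hops the packet has crossed, and looks the pair up in the table. The packet builder and the 192.0.2.x addresses are constructed test data, not captured traffic.

```python
import struct

# Reference table from the post: (OS name, initial TTL, TCP window size).
FINGERPRINTS = [
    ("Linux (Kernel 2.4 and 2.6)", 64, 5840),
    ("Google Linux", 64, 5720),
    ("FreeBSD", 64, 65535),
    ("Windows XP", 128, 65535),
    ("Windows Vista and 7 (Server 2008)", 128, 8192),
    ("iOS 12.4 (Cisco Routers)", 255, 4128),
]
INITIAL_TTLS = (64, 128, 255)   # common OS defaults; assumption, not from the post

def parse_ipv4_tcp(pkt: bytes):
    """Return (ttl, window, is_syn) from a raw IPv4+TCP packet (no link-layer header)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:          # IP version 4, protocol 6 = TCP
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length in bytes
    ttl = pkt[8]
    tcp = pkt[ihl:]
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]  # 16-bit window field, network order
    is_syn = bool(flags & 0x02)                  # SYN bit: first packet each side sends
    return ttl, window, is_syn

def guess_initial_ttl(observed_ttl: int) -> int:
    """Each router hop decrements TTL, so round up to the nearest common initial value."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return observed_ttl

def fingerprint(pkt: bytes):
    """Return matching OS names for a SYN packet, or None if the packet is not a SYN."""
    ttl, window, is_syn = parse_ipv4_tcp(pkt)
    if not is_syn:
        return None    # only the session's first packet carries the OS default window
    initial = guess_initial_ttl(ttl)
    return [name for name, t, w in FINGERPRINTS if t == initial and w == window]

def build_packet(ttl: int, window: int, flags: int = 0x02) -> bytes:
    """Construct a minimal IPv4+TCP packet for testing (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, flags, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    print(fingerprint(build_packet(118, 8192)))   # Windows host ten hops away
```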

Read more: How-To Geek, http://www.howtogeek.com/104337/hacker-geek-os-fingerprinting-with-ttl-and-tcp-window-sizes/
