Os fingerprinting

OS fingerprinting is the process of determining the operating system used by a host on a network.

Active fingerprinting

Active fingerprinting is the process of transmitting packets to a remote host and analysing corresponding replies.

Passive fingerprinting

Passive fingerprinting is the process of analysing packets from a host on a network. In this case, fingerprinter acts as a sniffer and doesn't put any traffic on a network.

Fingerprinting techniques

Almost all fingerprinting techniques are based on detecting difference in packets generated by different operating systems.

Common techniques are based on analysing:

• IP TTL values;
• IP ID values;
• TCP Window size;
• TCP Options (generally, in TCP SYN and SYN+ACK packets);
• DHCP requests;
• ICMP requests;
• HTTP packets (generally, User-Agent field).

Other techniques are based on analysing:

• Running services;
• Open port patterns.

Limitations

Many passive fingerprinters are getting confused when analysing packets from a NAT device.

Tools

Active fingerprinters:

• Nmap

Passive fingerprinters:

• NetworkMiner
• p0f

See Also

• NAT detection

Links

• Remote OS detection paper