Threat Level: green Handler on Duty: Pasquale Stirparo

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-07-10 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Passive OS Fingerprinting Update

Published: 2003-07-10
Last Updated: 2003-07-10 20:04:35 UTC
by Handlers (Version: 1)
0 comment(s)
This tables is an updated summary of Toby Millers paper about Passive OS
Fingerprinting.

*Windows 95, Windows 98 and Windows XP fingerprint were added
after some lab experiments.

Linux

----------------

Window Size = 5840 (Linux 2.4) or 32120 (Linux 2.2)

Initial TTL = 64

IP ID: Increments randomly at the start of each session

TCP Options: MSS, SackOK, WindowScale, Timestamp, one NOP

Total Packet Length: 60 bytes
OpenBSD

----------------

Window Size = 16384

Inital TTL = 64

IP ID: Completely random

TCP Options: MSS, SackOK, WindowScale, Timestamp, five NOPs

Total Packet Length: 64 bytes

TOS = 0x10
FreeBsd

----------------

Window Size = 65535

Initial TTL = 64

IP ID: Increments by 1

TCP Options: MSS, WindowScale, three NOPs, Timestamp (Fisrt
three SYN tries)

Total Packet Length: 60 bytes (First three SYN tries)

*TCP Options:MSS (after first three SYN tries)

*Total Packet Length: 44 bytes (after first three SYN tries)
Solaris 7

----------------

Window Size = 8760

Initial TTL = 255

IP ID: Increments by one always

TCP Options: MSS

Total Packet Length: 44 bytes
AIX 4.3

----------------

Window Size = 16384

Initial TTL = 64

IP ID: Increments by one always

TCP Options: MSS

Total Packet Length: 44 bytes

TOS = 0x10
Windows 2000

----------------

Window Size = 16384

Inital TTL = 128

IP ID: Increments by one all of the time

TCP Options: MSS, SackOK, two NOPs

Total Packet Length: 48 bytes
Windows 98

------------------

Windows Size= = 8192

Initial TTL = 128

IP ID: Increments by 256 (?)

TCP Options: MSS, SackOK, two NOPs

Total Packet Lenght: 48 bytes
Windows 95

-----------------

Windows Size = 8192

Initial TTL = 32

IP ID: increments by 256

TCP Options: MSS

Total Packet Lenght: 44 bytes
Windows XP

-----------------

Windows Size = 64240

Initial TTL = 128

IP ID: Increments by one

TCP Options: MSS, SackOK, two NOPs

Total Packet Lenght: 48 bytes
References:

Toby Miller Original Paper:

http://www.sans.org/rr/special/passiveos.php

Toby Miller Original Paper - Part 2

http://www.sans.org/rr/special/passiveos2.php
Comments:

Pedro Paulo Ferreira Bueno

bueno@ieee.org
Keywords:
0 comment(s)
Diary Archives