Passive OS Fingerprinting Update
This tables is an updated summary of Toby Millers paper about Passive OS
Fingerprinting.
*Windows 95, Windows 98 and Windows XP fingerprint were added
after some lab experiments.
Linux
----------------
Window Size = 5840 (Linux 2.4) or 32120 (Linux 2.2)
Initial TTL = 64
IP ID: Increments randomly at the start of each session
TCP Options: MSS, SackOK, WindowScale, Timestamp, one NOP
Total Packet Length: 60 bytes
OpenBSD
----------------
Window Size = 16384
Inital TTL = 64
IP ID: Completely random
TCP Options: MSS, SackOK, WindowScale, Timestamp, five NOPs
Total Packet Length: 64 bytes
TOS = 0x10
FreeBsd
----------------
Window Size = 65535
Initial TTL = 64
IP ID: Increments by 1
TCP Options: MSS, WindowScale, three NOPs, Timestamp (Fisrt
three SYN tries)
Total Packet Length: 60 bytes (First three SYN tries)
*TCP Options:MSS (after first three SYN tries)
*Total Packet Length: 44 bytes (after first three SYN tries)
Solaris 7
----------------
Window Size = 8760
Initial TTL = 255
IP ID: Increments by one always
TCP Options: MSS
Total Packet Length: 44 bytes
AIX 4.3
----------------
Window Size = 16384
Initial TTL = 64
IP ID: Increments by one always
TCP Options: MSS
Total Packet Length: 44 bytes
TOS = 0x10
Windows 2000
----------------
Window Size = 16384
Inital TTL = 128
IP ID: Increments by one all of the time
TCP Options: MSS, SackOK, two NOPs
Total Packet Length: 48 bytes
Windows 98
------------------
Windows Size= = 8192
Initial TTL = 128
IP ID: Increments by 256 (?)
TCP Options: MSS, SackOK, two NOPs
Total Packet Lenght: 48 bytes
Windows 95
-----------------
Windows Size = 8192
Initial TTL = 32
IP ID: increments by 256
TCP Options: MSS
Total Packet Lenght: 44 bytes
Windows XP
-----------------
Windows Size = 64240
Initial TTL = 128
IP ID: Increments by one
TCP Options: MSS, SackOK, two NOPs
Total Packet Lenght: 48 bytes
References:
Toby Miller Original Paper:
http://www.sans.org/rr/special/passiveos.php
Toby Miller Original Paper - Part 2
http://www.sans.org/rr/special/passiveos2.php
Comments:
Pedro Paulo Ferreira Bueno
bueno@ieee.org
Fingerprinting.
*Windows 95, Windows 98 and Windows XP fingerprint were added
after some lab experiments.
Linux
----------------
Window Size = 5840 (Linux 2.4) or 32120 (Linux 2.2)
Initial TTL = 64
IP ID: Increments randomly at the start of each session
TCP Options: MSS, SackOK, WindowScale, Timestamp, one NOP
Total Packet Length: 60 bytes
OpenBSD
----------------
Window Size = 16384
Inital TTL = 64
IP ID: Completely random
TCP Options: MSS, SackOK, WindowScale, Timestamp, five NOPs
Total Packet Length: 64 bytes
TOS = 0x10
FreeBsd
----------------
Window Size = 65535
Initial TTL = 64
IP ID: Increments by 1
TCP Options: MSS, WindowScale, three NOPs, Timestamp (Fisrt
three SYN tries)
Total Packet Length: 60 bytes (First three SYN tries)
*TCP Options:MSS (after first three SYN tries)
*Total Packet Length: 44 bytes (after first three SYN tries)
Solaris 7
----------------
Window Size = 8760
Initial TTL = 255
IP ID: Increments by one always
TCP Options: MSS
Total Packet Length: 44 bytes
AIX 4.3
----------------
Window Size = 16384
Initial TTL = 64
IP ID: Increments by one always
TCP Options: MSS
Total Packet Length: 44 bytes
TOS = 0x10
Windows 2000
----------------
Window Size = 16384
Inital TTL = 128
IP ID: Increments by one all of the time
TCP Options: MSS, SackOK, two NOPs
Total Packet Length: 48 bytes
Windows 98
------------------
Windows Size= = 8192
Initial TTL = 128
IP ID: Increments by 256 (?)
TCP Options: MSS, SackOK, two NOPs
Total Packet Lenght: 48 bytes
Windows 95
-----------------
Windows Size = 8192
Initial TTL = 32
IP ID: increments by 256
TCP Options: MSS
Total Packet Lenght: 44 bytes
Windows XP
-----------------
Windows Size = 64240
Initial TTL = 128
IP ID: Increments by one
TCP Options: MSS, SackOK, two NOPs
Total Packet Lenght: 48 bytes
References:
Toby Miller Original Paper:
http://www.sans.org/rr/special/passiveos.php
Toby Miller Original Paper - Part 2
http://www.sans.org/rr/special/passiveos2.php
Comments:
Pedro Paulo Ferreira Bueno
bueno@ieee.org
Keywords:
0 comment(s)
×
![modal content]()
Diary Archives
Comments