Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Passive OS Fingerprinting Update SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Passive OS Fingerprinting Update
This tables is an updated summary of Toby Millers paper about Passive OS
Fingerprinting.

*Windows 95, Windows 98 and Windows XP fingerprint were added
after some lab experiments.

Linux

----------------

Window Size = 5840 (Linux 2.4) or 32120 (Linux 2.2)

Initial TTL = 64

IP ID: Increments randomly at the start of each session

TCP Options: MSS, SackOK, WindowScale, Timestamp, one NOP

Total Packet Length: 60 bytes
OpenBSD

----------------

Window Size = 16384

Inital TTL = 64

IP ID: Completely random

TCP Options: MSS, SackOK, WindowScale, Timestamp, five NOPs

Total Packet Length: 64 bytes

TOS = 0x10
FreeBsd

----------------

Window Size = 65535

Initial TTL = 64

IP ID: Increments by 1

TCP Options: MSS, WindowScale, three NOPs, Timestamp (Fisrt
three SYN tries)

Total Packet Length: 60 bytes (First three SYN tries)

*TCP Options:MSS (after first three SYN tries)

*Total Packet Length: 44 bytes (after first three SYN tries)
Solaris 7

----------------

Window Size = 8760

Initial TTL = 255

IP ID: Increments by one always

TCP Options: MSS

Total Packet Length: 44 bytes
AIX 4.3

----------------

Window Size = 16384

Initial TTL = 64

IP ID: Increments by one always

TCP Options: MSS

Total Packet Length: 44 bytes

TOS = 0x10
Windows 2000

----------------

Window Size = 16384

Inital TTL = 128

IP ID: Increments by one all of the time

TCP Options: MSS, SackOK, two NOPs

Total Packet Length: 48 bytes
Windows 98

------------------

Windows Size= = 8192

Initial TTL = 128

IP ID: Increments by 256 (?)

TCP Options: MSS, SackOK, two NOPs

Total Packet Lenght: 48 bytes
Windows 95

-----------------

Windows Size = 8192

Initial TTL = 32

IP ID: increments by 256

TCP Options: MSS

Total Packet Lenght: 44 bytes
Windows XP

-----------------

Windows Size = 64240

Initial TTL = 128

IP ID: Increments by one

TCP Options: MSS, SackOK, two NOPs

Total Packet Lenght: 48 bytes
References:

Toby Miller Original Paper:

http://www.sans.org/rr/special/passiveos.php

Toby Miller Original Paper - Part 2

http://www.sans.org/rr/special/passiveos2.php
Comments:

Pedro Paulo Ferreira Bueno

bueno@ieee.org
 Handlers

76 Posts
Jul 10th 2003
Subscribe Jul 10th 2003
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!