Passive OS Fingerprinting Update - SANS Internet Storm Center

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Handler on Duty: Didier Stevens

Threat Level: green

Passive OS Fingerprinting Update
This tables is an updated summary of Toby Millers paper about Passive OS Fingerprinting. Windows 95, Windows 98 and Windows XP fingerprint were added after some lab experiments. Linux ---------------- Window Size = 5840 (Linux 2.4) or 32120 (Linux 2.2) Initial TTL = 64 IP ID: Increments randomly at the start of each session TCP Options: MSS, SackOK, WindowScale, Timestamp, one NOP Total Packet Length: 60 bytes OpenBSD ---------------- Window Size = 16384 Inital TTL = 64 IP ID: Completely random TCP Options: MSS, SackOK, WindowScale, Timestamp, five NOPs Total Packet Length: 64 bytes TOS = 0x10 FreeBsd ---------------- Window Size = 65535 Initial TTL = 64 IP ID: Increments by 1 TCP Options: MSS, WindowScale, three NOPs, Timestamp (Fisrt three SYN tries) Total Packet Length: 60 bytes (First three SYN tries) TCP Options:MSS (after first three SYN tries) *Total Packet Length: 44 bytes (after first three SYN tries) Solaris 7 ---------------- Window Size = 8760 Initial TTL = 255 IP ID: Increments by one always TCP Options: MSS Total Packet Length: 44 bytes AIX 4.3 ---------------- Window Size = 16384 Initial TTL = 64 IP ID: Increments by one always TCP Options: MSS Total Packet Length: 44 bytes TOS = 0x10 Windows 2000 ---------------- Window Size = 16384 Inital TTL = 128 IP ID: Increments by one all of the time TCP Options: MSS, SackOK, two NOPs Total Packet Length: 48 bytes Windows 98 ------------------ Windows Size= = 8192 Initial TTL = 128 IP ID: Increments by 256 (?) TCP Options: MSS, SackOK, two NOPs Total Packet Lenght: 48 bytes Windows 95 ----------------- Windows Size = 8192 Initial TTL = 32 IP ID: increments by 256 TCP Options: MSS Total Packet Lenght: 44 bytes Windows XP ----------------- Windows Size = 64240 Initial TTL = 128 IP ID: Increments by one TCP Options: MSS, SackOK, two NOPs Total Packet Lenght: 48 bytes References: Toby Miller Original Paper: http://www.sans.org/rr/special/passiveos.php Toby Miller Original Paper - Part 2 http://www.sans.org/rr/special/passiveos2.php Comments: Pedro Paulo Ferreira Bueno bueno@ieee.org	Handlers 76 Posts Jul 10th 2003
Thread locked Subscribe	Jul 10th 2003 1 decade ago