Simple OS fingerprinting (zero tools)

A simple way to fingerprint an operating system with no tools at all is to look at the TTL value in a ping reply. TTL is Time To Live: the number of router hops a packet may take before it is discarded. Every router that forwards the packet decrements the value by one; when it reaches zero, the router drops the packet instead of forwarding it. Each operating system starts its packets with a different default TTL, so the value that comes back in a ping reply (the default minus the number of hops the reply crossed) points at the likely OS:

OPERATING SYSTEM      DEFAULT TTL
Windows               128
Linux                 64
Solaris               255
Cisco / Network       255

[Image: os_fingerprinting - screenshot of ping output against several sites, showing their TTL values]

Watch the TTL values 😉. The sites in the screenshot were picked at random as an example of varying TTL values; there is no particular interest in the sites themselves. Remember that the table lists defaults, not fixed values: an administrator can change them, so treat the result as a hint and confirm it with a traceroute (the hop count should roughly match default minus observed TTL) or a proper fingerprinting tool.
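A worked example of the technique, added here and not code from the post: a short Python script that pulls the ttl= value out of ping output, maps it to the nearest default initial TTL at or above it, works out the implied hop count, and lists the less likely alternatives (ttl=51 is Linux at 13 hops, but could be Windows at 77 hops). A traceroute hop count can then be used to pick between them. Function names and the sample reply lines are my own; the samples are constructed to match the ping output format and reuse the TTL values 51, 224 and 79 that appear in the comment thread below. The script does no network I/O.

```python
"""TTL-based OS guess from ping(8) output (added example, not from the post)."""
import re
from collections import Counter

# Default initial TTLs as given in the post's table. These are defaults only:
# every OS lets an administrator change them (on Linux the sysctl is
# net.ipv4.ip_default_ttl), so treat the result as a hint, not a fact.
INITIAL_TTLS = {
    64: "Linux",
    128: "Windows",
    255: "Solaris / Cisco / network device",
}

_TTL_RE = re.compile(r"\bttl=(\d+)\b")


def parse_ttls(ping_output):
    """Extract the ttl= value from every reply line in ping(8) output."""
    return [int(m.group(1)) for m in _TTL_RE.finditer(ping_output)]


def candidates(observed):
    """All (os, initial_ttl, hops) combinations that could produce `observed`,
    most likely first (fewest hops). A reply cannot arrive with a TTL above
    the initial value, so only defaults >= observed qualify."""
    if not 0 < observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    return [
        (os_name, initial, initial - observed)
        for initial, os_name in sorted(INITIAL_TTLS.items())
        if observed <= initial
    ]


def fingerprint(observed):
    """Best guess: the smallest default initial TTL at or above the observed
    value. Returns the guess plus the less likely alternatives."""
    cands = candidates(observed)
    os_name, initial, hops = cands[0]
    return {
        "observed_ttl": observed,
        "os": os_name,
        "initial_ttl": initial,
        "hops": hops,
        "alternatives": cands[1:],
    }


def reconcile_with_traceroute(observed, traceroute_hops, tolerance=2):
    """Pick the candidate whose implied hop count matches a traceroute, which
    settles cases like ttl=51 (Linux at 13 hops vs. Windows at 77 hops).
    Returns None when no default fits the measured path length."""
    for os_name, _initial, hops in candidates(observed):
        if abs(hops - traceroute_hops) <= tolerance:
            return os_name
    return None


def summarise(ping_output):
    """Fingerprint a whole ping run. If the TTL varies between replies the
    target is probably a load-balanced pool or the route changed, so flag it."""
    ttls = parse_ttls(ping_output)
    if not ttls:
        raise ValueError("no ttl= values found in ping output")
    common = Counter(ttls).most_common(1)[0][0]
    result = fingerprint(common)
    result["ttl_varies"] = len(set(ttls)) > 1
    return result


# Constructed sample reply lines (same format as ping(8), TTL values taken
# from the comment thread: 51 for google.com, 224 for amazon.com).
SAMPLE_GOOGLE = """\
PING google.com (216.58.203.238) 56(84) bytes of data.
64 bytes from 216.58.203.238: icmp_seq=1 ttl=51 time=297 ms
64 bytes from 216.58.203.238: icmp_seq=2 ttl=51 time=289 ms
"""
SAMPLE_AMAZON = """\
PING amazon.com (54.239.25.200) 56(84) bytes of data.
64 bytes from 54.239.25.200: icmp_seq=1 ttl=224 time=508 ms
64 bytes from 54.239.25.200: icmp_seq=2 ttl=224 time=509 ms
"""

if __name__ == "__main__":
    for name, sample in (("google.com", SAMPLE_GOOGLE), ("amazon.com", SAMPLE_AMAZON)):
        r = summarise(sample)
        print(f"{name}: ttl={r['observed_ttl']} -> {r['os']} "
              f"(initial {r['initial_ttl']}, ~{r['hops']} hops); "
              f"alternatives: {r['alternatives']}")
    print("ttl=51 with a 13-hop traceroute ->", reconcile_with_traceroute(51, 13))
```

To use it on a live host, pipe real output in (for example `ping -c 4 host | python3 ttl_guess.py` after adding a `sys.stdin.read()` call) and compare the implied hop count with `traceroute host`; a large mismatch means either a non-default TTL on the target or a middlebox (load balancer, CDN edge) answering on its behalf.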

Simon


2 thoughts on "Simple OS fingerprinting (zero tools)"

  1. One question: are the TTL sizes mentioned above hard coded? I mean the TTL size is not 255 for Solaris.

    Which OS does it mean when the TTL is 51 or 247?

    ejhakun@elx74341nqz:~$ ping google.com
    PING google.com (216.58.203.238) 56(84) bytes of data.
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=1 ttl=51 time=297 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=2 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=3 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=4 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=5 ttl=51 time=288 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=6 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=7 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=8 ttl=51 time=288 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=9 ttl=51 time=295 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=10 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=11 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=12 ttl=51 time=288 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=13 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f14.1e100.net (216.58.203.238): icmp_seq=14 ttl=51 time=289 ms
    ^C
    — google.com ping statistics —
    14 packets transmitted, 14 received, 0% packet loss, time 13013ms
    rtt min/avg/max/mdev = 288.691/290.312/297.673/2.604 ms
    ejhakun@elx74341nqz:~$ ping amazon.com
    PING amazon.com (54.239.25.200) 56(84) bytes of data.
    64 bytes from 54.239.25.200: icmp_seq=1 ttl=224 time=508 ms
    64 bytes from 54.239.25.200: icmp_seq=2 ttl=224 time=509 ms
    64 bytes from 54.239.25.200: icmp_seq=3 ttl=224 time=508 ms
    64 bytes from 54.239.25.200: icmp_seq=4 ttl=224 time=510 ms
    64 bytes from 54.239.25.200: icmp_seq=5 ttl=224 time=507 ms
    64 bytes from 54.239.25.200: icmp_seq=6 ttl=224 time=508 ms
    64 bytes from 54.239.25.200: icmp_seq=7 ttl=224 time=508 ms
    64 bytes from 54.239.25.200: icmp_seq=8 ttl=224 time=508 ms
    64 bytes from 54.239.25.200: icmp_seq=9 ttl=224 time=523 ms
    64 bytes from 54.239.25.200: icmp_seq=10 ttl=224 time=508 ms
    64 bytes from 54.239.25.200: icmp_seq=11 ttl=224 time=507 ms
    64 bytes from 54.239.25.200: icmp_seq=12 ttl=224 time=508 ms
    64 bytes from 54.239.25.200: icmp_seq=13 ttl=224 time=511 ms
    64 bytes from 54.239.25.200: icmp_seq=14 ttl=224 time=508 ms
    64 bytes from 54.239.25.200: icmp_seq=15 ttl=224 time=509 ms
    ^C
    — amazon.com ping statistics —
    15 packets transmitted, 15 received, 0% packet loss, time 14015ms
    rtt min/avg/max/mdev = 507.724/509.754/523.949/3.994 ms
    ejhakun@elx74341nqz:~$ ping facebook.com
    PING facebook.com (31.13.92.36) 56(84) bytes of data.
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=1 ttl=79 time=529 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=2 ttl=79 time=529 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=3 ttl=79 time=529 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=4 ttl=79 time=555 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=5 ttl=79 time=529 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=6 ttl=79 time=529 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=7 ttl=79 time=530 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=8 ttl=79 time=536 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=9 ttl=79 time=537 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=10 ttl=79 time=528 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=11 ttl=79 time=531 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=12 ttl=79 time=528 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=13 ttl=79 time=529 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=14 ttl=79 time=528 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=15 ttl=79 time=969 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=16 ttl=79 time=544 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=17 ttl=79 time=529 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=18 ttl=79 time=531 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=19 ttl=79 time=532 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=20 ttl=79 time=529 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=21 ttl=79 time=529 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=22 ttl=79 time=530 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=23 ttl=79 time=529 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=24 ttl=79 time=528 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=25 ttl=79 time=529 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=26 ttl=79 time=530 ms
    64 bytes from edge-star-mini-shv-01-frt3.facebook.com (31.13.92.36): icmp_seq=27 ttl=79 time=529 ms
    ^C
    — facebook.com ping statistics —
    28 packets transmitted, 27 received, 3% packet loss, time 26996ms
    rtt min/avg/max/mdev = 528.651/548.089/969.794/82.900 ms
    ejhakun@elx74341nqz:~$ ping gmail.com
    PING gmail.com (216.58.203.229) 56(84) bytes of data.
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=1 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=2 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=3 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=4 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=5 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=6 ttl=51 time=293 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=7 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=8 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=9 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=10 ttl=51 time=291 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=11 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=12 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=13 ttl=51 time=291 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=14 ttl=51 time=291 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=15 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=16 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=17 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=18 ttl=51 time=291 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=19 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=20 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=21 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=22 ttl=51 time=290 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=23 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=24 ttl=51 time=293 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=25 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=26 ttl=51 time=289 ms
    64 bytes from sin11s01-in-f5.1e100.net (216.58.203.229): icmp_seq=27 ttl=51 time=291 ms
    ^C
    — gmail.com ping statistics —
    27 packets transmitted, 27 received, 0% packet loss, time 26031ms
    rtt min/avg/max/mdev = 289.350/290.613/293.880/1.157 ms
    ejhakun@elx74341nqz:~$


    1. TTL, also known as time to leave, is the life of a packet in the router ecosystem. Every time a packet goes through a router the TTL is reduced by a value of one; this continues until it arrives at its destination or until the last router makes that value 0, at which point the packet is dropped by that router. This allows packets that don't have valid destinations to die instead of floating in routing "space" / loops. If your ping returns a TTL of 247, that means the packet has gone through 255 – 247 = 8 routers to get to you; think of it as a traceroute that would have 8 hops. If it is 51, then it has most likely gone through 64 – 51 = 13 routers to get to you, so the destination is most likely a Linux box. 51 could also be from a Windows box (128 – 51 = 77 hops), but these are rare cases, since 77 hops are rare to ever find, and this can easily be proven with a traceroute. Please note that these values are not hard coded, so one can choose to change the default to hide their operating system, but people rarely change these.

