How-To Geek

Hacker Geek: OS Fingerprinting With TTL and TCP Window Sizes

Did you know that you can find out which operating system a networked device is running just by looking at the way it communicates on the network? Let’s take a look at how we can discover what operating system our devices are running.

Why Would You Do This?

Determining what OS a machine or device is running can be useful for many reasons. First, let's take an everyday perspective: imagine you want to switch to a new ISP who offers uncapped internet for $50 a month, so you take a trial of their service. By using OS fingerprinting you will soon discover that they have rubbish routers and that their PPPoE service runs on a bunch of Windows Server 2003 machines. Doesn't sound like such a good deal anymore, huh?

Another use for this, albeit not so ethical, comes from the fact that security holes are OS specific. For example, if you do a port scan, find port 53 open and learn that the machine is running an outdated and vulnerable version of BIND, you have a SINGLE chance to exploit the security hole, since a failed attempt would crash the daemon.

How Does OS Fingerprinting Work?

When doing passive analysis of current traffic, or even looking at old packet captures, one of the easiest and most effective ways of doing OS fingerprinting is simply to look at the TCP window size and the Time To Live (TTL) in the IP header of the first packet in a TCP session.

Here are the values for the more popular operating systems:

Operating System                     Time To Live   TCP Window Size
Linux (Kernel 2.4 and 2.6)           64             5840
Google Linux                         64             5720
FreeBSD                              64             65535
Windows XP                           128            65535
Windows Vista and 7 (Server 2008)    128            8192
IOS 12.4 (Cisco Routers)             255            4128

The main reason the operating systems have different values is that the RFCs for TCP/IP don't stipulate default values. Another important thing to remember is that the TTL value will not always match one in the table, even if your device is running one of the listed operating systems. When you send an IP packet across the network, the sending device's operating system sets the TTL to the default TTL for that OS, but as the packet traverses routers the TTL is lowered by 1 at each hop. Therefore, if you see a TTL of 117, this can be expected to be a packet that was sent with a TTL of 128 and has traversed 11 routers before being captured.

Using tshark.exe is the easiest way to see the values. Once you have a packet capture, make sure you have Wireshark installed, then navigate to:

C:\Program Files\

Now hold the Shift key, right-click the Wireshark folder and select "Open command window here" from the context menu.

Now type:

tshark -r "C:\Users\Taylor Gibb\Desktop\blah.pcap" "tcp.flags.syn eq 1" -T fields -e ip.src -e ip.ttl -e tcp.window_size

Make sure to replace "C:\Users\Taylor Gibb\Desktop\blah.pcap" with the absolute path to your packet capture. Once you hit Enter you will be shown all the SYN packets from your capture in an easier-to-read table format.

This is a random packet capture I made of myself connecting to the How-To Geek website. Amongst all the other chatter Windows is doing, I can tell you two things for sure:

  • My local network is 192.168.0.0/24
  • I am on a Windows 7 box

If you look at the first line of the table you will see I am not lying: my IP address is 192.168.0.84, my TTL is 128 and my TCP window size is 8192, which matches the values for Windows 7.

The next thing I see is a 74.125.233.24 address with a TTL of 44 and a TCP window size of 5720. If I look at my table there is no OS with a TTL of 44; however, it does say that the Linux that Google's servers run has a TCP window size of 5720. After doing a quick web search of the IP address you will see that it is in fact a Google server.
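To make the reasoning above repeatable, here is an added example (not code from the article or from Wireshark) that classifies the tab-separated lines the tshark command prints (ip.src, ip.ttl, tcp.window_size). It applies the article's table and its TTL rule: the observed TTL is rounded up to the nearest common initial TTL (64, 128 or 255), the difference is the estimated hop count, and the (initial TTL, window size) pair is looked up. The sample output lines are constructed for the example and are not taken from the author's capture.

```python
"""Passive OS fingerprinting from TTL and TCP window size (added example)."""
from dataclasses import dataclass
from typing import List

# (initial TTL, TCP window size) -> OS guess, straight from the article's table.
FINGERPRINTS = {
    (64, 5840): "Linux (kernel 2.4 / 2.6)",
    (64, 5720): "Google Linux",
    (64, 65535): "FreeBSD",
    (128, 65535): "Windows XP",
    (128, 8192): "Windows Vista / 7 (Server 2008)",
    (255, 4128): "Cisco IOS 12.4",
}

# Common initial TTLs; an observed TTL is rounded up to the smallest of these.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample lines in the shape of:
#   tshark -r capture.pcap "tcp.flags.syn eq 1" -T fields -e ip.src -e ip.ttl -e tcp.window_size
SAMPLE_TSHARK_OUTPUT = """\
192.168.0.84\t128\t8192
74.125.233.24\t44\t5720
192.168.0.1\t255\t4128
10.0.0.7\t117\t65535
203.0.113.9\t52\t14600
"""


@dataclass
class Guess:
    src: str
    ttl: int
    window: int
    initial_ttl: int
    hops: int
    os_guess: str


def initial_ttl_for(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial TTL."""
    for candidate in INITIAL_TTLS:
        if ttl <= candidate:
            return candidate
    raise ValueError(f"TTL {ttl} is not a valid IPv4 TTL")


def classify_line(line: str) -> Guess:
    """Parse one tshark field line and look it up in the table."""
    src, ttl_s, win_s = line.rstrip("\n").split("\t")
    ttl, window = int(ttl_s), int(win_s)
    init = initial_ttl_for(ttl)
    # Hop count is the number of routers that decremented the TTL on the way here.
    hops = init - ttl
    os_guess = FINGERPRINTS.get((init, window), "unknown")
    return Guess(src, ttl, window, init, hops, os_guess)


def classify_output(text: str) -> List[Guess]:
    """Classify every non-empty line of tshark output."""
    return [classify_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for g in classify_output(SAMPLE_TSHARK_OUTPUT):
        print(f"{g.src:16} ttl={g.ttl:3} (initial {g.initial_ttl}, "
              f"{g.hops:2} hops) win={g.window:5} -> {g.os_guess}")
```

Two things worth noting when reading the output. The filter "tcp.flags.syn eq 1" matches SYN/ACK replies as well as the initial SYN, which is why a remote server's response (the Google host above) shows up alongside your own SYNs. And a window size absent from the table, like the last constructed line, simply yields "unknown": the table only covers default values, and a host with tuned TCP buffers will not match it.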

What else do you use tshark.exe for, tell us in the comments.

Taylor Gibb is a Microsoft MVP and all-round geek; he loves everything from Windows 8 to Windows Server 2012 and even C# and PowerShell. You can also follow him on Google+.

  • Published 02/1/12

Comments (21)

  1. Denis

    Thanks! Very useful tip. Never used any except Wireshark.exe

  2. Hillmi

    Nice job giving young hackers some basic training!

  3. Jasper

    So – how I can change it on Windows 7 Ultimate ? Any old-school reg hacks ?

  4. Charlotte

    Hi! I'm confused. I joined recently to gain more computer knowledge that I knew your site supplies, but are you also helping those who steal information? There are a lot of not-so-savvy computer users (like myself) that don't understand if this article is to help hackers, or to help us protect our computers from hackers stealing our information?

    Thanks for letting me comment.

  5. TheFu

    I think ‘nmap’ does a pretty good job at OS and device detection in a single command and is pretty easy to use.

    $ sudo nmap -O -v -sV 192.168.0.0/24

    It needs to run as Administrator on Windows. Sometimes I forget what devices are running on the network. This is an easy way to be reminded.

    nmap has all sorts of other uses too.

  6. Scarab

    @Charlotte , you’re in the wrong place to ‘learn how to keep hackers out’. The biggest flaw with a computer is YOU! You can be social engineered using XSS with ease (based on your ignoramus comment).

    @TheFu, you're right on track my friend. Nmap would be the obvious choice for doing a little digging. However, this will work at any workstation you sit down at (provided you can get access to cmd).

  7. Karan

    Very good article. Explains the basics of packet capturing syn and ack. Well mostly syn.
    And Great beginners table for the OS tcp window size.

    Keep up the good work.

  8. Harbicool

    I agree with TheFu, nmap does a pretty good job along with more details of the OS version and other stuff; also there is another one, I guess called fing-overlook, a tool for network and service discovery able to detect the OS over the network.

    Thank you

  9. chen

    My doubt is that if there is a firewall installed on a system, will the firewall alert be triggered when nmap or tshark is used against the system?

  10. James

    Charlotte,

    Hackers aren't necessarily out to steal your information, ruin your computer or other stupid things.

    Please, follow this link: http://www.hackingisnotacrime.org

    Thanks.

  11. Harbicool

    @chen, if your question is about the OS fingerprint, I believe nmap will analyze the TCP ACK and sequence number generator; if this is disabled or blocked by the firewall and no acknowledgment happens, the packet will simply be dropped.

  12. DJMullen

    @Charlotte I have to agree with Scarab. You are in the WRONG place. By the comment you left, I can tell you are a USER

  13. RandomInternetUser

    Wow that’s pretty cool. Thanks. I’m used to using Nmap for this but this will come in real handy. ;)
    Thanks!

  14. Taylor Gibb

    @all the people who say nmap is better: as far as I know you can't use nmap to analyze a pcap file, in other words you can only use it on live traffic? I will cover nmap in an upcoming article. :)

  15. nothing

    @charlotte – please excuse Scarab’s poor tact, because whilst he said it in a somewhat offensive manner, his point was correct. Fingerprinting an OS to find vulnerabilities is a very inefficient way to compromise end users. People who wish to attack end users’ computers primarily want to gather information from very large groups of them, because the amount of money that can be made from a single one is usually small.

    Therefore, as an end user, you are most at risk from malware attacks that trick you into opening an attachment or clicking a link that compromises your computer. The kind of attack described here is more pertinent to content providers than content consumers like yourself; an attacker would use this method to compromise a website that you might visit and plant a virus to infect every visitor’s machine rather than just your own.

    The article is therefore of use to the content providers who wish to better understand how to protect their systems from being used against their customers (and of course it’s of use to the people who want to attack those systems).

    Thanks for the article TG :)

  16. Greg

    Some of you may find this interesting as well:
    https://share.sandia.gov/news/resources/releases/2006/images/wireless-fingerprinting.pdf

    Or just google for:
    Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting

  17. Charlotte

    Thanks for all the comments, especially the nicer ones. It is true, I’m totally out of my element and I am absolutely lost but will get there. Not where most of you are, but I’ll get there in managing my own computer. I thought this website would be a learning tool for me but I believe I am definitely in the wrong place. You folks really seem to know your stuff. Keep up the good work. Guess some computer classes are in the near future for me on the basics. Take care. :)

  18. Knarkill

    Charlotte – NEVER STOP ASKING QUESTIONS!!!!

    Don't listen to the negative. Negative comments tell you the responders' age, much like this article shows you what OS (operating system) is being used. Everyone here was new to computers at one point; it's just that some of these guys/gals have nothing else in their lives to do and try to fill the hole in their lives by being "above" you. Usually they're just what we call "Script Kiddies" (google this term) and really don't know much, so don't get frustrated and never give up.

    You are doing the right thing by trying to learn for yourself. Although some articles may be too much at first, you can google the terms you don't understand and maybe just learn a little here and there. Community colleges might have some courses that could really help your understanding.
    Remember the whole point of this web site is to teach and spark interest in IT. If they knew everything then why would they need to join this site?

    What they didn't tell you about hacking is the truth. Crackers are people who hack with a malicious intent. Hackers use these tools to test the security of their own networks. If I run a bank, I have to test my security to see where the vulnerabilities are so I can correct them. Hacker is a misused term!!! Hacker does not necessarily mean a bad thing.
    These tools are really used to probe networks to map out the network and find as much info as you can to decide what the best angle for an attack is. These tools are for "recon". At no point has this site ever truly shown anyone how to maliciously do anything.

    Good luck, and never let anyone tell you what you can and can’t do.

    Sincerely,
    Knarkill ——> White Hat (google this term and more of my explanation might make more sense.)

  19. Charlotte

    Thank you so much, Knarkill. I appreciate your help and explanations, etc. I am going to print your comment out and I want to take some computer courses to help me learn also. I never realized what a world of knowledge there is to learn in the computer world but I’m beginning to grasp it slowly.

    Again, thank you. Take care.

  20. Keith Schmidt

    Charlotte,
    First of all, kudos to “Knarkill” for saying never stop asking questions! Articles like these are not intended to be an education for young hackers. There’s a plethora of information out there accessible to anyone able to utilize a search engine and type “hacking”, “hacking tools”, etc.
    It's one thing to be able to follow a how-to article on how to forward ports for a game that requires such a thing (and if you don't even know what that means, it doesn't matter). It's a higher accomplishment to read several such articles, understand how ports work and better secure your system.
    As an example, I play an online game that requires me to forward ports on my router. I could have simply followed step-by-step instructions on some website to allow me to do such a thing. My existing knowledge, however, would allow me -if I was so inclined- to block the port for voice chat in the game should I deem the things I hear to be unfit for someone younger playing the game. My existing knowledge also allows me to watch a television show in real-time on my laptop during breaks at school through my home computer (which would be impossible if the school blocked a certain port).
    I really have to say that people that read these types of articles are generally the type of people that are always looking for solutions to problems that don't exist (and that ROCKS!). They want to know, and their quest for knowledge in their field of interest can be unquenchable.
    A lot of people buy a router, (simply) plug it in and let it go. After reading a few articles on how easy it is to “crack” -using another definition of the word- WEP encryption and/or “WiFi Protected Access” will make those same people change some settings and alter their practices.
    I hope my comment makes sense.

    *** (btw, a cracker is not a hacker who hacks with malicious intent. A “cracker” has always been regarded as someone who removes the copy-protection from software. There’s other terms, such as “phreak”, who is someone who likes to explore with and play with telecom equipment (i.e. in years gone by, you could build a “blue box” with plans easily obtained and parts readily bought at Radio Shack that would emit a 2600Hz tone into a telephone line allowing the user to drop into a “trunk”, essentially acquiring the capabilities of a telephone operator, although you needed additional tones to perform operator-like abilities)). But I digress. “Knarkill” is right on target.

    Best Regards,
    Keith A. Schmidt

  21. C

    The author of this post should read this:
    http://nmap.org/book/osdetect-methods.html#osdetect-w

    Or, in other words, your TTL values (e.g. for Linux) are wrong. In fact, there can be multiple values for at least one OS and I've seen many on my Linux machines (and if you aren't counting defaults, then it's even more, as I'll quote from the man page of tcp at the end (marked *)). Indeed these are useful, but they are not the only thing that can guarantee this OS or that OS. If you were to rely only on that you'd have a lot of false positives. As nmap osscan also suggests, having at least one open port and one closed port (as opposed to filtered) is useful.

    Now, as for Keith. Sorry to burst your bubble, but you're simply wrong about 'cracker'. By saying that, you're saying that context is not important. Now, if we decide context is not important, then you can just as well say cracker is a food and nothing else (or something else, whichever comes to mind first). Your definition would be more like reverse engineering. However, because context is important, and because we all know there's more than one type of engineering, that doesn't mean it's only that, does it? (Cracker can mean what you say, but it's not only that!) Thought as much. So, put another way, anyone who has been even slightly on the 'dark' side of computer security in the past 20-30 years would know your claim is complete nonsense. In fact, anyone who is older than say 15 (and that is not very generous: it could be much lower) would know that there's different reasons people do different things. Context is important!

    Fact is, de facto or not, cracker DOES mean what you said it does not. Wiki knows that, the H/P community knows that, the Hacker FAQ even knows it… The term has been around for at least 20 years… as that definition. You know what they also know (here’s a key thing)? They also know that many don’t know that and use the term hacker for malicious intent. Yet, if you think about it and go back in time, you’d know that hacker started out as a good thing, not as a bad thing. Matter of fact, if it weren’t for them, you wouldn’t be typing this on the internet, that much I do know… Just because there exists some bad people doesn’t mean there aren’t good people (and the reverse is true too). There are many more examples and analogies. However, I’ll end it with saying: You’re basically saying (or implying) in a rather indirect way that synonyms shouldn’t exist (and that you should only have one word for one thing).

    I quote from the jargon file:
    “One who breaks security on a system. Coined ca. 1985 by hackers in defense against journalistic misuse of hacker (q.v., sense 8). An earlier attempt to establish worm in this sense around 1981–82 on Usenet was largely a failure.

    Use of both these neologisms reflects a strong revulsion against the theft and vandalism perpetrated by cracking rings. The neologism “cracker” in this sense may have been influenced not so much by the term “safe-cracker” as by the non-jargon term “cracker”, which in Middle English meant an obnoxious person (e.g., “What cracker is this same that deafs our ears / With this abundance of superfluous breath?” — Shakespeare’s King John, Act II, Scene I) and in modern colloquial American English survives as a barely gentler synonym for “white trash”.”

    *TCP dynamically adjusts the size of the receive buffer from the defaults listed below, in the range of these values, depending on memory available in the system.
    *TCP dynamically adjusts the size of the send buffer from the default values listed below, in the range of these values, depending on memory available.
