A brief overview


When probing a system for vulnerabilities it is important to know as much about the system as possible. The more you know about the system, the better the understanding you have of how it operates. By knowing this, you in turn have a much better idea on what could be wrong with
the system. One of the most important piece of information on the system to know is the operating system. This article will give you an insight into detecting the operating system of a remote system, and a brief look into the techniques used. Neither me, Hackthissite.org or anyone else is responsible with what you do with this information, except you. The information in this article has been adapted from Hacking Exposed - Network Security Secrets & Solutions by Stuart McClure, Joel Scambray and George Kurtz.

-Active Operating System Detection

Active operating system detection involves actively communicating with the target system. This means that the attacker will send certain packets to the system in order to resolve what operating system is running, or at least an educated guess. This can be done in many ways, but the two main ways are banner grabbing and active stack fingerprinting. I will give a brief overview of both.

- Banner Grabbing

Banner grabbing is the process of simply connecting to a service and analysing the response from that service. The information sent back can show the attacker what process is running and its version. Not only does this help narrow down the operating system being run on the system, but it also tells the attacker whether the system is running vulnerable applications. This can be achieved in many ways, I will show how to use Telnet to do this as many people here don't know how useful it can be. However there are better methods such as using Netcat for example. Netcat in particular can give more information then Telnet at times.

Ok, the first thing to do when banner grabbing with Telnet is to open Konsole, Terminal, Command Prompt or whatever and type the following command:

telnet host port

Then press enter a few times to get a response. It's as easy as that. So for example, after port scanning a machine, the attacker finds that port 21 is open on the machine and wants to know what ftp application it's running. The attacker simply enters the following command:

telnet www.victim.com 21

And get a response like the following:

220 ProFTPD FTP Server ready.

The attacker now knows what ftp server the victim is using, and can search for vulnrabilities for it. However, the attacker hasn't got a version number this time. A better tool for banner grabbing is Netcat.

Netcat can sometimes give more information about the target system than Telnet. To use Netcat (after downloading it) to grab a banner on port 80 of a system, the attacker uses the following command:

nc -v host port

Then, the attacker simply either presses enter a few times to generate output, or failing this, enter "GET / HTTP/1.0" with a few more enters after to get a response. For example, using this banner grabbing technique on HTS would look like this:

nc -v hackthissite.org 80 [enter]
GET HTTP / HTTP/1.0 [enter]

The server then sent back:

HTTP/1.1 200 OK
Date: Thu, 31 May 2007 03:00:46 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.0 with Suhosin-Patch
X-Powered-By: PHP/5.2.0
Connection: close
Content-Type: text/html

The attacker has successfully got the http server application name and version, PHP's version and patch (I believe?), and that it's Unix based. The attacker would now look for vulnrabilities in these technologies and use them against the target. (Providing he/she can find new vulnrabilities (or existing) in them).

Banner grabbing can be very useful when trying to actively detect operating systems. However, a more accurate technique exists. I will now discuss the second method, Active Stack Fingerprinting.

-Active Stack Fingerprinting

Stack Fingerprinting is the method of distinguishing an operating system by analysing the IP stack implementation of a system. This is because each "vendor" interprets RFC guidance differently to other vendors when creating their own TCP/IP stack. This means that an attacker can make a rather accurate guess at what operating system is being used by a system by probing the system for these differences.

Hacking Exposed : Network Secrets & Solutions has a great definition of some probes which can be sent to discover what operating system is being used. These are usually used together to narrow the possible operating system down as much as possible. These probes are as follows (Largely ADAPTED from the book mentioned):


Fin Probe - A FIN packet is sent to an open port. RFC states that this should be ignored, however many stack implementations respond with a FIN / ACK. These include Windows NT/2000/2003.

Bogus Flag Probe - An undefined TCP flag is set in the TCP header of a SYN packet. This can be used to identify a system as some operating systems reply with a response with the same flag set. This includes Linux.

ISN Sampling - Initial Sequence Number sampling is the method in which the pattern in the initial sequence chosen by the TCP implementation, which further narrows the operating system range as this differs per operating system.

Don't Fragment Bit Monitoring - Some operating systems use the "Don't Fragment Bit" option in order to increase performance. By monitoring whether this is set in the response, we can see further narrow down the operating system range.

TCP Initial Window Size - The initial window size on returned packets is unique for some stack implementations. Therefore, tracking this can greatly help us deduce what operating system is being run.

ACK Value - The sequence value used for the ACK field differs in IP stack implementations. Therefore, some will respond with the same sequence number that was sent to them, yet some will send back the sequence number + 1.

ICMP Error Message Quenching - Some operating systems follow the RFC recommendation and limit the rate at which error messages are sent. This can be tested by sending UDP packets to high number ports and then counting the number of error messages received in a certain
duration of time.

ICMP Message Quoting - Analysing the amount of quoted information from ICMP errors helps narrow the operating system range as operating systems differ in amount quoted.

ICMP Error Message-Echoing Integrity - When ICMP error messages are returned, their IP headers can be analysed for changes made by the operating system, as they differ.

Type of Service - This method includes examining the Type of Service in ICMP port unreachable error messages. This is because most stack implementations use 0, but others sometimes vary.

Fragmentation Handling - This method is based on the fact that different stack implementations handle overlapping fragments differently. The reassembled fragmented probe packets are examined to see how they were reassembled, as some stacks will overwrite the old data with the
new data, but some will do the opposite.

TCP Options - This method works by sending a packet with lots of options set. This helps us because we know that the more advanced options are normally implemented in the most current stack implementations. From this, we are able to make more assumptions about the operating
system used.


Wow, lots of information there. I have added to this information to try and make it easier to understand (I have trouble understanding some parts) (which is why I said "adapted" instead of "from")

So, how does the attacker use this to prove the operating system? Well he/she could probably craft the packets themselves and use a packet sniffer to record the result, or they could use a tool to do it for them. Such a tool is Nmap (go get it if you don't have it). Nmap uses almost all of the methods shown in the table-like thing above in order to make the most accurate guess it can as to which operating system is being run. The attacker does this using a very simple command as shown below:

nmap -O host

Nmap will then proceed to use the methods shown above to try and deduce the operating system on the host (expect fragmentation handling and ICMP error message queuing). An example could look as follows:

nmap -O [enter]
Starting Nmap 4.21ALPHA4 ( http://insecure.org ) at 2007-05-31 02:03 GMT Standard Time
Interesting Ports on
Not shown: 1698 filtered ports
25/tcp open smtp
53/tcp closed domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
Device type: general purpose
Running: Linux 2.4.X|2.6.X
OS details: Linux 2.4.20 - 2.4.22, Linux 2.6.10 - 2.6.11

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 114.445 seconds

The attacker has now gained a highly accurate guess as to what operating system is being used by the target, which in this case was guessed as being Linux 2.4.20 - 2.4.22, Linux 2.6.10 - 2.6.11. This occurrence of nmap's stack fingerprint method was very accurate. However, this is only so because there was an open port. On machines which have no open ports, nmap will be a lot less reliable. It will however, still attempt to guess the operating system in use.

Now that the attacker has an educated guess of the operating system in use, he/she can try to exploit it. The attacker will also have a much better idea of what applications will be being used on the system, and generally how secure it is (by the version).

-Passive Stack Fingerprinting

Active operating system identification, as mentioned earlier, involves sending packets to the target in order to guess the operating system in use. However, because packets are sent to the target, an intrusion detection system can quite easily figure out that the attacker is attempting an Operating system identification probe. So what can the attacker do to be more sneaky? Use passive stack fingerprinting.

This method is more stealthy and less detectable than the active "version" because the attacker does not send packets to the system to determine the operating system. Instead, the attacker simply "passively" monitors the targets traffic. (NOTE: The attacker will have to be in "a central location on the network and on a port that allows packet capture" - Hacking Exposed)

When monitoring the traffic, the attacker will analyse several attributes of a TCP/IP session. For example, the attacker will take note of the TTL (the time to live set on the packet by the operating system), the Window Size (the default window size set by the operating system), and the state of the DF (If the operating system sets the Don't Fragment bit or not). Because stack implementations differ between operating systems, the attacker can use the results to deduce the operating system being run on the target machine. This is not as accurate as active stack fingerprinting, and is harder to achieve, but is more likely to get past and IDS that may be in place on the network.

Well, that's about it. I suppose I should give a list of tools you can use:

-Nmap -For port scanning, and Active stack fingerprinting (along with tons of other uses)
-NetCat -Great multi-purpose tool. Used in this article for banner grabbing
-Queso -OS Detection
-Wireshark (ethereal) -Packet sniffer
-Siphon -port mapping, passive OS detection and network topology tool

Thanks for reading.

NOTE: As I said, I ADAPTED this information from the book mentioned. This is basically my understanding of it, so please, limit the posts which read "OMGZ U LEIK COPIED!!1!"!. Also note that I'm freakin tired, so there's bound to be errors and spelling mistakes. Please correct any incorrect assumptions or inane ramblings.

Information adapted from Hacking Exposed (- Stuart McClure, Joel Scambray and George Kurtz) and http://insecure.org/nmap/osdetect/ (- Fyodor). The latter is a much more in depth and detailed article on OS detection than this article. So if you're interested, or you find my article to be missing parts or just shit, read that paper!