Techniques to Determine Operating System

Attackers use various internet tools, including Netcraft, Shodan, Nmap, and Censys, and tactics to identify the target organization's operating system. Such information also helps attackers spot potential weaknesses and discover efficient strategies to attack the target. 

One of the key steps an attacker must take to compromise a target is determining which operating system is the target. Different operating systems can communicate with one another in a network thanks to the implementation of various standards. The OS operating on the target system can be identified by looking at specific parameters/fields in the IP header, such as TTL and TCP Windows Size. These values differ amongst OSs, as the accompanying table explains.

Operating System Time to Live TCP Windows Size
Linux (Kernel 2.4 and 2.6) 64 5840
Google Linux 64 5720
FreeBSD 64 65535
OpenBSD 64 16384
Windows 95 32 8192
Windows 2000 128 16384
Windows XP 128 65535
Windows 98, Vista, and 7 128 8192
iOS 12.4 (Cisco Router) 255 4128
Solaris 7 255 8760
AIX 4.3 64 16384


  • The ping command can sometimes provide clues about the OS running on a remote host based on how it responds to various ICMP packets. For example, different OSs may have different TTL (Time To Live) values, which can be used for OS fingerprinting.
  • Connecting to a network service (such as a web server or FTP server) and examining the banners or answers it provides is known as "banner grabbing". The OS and version operating on the target system may be revealed by the information in these banners.
  • Active Fingerprinting Tools like p0f and Xprobe2 perform active OS fingerprinting by sending specially crafted packets to a target and analyzing the responses to determine the OS and sometimes even the version.
  • Passive Fingerprinting techniques involve observing network traffic patterns and characteristics without actively probing the target. Tools like p0f can also be used for passive fingerprinting.
  • Sometimes, information about the client's OS and browser can be found in the HTTP User-Agent Strings header, which is used in web application security analyses. OS detection can be done using this information.
  • Port Scanning tools like Netcat or Masscan can be used to identify open ports on a target system. The combination of open ports and known services running on them can provide clues about the underlying OS.
  • Performing a reverse DNS lookup on an IP address can sometimes reveal the hostname associated with it. The hostname may reveal information about the OS or the company.
  • The OS of a server can occasionally be determined by looking at DNS records and historical data based on the domain or subdomain names.
  • Machine Learning-Based Techniques: Some advanced OS detection methods use machine learning algorithms to analyze network traffic patterns and make predictions about the underlying OS.


Netcraft: Attackers use the Netcraft tool to identify all the sites associated with the target domain along with the operating system running at each site. 

Shodan is a computer search engine that searches the Internet for connected devices (routers, servers and IoT). You can use Shodan to discover which devices are connected to the Internet, where they are located, and who is using them. 

Nmap, short for Network Mapper is a free and open-source command-line (CLI) tool for network discovery and security assessment. In Nmap, the -o option is used to perform OS discovery, which displays the OS details of the target machine. Nmap Script Engine (NSE) can also be used, smb-os-discovery is an inbuilt script used for collecting OS information through SMB protocol. In Nmap, the -sC option can be used to activate NSE scripts.  

Wireshark: Capture the response generated from the target machine and observe the TTL and Window Size fields in the first captured TCP Packet. By comparing these values with those in the above table, you can determine the target OS.

Censys monitors the infrastructure and discovers unknown assets anywhere on the Internet. It provides a full view of every server and device exposed to the Internet. Attackers use this program to keep an eye on the target IT infrastructure and find all the devices connected to the internet, as well as information about them such as the operating system, IP address, protocols, and location.

p0f v3 is a well-known sniffer that uses a vast array of complex methods to examine intercepted packets and OS fingerprints. The creators claim that p0f v3 can identify the operating system running on a distant computer even when Nmap is unable to do so (for example, when the network is firewalled).

X probe is the active fingerprinting technique tool similar to Nmap's approaches and use cases. Most notably, the X probe may identify suspicious nodes with altered TCP/IP stack configurations as well as honeypots (i.e., decoy servers used to entice and expose unwary hackers).

Unicornscan: the OS can be identified by observing the TTL values in the acquired scan results. To perform Unicornscan, the syntax #unicornscan <target_ip>.

Ettercap is a sniffer that is widely known in hackers’ narrow circles as a tool frequently used for MiTM attacks. Ettercap supports nearly all Linux versions (except for OpenSuSe) and UNIX/BSD platforms (except for Solaris). Some geniuses have reportedly launched Ettercap on macOS, but their names are kept secret for security reasons.

    It's vital to remember that OS detection may not always be precise because it depends on several variables that the target system may change or conceal. Additionally, ethical considerations and legal regulations must be followed when performing OS detection on remote systems, especially those not under your control. Before engaging in any network scanning or probing operations, always be sure you have the right authorization.

    We hope this helps. If you have any suggestions or doubts you can add a comment and we will reply as soon as possible.

    No comments:

    Post a Comment