APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Remote OS fingerprinting

Girish Venkatachalam

Girish Venkatachalam is a UNIX hacker with more than a decade of networking and crypto programming experience. His hobbies include yoga,cycling, cooking and he runs his own business. Details here:



What is meant by OS fingerprinting?

It must be familiar to UNIX geeks. There are popular tools like nmap that help you identify which hosts run Windows and which hosts run Linux. This can be as specific as even getting to know if a patch or service pack in Windows was installed.

But there is a problem with nmap OS fingerprinting as it uses active fingerprinting. Not a great idea. We want to use passive OS fingerprinting. In passive OS fingerprinting we rely on TCP SYN packets from the remote host to identify the OS. This is quite reliable though it can be trivially spoofed. I would imagine that if we use passive OS fingerprinting we can be reasonably sure about the remote OS.

It can be used as a policy tool to implement firewalling that can protect us against Windows worms or viruses. We can have a logical separation between Windows hosts and other hosts.

Passive OS fingerprinting can help us in many other ways too. We can find out many things that are hidden from the eyes of systems administrators. A tool called p0f is famous for doing passive OS fingerprinting correctly. And OpenBSD pf, the firewall in OpenBSD has inbuilt ability to do fingerprinting. You can also change the string that it displays for identifying the OS by specifying it in a file /etc/pf.os on any OpenBSD machine.

p0f and OpenBSD pf both use the TCP default Window size, time to live, the presence of absence of the DF(dont fragment) bit in IP header, the size of the SYN packet and the options in TCP header to identify the remote OS through passive fingerprinting.

You can identify what software people have installed by looking at the greeting message of TCP protocols by simply connecting to them with netcat. You can know if people use sendmail, postfix or MS Exchange. You can identify the OpenSSH version, you can know which web server people use and many other networking forensic data can be collected.

If you wish to know the countries that hit your web server, then GeoIP can help you lookup IP address and know where the ISP is located. This is not accurate as most free tools don't have the correct database. You have to do some crosschecks before arriving at the right tool.

Network forensic analysis is towing the thin line between hacking and cracking. We are not interested in prying into other people's or other network's innards. But you can use such tools for several useful applications without intruding into other's privacy.

Network scanning is also useful to know which services are running on UNIX hosts and request users to turn off harmful services. NAT is a blessing in disguise because most machines are not accessible to the big bad Internet. If that were not the case we would be having a lot more attacks than now.


  1. nmap homepage
  2. p0f homepage
  3. OpenBSD pf FAQ

Got something to add? Send me email.

1 comment

Increase ad revenue 50-250% with Ezoic

More Articles by © Girish Venkatachalam

Tue Sep 1 03:16:55 2009: 6830   xnih

p0f is a good start but only touches on TCP Syn/Ack/Reset packets. It misses out on higher level stuff and other protocols completely.

The paper is getting old now (Aug 2005), but:

It touches on other protocols that can be used for passive fingerprinting. Easy stuff like web agent fingerprinting, smb packets, mdns, sap/ipx, etc.

Or a full paper just on DHCP fingerprinting:

Again, all passive stuff.

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

A man can be destroyed but not defeated. (Ernest Hemingway)

UNIX does not allow path names to be prefixed by a drive name or number; that would be precisely the kind of device dependence that operating systems ought to eliminate. (Andrew S. Tanenbaum)

This post tagged: