Discovering the Operating System Using ICMP

December 22, 2016 | Views: 10513


Ping and traceroute form a simple pair of tools for operating system recognition. The technique adds the number of hops to the host (from traceroute) to the TTL seen in the ping reply, to estimate the initial TTL the host set on the packet.

Firstly, we must know the initial TTL value that the various operating systems usually set on outgoing packets.

– Cyclades = Usually 30

– Linux = Usually 64

– Windows = Usually 128

– Cisco = Usually 255

– Linux + iptables = Usually 255

The first command to execute is traceroute.

shady@arch:~|⇒  traceroute www.cybrary.it

traceroute to www.cybrary.it (104.20.37.13), 30 hops max, 60 byte packets

1  192.168.11.1 (192.168.11.1)  1.244 ms  1.558 ms  1.702 ms

2  jump1.com (123.123.123.123)  5.820 ms  5.812 ms  6.414 ms

3  jump2.com (124.124.124.124)  6.370 ms  6.500 ms  6.942 ms

4  jump3.com (125.125.125.125)  7.154 ms  7.068 ms  6.932 ms

5  jump4.com (126.126.126.126)  48.257 ms  48.242 ms  48.679 ms

6  jump5.com (127.127.127.127)  47.500 ms  44.990 ms  44.519 ms

7  104.20.37.13 (104.20.37.13)  47.661 ms  45.894 ms  47.833 ms

Note the total hop count, which is equal to 7.

Now we find the TTL of the reply with the ping command.

shady@arch:~|⇒  ping www.cybrary.it -c 1 

PING www.cybrary.it (104.20.36.13) 56(84) bytes of data.

64 bytes from 104.20.36.13 (104.20.36.13): icmp_seq=1 ttl=58 time=45.1 ms

--- www.cybrary.it ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 45.192/45.192/45.192/0.000 ms

The TTL in the reply is equal to 58. Adding the hop count gives 58 + 7 = 65. The result is very close to 64, so you can deduce that the host is running Linux.
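The following Python script is an added example, not code from the original post. It applies the rule above to the post's own ping and traceroute output, embedded here as sample text so it runs offline. The lookup table is the one given earlier in the post; the parsing functions, the nearest-match step and the `fingerprint` wrapper are my additions. One caveat worth keeping in mind: the destination host does not decrement the TTL of its own reply, so on a symmetric path the exact initial value is the observed TTL plus the number of routers in between (hops minus one), which is why 58 + 6 gives exactly 64; matching to the nearest well-known value absorbs that one-hop difference. The table entries are defaults only, and a firewall or load balancer in front of the host can rewrite TTLs (the "Linux + iptables" row is one such case), so the result is a hint, not a definitive identification.

```python
import re

# Well-known initial TTL values, taken from the table earlier in the post.
# Several systems share a value, so the map goes from TTL to a list of names.
INITIAL_TTLS = {
    30: ["Cyclades"],
    64: ["Linux"],
    128: ["Windows"],
    255: ["Cisco", "Linux + iptables"],
}

# Constructed sample input: the ping and traceroute output shown in the post,
# embedded here so the script runs without network access.
PING_OUTPUT = """\
PING www.cybrary.it (104.20.36.13) 56(84) bytes of data.
64 bytes from 104.20.36.13 (104.20.36.13): icmp_seq=1 ttl=58 time=45.1 ms
"""

TRACEROUTE_OUTPUT = """\
traceroute to www.cybrary.it (104.20.37.13), 30 hops max, 60 byte packets
 1  192.168.11.1 (192.168.11.1)  1.244 ms  1.558 ms  1.702 ms
 2  jump1.com (123.123.123.123)  5.820 ms  5.812 ms  6.414 ms
 3  jump2.com (124.124.124.124)  6.370 ms  6.500 ms  6.942 ms
 4  jump3.com (125.125.125.125)  7.154 ms  7.068 ms  6.932 ms
 5  jump4.com (126.126.126.126)  48.257 ms  48.242 ms  48.679 ms
 6  jump5.com (127.127.127.127)  47.500 ms  44.990 ms  44.519 ms
 7  104.20.37.13 (104.20.37.13)  47.661 ms  45.894 ms  47.833 ms
"""


def parse_ping_ttl(output):
    """Return the ttl= value from the first echo reply line of ping output."""
    match = re.search(r"\bttl=(\d+)", output)
    if match is None:
        raise ValueError("no echo reply with a ttl field found")
    return int(match.group(1))


def parse_hop_count(output):
    """Return the highest hop number printed by traceroute (the destination's line)."""
    hops = [int(m.group(1))
            for m in re.finditer(r"^\s*(\d+)\s", output, re.MULTILINE)]
    if not hops:
        raise ValueError("no hop lines found in traceroute output")
    return max(hops)


def estimate_initial_ttl(observed_ttl, hops):
    """The post's rule: add the traceroute hop count to the TTL seen in the reply."""
    return observed_ttl + hops


def guess_os(estimated_ttl, observed_ttl):
    """Map the estimate onto the nearest well-known initial TTL.

    A reply can never arrive with a TTL larger than the value it started with,
    so only initial values >= observed_ttl are candidates; among those we take
    the one closest to the estimate (ties go to the smaller value). The nearest
    match absorbs the one-hop slack in the post's sum, since the destination
    does not decrement the TTL of its own reply.
    """
    candidates = [ttl for ttl in INITIAL_TTLS if ttl >= observed_ttl]
    if not candidates:
        raise ValueError("observed TTL exceeds every known initial value")
    best = min(candidates, key=lambda ttl: (abs(ttl - estimated_ttl), ttl))
    return best, INITIAL_TTLS[best]


def fingerprint(ping_output, traceroute_output):
    """Run the whole procedure over captured tool output and return the pieces."""
    observed = parse_ping_ttl(ping_output)
    hops = parse_hop_count(traceroute_output)
    estimate = estimate_initial_ttl(observed, hops)
    best, names = guess_os(estimate, observed)
    return {"observed_ttl": observed, "hops": hops, "estimate": estimate,
            "initial_ttl": best, "candidates": names}


if __name__ == "__main__":
    result = fingerprint(PING_OUTPUT, TRACEROUTE_OUTPUT)
    print("reply TTL %(observed_ttl)d + %(hops)d hops = %(estimate)d, "
          "nearest initial TTL %(initial_ttl)d -> %(candidates)s" % result)
```

Run as-is it reproduces the post's reasoning (58 + 7 = 65, nearest known value 64, so Linux); to use it on your own captures, paste the output of `ping -c 1` and `traceroute` into the two sample strings, or read them from files. The `observed_ttl` lower bound in `guess_os` is what stops a reply with TTL 117, for instance, from being matched to 64 just because 64 happens to be the closest table entry.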

21 Comments
  1. This is not correct. You need to read more on how traceroute works. Read the man page. There is no way to deduce what the OS is from just traceroute. Those IP addresses that you have listed as jumps are actually the routers that your packet is hitting to get to its intended destination, so traceroute is just showing you the path of the packets; in this case the path is from router jump1 to router jump2 and so on. I guess Cybrary doesn’t verify these posts.
