Discovering the Operating System Using ICMP

Ping and Traceroute form a simple pair of tools for operating system recognition. The technique consists of the sum of the jumps and TTL.

Firstly, we must be aware of the TTL return value of the various Operating Systems.

– Cyclades = Usually 30

– Linux = Usually 64

– Windows = Usually 128

– Cisco = Usually 255

– Linux + iptables = Usually 255

The first command to execute is Traceroute.

shady@arch:~|⇒  traceroute www.cybrary.it

traceroute to www.cybrary.it (104.20.37.13), 30 hops max, 60 byte packets

1  192.168.11.1 (192.168.11.1)  1.244 ms  1.558 ms  1.702 ms

2  jump1.com (123.123.123.123)  5.820 ms  5.812 ms  6.414 ms

3  jump2.com (124.124.124.124)  6.370 ms  6.500 ms  6.942 ms

4  jump3.com (125.125.125.125)  7.154 ms  7.068 ms  6.932 ms

5  jump4.com (126.126.126.126)  48.257 ms  48.242 ms  48.679 ms

6  jump5.com (127.127.127.127)  47.500 ms  44.990 ms  44.519 ms

7  104.20.37.13 (104.20.37.13)  47.661 ms  45.894 ms  47.833 ms

Remember the total jumps that are equal to 7.

Now we will find the TTL return with the Ping command.

shady@arch:~|⇒  ping www.cybrary.it -c 1 

PING www.cybrary.it (104.20.36.13) 56(84) bytes of data.

64 bytes from 104.20.36.13 (104.20.36.13): icmp_seq=1 ttl=58 time=45.1 ms

— www.cybrary.it ping statistics —

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 45.192/45.192/45.192/0.000 ms

The return of the TTL is equal to 58. Making the sum between 58 + 7 = 65. The result is very close to 64, you can deduce that there is Linux running.