Ping and Traceroute form a simple pair of tools for operating system recognition. The technique consists of adding the number of jumps (hops) reported by Traceroute to the TTL returned by Ping. First, we must know the typical TTL return value of the various operating systems:

- Cyclades = Usually 30
- Linux = Usually 64
- Windows = Usually 128
- Cisco = Usually 255
- Linux + iptables = Usually 255

The first command to execute is Traceroute.

shady@arch:~|⇒ traceroute www.cybrary.it
traceroute to www.cybrary.it (104.20.37.13), 30 hops max, 60 byte packets
 1 192.168.11.1 (192.168.11.1) 1.244 ms 1.558 ms 1.702 ms
 2 jump1.com (123.123.123.123) 5.820 ms 5.812 ms 6.414 ms
 3 jump2.com (124.124.124.124) 6.370 ms 6.500 ms 6.942 ms
 4 jump3.com (125.125.125.125) 7.154 ms 7.068 ms 6.932 ms
 5 jump4.com (126.126.126.126) 48.257 ms 48.242 ms 48.679 ms
 6 jump5.com (127.127.127.127) 47.500 ms 44.990 ms 44.519 ms
 7 104.20.37.13 (104.20.37.13) 47.661 ms 45.894 ms 47.833 ms

Remember the total number of jumps, which is 7. Now we will find the TTL return with the Ping command.

shady@arch:~|⇒ ping www.cybrary.it -c 1
PING www.cybrary.it (104.20.36.13) 56(84) bytes of data.
64 bytes from 104.20.36.13 (104.20.36.13): icmp_seq=1 ttl=58 time=45.1 ms

--- www.cybrary.it ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 45.192/45.192/45.192/0.000 ms

The TTL returned is 58. Adding the two values gives 58 + 7 = 65. The result is very close to 64, so you can deduce that the target is running Linux.
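
The calculation above can be automated. The following Python is an added example, not code from the original article: it parses traceroute and ping output, adds the hop count to the reply TTL, and looks up the nearest value in the article's TTL table. The function names, the `tolerance` cut-off and the sample outputs (built with documentation addresses) are assumptions made for illustration.

```python
import re

# Typical initial TTLs, exactly as listed in the article above.
TTL_DEFAULTS = {30: ["Cyclades"], 64: ["Linux"], 128: ["Windows"],
                255: ["Cisco", "Linux + iptables"]}

# Constructed sample output (documentation addresses), not a real capture.
TRACEROUTE_SAMPLE = """\
traceroute to target.example (203.0.113.13), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  1.244 ms  1.558 ms  1.702 ms
 2  198.51.100.1 (198.51.100.1)  5.820 ms  5.812 ms  6.414 ms
 3  198.51.100.2 (198.51.100.2)  6.370 ms  6.500 ms  6.942 ms
 4  * * *
 5  198.51.100.4 (198.51.100.4)  48.257 ms  48.242 ms  48.679 ms
 6  198.51.100.5 (198.51.100.5)  47.500 ms  44.990 ms  44.519 ms
 7  203.0.113.13 (203.0.113.13)  47.661 ms  45.894 ms  47.833 ms
"""
PING_SAMPLE = """\
PING target.example (203.0.113.13) 56(84) bytes of data.
64 bytes from 203.0.113.13: icmp_seq=1 ttl=58 time=45.1 ms
"""

def hop_count(traceroute_output):
    """Number of the last hop that answered; silent '* * *' hops are skipped."""
    hops = 0
    for line in traceroute_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if m and m.group(2) != "*":
            hops = int(m.group(1))
    return hops

def reply_ttl(ping_output):
    """TTL of the echo reply ('ttl=' on Linux, 'TTL=' on Windows ping)."""
    m = re.search(r"\bttl=(\d+)", ping_output, re.IGNORECASE)
    if m is None:
        raise ValueError("no ttl= field found in ping output")
    return int(m.group(1))

def guess_os(hops, ttl, tolerance=2):
    """Return (hops + ttl, nearest table TTL or None, candidate systems)."""
    estimate = hops + ttl
    nearest = min(TTL_DEFAULTS, key=lambda d: abs(d - estimate))
    if abs(nearest - estimate) > tolerance:  # tolerance is an assumed cut-off
        return estimate, None, []
    return estimate, nearest, TTL_DEFAULTS[nearest]

if __name__ == "__main__":
    print(guess_os(hop_count(TRACEROUTE_SAMPLE), reply_ttl(PING_SAMPLE)))
```

A sum that lands near 255 stays ambiguous between the two table entries sharing that value, and a sum far from every table value returns no candidate rather than a forced guess.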