August 18th, 2004, 08:33 PM
OS detection with ICMP.
One of the most important steps in attacking a target is finding out the OS that it is running. This can be done a few different ways, but in this post I am going to give a little bit of an overview of using the ICMP protocol in OS detection and point you to some resources if you wish to learn more.
You may not know this, but in some cases finding out whether the machine is *nix based or Windows is as simple as pinging the target and looking at the TTL value that was returned. Most *nix based systems will return 255 in the TTL value in an ICMP echo reply, Windows will return 128 (with the exception of Win 95 which returns 32), and last but not least Linux which returns a TTL value of 64 (thanks chsh). I know that these values may not be true in all cases, but hey, what can I say, this method is just used for a rough idea. Another way that can be used is to send an ICMP echo request to the target with the code value set at anything other than 0. When the reply is received, if the code value is != 0 then the machine is *nix based and if the value is 0 then the machine is Windows based.
To delve a little bit deeper we begin by sending some ICMP packets from our favorite packet crafter to the target, and then compare the results to known OS behaviors.
An Example:
Say that you received a TTL value of 255 when you pinged the target. We know that this is a pretty good indicator that the target is *nix based. Now if we were to send a fragmented ICMP address mask request and the reply was to come back with 0.0.0.0 as the mask then we would know that the machine is running either Solaris or HP-UX. Interesting? Yes. Simple? Very.
Another Example:
This example will give you an idea of how to pick Windows 2000 and Ultrix. All you have to do is send an ICMP echo request with the precedence bits != 0. If you receive a reply with the precedence bits equal to 0 then the machine is either running Windows 2000 or Ultrix. Now to distinguish between the two we ping the target and look at the TTL value. 255 = Ultrix and 128 = Win 2k.
To learn more on this read Ofir Arkin's paper here:
http://www.sys-security.com/archive/...nning_v3.0.pdf
ICMP error messages are also able to be used in the footprinting of an OS. Actually, in some cases the lack of ICMP error messages will be an indicator of a certain group of operating systems (AIX, DG-UX, HP-UX).
To learn more about this read the paper by Fyodor here:
http://www.insecure.org/nmap/nmap-fi...g-article.html
If I am wrong please correct me, or if you have something to add please do. Cheers.
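The TTL rule of thumb from the post above, as an added example that is not part of the original post, written from an asset-inventory angle: it parses ping output for hosts you administer, rounds the observed TTL up to the nearest initial value (routers decrement it once per hop, so a reply rarely arrives with the sender's exact starting value) and applies the post's mapping. The mapping table, the IP addresses and the sample ping lines are constructed for the example.

```python
import re

# Initial TTL values as the post describes them (constructed table from the
# post's own claims; the post itself notes real stacks vary).
INITIAL_TTLS = {
    32: "Windows 95",
    64: "Linux",
    128: "Windows",
    255: "*nix (BSD/Solaris style)",
}

# Matches the common "64 bytes from 192.0.2.10: icmp_seq=1 ttl=128 ..." line.
PING_RE = re.compile(r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?\bttl=(?P<ttl>\d+)",
                     re.IGNORECASE)


def guess_initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest known starting value.

    Each router on the path subtracts one, so the observed value is at or
    below the initial one. A value in 33..64 is therefore ambiguous between
    a nearby Linux host and a very distant Windows host; this helper picks
    the closest candidate, which is all the post's rule of thumb supports.
    """
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial
    raise ValueError(f"TTL {observed} is not a valid 8-bit value")


def classify(observed: int) -> dict:
    """Return the guessed initial TTL, the implied hop count and OS family."""
    initial = guess_initial_ttl(observed)
    return {"initial_ttl": initial,
            "hops": initial - observed,
            "os_family": INITIAL_TTLS[initial]}


def classify_ping_output(lines) -> dict:
    """Map each replying IP in ping output to its classification."""
    results = {}
    for line in lines:
        m = PING_RE.search(line)
        if m:
            results[m.group("ip")] = classify(int(m.group("ttl")))
    return results


# Constructed sample ping output, not real capture data.
SAMPLE_PING_LINES = [
    "64 bytes from 192.0.2.10: icmp_seq=1 ttl=128 time=0.4 ms",
    "64 bytes from 192.0.2.20: icmp_seq=1 ttl=52 time=18.1 ms",
    "64 bytes from 192.0.2.30: icmp_seq=1 ttl=250 time=3.2 ms",
    "Request timeout for icmp_seq 1",
]
```

Hosts whose inferred family disagrees with your inventory are worth a second look, since the TTL is set by whatever stack actually answered (a NAT device or load balancer, for instance).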