Forensicswiki.org has moved to this site, forensicswiki.xyz. For information, please join the Google Group forensicswiki-reborn
OS fingerprinting is the process of determining the operating system used by a host on a network.
Active fingerprinting is the process of transmitting packets to a remote host and analysing corresponding replies.
Passive fingerprinting is the process of analysing packets from a host on a network. In this case, fingerprinter acts as a sniffer and doesn't put any traffic on a network.
Almost all fingerprinting techniques are based on detecting difference in packets generated by different operating systems.
Common techniques are based on analysing:
- IP TTL values;
- IP ID values;
- TCP Window size;
- TCP Options (generally, in TCP SYN and SYN+ACK packets);
- DHCP requests;
- ICMP requests;
- HTTP packets (generally, User-Agent field).
Other techniques are based on analysing:
- Running services;
- Open port patterns.
Many passive fingerprinters are getting confused when analysing packets from a NAT device.