Fingerprinting the operating system

Determining the operating system of a remote system is conducted using two types of scans:

• Active fingerprinting: The attacker sends normal and malformed packets to the target and records its response pattern, referred to as the fingerprint. By comparing the fingerprint to a local database, the operating system can be determined.
• Passive fingerprinting: The attacker sniffs, or records and analyzes, the packet stream to determine the characteristics of the packets.

Active fingerprinting is faster and more accurate than passive fingerprinting. In Kali, the two primary active tools are nmap and xprobe2.

The nmap tool injects packets into the target network and analyzes the response that it receives. In the following screenshot, the -O flag commands nmap to determine the operating system:

nmap -sS -O target.com

A related program, xprobe2, uses different TCP, UDP, and ICMP packets to bypass firewalls and avoid detection by IDS/IPS systems. Xprobe2 also uses fuzzy pattern matching – the operating system is not identified as definitely being one type; instead, it is assigned the probability of being one of several possible variants:

root@kali:~# xprobe2www.target.com  

Note that it is simple for the target system to hide the true operating system. Since fingerprinting software relies on packet setting, such as time-to-live or the initial windows size, changes to these values or other user-configurable settings can change the tool results. Some organizations actively change these values to make the final stages of reconnaissance more difficult.