Saturday, July 16, 2016

Ping as an OS Fingerprinting Tool


What does PING utility do?
It sends an ICMP 'echo request' (type 8) and, if firewalls don't block it, the sender gets an ICMP 'echo reply' (type 0) back. If it works we get an estimated round-trip time to the target host and we know it's alive!

But there is more to it than that ;-)

Using the ping utility we can venture a guess at which operating system the target runs (Windows, Linux, or IOS).

Let's look at these ping results:


pi@tron:~ $ ping -c3 -n www.cisco.com
PING e144.dscb.akamaiedge.net (23.200.96.126) 56(84) bytes of data.
64 bytes from 23.200.96.126: icmp_seq=1 ttl=58 time=5.64 ms
64 bytes from 23.200.96.126: icmp_seq=2 ttl=58 time=7.03 ms
64 bytes from 23.200.96.126: icmp_seq=3 ttl=58 time=5.50 ms

Based on this output we can venture a guess about the target's OS and how many routers away it is! The 'tell' is the TTL value in the reply.

We know that the default values of TTL are as follows:

  • MS Windows: TTL = 128.
  • Linux: TTL = 64.
  • Cisco IOS: TTL = 255.
Based on the above output I think www.cisco.com most likely runs on a Linux system. It is also 6 hops (routers) away from my Raspberry Pi. Systems on the Internet are rarely farther than 20 hops. So, if we assume that it is Linux, it starts with a TTL value of 64; the response comes back with ttl=58, which means six hops away.

Let's verify that last fact using traceroute (if not installed use: apt-get install traceroute).


pi@tron:~ $ traceroute -n www.cisco.com
traceroute to www.cisco.com (23.200.96.126), 30 hops max, 60 byte packets
 1  192.168.0.1  0.623 ms  0.726 ms  0.767 ms
 2  193.95.131.7  5.557 ms  5.915 ms  5.829 ms
 3  193.95.138.1  6.519 ms  6.548 ms  6.462 ms
 4  193.95.129.100  6.477 ms 193.95.129.104  6.577 ms 193.95.129.100  6.791 ms
 5  193.95.129.127  6.804 ms  6.975 ms  6.889 ms
 6  193.242.111.55  8.546 ms  8.142 ms  8.046 ms
 7  23.200.96.126  6.145 ms  5.620 ms  5.577 ms
pi@tron:~ $

Six routers, and the seventh entry is the target host itself.
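The TTL inference described above, together with the traceroute cross-check, as an added Python example (not code from the original post): it parses the post's own ping and traceroute output, embedded here as constructed sample input, picks the smallest default TTL at or above the observed value, and compares the resulting hop count with the number of routers traceroute listed. The three defaults and the 20-hop sanity limit are the post's assumptions, so the guess is only as good as that table.

```python
import re

# Default initial TTL values listed in the post (assumption: only these three).
DEFAULT_TTLS = {64: "Linux", 128: "Windows", 255: "Cisco IOS"}
MAX_PLAUSIBLE_HOPS = 20  # the post: Internet hosts are rarely farther than 20 hops

# Constructed sample input: the ping and traceroute output shown in the post.
PING_OUTPUT = """\
PING e144.dscb.akamaiedge.net (23.200.96.126) 56(84) bytes of data.
64 bytes from 23.200.96.126: icmp_seq=1 ttl=58 time=5.64 ms
64 bytes from 23.200.96.126: icmp_seq=2 ttl=58 time=7.03 ms
"""
TRACEROUTE_OUTPUT = """\
traceroute to www.cisco.com (23.200.96.126), 30 hops max, 60 byte packets
 1  192.168.0.1  0.623 ms  0.726 ms  0.767 ms
 2  193.95.131.7  5.557 ms  5.915 ms  5.829 ms
 3  193.95.138.1  6.519 ms  6.548 ms  6.462 ms
 4  193.95.129.100  6.477 ms 193.95.129.104  6.577 ms 193.95.129.100  6.791 ms
 5  193.95.129.127  6.804 ms  6.975 ms  6.889 ms
 6  193.242.111.55  8.546 ms  8.142 ms  8.046 ms
 7  23.200.96.126  6.145 ms  5.620 ms  5.577 ms
"""

TTL_RE = re.compile(r"\bttl=(\d+)\b")
HOP_LINE_RE = re.compile(r"^\s*(\d+)\s+\S", re.MULTILINE)


def guess_os(observed_ttl):
    """Return (os_guess, hops): the nearest default TTL >= observed, and the difference."""
    for default in sorted(DEFAULT_TTLS):
        if observed_ttl <= default:
            hops = default - observed_ttl
            if hops > MAX_PLAUSIBLE_HOPS:  # too far to trust the table
                return ("unknown", hops)
            return (DEFAULT_TTLS[default], hops)
    return ("unknown", None)  # TTL > 255 cannot occur in a valid IPv4 header


def ttls_from_ping(output):
    """Every ttl=N value found in ping reply lines."""
    return [int(m) for m in TTL_RE.findall(output)]


def router_count_from_traceroute(output):
    """Numbered hops minus the final entry, which is the target host itself."""
    hops = HOP_LINE_RE.findall(output)
    return len(hops) - 1 if hops else 0


def fingerprint(ping_output, traceroute_output):
    """Combine both checks; None when ping produced no replies."""
    ttls = ttls_from_ping(ping_output)
    if not ttls:
        return None
    ttl = max(set(ttls), key=ttls.count)  # most common TTL across replies
    os_guess, hops = guess_os(ttl)
    routers = router_count_from_traceroute(traceroute_output)
    return {"ttl": ttl, "os": os_guess, "hops": hops,
            "traceroute_routers": routers, "consistent": hops == routers}
```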