Identifying the operating system is primarily used for operating system exploits. Whether it's Windows or Linux, some services are started by default after installation and some ports are turned on.
The simplest way to identify the target host's system is to send a ping packet, the default value for the Windows starting TTL is 128,linux and the UNIX system defaults to 64, and some special UNIX systems have a TTL value of 255. To ping two hosts in the LAN, one for Win XP ( 192.168.0.104), one for Metasploitable2 target drone (192.168.0.108):
As you can see, the TTL value sent by Windows for the pin-back packet is 128, and the TTL value sent by Linux is 64.
1 #!/usr/bin/python2 fromScapy.allImport*3 4 ifLen (SYS.ARGV)! = 2:5 Print "This script needs one arg!\nexample:./ttl_os.py 192.168.0.0 or./ttl_os.py baidu.com"6 sys.exit ()7 8IP = sys.argv[1]9r = SR1 (IP (DST = IP)/ICMP (), timeout = 1, verbose =0)Ten One ifr = =None: A Print "No response!" - elifR[ip].ttl <= 64: - Print "Linux or unix!" the elifR[ip].ttl > 64 andR[ip].ttl <= 128: - Print "windows!" - Else: - Print "unix!"
Python code implementation
The TTL value can be changed by software, so it is not always accurate to judge by the TTL value alone. And the powerful Nmap also provides a powerful parameter-O, can be based on a variety of characteristics of the system identification, implementation of NMAP 192.168.0.108-o command, to obtain the results:
Of course, even using nmap this powerful tool to get results may not be completely accurate, small series using Nmap scan win XP Home version results are win XP Professional Edition or Win2003.
Operating system identification-python, Nmap