Mermaid Image

OS Detection


OS detection has had a pretty sad history. It used to be that you could just telnet targethost and read the login banner. As network administrators have wisened, however, stealth methods have evolved to match. Queso, and later nmap pioneered TCP header-flag based OS detection, but now there are some viable alternatives with (at least for the time being) superior stealth...

Note: Not all of these methods have been tested, some are no more than theoretical. They'll all be tested soon enough. Although I have developed these techniques independantly of others, it is quite likely that others discovered them first. No public release of papers or tools on these techniques has been made ,at least that I am aware of.

I want to create a program to automate the use of these techniques, however I lack the time at present. If you would like to program something, go right ahead -- I'll post the source here with credit. Otherwise, we're talking middle to late 2000 for something usable to appear.

Other 'Common' Methods of OS Detection

  • FTP SYST command
  • - "SYST" will return information about the server.
  • HTTP HEAD command
  • - The "HEAD" command will return HTTP headers only, which sometimes contain the server architecture/os as well as the http daemon version. The more regular "GET" command returns the page requested, also.


[ back home ] [ email ]