Discovering Operating System using ICMP - Cybrary post

TheFORCE

So someone at Cybrary posted an "article" or post or whatever they call it there with the above title.
Below is what they posted.

Ping and Traceroute form a simple pair of tools for operating system recognition. The technique consists of the sum of the jumps and TTL.



Firstly, we must be aware of the TTL return value of the various Operating Systems.

– Cyclades = Usually 30

– Linux = Usually 64

– Windows = Usually 128

– Cisco = Usually 255

– Linux + iptables = Usually 255



The first command to execute is Traceroute.

shady@arch:~|⇒ traceroute www.cybrary.it

traceroute to www.cybrary.it (104.20.37.13), 30 hops max, 60 byte packets

1 192.168.11.1 (192.168.11.1) 1.244 ms 1.558 ms 1.702 ms

2 jump1.com (123.123.123.123) 5.820 ms 5.812 ms 6.414 ms

3 jump2.com (124.124.124.124) 6.370 ms 6.500 ms 6.942 ms

4 jump3.com (125.125.125.125) 7.154 ms 7.068 ms 6.932 ms

5 jump4.com (126.126.126.126) 48.257 ms 48.242 ms 48.679 ms

6 jump5.com (127.127.127.127) 47.500 ms 44.990 ms 44.519 ms

7 104.20.37.13 (104.20.37.13) 47.661 ms 45.894 ms 47.833 ms



Remember the total jumps that are equal to 7.



Now we will find the TTL return with the Ping command.

shady@arch:~|⇒ ping www.cybrary.it -c 1

PING www.cybrary.it (104.20.36.13) 56(84) bytes of data.

64 bytes from 104.20.36.13 (104.20.36.13): icmp_seq=1 ttl=58 time=45.1 ms

— www.cybrary.it ping statistics —

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 45.192/45.192/45.192/0.000 ms



The return of the TTL is equal to 58. Making the sum between 58 + 7 = 65. The result is very close to 64, you can deduce that there is Linux running.

I replied to that thread and said that it is wrong and you can't simply deduce the OS by that information. My understanding is that that's not how traceroute works. Can someone more advanced in networking confirm that I'm right or if what they posted is right? If he os wrong, then I'm surprised that in 5k views that it got, no one said it was wrong.

networker050184

It's not really traceroute that's telling you the operating system. It's the TTL in the ICMP reply. It is true that different operating systems have different default values. So one could certainly make some sort of educated guess with this information. Now could you say it's definitely Ubuntu or Red hat etc? No I don't think so.

JeanM

OP - The TTL can give it away, you can test it yourself easily. In my lab ping of the linux host returns TTL=64 and ping of a Win6 box returns ping with TTL=128. But I the traceroute is useless here, you can easily add another router/hop in the path and it won't change the TTL from the original host.

dontstop

Operating Systems do leak a lot of information. For instance Windows and Linux both insert random data in a ping request which can be used to identify the OS vendor just based on these differences.

BlackBeret

JeanM wrote: »

OP - The TTL can give it away, you can test it yourself easily. In my lab ping of the linux host returns TTL=64 and ping of a Win6 box returns ping with TTL=128. But I the traceroute is useless here, you can easily add another router/hop in the path and it won't change the TTL from the original host.

The point of the traceroute in this article is to determine how many hops you might be missing. The fact you labbed this to test is great, keep in mind though that TTL is reduced for each hop a packet takes. If you ping a box and it returns a remaining TTL of 40, it could be a Linux box that took 24 hops to reach the host, or a Windows box that took 88 hops to reach the host, or a Linux host with IPTables enabled that took 215 hops to reach the host. You use traceroute to turn this unknown in to a known.

To the OP, yes this is how it really works. Now this isn't an exact science obviously and there are huge differences between WindowsME and Windows 10, this isn't going to get you any closer, but it's a starting point. If you want to learn more just look up host identification on nmap.