Pho's alternate remote OS detection techniques page has been updated. Includes information on ICMP techniques, ARP techniques, IP techniques, and UDP techniques.
<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<HEAD>
<TITLE>[pho] - OS Detection</TITLE>
</HEAD>
<BODY BGCOLOR="BLACK" VLINK="WHITE" TEXT="WHITE" LINK="WHITE" ALINK="WHITE">
<CENTER>
<!-- err, whole page table bit. afterthoughts are ugly. -->
<TABLE BORDER="0"><TR><TD>
<!-- /pagetable -->
<IMG SRC="http://pho.2600.org.au/mermaid.gif" ALT="Mermaid Image"><BR>
<!-- pagetable -->
</TD><TD>
<!-- /pagetable-->
<CENTER>
<H3>OS Detection</H3>
</CENTER>
<CENTER>
<TABLE WIDTH="100%" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD BGCOLOR="WHITE" COLSPAN="2"> </TD>
</TR>
</TABLE>
</CENTER>
<BR>
OS detection has had a pretty sad history. It used to be that you
could just <I>telnet targethost</I> and read the login banner. As network
administrators have grown wiser, however, stealth methods have evolved to match.
Queso, and later <A HREF="http://www.insecure.org/nmap/">nmap</A>, pioneered
TCP header-flag based OS detection, but now there are some viable
alternatives with (at least for the time being) superior stealth...
<P>
<UL>
<LI><A HREF="http://pho.2600.org.au/icmp.html">ICMP techniques</A>
<LI><A HREF="http://pho.2600.org.au/arp.html">ARP techniques</A>
<LI><A HREF="http://pho.2600.org.au/ip.html">IP techniques</A>
<LI><A HREF="http://pho.2600.org.au/udp.html">UDP techniques</A>
</UL>
<BR>
<I>Note: Not all of these methods have been tested; some are no more
than theoretical. They'll all be tested soon enough. Although I have
developed these techniques independently of others, it is quite likely
that others discovered them first. No public release of papers or
tools on these techniques has been made, at least that I am aware of.</I>
<P>
I want to create a program to automate the use of these techniques; however,
I lack the time at present. If you would like to program something, go
right ahead -- I'll post the source here with credit. Otherwise, we're
talking middle to late 2000 for something usable to appear.
<P><BR>
<B>Other 'Common' Methods of OS Detection</B><BR>
<UL>
<LI>FTP SYST command - "SYST" will return information about the server's operating system.</LI>
<LI>HTTP HEAD command - The "HEAD" command will return the HTTP headers
only, which sometimes contain the server architecture/OS as well as the HTTP
daemon version. The more usual "GET" command returns the requested page
as well.</LI>
</UL>
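<P>
The following is an added example, not code from the original page or from pho: a small Python script that parses what the two commands above return and reports what a server discloses about itself, so an administrator can audit their own hosts for banner leakage. The sample HTTP HEAD response and FTP SYST reply embedded in it are constructed, not captured from any real host; the two network helpers (<I>http_head_request</I> and <I>ftp_syst_request</I>) are assumed names, and the parsers work offline on the constructed samples.

```python
import re
import socket
from typing import Dict, Optional

# Constructed sample responses (not captured from any real host) showing the
# shape of what the page's two commands return.
SAMPLE_HTTP_HEAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2000 00:00:00 GMT\r\n"
    "Server: Apache/1.3.9 (Unix) PHP/3.0.12\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_FTP_SYST_REPLY = "215 UNIX Type: L8\r\n"


def parse_http_headers(raw: str) -> Dict[str, str]:
    """Parse the status line and header block of an HTTP response into a dict
    keyed by lower-cased header name. Only the header block is read, so a HEAD
    response (which carries no body) is handled exactly like a GET response."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {"status-line": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def server_disclosure(raw_http: str) -> Optional[str]:
    """Return the Server header value, or None if the daemon does not announce
    itself (the hardened configuration an administrator wants to see)."""
    return parse_http_headers(raw_http).get("server")


def parse_ftp_syst(reply: str) -> Optional[str]:
    """RFC 959 defines the SYST reply as '215 <system type>'. Return the system
    type string, or None for any other reply code (for example 502 when the
    server has SYST disabled)."""
    match = re.match(r"215[ -](.*)$", reply.strip())
    return match.group(1).strip() if match else None


def audit(raw_http: str, ftp_reply: str) -> Dict[str, str]:
    """Summarise what a host reveals through HTTP HEAD and FTP SYST."""
    srv = server_disclosure(raw_http)
    syst = parse_ftp_syst(ftp_reply)
    return {
        "http_server": srv if srv else "(not disclosed)",
        "ftp_syst": syst if syst else "(not disclosed)",
    }


# --- Live helpers (assumed names) for checking a host you administer. -------

def http_head_request(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send a bare HTTP/1.0 HEAD for / and return the raw response text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def ftp_syst_request(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Read the FTP greeting, send SYST, and return the raw reply line.
    Assumes a single-line 220 greeting; multi-line greetings would need
    the usual '220-' continuation handling."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(1024)  # greeting (expected '220 ...')
        sock.sendall(b"SYST\r\n")
        return sock.recv(1024).decode("latin-1")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(audit(SAMPLE_HTTP_HEAD_RESPONSE, SAMPLE_FTP_SYST_REPLY))
```

Run against a host you administer, replace the sample arguments to <I>audit</I> with the return values of the two live helpers; a result of "(not disclosed)" for both is what a tightened HTTP ServerTokens-style setting and a disabled SYST command look like from the outside.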
<BR>
<CENTER>
<TABLE WIDTH="100%" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD BGCOLOR="WHITE" COLSPAN="2"> </TD>
</TR>
</TABLE>
<BR>
[ <A HREF="http://pho.2600.org.au/">back home</A> ] [ <A HREF="mailto:photon@2600.org.au">email</A> ]
</CENTER>
<!-- pagetable -->
</TD></TR>
</TABLE>
<!-- /pagetable -->
</CENTER>
</BODY>
</HTML>