How To Perform OS Fingerprinting with Ping?

0liverFlow
7 min read · Dec 28, 2024


Ping is a command that is generally used to troubleshoot reachability and name resolution. Nevertheless, as we will see, ping can also be useful when it comes to enumeration. Furthermore, you will find a bonus part at the end of the blog post.

How Ping Works?

In this section, we will take a look at how ping works by pinging scanme.org. For that, we will go through the following steps:

1/ First of all, let’s launch tshark to capture the packets sent by ping:

Tshark packets capture

Here is a quick breakdown of the options used above:

--color : Colorizes the output.

-i : Specifies the network interface. Use tshark -D to display all available network interfaces.

-f : Applies a capture filter (in this case, the ICMP protocol). ICMP (Internet Control Message Protocol) is a protocol used by network devices to diagnose network communication issues. For instance, ping uses ICMP to indicate if a host or router is unreachable.

Note: If you do not have tshark installed on your Kali distro, you can install it using sudo apt install -y tshark

2/ Check if scanme.org is reachable using ping:

Ping scanme.org

Once the ping scan is complete, you’ll see details such as:

  • The number of packets transmitted and received
  • The round-trip time (rtt), which indicates the amount of time it takes for a packet to reach the target host and come back to your computer.
  • The mean deviation (mdev), which indicates how stable or variable the network latency is. A low mdev value suggests consistent latency, which is good for real-time applications like VoIP or gaming. A high mdev value suggests that the network might be experiencing jitter, which can degrade the performance of latency-sensitive applications.

Now, let’s take a look at the packets captured by tshark:

ICMP packets capture

As you can see, tshark captured 10 ICMP packets. Let’s explore them, shall we?

For your information, my computer’s IP address is 192.168.16.38 and the IP address of scanme.org is 45.33.32.156.

Here, we have two main types of ICMP packets:

  • ECHO REQUEST: This represents the ICMP packet sent from my computer to scanme.org. Put simply, this is an ICMP request.
  • ECHO REPLY: This represents the ICMP packet sent from scanme.org back to my computer. It is therefore the response to my previous ICMP request.

Well, another interesting piece of information in the capture is the TTL, which stands for Time To Live. This is a field in the ICMP header used to prevent a packet from looping indefinitely through routers. Indeed, each time the packet passes through a router, the router decrements its TTL value by 1. Once the TTL reaches 0, the router discards the packet and sends a Time Exceeded error message back to the sender.

Is there any default value for TTL?

The RFCs for TCP and IP do not require any default value for this field. Nevertheless, there is a recommendation in RFC 1700 saying:

The current recommended default time to live (TTL) for the Internet Protocol (IP) [45,105] is 64.

However, this was not followed in many IP implementations. And that’s where things become interesting.

OS Fingerprinting

Knowing that device manufacturers did not follow the default TTL recommendation of RFC 1700, we can use the TTL to fingerprint a device’s OS. This is possible because each manufacturer set its own default TTL. For instance:

  • Windows (2000/XP/2003/Vista/10/11) has a default TTL value of 128.
  • macOS and Linux systems have a default TTL value of 64.
  • Routers generally have a default TTL value of 255 (e.g. Cisco routers).

That being said, let’s see some practical scenarios.

Ping scan

Based on the TTL above, we can guess that the target is probably running Windows. Let’s perform an Nmap OS scan to confirm that:

Nmap OS scan

-Pn : Skips the host discovery phase. Nmap then treats the host as up by default.

-T4 : Aggressive timing template used to speed up Nmap scans. This should be used cautiously.

-O : Enables OS detection

--reason : Displays the reason a port is in a particular state. As you can see, this also shows the TTL value.

--open : Only shows open ports

Well, based on the above Nmap scan, we can say that the target is running Windows.

Note: If there were a router between my computer and the target 192.168.48.1, the default TTL value (128) would have been decremented by 1. Therefore, I would have seen 127 instead of 128.

Let’s now ping a Linux machine located on a different network:

Ping scan
Nmap scan

--traceroute : Gathers information on the intermediate routers through which the traffic passes from one point to another.

Why do we have a TTL of 63 instead of 64?

Well, you should already know the answer if you paid attention to what I said above. Indeed, the ECHO REPLY sent by the target 10.10.11.11 first went through the router 10.10.14.1, which decremented the default TTL value (64) by 1. This is the reason why the TTL was 63 when we received it. You can check it out using the traceroute command:

Traceroute
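The TTL reasoning above (a default of 64, 128 or 255, minus one for each router on the return path) can be turned into a small script. This is an added example, not code from the original post: the defaults and OS families are the ones listed above, and the sample ping reply lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): infer the likely initial TTL,
# the hop distance and the OS family from the TTL seen in a ping reply, using
# the defaults the post lists (64 Linux/macOS, 128 Windows, 255 routers).
# An administrator who changes the default TTL defeats this heuristic.

# guess_os_from_ttl <observed_ttl>  ->  prints "<initial_ttl> <hops> <family>"
guess_os_from_ttl() {
    ttl="$1"
    # A reply's TTL is always <= the sender's initial value, so take the
    # smallest common default that is >= the observed TTL.
    if [ "$ttl" -le 64 ]; then
        initial=64;  family="Linux/macOS"
    elif [ "$ttl" -le 128 ]; then
        initial=128; family="Windows"
    else
        initial=255; family="Router/network-device"
    fi
    hops=$((initial - ttl))   # routers traversed on the return path
    printf '%s %s %s\n' "$initial" "$hops" "$family"
}

# ttl_from_ping_line "<ping reply line>"  ->  prints the ttl= value
ttl_from_ping_line() {
    printf '%s\n' "$1" | sed -n 's/.*ttl=\([0-9][0-9]*\).*/\1/p'
}

# classify_ping_line "<ping reply line>"  ->  "<initial_ttl> <hops> <family>"
classify_ping_line() {
    t=$(ttl_from_ping_line "$1")
    [ -n "$t" ] || { echo "no ttl= field in: $1" >&2; return 1; }
    guess_os_from_ttl "$t"
}

# Constructed sample reply lines (not real captures) in Linux ping's format.
SAMPLE_LINUX_ONE_HOP="64 bytes from 10.10.11.11: icmp_seq=1 ttl=63 time=42.1 ms"
SAMPLE_WINDOWS_LOCAL="64 bytes from 192.168.48.1: icmp_seq=1 ttl=128 time=0.5 ms"

# Live use:
#   ping -c1 <target> | grep 'bytes from' | while read -r l; do classify_ping_line "$l"; done
```

Running it on the two sample lines gives "64 1 Linux/macOS" (the one-hop Linux case from this section) and "128 0 Windows" (the local Windows host from the earlier scan).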

Great! Now you know how to quickly identify an OS using ping.

However, it’s important to note that certain advanced network devices or operating systems allow administrators to configure the TTL value, which adds another layer of complexity to interpreting TTL values for OS fingerprinting. Therefore, while TTL values offer valuable hints about the type of OS in use, they should be supplemented with other factors for precise OS identification. For instance, if the target is on the same network as us, we could look up its MAC address using the nmap-mac-prefixes file located at /usr/share/nmap/nmap-mac-prefixes. Let’s say we found out that the target’s MAC address was 00:50:56:ed:23:8d.

We could look for the device manufacturer using the following trick:

Mac address lookup

Note: Sometimes this will not work, but it’s worth trying.
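As an added example (not the post’s own trick), here is a portable lookup against a file in the nmap-mac-prefixes layout; the default file path is an assumption, and the prefix table embedded in the script is a constructed sample. It also flags locally administered (randomized) MAC addresses, one reason the lookup sometimes returns nothing.

```shell
#!/bin/sh
# Added example (not from the original post): look up the vendor behind a MAC
# address's OUI in a file laid out like Nmap's nmap-mac-prefixes
# ("<6 hex digits> <vendor>", one entry per line, '#' comments). The path
# below is an assumption; set PREFIX_FILE to override it.

# Constructed sample in that layout so the example runs offline (not the real file).
SAMPLE_PREFIXES='# constructed sample
005056 VMware
00155D Microsoft
B827EB Raspberry Pi Foundation'

# normalize_oui "00:50:56:ed:23:8d" -> "005056" (':' or '-' separators, any case)
normalize_oui() {
    printf '%s\n' "$1" | tr -d ':-' | tr 'a-f' 'A-F' | cut -c1-6
}

# locally_administered <mac>: true when the U/L bit (value 2) of the first octet
# is set, i.e. a randomized or admin-assigned address whose OUI names no vendor.
locally_administered() {
    case "$(normalize_oui "$1" | cut -c2)" in
        [2367ABEF]) return 0 ;;
        *) return 1 ;;
    esac
}

# lookup_vendor <mac> [prefix_file] -> vendor name, or "unknown" if unlisted
lookup_vendor() {
    oui=$(normalize_oui "$1")
    file="${2:-${PREFIX_FILE:-/usr/share/nmap/nmap-mac-prefixes}}"
    case "$oui" in
        [0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F]) ;;
        *) echo "invalid MAC: $1" >&2; return 1 ;;
    esac
    vendor=$(grep "^$oui " "$file" 2>/dev/null | head -n 1 | cut -d' ' -f2-)
    printf '%s\n' "${vendor:-unknown}"
}

# lookup_in_sample <mac>: same lookup, but against the embedded sample table.
lookup_in_sample() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PREFIXES" > "$tmp"
    lookup_vendor "$1" "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
```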

What if the target is not on my local network?

Well, if the target is outside your local network, you can still guess the OS by analyzing the open ports.

For instance, if you notice that ports 135, 139 and 445 are open on the target system, it is probably a Windows machine.

However, if you notice that ports 22, 80 and 3306 are open, it is probably a Linux machine running an Apache or Nginx web server as well as a MySQL or MariaDB database.

Bonus

1. Troubleshooting Name Resolution

In addition to fingerprinting a target’s operating system, we can also use the ping command to troubleshoot name resolution:

Troubleshooting Name resolution with ping

As you can see, the domain name was successfully resolved.

2. Ping Sweep

Here is a useful bash one-liner to perform a ping sweep after you compromise a target system. It lets you determine the live hosts on the compromised target’s local network before moving laterally:

for i in {1..254}; do (ping -c1 -w1 x.x.x.${i} | grep "bytes from" &); done

3. Make Ping Usage Easier with an Alias

Last but not least, here’s an alias to simplify using ping. By default, ping runs indefinitely on Linux, but the -c flag allows you to specify a number of packets to send before it stops.

alias ping="ping -c 4"

This limits ping to 4 packets by default, avoiding indefinite execution.

4. TCP SYN Ping

If ICMP is blocked by the target system, you can perform an Nmap TCP SYN Ping scan using the -PS flag with the following ports: 53,80,443,445. Note that the port list is attached directly to the flag; with a space after -PS, Nmap would treat the port list as a target.

nmap -PS53,80,443,445 <TARGET>

Awesome! Let’s now sum up, shall we?

Wrap Up

In this article, we saw how to use the ping command for OS fingerprinting by analyzing TTL values. While this method isn’t foolproof (administrators can alter TTL settings), supplementing it with MAC address lookups and open port analysis can improve accuracy. Additionally, we highlighted some awesome features of ping, including ping sweep and name resolution troubleshooting.

Well, that’s all guys. I hope you enjoyed this article.

If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles !

Hack the planet 😎

Written by 0liverFlow

Pentester | Enjoy breaking and building stuffs
