Saturday, 10 November 2007

Guessing an Operating System using the TTL

Different operating systems use different default TTLs (the IP Time to Live field). It is possible to change these defaults, but this is rarely done on a production system.

Default TTL of 32

Expected observed TTL range: 16-31

  • Microsoft Windows 95
  • Windows 95/98/98SE/ME/NT4 WRKS SP3,SP4,SP6a/NT4 Server SP4
  • Older Mac computers

Default TTL of 64

Expected observed TTL range: 48-63

  • Compaq Tru64 5.0 (the exception among UNIX and UNIX-like systems, which otherwise default to 255)
  • LINUX Kernel 2.2.x & 2.4.x
  • Mac OS X

Default TTL of 128

Expected observed TTL range: 112-127

  • Newer Microsoft Windows operating system machines
  • Microsoft windows 2000, XP, Vista and 2003

Default TTL of 255

Expected observed TTL range: 239-255

  • Cisco routers and switches
  • UNIX and UNIX-like operating systems
  • This includes FreeBSD 3.4, 4.0, 4.1; Sun Solaris 2.5.1, 2.6, 2.7, 2.8; OpenBSD 2.6, 2.7; NetBSD; HP-UX 10.20; AIX

The average number of hops on the Internet is between 12 and 16. This is far less than 32, the minimum difference between the default TTL blocks, so an observed TTL is very unlikely to have decremented from one block into the range of the next. The consequence is that it is possible to make a very good guess of the operating system from the TTL in a packet. All IP packets carry a TTL, including of course ICMP, TCP and UDP.

So if we see a packet with a TTL of 118, for instance, we can make a good guess that it has come from a newer Windows system (e.g. XP or 2003): the nearest default at or above 118 is 128, and 128 - 118 = 10 hops is a perfectly ordinary path length.

If we find a packet with a TTL in one of the ranges listed above, we can make a good guess at the operating system type. More work is needed and it is always advisable to verify your findings, but it is a great start for a simple test.
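The heuristic above, worked through as code. This is an added example and not part of the original post: it takes the default TTL table and the expected observed ranges exactly as listed above, picks the nearest default at or above the observed TTL, derives the hop count, and flags values that fall outside every listed range (such as 40), which the post's ranges do not cover and which deserve the extra verification the text recommends. The function names, the `tcpdump -v`-style sample lines and the addresses in them are constructed for illustration and are not from the post.

```python
"""Guess the originating OS family and hop count from an observed IP TTL.

Added example, not code from the original post. The default-TTL table and
the expected ranges are the ones the post lists; function names, sample
records and IP addresses below are assumptions constructed for this demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default initial TTLs and the OS families the post associates with them.
INITIAL_TTLS: Dict[int, str] = {
    32: "Windows 95/98/98SE/ME/NT4, older Mac",
    64: "Linux 2.2.x/2.4.x, Mac OS X, Compaq Tru64 5.0",
    128: "Windows 2000/XP/2003/Vista",
    255: "Cisco IOS, Solaris, FreeBSD/OpenBSD/NetBSD, HP-UX, AIX",
}

# Observed-TTL ranges as stated in the post (roughly 16 hops of headroom).
EXPECTED_RANGES: Dict[int, Tuple[int, int]] = {
    32: (16, 31),
    64: (48, 63),
    128: (112, 127),
    255: (239, 255),
}


@dataclass(frozen=True)
class TtlGuess:
    initial_ttl: int        # default TTL we assume the sender started with
    os_family: str          # OS family associated with that default
    hops: int               # initial_ttl - observed_ttl
    in_expected_range: bool  # False means the guess needs extra verification


def guess_os(observed_ttl: int) -> Optional[TtlGuess]:
    """Map an observed TTL to the nearest default initial TTL at or above it."""
    # TTL is an 8-bit field; a packet with TTL 0 would already have been dropped.
    if not 1 <= observed_ttl <= 255:
        return None
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    lo, hi = EXPECTED_RANGES[initial]
    return TtlGuess(
        initial_ttl=initial,
        os_family=INITIAL_TTLS[initial],
        hops=initial - observed_ttl,
        in_expected_range=lo <= observed_ttl <= hi,
    )


# Constructed records in the style of `tcpdump -v` output (assumption: the
# header and the addresses have been joined onto one line for the demo).
SAMPLE_LINES: List[str] = [
    "IP (tos 0x0, ttl 118, id 4711, offset 0, flags [DF], proto TCP (6), length 60) "
    "192.0.2.10.51234 > 198.51.100.5.80: Flags [S]",
    "IP (tos 0x0, ttl 54, id 4712, offset 0, flags [DF], proto TCP (6), length 60) "
    "192.0.2.20.40000 > 198.51.100.5.80: Flags [S]",
    "IP (tos 0x0, ttl 247, id 4713, offset 0, flags [none], proto ICMP (1), length 84) "
    "192.0.2.30 > 198.51.100.5: ICMP echo request",
    "IP (tos 0x0, ttl 40, id 4714, offset 0, flags [DF], proto UDP (17), length 60) "
    "192.0.2.40.5000 > 198.51.100.5.53: UDP",
]

# Capture the ttl value, then the first dotted-quad after the closing ')'.
LINE_RE = re.compile(r"ttl (\d+),.*?\)\s+(\d+\.\d+\.\d+\.\d+)")


def parse_ttl_line(line: str) -> Optional[Tuple[str, int]]:
    """Return (source_ip, ttl) from one sample record, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group(2), int(m.group(1))


def guess_sources(lines: List[str]) -> Dict[str, Optional[TtlGuess]]:
    """Run the TTL guess over a batch of records, keyed by source address."""
    results: Dict[str, Optional[TtlGuess]] = {}
    for line in lines:
        parsed = parse_ttl_line(line)
        if parsed is None:
            continue
        src, ttl = parsed
        results[src] = guess_os(ttl)
    return results


if __name__ == "__main__":
    for src, guess in guess_sources(SAMPLE_LINES).items():
        flag = "" if guess.in_expected_range else "  <- outside listed ranges, verify"
        print(f"{src:12} default {guess.initial_ttl:3} hops {guess.hops:2} {guess.os_family}{flag}")
```

The fourth sample (TTL 40) illustrates the caveat in the text: the nearest default is 64, implying 24 hops, which is outside the 48-63 range the post gives, so the guess is reported but marked for verification rather than trusted.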

If you are interested in learning more, I am teaching a SANS STAY SHARP class in Sydney next week. The class is Stay Sharp: IP Packet Analysis and it is a must for anyone who has to work with packets (firewall and IDS admins, network administrators etc). I look forward to seeing you there.
