OS Inference through Ping TTL

Terminologies


  • Ping: An command to discover the availability of a target machine. It sends an ICMP Echo Request, and waits for an Echo Reply
  • TTL: Time-To-Live, which tells the network routers how long the packet should live. For each router that passes the packet on, the TTL reduces by 1. Once TTL reaches 0, the packet is discarded, and an ICMP message is sent to the original sender to resend the packet.

Infering OSes From TTLs


Each OS has a different TTL for their Echo Reply packet, and based on that, we can infer what OS is sending us the reply.

Lets look at what happens when we ping google.com

The TTL that is show there is the Echo Reply that Google has sent us, and when it has reached our machine, it was “left” with 42 TTL. So how do we find out how long the Echo Reply travelled? tracert!

How tracert works is that it first sends out a packet with TTL 1 and incrementally bumps up that amount so that at each router, it collect the IP address information about it. When a packet reaches a router with TTL=0, it is sent back to the originating machine, along with it’s (the router) IP address.

Request time out happens when the network router has specifically blocked ICMP ping request, so when a packet reaches there with TTL=0, nothing is sent back.

We can see that for traffic that travel from google.com to our machine takes 23 hops, and when it reached out machine, it was left with 42 TTL. With that, we can conclude that when it was sent out, it had an initial TTL of 23+42=65.

We can look at the table below to find out that Linux servers using ICMP protocol has a TTL of 64, which has the closest value to ours.

Table of TTLs for each OS


Device / OSVersionProtocolTTL
AIXTCP60
AIXUDP30
AIX3.2, 4.1ICMP255
BSDIBSD/OS 3.1 and 4.0ICMP255
CompaTru64 v5.0ICMP64
CiscoICMP254
DEC PathworksV5TCP and UDP30
FoundryICMP64
FreeBSD2.1RTCP and UDP64
FreeBSD3.4, 4.0ICMP255
FreeBSD5ICMP64
HP-UX9.0xTCP and UDP30
HP-UX10.01TCP and UDP64
HP-UX10.2ICMP255
HP-UX11ICMP255
HP-UX11TCP64
Irix5.3TCP and UDP60
Irix6.xTCP and UDP60
Irix6.5.3, 6.5.8ICMP255
juniperICMP64
MPE/IX (HP)ICMP200
Linux2.0.x kernelICMP64
Linux2.2.14 kernelICMP255
Linux2.4 kernelICMP255
LinuxRed Hat 9ICMP and TCP64
MacOS/MacTCP2.0.xTCP and UDP60
MacOS/MacTCPX (10.5.6)ICMP/TCP/UDP64
NetBSDICMP255
Netgear FVG318ICMP and UDP64
OpenBSD2.6 & 2.7ICMP255
OpenVMS07.01.2002ICMP255
OS/2TCP/IP 3.064
OSF/1V3.2ATCP60
OSF/1V3.2AUDP30
Solaris2.5.1, 2.6, 2.7, 2.8ICMP255
Solaris2.8TCP64
StratusTCP_OSICMP255
StratusTCP_OS (14.2-)TCP and UDP30
StratusTCP_OS (14.3+)TCP and UDP64
StratusSTCPICMP/TCP/UDP60
SunOS4.1.3/4.1.4TCP and UDP60
SunOS5.7ICMP and TCP255
UltrixV4.1/V4.2ATCP60
UltrixV4.1/V4.2AUDP30
UltrixV4.2 – 4.5ICMP255
VMS/MultinetTCP and UDP64
VMS/TCPwareTCP60
VMS/TCPwareUDP64
VMS/Wollongong1.1.1.1TCP128
VMS/Wollongong1.1.1.1UDP30
VMS/UCXTCP and UDP128
Windowsfor WorkgroupsTCP and UDP32
Windows95TCP and UDP32
Windows98ICMP32
Windows98, 98 SEICMP128
Windows98TCP128
WindowsNT 3.51TCP and UDP32
WindowsNT 4.0TCP and UDP128
WindowsNT 4.0 SP5-32
WindowsNT 4.0 SP6+128
WindowsNT 4 WRKS SP 3, SP 6aICMP128
WindowsNT 4 Server SP4ICMP128
WindowsMEICMP128
Windows2000 proICMP/TCP/UDP128
Windows2000 familyICMP128
WindowsServer 2003128
WindowsXPICMP/TCP/UDP128
WindowsVistaICMP/TCP/UDP128
Windows7ICMP/TCP/UDP128
WindowsServer 2008ICMP/TCP/UDP128
Windows10ICMP/TCP/UDP128

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s