This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Finding an intruder’s Operating system

0

Hello all, I am very new to Wireshark, and I have been told that its possible to find an intruder's operating system in my packet capture. I have the capture, but I'm not exactly sure what to look for, regarding the operating systems. Can anyone offer some advice?

asked 07 Oct '13, 06:36


Ruinzifra
11226
accept rate: 0%

edited 07 Oct '13, 06:42


2 Answers:

2

There are some signs to find the OS, but none of them are 100% reliable.

  • Look for typical values for MSS and window size in TCP connections
  • Look for typical RTT values

http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting

  • Look for typical protocols of a certain OS (netbios, etc.)
  • Look for signs of certain client software (Browser: User-Agent, Banner, etc.)
  • Look for the TCP source ports used. There are differences in those ranges between different OSes
  • Look for the IP ID and how it changes. There are differences in ID behaviour between different OSes

Furthermore, read about: passive OS detection

Regards
Kurt

answered 07 Oct '13, 07:46


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 08 Oct '13, 04:42

Thank you so much Kurt! That is along the lines of what I was thinking, but I needed to double check. Excellent info and answer.

(07 Oct '13, 08:04) Ruinzifra

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(07 Oct '13, 08:13) Kurt Knochner ♦
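The SYN-level attributes listed in the answer above (TTL, IP ID, window size, MSS, window scale, TCP source port) can be read straight out of the raw IPv4/TCP bytes of a client's first packet. The Python below is an added example written for this page, not code from the thread or from Wireshark. The two packets are constructed, and the TTL defaults and the OS-family heuristic in `guess_os_family` are assumptions for illustration, not a real fingerprint database such as p0f's.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class SynFingerprint:
    src: str
    src_port: int
    ttl: int            # TTL as seen on the wire
    initial_ttl: int    # inferred OS default (64/128/255), an assumption of this example
    df: bool            # IP "don't fragment" bit
    ip_id: int
    window: int
    mss: Optional[int]
    wscale: Optional[int]
    sack_ok: bool
    timestamps: bool


def infer_initial_ttl(ttl: int) -> int:
    """Each router decrements TTL, so round up to the nearest common OS default."""
    for default in (32, 64, 128, 255):
        if ttl <= default:
            return default
    return 255


def parse_syn(pkt: bytes) -> SynFingerprint:
    """Extract fingerprint attributes from raw IPv4 + TCP bytes of a client SYN."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, flags_frag = struct.unpack("!HH", pkt[4:8])
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in pkt[12:16])
    tcp = pkt[ihl:]
    sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if off_flags & 0x12 != 0x02:  # SYN set and ACK clear: the client's first packet
        raise ValueError("not a bare SYN")
    opts = tcp[20:(off_flags >> 12) * 4]
    mss = wscale = None
    sack_ok = timestamps = False
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:       # end of option list
            break
        if kind == 1:       # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3:
            wscale = body[0]
        elif kind == 4:
            sack_ok = True
        elif kind == 8:
            timestamps = True
        i += length
    return SynFingerprint(src, sport, ttl, infer_initial_ttl(ttl),
                          bool(flags_frag & 0x4000), ip_id, window,
                          mss, wscale, sack_ok, timestamps)


def guess_os_family(fp: SynFingerprint) -> str:
    """Illustrative heuristic (an assumption for this example, not a signature database)."""
    if fp.initial_ttl == 128 and not fp.timestamps:
        return "Windows-like"
    if fp.initial_ttl == 64 and fp.timestamps:
        return "Linux/BSD/macOS-like"
    if fp.initial_ttl == 255:
        return "network device or Solaris-like"
    return "unknown"


def build_syn(src: bytes, ttl: int, ip_id: int, sport: int, window: int, opts: bytes) -> bytes:
    """Construct a minimal IPv4+TCP SYN for the samples below (checksums left zero)."""
    opts += b"\x00" * (-len(opts) % 4)                  # pad options to 32-bit words
    off_flags = (((20 + len(opts)) // 4) << 12) | 0x02  # data offset + SYN flag
    tcp = struct.pack("!HHIIHHHH", sport, 80, 1, 0, off_flags, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000,
                     ttl, 6, 0, src, b"\x0a\x00\x00\x01")
    return ip + tcp


# Constructed samples, not from a real capture: a Linux-style SYN seen 3 hops away
# (MSS 1460, SACK, timestamps, wscale 7) and a Windows-style SYN seen 13 hops away
# (MSS 1460, wscale 8, SACK, no timestamps, ephemeral port from the 49152+ range).
LINUX_OPTS = (b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a\x00\x00\x00\x01\x00\x00\x00\x00"
              b"\x01" b"\x03\x03\x07")
WINDOWS_OPTS = b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x08" b"\x01\x01" b"\x04\x02"
SAMPLES = [
    build_syn(b"\xc0\xa8\x01\x0a", 61, 0x1A2B, 40000, 29200, LINUX_OPTS),
    build_syn(b"\xc0\xa8\x01\x14", 115, 0x0003, 49152, 8192, WINDOWS_OPTS),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        fp = parse_syn(pkt)
        print(f"{fp.src}:{fp.src_port} ttl={fp.ttl}->{fp.initial_ttl} win={fp.window} "
              f"mss={fp.mss} wscale={fp.wscale} ts={fp.timestamps} => {guess_os_family(fp)}")
```

In a real investigation the same fields are what Wireshark shows under the TCP and IP trees of a SYN (`ip.ttl`, `ip.id`, `tcp.window_size_value`, `tcp.options.mss_val`, `tcp.options.wscale.shift`), and, as the answer says, none of them is reliable on its own: a NAT or proxy rewrites TTL, IP ID and ports, so treat the result as one signal to correlate with the client-software evidence, not as an identification.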

0

I've been working on the Nitroba University Harassment Scenario, which requires identification of individual hosts (not just operating systems) behind a NAT gateway using passive fingerprinting techniques. I found that the IPid, TTL, and TCP source port were rewritten by the gateway (as expected). The IPid was fully randomised, and the TTL was set to a fixed value (64) by the gateway. Also, HTTP user agents can be changed easily in software (I use the Firefox User Agent Switcher plugin for this).

The attributes I've settled on that should work to identify operating systems in this scenario are:

  • TCP window size: it never seems to go above 65535 for MSIE browsers on Windows, but can be up to 524280 for Mac OS X browsers. (These numbers might have changed since 2008, when the capture was created.)
  • Presence/absence & order of headers in HTTP requests, which cannot be changed easily in client software (although they could be spoofed with netcat or similar)
  • the HTTP Accept header, which can indicate the presence of certain plugins (e.g. if it includes application/x-shockwave-flash)

Databases of these criteria don't seem to be publicly available, based on my searches. (Corrections gratefully accepted.)

To identify individual hosts, the following seem necessary:

  • TCP timestamps to determine the boot time of the host and rule out certain
  • individual HTTP cookies
  • data sent in Google Analytics queries, including character set, screen resolution & color depth, Flash version, and Java plugin status

answered 16 May '14, 17:39


paulgear
112
accept rate: 0%

edited 16 May '14, 17:55