Remote Operating System Detection
There are various switches available for ping. Above I have given a list of all the switches available in the DOS version of ping. Using the -t switch you can ping a target continuously until it crashes. You are probably wondering how this could crash the remote system. The answer is quite simple: if you ping the remote system continuously, the RAM of the target system is slowly overloaded with this stack data, which forces the system to restart or crashes it. You can also use the -l switch to specify the size of the data packet to be sent at a time.
But in this article I am not concerned with crashing a remote system, because it is not as easy as it seems; there are many other tricks for that, and it is not possible to crash a system of present technology with a simple ping alone. I am concerned with the TTL values in the output you get after pinging a system. You can use the -n switch with ping to specify the number of echo requests (i.e. data packets) to be sent to the target system. The default number is 4.
Example:
C:\windows> ping -n 10 127.0.0.1
This command pings 127.0.0.1 with 10 packets of data and then prints the output.
Now I think it is time for a real example, which I have executed on my own system.
C:\windows>ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
(For a fuller list of TTL values, check http://members.cox.net/~ndav1/self_published/TTL_values.html)
Here I have pinged the IP 127.0.0.1 (the loopback address, which refers to your own system without going on the network) with a default ping. The TTL value I get is 128. This is the value we need for remote OS detection.
What is a TTL value?
A TTL value is nothing but a simple code assigned to outgoing data packets by the operating system of a computer. The TTL value assigned to outgoing packets depends on the operating system, and it is the same for a given operating system. For example, if you ping a system running Windows 98 or earlier versions of Windows NT with service packs, you will get a TTL value of 128 (I don't know exactly what TTL values the recent versions of Windows NT use, but from my research I think they are the same as the previous versions, because even Windows XP uses a TTL value of 128). From this TTL value you can easily say that the target system is running Microsoft Windows.
TTL values of commonly used Operating Systems
| OS | Version | Platform | TTL |
|---|---|---|---|
| Windows | 9x/NT | Intel | 32 |
| Windows | 9x/NT | Intel | 128 |
| Windows | 2000 | Intel | 128 |
| DigitalUnix | 4.0 | Alpha | 60 |
| Unisys | x | Mainframe | 64 |
| Linux | 2.2.x | Intel | 64 |
| FTX(UNIX) | 3.3 | STRATUS | 64 |
| SCO | R5 | Compaq | 64 |
| Netware | 4.11 | Intel | 128 |
| AIX | 4.3.x | IBM/RS6000 | 60 |
| AIX | 4.2.x | IBM/RS6000 | 60 |
| Cisco | 11.2 | 7507 | 60 |
| Cisco | 12.0 | 2514 | 255 |
| IRIX | 6.x | SGI | 60 |
| FreeBSD | 3.x | Intel | 64 |
| OpenBSD | 2.x | Intel | 64 |
| Solaris | 8 | Intel/Sparc | 64 |
| Solaris | 2.x | Intel/Sparc | 255 |
Well, these are not all of them. There are many more TTL values for many other operating systems, but most systems generally fall within this list.
Now let's try this method in practice and find out the operating system running on the IP 202.178.64.19.
C:\windows>ping 202.178.64.19
Pinging 202.178.64.19 with 32 bytes of data:
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Ping statistics for 202.178.64.19:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
From this output you can figure out several things. First, 4 packets of data, each of 32 bytes, were sent to 202.178.64.19. In response, the target system replied with data packets carrying a TTL value of 128.
Now we can easily say that the system 202.178.64.19 is running Windows.
ERROR CORRECTION IN SOME CASES
There is a possibility of error in the TTL values that you receive. Even though the source system sends a TTL value of 128, you may receive the TTL value as 120. There is nothing to worry about, because this is due to the fact that each router reduces the TTL value by 1.
Don't worry, I'll explain and make things much clearer for you.
It is a fact that routers reduce the TTL value assigned to the data packets by the source OS by 1 at each hop.
In that case you have to find out how many routers there are between your system and the target system, then simply add the number of routers to the received TTL value, and you will get the original TTL value.
To find out how many routers there are between your system and the target system, just perform a normal, simple tracert to that IP.
For more information about tracing an IP, read my article "TRACING IP" in
After tracing the IP using the tracert tool of DOS, suppose you find that there are 10 routers between you and the target system. Then just add 10 to the TTL value that you received and you will get the original TTL value.
And once you have the original TTL value, finding out the operating system running on the remote computer is as simple as changing girlfriends. Just match the TTL value against the chart above and you will have the operating system info.
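The following script is an added example, not code from the original article, that carries out the whole procedure described above: it pulls the TTL values out of captured ping output, recovers the original TTL either by adding the router count from a tracert (as the article describes) or, when no tracert has been done, by rounding the observed value up to the nearest common starting TTL (32, 64, 128 or 255), and then matches the result against the chart in this article. The rounding step goes a little beyond the article: it also gives the hop count for free, and because the chart has entries at both 60 and 64, the script reports every chart entry between the observed value and the rounded estimate rather than silently guessing one. The TTL table is transcribed from the chart above; the ping output embedded in the script is constructed (the article's example with the TTL reduced to 120 by routers).

```python
import re

# Initial TTL -> operating systems, transcribed from the chart in this article.
# (The chart lists "Windows 9x/NT" at both 32 and 128; both rows are kept as given.)
TTL_TABLE = {
    32: ["Windows 9x/NT"],
    60: ["DigitalUnix 4.0", "AIX 4.3.x", "AIX 4.2.x", "Cisco 11.2", "IRIX 6.x"],
    64: ["Unisys x", "Linux 2.2.x", "FTX(UNIX) 3.3", "SCO R5", "FreeBSD 3.x",
         "OpenBSD 2.x", "Solaris 8"],
    128: ["Windows 9x/NT", "Windows 2000", "Netware 4.11"],
    255: ["Cisco 12.0", "Solaris 2.x"],
}

# Starting TTLs that operating systems commonly use. An observed TTL is assumed
# to have started at the smallest of these that is >= the observed value.
ROUNDING_BUCKETS = (32, 64, 128, 255)

# Matches "TTL=120" in Windows ping output and "ttl=120" in Unix ping output.
TTL_RE = re.compile(r"\bTTL=(\d+)", re.IGNORECASE)


def extract_ttls(ping_output):
    """Pull every TTL=<n> value out of captured ping output."""
    return [int(v) for v in TTL_RE.findall(ping_output)]


def estimate_initial_ttl(observed):
    """Round an observed TTL up to the nearest common starting TTL.

    Each router on the path decrements TTL by one, so a reply arriving with
    TTL=120 most plausibly left the host at 128 and crossed 8 routers.
    """
    for bucket in ROUNDING_BUCKETS:
        if observed <= bucket:
            return bucket
    raise ValueError(f"TTL {observed} exceeds the maximum of 255")


def identify_os(observed, hops=None):
    """Map an observed TTL to candidate operating systems from TTL_TABLE.

    hops: router count from a tracert, if known. When given, the original TTL
    is recovered exactly as observed + hops, as the article describes. When
    None, the original TTL is estimated by rounding up, and every table entry
    between the observed value and that estimate is reported, so a reply at
    TTL=58 lists both the 60-based (AIX, IRIX) and the 64-based (Linux, BSD)
    systems instead of guessing one of them.
    """
    if not 0 < observed <= 255:
        raise ValueError("TTL must be in the range 1..255")
    if hops is not None:
        initial = observed + hops
        candidates = list(TTL_TABLE.get(initial, []))
    else:
        initial = estimate_initial_ttl(observed)
        hops = initial - observed
        candidates = [
            name
            for table_ttl in sorted(TTL_TABLE)
            if observed <= table_ttl <= initial
            for name in TTL_TABLE[table_ttl]
        ]
    return {"initial_ttl": initial, "hops": hops, "candidates": candidates}


def fingerprint_from_output(ping_output, hops=None):
    """Run the whole procedure on raw ping output, using the most frequent TTL seen."""
    ttls = extract_ttls(ping_output)
    if not ttls:
        raise ValueError("no TTL values found in ping output")
    observed = max(set(ttls), key=ttls.count)
    return identify_os(observed, hops)


# Constructed sample: the article's ping output with the TTL reduced to 120 by routers.
SAMPLE_PING_OUTPUT = """\
Pinging 202.178.64.19 with 32 bytes of data:
Reply from 202.178.64.19: bytes=32 time=14ms TTL=120
Reply from 202.178.64.19: bytes=32 time=15ms TTL=120
Reply from 202.178.64.19: bytes=32 time=14ms TTL=120
Reply from 202.178.64.19: bytes=32 time=14ms TTL=120
"""

if __name__ == "__main__":
    print(fingerprint_from_output(SAMPLE_PING_OUTPUT))           # rounding: 128, 8 hops, Windows/Netware
    print(fingerprint_from_output(SAMPLE_PING_OUTPUT, hops=8))   # tracert said 8 routers: same answer
    print(identify_os(58))                                       # ambiguous: 60-based and 64-based systems
```

When a tracert count is supplied and observed + hops lands on a value that is not in the chart (say 118 + 5 = 123), the candidate list comes back empty, which is the right answer: either the hop count is wrong or the host uses a starting TTL the chart does not cover.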