How do you find a remote machine's operating system and version?


Answer / p.r.franklin

All the answers are local machine commands, but the question asked for
the remote machine's version and which OS it runs on the local network.

#nmap -A -v station1

Is This Answer Correct ?    26 Yes 1 No

Answer / ayjaz khan

by ssh to that machine

then give command
#uname -r

Is This Answer Correct ?    18 Yes 9 No

Answer / ravi

REMOTE OS DETECTION USING PING METHOD

What is PING and what is its utility ?

Ping is an MS-DOS utility provided for the Windows version of DOS
and for Unix and operating systems having UNIX as the core
kernel. It runs in a DOS box in Windows and directly on the UNIX
platform. In this manual I will give more stress to the
MS-DOS version of ping.


Ping is a utility used for sending and receiving packets of
data to a target system using its IP, and from the
output you can figure out much information about the target
system.
In remote OS detection we are mainly concerned with the TTL
values of the received data packets.

Note: When you send or receive a file over the internet it
is not sent at once. Instead it is broken down at the source
system, and these broken fragments of data, known as data
packets, are sent through the internet and gathered
together by the target system according to an
algorithm constructed by the source system.
For example, if I send a picture of size 400 KB to my
girlfriend (hey girls out there remember I don’t yet have a gf
in reality) then what actually happens is that my system
breaks the data into data packets, say the file of 400 KB
has been broken down into 4 data packets each having a size
of 100 KB and having a name. These data packets are assigned
a code known as the TTL value of the data packets by my
operating system. Then these data packets are gathered and
the original file is formed from these data packets at the
target system.

Example:

C:\windows>ping/?



Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v
TOS]

[-r count] [-s count] [[-j host-list] | [-k host-list]]

[-w timeout] target_name

Options:
-t Ping the specified host until stopped.
To see statistics and continue - type Control-Break;
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
-w timeout Timeout in milliseconds to wait for each reply.


There are various switches available for ping. Above I have
given a list of all the switches available in the DOS
version of ping. Using the -t switch you can continuously
ping a target until it crashes. I am sure you are
probably wondering how it will crash the remote system.
The answer is quite simple. If you ping the remote system
continuously then what happens is that slowly the RAM of the
target system is overloaded with this stack data, which
compels the system to restart or crashes it. You can also
use the -l switch to specify the amount of packet data to be
sent at a time.

But in this article I am not concerned with crashing a
remote system, because it's not as easy as it seems to be.
There are many other tricks for it, and it's not possible to
crash a system of present technology just by a simple
ping. I am concerned with the TTL values of the output that
you will get after pinging a system. You can use the -n switch
with ping to specify the number of echoes (i.e. data packets) to
be sent to the target system. The default number is 4.

Example:

C:\windows> ping -n 10 127.0.0.1

This command will ping 127.0.0.1 with 10 packets of data and
after that will give you an output.

Now I think it's time for a real example which I have
executed on my system.

C:\windows>ping 127.0.0.1

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
(or check
http://members.cox.net/~ndav1/self_published/TTL_values.html)

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

Here I have pinged the IP 127.0.0.1 (offline IP of any
system) with default ping. Here I am getting the TTL value as
128. This is what we need for remote OS detection.

What is TTL value ?


TTL value is nothing but a simple code assigned to the
outgoing data packets by the operating system of a computer.
The TTL value assigned to the outgoing data packets depends
on the operating system and it is the same for a particular
operating system. For example, if you ping a system
running Windows 98 or earlier versions of Windows NT with
service packs (I don’t know exactly about the TTL values of
recent versions of Windows NT but from my research I think
it’s the same as previous versions because the TTL value even
in Windows XP is 128) you will get the TTL value as 128;
thus from this TTL value you can easily say that the target
system is running Microsoft Windows.

TTL values of commonly used Operating Systems

OS           VERSION   PLATFORM      TTL

Windows      9x/NT     Intel         32
Windows      9x/NT     Intel         128
Windows      2000      Intel         128
DigitalUnix  4.0       Alpha         60
Unisys       x         Mainframe     64
Linux        2.2.x     Intel         64
FTX(UNIX)    3.3       STRATUS       64
SCO          R5        Compaq        64
Netware      4.11      Intel         128
AIX          4.3.x     IBM/RS6000    60
AIX          4.2.x     IBM/RS6000    60
Cisco        11.2      7507          60
Cisco        12.0      2514          255
IRIX         6.x       SGI           60
FreeBSD      3.x       Intel         64
OpenBSD      2.x       Intel         64
Solaris      8         Intel/Sparc   64
Solaris      2.x       Intel/Sparc   255

Well, these are not all. There are many more TTL values of
many other operating systems. But generally most systems
lie within this list.

Now let's try this manual practically and find out the
operating system run by the IP 202.178.64.19.

C:\windows>ping 202.178.64.19

Pinging 202.178.64.19 with 32 bytes of data:

Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128

Ping statistics for 202.178.64.19:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Well, from the output you can figure out much information.
First, 4 packets of data each of 32 bytes have been sent to
202.178.64.19. In response the target system has responded
with data packets with a TTL value of 128.
Now we can easily say that the system 202.178.64.19 is
running Windows.

ERROR CORRECTION IN SOME CASES

There is a possibility of error in the TTL values that you
receive. Even though the source system sends a TTL value of
128 you may receive the TTL value as 120. Well, nothing to
worry about, because it's due to the fact that routers reduce the TTL
value by 1.
Don’t worry, I’ll explain and make things much clearer for you.

It’s a fact that sometimes routers may reduce the TTL value
assigned to the data packets by the source OS by 1.
In that case you have to find out how many routers there are
in between your system and the target system and then simply
add the number of routers to the received TTL value and you
will get the original TTL value.

To find out how many routers there are in between your
system and the target system just perform a normal and
simple tracert to that IP.
For more information about tracing an IP read my article
‘TRACING IP” in
After tracing the IP using the tracert tool of DOS, suppose you
find that there are 10 routers between you and the target
system; then simply add 10 to the TTL value that you
have received and you will get the original TTL value.

And once you get the original TTL value then it's as simple
as changing girlfriends to find out the operating system
run by the remote computer. Just match the TTL value
with the above chart and you will find out the operating
system info.

Is This Answer Correct ?    6 Yes 2 No
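
The lookup described in the answer above, as an added example that is not part of the original post: it parses TTL values out of ping replies, applies the tracert hop count, and matches the result against the answer's chart. It goes one step beyond the answer by listing every chart row that fits when the hop count is unknown; the function names, the MAX_HOPS bound and the sample output are assumptions made for illustration.

```python
import re
from collections import Counter

# Chart transcribed from the answer above: initial TTL -> OS entries it lists.
TTL_CHART = {
    32: ["Windows 9x/NT"],
    60: ["DigitalUnix 4.0", "AIX 4.3.x", "AIX 4.2.x", "Cisco 11.2", "IRIX 6.x"],
    64: ["Unisys x", "Linux 2.2.x", "FTX(UNIX) 3.3", "SCO R5",
         "FreeBSD 3.x", "OpenBSD 2.x", "Solaris 8"],
    128: ["Windows 9x/NT", "Windows 2000", "Netware 4.11"],
    255: ["Cisco 12.0", "Solaris 2.x"],
}
MAX_HOPS = 30  # assumption: tracert's default hop limit bounds a plausible path

TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)  # "TTL=128" or "ttl=64"

def observed_ttls(ping_output):
    """Return every TTL value found in the reply lines of ping output."""
    return [int(v) for v in TTL_RE.findall(ping_output)]

def guess_os(ping_output, hops=None):
    """Map the received TTL to {initial_ttl: [chart entries]}.

    hops given  -> initial = received + hops (the answer's tracert method).
    hops absent -> every chart TTL reachable within MAX_HOPS decrements.
    """
    ttls = observed_ttls(ping_output)
    if not ttls:
        return {}  # no replies (timeout, ICMP filtered): nothing to infer
    received = Counter(ttls).most_common(1)[0][0]  # most frequent reply TTL
    if hops is not None:
        start = received + hops
        return {start: TTL_CHART.get(start, [])}
    return {t: names for t, names in TTL_CHART.items()
            if 0 <= t - received <= MAX_HOPS}

# Constructed sample: 192.0.2.10 is a documentation address, not a real host.
SAMPLE = """Pinging 192.0.2.10 with 32 bytes of data:
Reply from 192.0.2.10: bytes=32 time=41ms TTL=118
Reply from 192.0.2.10: bytes=32 time=40ms TTL=118
Request timed out.
Reply from 192.0.2.10: bytes=32 time=42ms TTL=118
"""

if __name__ == "__main__":
    print(guess_os(SAMPLE, hops=10))  # hop count taken from tracert
    print(guess_os(SAMPLE))           # hop count unknown
    print(guess_os("Reply from 192.0.2.10: bytes=32 time=3ms TTL=58"))
```

A received TTL of 58 fits both the 60 and the 64 rows of the chart, so without the hop count the match narrows the candidates but does not pick one.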

Answer / s.v.d.malleswararao

By using ssh we can execute remote commands; here is the command:

ssh remotehostname " uname -r"

It will display the remote host's version.

Is This Answer Correct ?    2 Yes 0 No

Answer / amar

#rsh -l username hostname "uname -r"

Is This Answer Correct ?    3 Yes 2 No

Answer / vinayak

for os
cat /etc/redhat-release
or cat /etc/issue
for kernel version
uname -r
or uname -a

Is This Answer Correct ?    2 Yes 2 No

Answer / eajaz

Nexec remotehostname uname -a

syntax is : nexec(command)
remotehostname is the server located at a remote place
uname -a is the command to retrieve all the information
about the OS

Is This Answer Correct ?    0 Yes 0 No

Answer / anoop

for OS,

cat /etc/issue

and version,

uname -r

Is This Answer Correct ?    7 Yes 8 No

Answer / bablu

for os
#cat /etc/issue


for version
#uname -v

Is This Answer Correct ?    0 Yes 3 No

Answer / people

XProbe

Is This Answer Correct ?    3 Yes 11 No
