In the Scanning sub-phase post of the Reconnaissance phase blog, we covered that in this phase we gather information about the target. In the scanning process, we identify the active IP addresses on the network and the active ports/services on each system.
The next step is to identify the OS running on each system. This process is known as OS Discovery, also called OS Fingerprinting. There are two types of OS Discovery methods, as follows:
Active OS Discovery is where we send specially crafted packets to the target and assess the response. The TTL (in the IP header) and the Window Size (in the TCP header) of the response are used to infer the OS, since each OS family ships with its own defaults:

| Operating System | TTL | Window Size |
| --- | --- | --- |
| Linux | 64 | 5840 |
| Windows | 128 | 65535 |
| Cisco Router | 255 | 4128 |
Passive OS Discovery is where we send nothing to the target; instead we passively monitor its traffic through sniffing or packet captures and determine the target's OS from the same header fields.
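As an added example (not code from the original post), here is a small Python script that pulls the TTL and TCP Window Size out of a raw IPv4/TCP packet, as a passive sniffer or capture parser would, and looks them up in the table above. The rounding of the observed TTL up to the nearest common initial value (to allow for the decrement at each router hop) and the sample packet bytes are assumptions constructed for this example.

```python
import struct

# Fingerprint table from the post: (initial TTL, default window size) -> OS
OS_SIGNATURES = {
    (64, 5840): "Linux",
    (128, 65535): "Windows",
    (255, 4128): "Cisco Router",
}

INITIAL_TTLS = (64, 128, 255)


def guess_initial_ttl(observed_ttl: int) -> int:
    """Each router hop decrements TTL by one, so the observed value sits at or
    below the sender's initial TTL. Round up to the nearest common default."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError(f"TTL out of range: {observed_ttl}")


def parse_ttl_and_window(packet: bytes) -> tuple[int, int]:
    """Extract TTL from the IPv4 header and Window Size from the TCP header."""
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4          # IP header length in bytes
    ttl = packet[8]                          # TTL is byte 8 of the IPv4 header
    if packet[9] != 6:                       # protocol 6 = TCP
        raise ValueError("not a TCP segment")
    # TCP Window Size is the 16-bit field at offset 14 of the TCP header
    (window,) = struct.unpack("!H", packet[ihl + 14:ihl + 16])
    return ttl, window


def fingerprint(packet: bytes) -> str:
    """Return the OS name from the table, or 'unknown' if nothing matches."""
    ttl, window = parse_ttl_and_window(packet)
    return OS_SIGNATURES.get((guess_initial_ttl(ttl), window), "unknown")


def build_sample(ttl: int, window: int) -> bytes:
    """Constructed IPv4 + TCP SYN/ACK headers (no payload, checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 0x50, 0x12, window, 0, 0)
    return ip + tcp
```

A TTL of 52 with window 5840, as seen from a host 12 hops away, is still reported as Linux because the observed TTL is rounded up to 64 before the lookup.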