GFI LanGuard Determining the Operating System Running on a Device

Overview

This article explains how GFI LanGuard determines the operating system running on a device.


Information

GFI LanGuard sends out three main types of packets/queries to help determine the operating system running on a device:
  1. SMB Packets
    • Windows and some versions of Unix respond to these packets.
    • Windows boxes that have File and Print Sharing installed provide more information than other machines, so it is normally possible to get a better idea of what operating system is running on the device.
  2. SNMP
    • In most cases, on devices where SNMP is running, this method is quite a reliable source of what the device is running.
    • There are a few exceptions where the vendor does not have individual IDs for each of its devices; in these cases, the OID of the device still gives you the vendor information. However, in most cases, SNMP can be used to find the type of hardware/operating system that is running on the device.
  3. ICMP
    • This method has two main categories:
      • How the device responds to TTL (Time to Live), Address Mask Request, and Time Stamp Reply. Based on TTL, you can break devices down: 128 is normally Windows, 255 is usually Unix of some flavor. Codes in the reply also help in determining the operating system. However, operating system identification by these methods is not reliable because some of these replies can be changed within the operating system (Time to Live is one example).
      • Banner grabbing when a port is connected to. In some cases, this is very informative about what operating system is running. In other cases, no information at all is provided. The problem with this method is that the banner the operating system sends can, in most cases, be changed so that it either does not give information about the operating system or gives out false information.

Unix Type Operating Systems

  • GFI LanGuard can identify quite a few flavors of *nix, but the problem with almost all Unix-type operating systems is that the IP stacks for most of them are the same: TTL, Address Mask Reply, Info Request Reply, Time Stamp Reply.
  • There are some minor differences, but for the most part, that still only lets you break them down into groups. Even Macintosh falls into the same IP stack issues, so identification of these types of operating systems has to be done via SMB, SNMP, or banner grabbing, and depending on what ports are open and what has been put into the fingerprinting files, operating system identification may or may not be possible.
NOTE: GFI LanGuard uses all of this information to determine what operating system is running on a device. In most cases, the operating system that GFI LanGuard determines is correct, but there is always a possibility of error.
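To make the TTL and SNMP reasoning above concrete, here is an added illustration (not GFI code, and not how LanGuard is implemented) that rounds an observed reply TTL up to a known initial value, pulls the vendor enterprise number out of a sysObjectID, and prefers the SNMP answer over the ICMP hint, as the article describes. The initial TTL of 64 for Linux/macOS and the enterprise-number table are assumptions added here; the sample OIDs are constructed inputs.

```python
from typing import Optional

# Initial TTLs: 128 (Windows) and 255 (Unix) are the values from the article;
# 64 for Linux/macOS is an added assumption.
INITIAL_TTLS = {64: "Linux/macOS", 128: "Windows", 255: "Unix"}

# IANA private enterprise numbers under 1.3.6.1.4.1 (assumed table, small subset).
ENTERPRISE_NUMBERS = {9: "Cisco", 311: "Microsoft", 2021: "UCD-SNMP (Unix agent)",
                      8072: "net-snmp (Unix agent)"}


def guess_from_ttl(observed_ttl: int) -> tuple[Optional[str], Optional[int]]:
    """Return (os_family, hop_count) inferred from a reply's TTL.

    Each router decrements TTL by one, so the reply carries initial TTL minus
    hops; we round up to the nearest known initial value. This is a weak hint:
    the initial TTL is tunable on every OS, and a Windows host more than 64 hops
    away would be misread as Linux.
    """
    if not 1 <= observed_ttl <= 255:
        return None, None
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    return None, None


def vendor_from_sys_object_id(oid: str) -> Optional[str]:
    """Map a sysObjectID to a vendor via its enterprise number.

    Even when a vendor registers no per-model OID, the number right after the
    1.3.6.1.4.1 prefix identifies the vendor, which is all the article promises.
    """
    parts = oid.strip().lstrip(".").split(".")
    if parts[:6] != ["1", "3", "6", "1", "4", "1"] or len(parts) < 7:
        return None
    return ENTERPRISE_NUMBERS.get(int(parts[6])) if parts[6].isdigit() else None


def classify(ttl: Optional[int] = None, sys_object_id: Optional[str] = None) -> dict:
    """Combine the signals, trusting SNMP over the ICMP TTL hint."""
    if sys_object_id:
        vendor = vendor_from_sys_object_id(sys_object_id)
        if vendor:
            return {"os_hint": vendor, "source": "snmp", "confidence": "high"}
    if ttl is not None:
        family, hops = guess_from_ttl(ttl)
        if family:
            return {"os_hint": family, "source": "icmp-ttl", "confidence": "low", "hops": hops}
    return {"os_hint": None, "source": None, "confidence": "none"}


if __name__ == "__main__":
    print(classify(ttl=120))                                   # low-confidence Windows, 8 hops
    print(classify(ttl=120, sys_object_id="1.3.6.1.4.1.311.1.1.3.1.2"))  # SNMP wins
```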

GFI LanGuard Scope of Support

Supported: SNMPv1 and SNMPv2c
Not Supported: SNMPv3 and SNMP over TLS/DTLS

Priyanka Bhotika