A Python tool for remote operating system fingerprinting using TCP/IP header analysis.
The script analyzes characteristics of TCP/IP response headers and uses subtle differences in how various operating systems implement their TCP/IP stacks to infer the likely OS of a target.
Operating systems have distinct default values for several fields in their TCP/IP packets.
By sending a TCP SYN packet and examining the response (typically a SYN-ACK), we can extract:
- TTL: the default initial TTL varies by OS:
  - 64 → Linux / FreeBSD
  - 128 → Windows
  - 255 → Cisco / network devices
- TCP Window Size: the size of the receive buffer advertised by the host.
  - Common defaults:
    - 32120, 5840 → Linux/FreeBSD
    - 64240, 65535 → Windows
- DF (Don't Fragment) flag: indicates whether the packet can be fragmented.
  - Most modern OSes set it; older ones (e.g., SCO Unix, OpenBSD) may not.
- ToS (Type of Service): indicates packet priority. Some OSes or network appliances use characteristic values.
 
The script:
- Takes an IP, domain, or URL as input.
- Resolves it to an IP address if necessary.
- Sends a crafted TCP SYN packet (using Scapy) to port 80.
- Analyzes the TTL, TCP Window Size, DF flag, and ToS from the response.
- Matches these against a small signature database to infer the OS.
 
  +-------------------------+
  |   User Input (IP/URL)   |
  +-----------+-------------+
              |
              v
  +-----------+-------------+
  |  Resolve to IP address  |
  +-----------+-------------+
              |
              v
  +-----------+-------------+
  | Send TCP SYN packet (80)|
  +-----------+-------------+
              |
              v
  +-----------+-------------+
  | Capture SYN-ACK response|
  +-----------+-------------+
              |
              v
  +------------------------------+
  | Extract header fields:       |
  |  - TTL                       |
  |  - TCP Window Size           |
  |  - DF (Don't Fragment) flag  |
  |  - ToS (Type of Service)     |
  +------------------------------+
              |
              v
  +-----------+-------------+
  | Match against signature |
  |     database            |
  +-----------+-------------+
              |
              v
  +-------------------------+
  | Output Likely OS & Info |
  +-------------------------+
- Quick OS fingerprinting for network reconnaissance.
 - Educational purposes to demonstrate TCP/IP stack fingerprinting.
 - Security testing in authorized environments only.
 
Requires Python 3 and the following libraries:

```bash
pip install scapy termcolor
```

Run the script with root privileges (required for raw packet sending):

```bash
sudo python detect_os.py <IP/Domain/URL>
```

Example:

```bash
sudo python detect_os.py https://example.com
```

Output:

```
[+] example.com resolved to 93.184.216.34
[+] Probing 93.184.216.34...
[DEBUG] TTL: 64, Window Size: 32120, DF: True, ToS: 0
Likely OS: Linux/FreeBSD
```
- Accuracy depends on:
  - Network path (TTL can be decremented by intermediate hops).
  - Targets behind firewalls or CDNs may reveal the OS of the edge server.
  - Some OSes use dynamic TCP window scaling, making detection harder.
- For advanced fingerprinting, use tools like Nmap, which perform multi-probe analysis.
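
The following is an added example, not the code of `detect_os.py`: it shows the header extraction and signature match offline, and one way to cope with hop-decremented TTLs by rounding the observed value up to the nearest common initial TTL. The function names, the signature table layout and the sample packets (built inline with documentation addresses) are assumptions made for illustration.

```python
import struct

# Signature values come from the lists above; the tuple layout is an assumption.
SIGNATURES = [
    ("Linux/FreeBSD", 64, {32120, 5840}),
    ("Windows", 128, {64240, 65535}),
    ("Cisco / network devices", 255, set()),
]

def parse_ipv4_tcp(packet: bytes) -> dict:
    """Extract TTL, ToS, DF and TCP window size from raw IPv4+TCP header bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        raise ValueError("not a complete IPv4/TCP header")
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    (window,) = struct.unpack("!H", packet[ihl + 14:ihl + 16])
    return {"ttl": packet[8], "tos": packet[1],
            "df": bool(flags_frag & 0x4000), "window": window}

def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    return min(start for start in (64, 128, 255) if observed <= start)

def guess_os(fields: dict) -> tuple:
    """Return (os_name, basis); basis records which fields agreed."""
    base = initial_ttl(fields["ttl"])
    for name, ttl, windows in SIGNATURES:
        if ttl == base:
            basis = "ttl+window" if fields["window"] in windows else "ttl-only"
            return name, basis
    return "Unknown", "none"

def build_sample(ttl: int, window: int, df: bool = True, tos: int = 0) -> bytes:
    """Constructed SYN-ACK headers (checksums zeroed) used as sample input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHLLBBHHH", 80, 40000, 1, 1, 0x50, 0x12, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    for ttl, window in ((57, 5840), (113, 8192)):
        fields = parse_ipv4_tcp(build_sample(ttl, window))
        print(fields, guess_os(fields))
```

A result with basis `ttl-only` means the window size did not match any listed default, so it should be treated as a weaker guess than `ttl+window`.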
 
This tool is for educational and authorized security testing purposes only. Do not use it on systems you do not own or have explicit permission to scan.