使用 ping 命令来探测目标主机的操作系统类型

Question

从 http://subinsb.com/default-device-ttl-values/ 里学到的。

原来不同的操作系统默认的 TTL（Time To Live）值是不同的，因此通过 ping 命令返回的 ttl 值加上 traceroute 获得的跳转节点数就能算出目标节点设置的 TTL 数，从而推测出目标节点的操作系统类型。

比如，我们要探测 sachachua.com 的操作系统类型，可以这么做：

先用 traceroute 确定跳转数

traceroute sachachua.com

结果为:

traceroute to sachachua.com (104.28.7.65), 30 hops max, 60 byte packets
 1  _gateway (192.4.4.4)  1.493 ms  1.857 ms  1.785 ms
 2  * * *
 3  192.168.254.254 (192.168.254.254)  3.066 ms  3.508 ms  4.061 ms
 4  61.142.7.17 (61.142.7.17)  21.018 ms  21.446 ms  21.389 ms
 5  113.98.5.221 (113.98.5.221)  4.585 ms 113.98.5.217 (113.98.5.217)  6.898 ms 113.98.5.221 (113.98.5.221)  5.993 ms
 6  113.98.22.25 (113.98.22.25)  5.033 ms  3.565 ms 113.98.22.33 (113.98.22.33)  10.527 ms
 7  * * *
 8  113.98.37.37 (113.98.37.37)  27.135 ms 113.98.37.29 (113.98.37.29)  17.216 ms 113.98.37.33 (113.98.37.33)  10.132 ms
 9  202.97.66.166 (202.97.66.166)  9.187 ms *  9.839 ms
10  202.97.60.42 (202.97.60.42)  12.112 ms 202.97.91.145 (202.97.91.145)  9.883 ms  9.838 ms
11  202.97.22.122 (202.97.22.122)  159.378 ms 202.97.58.130 (202.97.58.130)  238.142 ms 202.97.27.238 (202.97.27.238)  159.718 ms
12  202.97.50.58 (202.97.50.58)  167.309 ms  177.650 ms  176.709 ms
13  218.30.53.214 (218.30.53.214)  241.310 ms  240.190 ms  239.304 ms
14  104.28.7.65 (104.28.7.65)  199.621 ms  176.317 ms  198.775 ms

从中可以看到，从本地到目标主机一共经过了 14-1=13 跳

ping 之

ping -c 4 sachachua.com

结果为：

PING sachachua.com (104.28.7.65) 56(84) bytes of data.
64 bytes from 104.28.7.65 (104.28.7.65): icmp_seq=1 ttl=51 time=159 ms
64 bytes from 104.28.7.65 (104.28.7.65): icmp_seq=2 ttl=51 time=159 ms
64 bytes from 104.28.7.65 (104.28.7.65): icmp_seq=3 ttl=51 time=177 ms
64 bytes from 104.28.7.65 (104.28.7.65): icmp_seq=4 ttl=51 time=159 ms

--- sachachua.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 159.164/163.926/177.276/7.720 ms

最终可以算出，目标主机设置的 TTL 为 51+13=64

查表

下面这张表是不同设备/操作系统默认 TTL 值的明细表：

Device / OS	Version	Protocol	TTL
AIX		TCP	60
AIX		UDP	30
AIX	3.2, 4.1	ICMP	255
BSDI	BSD/OS 3.1 and 4.0	ICMP	255
Compa	Tru64 v5.0	ICMP	64
Cisco		ICMP	254
DEC Pathworks	V5	TCP and UDP	30
Foundry		ICMP	64
FreeBSD	2.1R	TCP and UDP	64
FreeBSD	3.4, 4.0	ICMP	255
FreeBSD	5	ICMP	64
HP-UX	9.0x	TCP and UDP	30
HP-UX	10.01	TCP and UDP	64
HP-UX	10.2	ICMP	255
HP-UX	11	ICMP	255
HP-UX	11	TCP	64
Irix	5.3	TCP and UDP	60
Irix	6.x	TCP and UDP	60
Irix	6.5.3, 6.5.8	ICMP	255
juniper		ICMP	64
MPE/IX (HP)		ICMP	200
Linux	2.0.x kernel	ICMP	64
Linux	2.2.14 kernel	ICMP	255
Linux	2.4 kernel	ICMP	255
Linux	Red Hat 9	ICMP and TCP	64
MacOS/MacTCP	2.0.x	TCP and UDP	60
MacOS/MacTCP	X (10.5.6)	ICMP/TCP/UDP	64
NetBSD		ICMP	255
Netgear FVG318		ICMP and UDP	64
OpenBSD	2.6 & 2.7	ICMP	255
OpenVMS	07.01.2002	ICMP	255
OS/2	TCP/IP 3.0		64
OSF/1	V3.2A	TCP	60
OSF/1	V3.2A	UDP	30
Solaris	2.5.1, 2.6, 2.7, 2.8	ICMP	255
Solaris	2.8	TCP	64
Stratus	TCP_OS	ICMP	255
Stratus	TCP_OS (14.2-)	TCP and UDP	30
Stratus	TCP_OS (14.3+)	TCP and UDP	64
Stratus	STCP	ICMP/TCP/UDP	60
SunOS	4.1.3/4.1.4	TCP and UDP	60
SunOS	5.7	ICMP and TCP	255
Ultrix	V4.1/V4.2A	TCP	60
Ultrix	V4.1/V4.2A	UDP	30
Ultrix	V4.2 – 4.5	ICMP	255
VMS/Multinet		TCP and UDP	64
VMS/TCPware		TCP	60
VMS/TCPware		UDP	64
VMS/Wollongong	1.1.1.1	TCP	128
VMS/Wollongong	1.1.1.1	UDP	30
VMS/UCX		TCP and UDP	128
Windows	for Workgroups	TCP and UDP	32
Windows	95	TCP and UDP	32
Windows	98	ICMP	32
Windows	98, 98 SE	ICMP	128
Windows	98	TCP	128
Windows	NT 3.51	TCP and UDP	32
Windows	NT 4.0	TCP and UDP	128
Windows	NT 4.0 SP5-		32
Windows	NT 4.0 SP6+		128
Windows	NT 4 WRKS SP 3, SP 6a	ICMP	128
Windows	NT 4 Server SP4	ICMP	128
Windows	ME	ICMP	128
Windows	2000 pro	ICMP/TCP/UDP	128
Windows	2000 family	ICMP	128
Windows	Server 2003		128
Windows	XP	ICMP/TCP/UDP	128
Windows	Vista	ICMP/TCP/UDP	128
Windows	7	ICMP/TCP/UDP	128
Windows	Server 2008	ICMP/TCP/UDP	128
Windows	10	ICMP/TCP/UDP	128

但其实这张表可以缩减为：

Device / OS	TTL
*nix (Linux/Unix)	64
Windows	128
Solaris/AIX	254

因此，大概可以推测出 sachachua.com 使用的是 *nix 类操作系统,当然很大可能就是 Linux 操作系统。