从 http://subinsb.com/default-device-ttl-values/ 里学到的
原来不同的操作系统默认的TTL(Time To Live)值是不同的,因此通过ping命令返回的ttl值加上traceroute获得的跳转节点数就能算出目标节点设置的TTL数,从而推测出目标节点的操作系统类型。
比如,我们要探测 sachachua.com 的操作系统类型,可以这么做:
- 先用
traceroute确定跳转数traceroute sachachua.com结果为:
traceroute to sachachua.com (104.28.7.65), 30 hops max, 60 byte packets 1 _gateway (192.4.4.4) 1.493 ms 1.857 ms 1.785 ms 2 * * * 3 192.168.254.254 (192.168.254.254) 3.066 ms 3.508 ms 4.061 ms 4 61.142.7.17 (61.142.7.17) 21.018 ms 21.446 ms 21.389 ms 5 113.98.5.221 (113.98.5.221) 4.585 ms 113.98.5.217 (113.98.5.217) 6.898 ms 113.98.5.221 (113.98.5.221) 5.993 ms 6 113.98.22.25 (113.98.22.25) 5.033 ms 3.565 ms 113.98.22.33 (113.98.22.33) 10.527 ms 7 * * * 8 113.98.37.37 (113.98.37.37) 27.135 ms 113.98.37.29 (113.98.37.29) 17.216 ms 113.98.37.33 (113.98.37.33) 10.132 ms 9 202.97.66.166 (202.97.66.166) 9.187 ms * 9.839 ms 10 202.97.60.42 (202.97.60.42) 12.112 ms 202.97.91.145 (202.97.91.145) 9.883 ms 9.838 ms 11 202.97.22.122 (202.97.22.122) 159.378 ms 202.97.58.130 (202.97.58.130) 238.142 ms 202.97.27.238 (202.97.27.238) 159.718 ms 12 202.97.50.58 (202.97.50.58) 167.309 ms 177.650 ms 176.709 ms 13 218.30.53.214 (218.30.53.214) 241.310 ms 240.190 ms 239.304 ms 14 104.28.7.65 (104.28.7.65) 199.621 ms 176.317 ms 198.775 ms从中可以看到,从本地到目标主机一共经过了
14-1=13跳 - ping 之
ping -c 4 sachachua.com结果为:
PING sachachua.com (104.28.7.65) 56(84) bytes of data. 64 bytes from 104.28.7.65 (104.28.7.65): icmp_seq=1 ttl=51 time=159 ms 64 bytes from 104.28.7.65 (104.28.7.65): icmp_seq=2 ttl=51 time=159 ms 64 bytes from 104.28.7.65 (104.28.7.65): icmp_seq=3 ttl=51 time=177 ms 64 bytes from 104.28.7.65 (104.28.7.65): icmp_seq=4 ttl=51 time=159 ms --- sachachua.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3002ms rtt min/avg/max/mdev = 159.164/163.926/177.276/7.720 ms最终可以算出,目标主机设置的TTL为
51+13=64 - 查表
下面这张表是不同设备/操作系统默认TTL值的明细表:
Device / OS Version Protocol TTL AIX TCP 60 AIX UDP 30 AIX 3.2, 4.1 ICMP 255 BSDI BSD/OS 3.1 and 4.0 ICMP 255 Compa Tru64 v5.0 ICMP 64 Cisco ICMP 254 DEC Pathworks V5 TCP and UDP 30 Foundry ICMP 64 FreeBSD 2.1R TCP and UDP 64 FreeBSD 3.4, 4.0 ICMP 255 FreeBSD 5 ICMP 64 HP-UX 9.0x TCP and UDP 30 HP-UX 10.01 TCP and UDP 64 HP-UX 10.2 ICMP 255 HP-UX 11 ICMP 255 HP-UX 11 TCP 64 Irix 5.3 TCP and UDP 60 Irix 6.x TCP and UDP 60 Irix 6.5.3, 6.5.8 ICMP 255 juniper ICMP 64 MPE/IX (HP) ICMP 200 Linux 2.0.x kernel ICMP 64 Linux 2.2.14 kernel ICMP 255 Linux 2.4 kernel ICMP 255 Linux Red Hat 9 ICMP and TCP 64 MacOS/MacTCP 2.0.x TCP and UDP 60 MacOS/MacTCP X (10.5.6) ICMP/TCP/UDP 64 NetBSD ICMP 255 Netgear FVG318 ICMP and UDP 64 OpenBSD 2.6 & 2.7 ICMP 255 OpenVMS 07.01.2002 ICMP 255 OS/2 TCP/IP 3.0 64 OSF/1 V3.2A TCP 60 OSF/1 V3.2A UDP 30 Solaris 2.5.1, 2.6, 2.7, 2.8 ICMP 255 Solaris 2.8 TCP 64 Stratus TCP_OS ICMP 255 Stratus TCP_OS (14.2-) TCP and UDP 30 Stratus TCP_OS (14.3+) TCP and UDP 64 Stratus STCP ICMP/TCP/UDP 60 SunOS 4.1.3/4.1.4 TCP and UDP 60 SunOS 5.7 ICMP and TCP 255 Ultrix V4.1/V4.2A TCP 60 Ultrix V4.1/V4.2A UDP 30 Ultrix V4.2 – 4.5 ICMP 255 VMS/Multinet TCP and UDP 64 VMS/TCPware TCP 60 VMS/TCPware UDP 64 VMS/Wollongong 1.1.1.1 TCP 128 VMS/Wollongong 1.1.1.1 UDP 30 VMS/UCX TCP and UDP 128 Windows for Workgroups TCP and UDP 32 Windows 95 TCP and UDP 32 Windows 98 ICMP 32 Windows 98, 98 SE ICMP 128 Windows 98 TCP 128 Windows NT 3.51 TCP and UDP 32 Windows NT 4.0 TCP and UDP 128 Windows NT 4.0 SP5- 32 Windows NT 4.0 SP6+ 128 Windows NT 4 WRKS SP 3, SP 6a ICMP 128 Windows NT 4 Server SP4 ICMP 128 Windows ME ICMP 128 Windows 2000 pro ICMP/TCP/UDP 128 Windows 2000 family ICMP 128 Windows Server 2003 128 Windows XP ICMP/TCP/UDP 128 Windows Vista ICMP/TCP/UDP 128 Windows 7 ICMP/TCP/UDP 128 Windows Server 2008 ICMP/TCP/UDP 128 Windows 10 ICMP/TCP/UDP 128 但其实这张表可以缩减为:
Device / OS TTL *nix (Linux/Unix) 64 Windows 128 Solaris/AIX 254 因此,大概可以推测出
sachachua.com使用的是*nix类操作系统,当然很大可能就是Linux操作系统