CAPEC-311 - OS Fingerprinting

An adversary engages in fingerprinting activities to determine the type or version of the operating system of the remote target. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol, the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.

Fingerprinting remote operating systems involves taking an "active" or a "passive" approach. Active approaches to fingerprinting involve sending data packets that break the logical or semantic rules of a protocol and observing operating system response to artificial inputs. Passive approaches involve listening to the communication of one or more nodes and identifying the operating system or firmware of the devices involved based on the structure of their messages.






  • Scopes 2
  • "Varies by context"
  • Confidentiality
  • Hide activities
  • Bypass protection mechanism
  • Authorization
  • Access_Control
  • Confidentiality


Probing requires the ability to interactively send and receive data from a target, whereas passive listening requires a sufficient understanding of the protocol to analyze a preexisting channel of communication.