CAPEC-313 - Passive OS Fingerprinting

An attacker engages in activity to detect the version or type of OS software in a an environment by passively monitoring communication between devices, nodes, or applications. Passive techniques for operating system detection send no actual probes to a target, but monitor network or client-server communication between nodes in order to identify operating systems based on observed behavior as compared to a database of known signatures or values. While passive OS fingerprinting is not usually as reliable as active methods it is more stealthy.






  • Scopes 2
  • "Varies by context"
  • Confidentiality
  • Hide activities
  • Bypass protection mechanism
  • Authorization
  • Access_Control
  • Confidentiality

The ability to send and receive packets from a remote target, or the ability to passively monitor network communications.

Installing a listener on the network requires access to at least one host, and the privileges to interface with the network device.