Question

I am doing research on how someone can detect whether another machine is running Windows or Linux, if it runs inside a virtual machine, if it's behind NAT\proxy\VPN and what not. I saw some interesting tools like p0f, which does passive detection. Basically, I know there are implementation differences in TCP and other underlying protocols, not to mention application level stuff that exists on Windows and not Linux, but I can't find any, and worse still, I really do not know what terms to look for in Google.

Do you have links or tutorials explaining what to detect to differentiate Linux and Windows?


OTHER TIPS

This is not a subject about which I have a great depth of knowledge but try looking for "TCP stack fingerprinting" and also have a look at nmap's source code. I believe nmap is capable of using stack fingerprinting which involves testing for differences in TCP implementation in order to attempt to determine the environment on a host.

I've not used nmap to any great extent so I can't vouch for the quality or accuracy of its implementation, but source code is available.

For the web, the differences between web browsers are fairly extensively documented. One example of a difference between browsers is the way in which an XmlHttpRequest object is created. By trying to instantiate an XmLHttpObject in different ways and testing which ones succeed, you may be able to determine the browser or JavaScript engine running the code.

It's all been done before. How about starting with nmap?

Nmap -O is great for detecting systems operating systems by probing.

p0f is another tool that can be set in listener mode, and detects the operating system on systems that make connections to you.
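As an added example (not from any answer in this thread, and not p0f's or nmap's own code), here is a small Python sketch of the passive SYN analysis the answers describe: take a raw IPv4+TCP SYN, pull out the TTL, window size and TCP option layout, round the observed TTL up to a likely initial TTL (which also gives an estimated hop distance), and look the combination up in a signature table. The three sample packets and the signature table are constructed approximations of commonly published defaults, not p0f's real database, so the labels are hints for a listener, not proof.

```python
"""Passive TCP/IP SYN fingerprinting sketch, in the style of p0f's listener mode.

Added example: not from the original thread, p0f or nmap. The signature
table is a small, illustrative approximation of published OS defaults, not
p0f's real database; treat results as hints and confirm with a real tool.
"""
import struct

INITIAL_TTLS = (32, 64, 128, 255)  # common starting TTLs; observed TTL is decremented per hop

# Letters used to describe TCP option order: M=MSS, W=window scale,
# S=SACK permitted, T=timestamp, N=NOP, E=end-of-options.
OPTION_LETTERS = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}

# Constructed, approximate signatures: (initial TTL, option layout) -> label.
SIGNATURES = {
    (64, "M,S,T,N,W"): "Linux-like",
    (128, "M,N,W,N,N,S"): "Windows-like",
    (64, "M,N,W,N,N,T,S,E,E"): "macOS/BSD-like",
}


def parse_ipv4_tcp(packet):
    """Extract the fields a SYN fingerprint relies on from a raw IPv4+TCP frame."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = packet[ihl:]
    doff = (tcp[12] >> 4) * 4             # TCP header length in bytes
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:doff]
    layout, mss, wscale = [], None, None
    i = 0
    while i < len(opts):
        kind = opts[i]
        layout.append(OPTION_LETTERS.get(kind, str(kind)))
        if kind in (0, 1):                # EOL and NOP are single-byte options
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:
            raise ValueError("malformed TCP option")
        data = opts[i + 2:i + length]
        if kind == 2:
            mss = struct.unpack("!H", data)[0]
        elif kind == 3:
            wscale = data[0]
        i += length
    return {
        "ttl": ttl,
        "syn": bool(flags & 0x02) and not (flags & 0x10),  # SYN set, ACK clear
        "window": window, "mss": mss, "wscale": wscale,
        "layout": ",".join(layout),
    }


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common starting value."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    raise ValueError("TTL out of range")


def fingerprint(packet):
    """Return a best-effort OS guess plus the raw features it was based on."""
    f = parse_ipv4_tcp(packet)
    if not f["syn"]:
        raise ValueError("passive SYN fingerprinting needs a bare SYN")
    init = initial_ttl(f["ttl"])
    return {
        "guess": SIGNATURES.get((init, f["layout"]), "unknown"),
        "initial_ttl": init,
        "hops": init - f["ttl"],          # estimated distance of the sender
        "window": f["window"], "mss": f["mss"], "wscale": f["wscale"],
        "layout": f["layout"],
    }


def build_syn(ttl, window, options):
    """Construct a minimal IPv4+TCP SYN (checksums left zero) for offline testing."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp


# Constructed option blobs mimicking typical SYN layouts (MSS 1460 throughout).
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
WINDOWS_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"
MACOS_OPTS = (b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x06" + b"\x01\x01"
              + b"\x08\x0a" + b"\x00" * 8 + b"\x04\x02" + b"\x00\x00")

SAMPLES = {
    "linux_host_three_hops_away": build_syn(61, 64240, LINUX_OPTS),
    "windows_host_direct": build_syn(128, 64240, WINDOWS_OPTS),
    "macos_host_direct": build_syn(64, 65535, MACOS_OPTS),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, fingerprint(pkt))
```

The same features (initial TTL, window, MSS, window scale, option order) are what the original question is asking about when it mentions "implementation differences in TCP"; real-world traffic is noisier than these samples, since middleboxes rewrite options and hosts can tune their stacks, which is why p0f and nmap keep large signature databases rather than three entries.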

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow