Previous Section  < Day Day Up >  Next Section

Step 3: Identify the Hosts Present and Perform Passive Operating System Fingerprinting

Of course, not every host on the WLAN (or improperly connected to its Ethernet LAN) will transmit or can be detected by passive sniffing. For automatic discovery of present machines beyond ping <broadcast IP> you can use Ettercap (which uses ARPs for host discovery) or THCrut (which also supports DHCP and ICMP-based LAN host detection):

arhontus:~# ./thcrut

Setting system wide send buffer limit to 1048576 bytes

Usage: thcrut [ thcrut-options ] [ command ] [ command-options-and-arguments ]


 discover        Host discovery and OS fingerprinting

 icmp            ICMP discovery

 dhcp            DHCP discovery

 arp             ARP discovery


 -i <interface>  Network interface [first found]

 -l <n>          Hosts in parallel

 -s <IP>         Source ip of a network device (eth0, eth0:0, ..)

Use -l 100 on LAN and -l 5000 otherwise.

Try thcrut [ command ] -h for command specific options.


# thcrut arp

# thcrut discover -h

# thcrut discover -O

arhontus:~# ./thcrut icmp -h

usage: icmp [options] [IP range] ...

 -P            ICMP echo request (default)

 -A            ICMP Address mask request (default)

 -R            ICMP MCAST Router solicitation request

 -l <n>        Hosts in parallel (200)

Please note that with the discovery option, the fingerprinting implemented is not passive, so we do not discuss it in this section. Interestingly, THCrut was specifically written to discover hosts on unknown WLANs found while wardriving.

What if some of the IP addresses discovered aren't from many hosts, but from one host running multiple virtual servers with different IP addresses? You can find this out by analyzing the Initial Sequence Numbers (ISNs) of TCP packets, IP IDs, or ARP cache entries. A practical way of doing this is to run ISNprober in a group mode (use the -q flag to get a summary result for your LAN):

arhontus:~# ./isnprober

-- ISNprober / 1.02 / Tom Vandepoel ( --


 Single host mode:

 ./isnprober [options] <ip>|<ip:port>

 Compare mode:

 ./isnprober [options] -c <ip1>|<ip1:port1> <ip2>|<ip2:port2>

 Group mode:

 ./isnprober [options] -g <filename>

-v prints version number and exit

-n <iterations>: number of probe iterations [default = 3]

-i <interface>: network interface

-p <default port>: default port to use if port not specified

   [default = 80]

-q: suppress raw output, only display results

-w: timeout to wait for response packet (s) [default = 1]

--ipid: use IP IDs instead of TCP ISNs

--variate-source-port: use a different source port for each packet


(default is to use the same source port for all probes)

Unless you are scanning OpenBSD machines, IP ID sampling is somewhat more reliable than TCP ISN tests.

As to the operating system (OS) fingerprinting, doesn't matter if it is active or passive, there is a golden rule of fingerprinting that states, "Never trust a single OS fingerprinting technique—compare the output from several methods instead." We just made up this rule, but it nevertheless holds true. The tools that perform passive OS fingerprinting include the following:

  • siphon (the first public domain passive fingerprinting tool)

  • p0f

  • disco

  • ST-divine

  • pdump -a

  • passifist

  • Ettercap

Each tool has peculiarities that we leave for you to investigate. Note that purely passive fingerprinting is possible without being associated to the WLAN, including passive fingerprinting performed on the pcap-format dump files with p0f or passifist. For many, determining the OS of hosts without even connecting to the network and from a significant distance might still sound like science fiction, but it is more like a Wi-Fi reality.

    Previous Section  < Day Day Up >  Next Section