How does Holm Security detect the operating system of the host scanned?

In every network there will always be information embedded in the packets that are being transferred. When sending requests to a certain port, these packets will receive a response in the form of a digital signature, inside these signatures lays one of the keys to determine what sort of operating system is running. This method of collecting information is called TCP fingerprinting or TCP stack fingerprinting.

Because there are different vulnerabilities for different types of operating systems, this method is also frequently used by an attacker to gather information and determine what sort of approach they will use to exploit your network.

In the beginning when performing a scan, during the discovery phase, Holm Security's scanning engine will send customized packets to different ports and compare the digital signature to our database of known operating systems for a match.

Below is the different protocols Holm Security uses to identify operating systems: 

  • DNS
  • FTP
  • HNAP
  • NMAP
  • NNTP
  • NTP
  • PPTP
  • RTSP
  • SIP
  • SNMP
  • SSH
  • UPNP
  • HTTP
  • MAIL

In addition to this technique, Holm Security also examines the banner of the host and looks for matches in our database to try and refine the details. 

The information exposed in a digital signature may vary for different versions and manufacturers and it can only be fully reliably via authentication scans, therefore, the details of the information might also vary.


Have more questions? Submit a request


Please sign in to leave a comment.