Saturday, 2 February 2013

Linux Computers


Linux Computers
Linux distributions frequently listen on a handful of ports directly
above 1024, and on the linuxconf TCP/98 port.
Sun Computers
Sun computers will typically be listening on TCP and UDP port 111 (the
SunRPC ports), although other operating systems also make use of this
protocol.
General UNIX Computers
General UNIX-like operating systems can be distinguished by the syslog
process, UDP/514, although add-on packages for Windows and other
devices and operating systems will also accept syslog communications.
SYN and FIN Scan Variance
We discussed the use of various flags to scan a remote host stealthily,
and Microsoft’s deviation from the RFC standards. By performing both
SYN (half-open) and FIN scans on a remote host and comparing the
results, we can determine whether the host is RFC compliant (i.e. not
Windows) or whether it follows the behavior Microsoft implemented in
their IP stack.
• If the SYN and FIN scans both show ports, and the ports match (or
are at least very similar), then the system is RFC compliant,
therefore it is not Microsoft.
• If the SYN scan shows ports, but the FIN scan does not, then the
stack is behaving outside of the RFC and is therefore probably
Microsoft.
• If neither SYN nor FIN scans reveal any ports, then the results are
inconclusive.
Distorted Results
It should be noted at this point that if an upstream device (e.g. a
Firewall) is based on a Windows platform, the intermediate stack may
distort the results for FIN, XMAS or NULL scans downstream,
depending on the software handling the packet analysis and
forwarding.
Furthermore, many security software products (e.g. Firewalls such as
Axent Raptor) modify or replace the standard Windows IP stack -
rendering some OS identification techniques unreliable.
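
The comparison described under SYN and FIN Scan Variance, with the Distorted Results caveat carried as a reliability flag, as an added example that is not part of the original post. It only interprets port lists that were already collected; the function names, the `path_may_distort` parameter and the 0.8 similarity threshold are assumptions.

```python
from typing import Iterable, List, Set, Tuple

# Assumption: the page says "match (or are at least very similar)" without a
# number; a Jaccard similarity of 0.8 is used here as a stand-in.
SIMILARITY_THRESHOLD = 0.8

# Listener hints named on the page. Each is weak evidence, since other
# operating systems and add-on packages use the same ports.
PORT_HINTS = {
    ("tcp", 98): "linuxconf: suggests Linux",
    ("tcp", 111): "SunRPC: suggests Sun, but other OSes use it too",
    ("udp", 111): "SunRPC: suggests Sun, but other OSes use it too",
    ("udp", 514): "syslog: suggests UNIX-like, or a syslog add-on",
}

def similarity(a: Set[int], b: Set[int]) -> float:
    """Jaccard similarity of two port sets (1.0 means identical)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def classify_stack(syn_ports: Iterable[int], fin_ports: Iterable[int],
                   path_may_distort: bool = False) -> Tuple[str, bool]:
    """Return (verdict, reliable) from ports reported by a SYN and a FIN scan.

    path_may_distort: set when an upstream device or a replaced IP stack
    (the "Distorted Results" caveat) could have altered the FIN responses.
    """
    syn, fin = set(syn_ports), set(fin_ports)
    if syn and not fin:
        verdict = "probably Microsoft"
    elif syn and fin and similarity(syn, fin) >= SIMILARITY_THRESHOLD:
        verdict = "RFC compliant, not Microsoft"
    else:
        # Neither scan showed ports, or a case the page does not cover
        # (FIN-only results, or two lists that differ widely).
        verdict = "inconclusive"
    return verdict, not path_may_distort and verdict != "inconclusive"

def listener_hints(listeners: Iterable[Tuple[str, int]]) -> List[str]:
    """Map (protocol, port) listeners to the hints listed on the page."""
    return sorted({PORT_HINTS[l] for l in listeners if l in PORT_HINTS})

# Constructed sample results, not taken from a real host.
if __name__ == "__main__":
    print(classify_stack({22, 98, 111}, {22, 98, 111}))
    print(classify_stack({135, 139, 445}, set()))
    print(classify_stack({80, 443}, {80, 443}, path_may_distort=True))
    print(listener_hints([("tcp", 98), ("udp", 514), ("tcp", 22)]))
```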
