Reference: Naveed Afzal, “Host fingerprinting and firewalking with hping,” APEC GIKI, 2005.

* TCP

(1) SYN

hping -S -p [port #] -c [# of repetitions] [target]

Open: SA
Closed: RA
Filtered: No response

(2) FIN

hping -F -p [port #] -c [# of repetitions] [target]

Open: RA
Closed: RA
Filtered: No response

* UDP

(1) Zero size packet

hping -2 -p [port #] -c [# of repetitions] [target]

Open/Filtered: No respoonse
Closed: ICMP Unrechable

Disadv.: Zero size packets are usually filtered by outgoing firewalls.

(2) Enter promiscuous mode, then

hping -2 -p [port #] -d [payload size] -E [payload file] [target]

Open: Response
Closed/Filtered: No response
Adv.: Bypass firewalls

* Active OS Fingerprinting

– Features: Timestamp, IPID, ISN, TOS, Framgment Handling, TTL of ICMP echo request.

(1) TTL of ICMP
Get the # of hops, h, from here to the target, then get the TTL value, p, of
ping. Compute h+p. In case of windows, h+p is multiple of 128.

traceroute [target]
ping [target]

(2) Time between SA
Send SYN packet to the target, and ignore SYN ACK sent by the target. Then , target tries to send SYN ACK again and again. The time intervals between consecutive SYN ACK is the fingerprint of target.

hping -S -p [port #] -c 1 [target]

FreeBSD’s interval: 3, 6, 12, and 24.
Windows: 2, 4, 6, 8, and 10.

CAVEAT: Don’t scan any servers. People like me setup well designed firewalls which generally detect all kinds of invalid communications like the ones shown above, not to metion the fact scanning is illegal.