> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# OS Fingerprinting

> OS fingerprinting techniques: TTL analysis, Nmap detection, p0f passive fingerprinting, and banner grabbing.

## Active — Nmap

```bash theme={"dark"}
nmap -O TARGET
nmap -O --osscan-guess TARGET
nmap -A TARGET                       # OS + version + scripts
```

***

## TTL Analysis

| OS            | Default TTL |
| ------------- | ----------- |
| Linux         | 64          |
| Windows       | 128         |
| Cisco/Network | 255         |
| Solaris       | 255         |

```bash theme={"dark"}
ping -c 1 TARGET | grep ttl
```

TTL 64 → likely Linux. TTL 128 → likely Windows.

***

## Passive — p0f

```bash theme={"dark"}
p0f -i eth0
p0f -i eth0 -o output.txt
p0f -r capture.pcap
```

Identifies OS from TCP SYN packets without sending traffic.

***

## Banner Grabbing

```bash theme={"dark"}
nc -nv TARGET 22
nmap -sV -p 22 TARGET
curl -I http://TARGET
```

### Telnet

```bash theme={"dark"}
telnet TARGET 80
HEAD / HTTP/1.1
Host: TARGET
```

***

## Nmap Scripts

```bash theme={"dark"}
nmap --script=smb-os-discovery TARGET
nmap -p 445 --script=smb-os-discovery TARGET
```

***

## Quick Reference

| Method      | Command                                 |
| ----------- | --------------------------------------- |
| Active OS   | `nmap -O TARGET`                        |
| TTL check   | `ping -c 1 TARGET`                      |
| Passive     | `p0f -i eth0`                           |
| Banner grab | `nc -nv TARGET PORT`                    |
| SMB OS      | `nmap --script=smb-os-discovery TARGET` |
