The TTL (Time-To-Live) and TCP window size are commonly used values for passive OS fingerprinting, because different operating systems set different default values for these fields in the IP and TCP headers.
From CEH v13 Official Courseware and tools like Nmap and Netcraft:
A TTL of 64 and TCP window size of 5840 is a strong indicator of a Linux-based operating system.
This combination is one of the signature responses that tools such as Nmap and p0f use to fingerprint an OS remotely.
Here’s a general reference table:
| OS      | Default TTL | TCP Window Size |
|---------|-------------|-----------------|
| Windows | 128         | 8192/65535      |
| Linux   | 64          | 5840            |
| Solaris | 255         | 8760            |
| Mac OS  | 64          | 65535           |
Therefore, TTL: 64 + Window Size: 5840 = Linux OS
Incorrect Options:
A. Solaris typically has a TTL of 255 and a different window size.
B. Windows defaults to TTL 128.
C. Mac OS uses TTL 64 but has a window size of 65535.
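An added example (not from the CEH courseware or any of the tools named here): a Python sketch that reads the TTL and window size out of a raw IPv4/TCP header and matches them against the reference table above. It goes beyond the page by rounding the observed TTL up to the nearest default, since each router hop decrements the TTL by one; `build_sample` and its addresses are constructed test data.

```python
import struct

# (initial TTL, TCP window size) -> OS, copied from the reference table above.
SIGNATURES = {
    (128, 8192): "Windows", (128, 65535): "Windows",
    (64, 5840): "Linux",
    (255, 8760): "Solaris",
    (64, 65535): "Mac OS",
}

def initial_ttl(observed):
    """Round an observed TTL up to the nearest default (assumption: each
    router hop decremented it by one, so the sender started at or above it)."""
    return next(d for d in (64, 128, 255) if observed <= d)

def parse_ttl_window(packet):
    """Return (ttl, window) from raw IPv4 bytes that carry a TCP header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length; options move TCP
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        raise ValueError("no complete TCP header")
    (window,) = struct.unpack_from("!H", packet, ihl + 14)
    return packet[8], window              # TTL is byte 8 of the IP header

def guess_os(packet):
    ttl, window = parse_ttl_window(packet)
    return SIGNATURES.get((initial_ttl(ttl), window), "unknown")

def build_sample(ttl, window, ip_options=b"", proto=6):
    """Constructed SYN/ACK for the demo (hypothetical helper, test addresses)."""
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0,
                     ttl, proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 0, 0, 5 << 4, 0x12, window, 0, 0)
    return ip + ip_options + tcp

if __name__ == "__main__":
    for ttl, win in [(64, 5840), (57, 5840), (121, 8192), (64, 1234)]:
        print(ttl, win, "->", guess_os(build_sample(ttl, win)))
```

A window size that matches no row returns "unknown" rather than a guess, which matters because Linux and Mac OS share TTL 64 and are separated only by the window value.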
Reference – CEH v13 Official Courseware:
Module 03: Scanning Networks
Section: “OS Detection Using TTL and TCP Window Size”
Tools: Nmap OS Fingerprinting, Xprobe2
CEH iLab: OS Fingerprinting with TCP/IP Stack Behavior