We know some tools and techniques to remote OS detection via TCP/IP Stack FingerPrinting: nmap, Queso, p0f,… These tools use advanced techniques to identify the OS of a remote system and they are really good. But sometimes we can use an easier method to identify the OS (only the OS: Linux, Windows,… not the version: XP, Vista, 2K, Debian, RedHat….) and only in our local network.

A few days ago, I was developing a bash script to create directories with non-alphanumeric characters, to test the behaviour of Panda technologies with these non-usual directory names. Linux allow directory and file names with characters not allowed in Windows. If we try to use some  of these characters (*, ?, “) as a folder or file name in WIndows, we will get an error message:

But Linux allows some of them:

What happen if we have a shared folder in a Linux system (via Samba) and we map this as a network drive in our Windows? With explorer, cmd or cygwin shell it’s not possible to create  a directory or a file with these characters, even using its hex value with the following cygwin shell command:

$ mkdir `printf “x2a”` (0x2a = *)
mkdir: cannot create directory `*’: No such file or directory

 We get an error message. It’s not possible.

Ok, let’s try with other characters. What about x01,x02,x03…? We know Linux allows these, so what will happen if we execute the following command in a Linux-shared folder from my Windows system?:

$ mkdir `printf “x01″`

Let’s try it. From my Windows system:

  • We map two shared folders as network drives , one shared with Windows and the other with Linux (with Samba).
  • Go into these new drives (with cygwin shell) and try the previous mkdir command.

Yes!!!! The folder is created in the Linux drive, but not in the Windows one.
This way, we have “fingerprinted” the remote OS in a very easy way.