telling Windows from Linux (via network)

Question

I am doing a research on how someone can detect whether another machine is running Windows or Linux, if it runs inside a virutal machine, if it's behind NAT\proxy\VPN and what not. I saw some interesting tools like p0f, which does passive detection. Basically, I know there are implementation differences in TCP and other underlying protocols, not to mention application level stuff that exist on Windows and not Linux, but I can't find any, and worse still, I really do not know what terms to look for in Google.

Do you have links or tutorials explaining what to detect to differentiate Linux and Windows?

Answer 1

It's all been done before. How about starting with nmap?

Answer 2

This is not a subject about which I have a great depth of knowledge but try looking for "TCP stack fingerprinting" and also have a look at nmap's source code. I believe nmap is capable of using stack fingerprinting which involves testing for differences in TCP implementation in order to attempt to determine the environment on a host.

I've not used nmap to any great extent so I can't vouch for the quality or accuracy of it's implementation, but source code is available.

For the web, the differences between web browsers are fairly extensively documented. One example of a difference between browsers is the way in which an XmlHttpRequest object is created. By trying to instantiate an XmLHttpObject in different ways and testing which ones succeed, you may be able to determine the browser or JavaScript engine running the code.

Answer 3

here - http://nmap.org/book/osdetect.html