# NATDet - signatures
# Copyright (c) M. Ulikowski
#
# Passive TCP SYN fingerprints, one signature per line.
#
# Entry format:
# WWWWW:TTT:D:LL:OSGENRE
# WWWWW   - Window size, strongly OS dependent (0-65535)
# TTT     - Initial Time-To-Live (32, 64, 128 or 255)
# D       - Don't fragment flag (1 - set, 0 - not set)
# LL      - Overall SYN packet size (<=64; 0 - irrelevant)
# OSGENRE - OS label attached to the signature
#
# Numeric fields are zero-padded to a fixed width in every entry below
# (5 digits for the window, 3 for the TTL, 2 for the size).
#
# NOTE(review): several entries carry "M*NNN" in the window field, which the
# format description above does not cover. Presumably the window is matched
# as a multiple of some base value (e.g. the MSS) - confirm against the
# NATDet parser before adding or editing such entries.
#
# NOTE(review): TTT is the *initial* TTL; a captured packet carries a value
# already decremented per hop. How the observed TTL is mapped back to an
# initial value is not visible in this file - confirm in the matcher.
#
# NOTE(review): every matched field is taken from the sender's SYN and can be
# changed by the sender's stack configuration or by devices on the path, so a
# match should be read as a hint about the OS, not as proof of it.
#
# --- Windows ---
08192:128:1:48:Windows7/Vista
08192:128:1:52:Windows7/Vista
M*044:128:1:48:WindowsXP/2k
M*044:128:0:48:WindowsXP/2k
M*044:128:1:64:WindowsXP/2k
M*006:128:1:44:WindowsXP/2k
16384:128:1:48:WindowsXP/2k
16384:128:0:48:WindowsXP/2k
32768:128:1:48:WindowsXP/2k
32768:128:0:48:WindowsXP/2k
64512:128:1:48:WindowsXP/2k
64512:128:0:48:WindowsXP/2k
64512:128:0:44:WindowsXP/2k
65535:128:1:44:WindowsXP/2k
65535:128:1:48:WindowsXP/2k
65535:128:0:48:WindowsXP/2k
65535:128:1:52:WindowsXP/2k
65535:128:0:64:WindowsXP/2k
25200:128:1:48:WindowsXP/2k
16944:128:1:64:WindowsXP/2k
16944:128:1:48:WindowsXP/2k
32767:128:1:48:WindowsXP/2k
62944:128:1:52:WindowsXP/2k
65340:128:1:48:WindowsXP/2k
65280:128:1:48:WindowsXP/2k
64800:128:1:48:WindowsXP/2k
16430:128:1:60:Windows9x
32801:128:0:48:Windows9x
08576:128:0:48:Windows9x
08192:032:1:48:Windows9x
08192:064:1:48:Windows9x
32767:128:1:52:Windows9x
60352:128:1:64:Windows9x
60352:128:1:48:Windows9x
08760:128:1:44:Windows9x
08760:128:1:48:Windows9x
08472:128:1:52:Windows9x
08472:128:1:40:Windows9x
32801:032:1:64:Windows9x
# --- Linux ---
M*003:064:1:60:Linux2.4-2.6
M*003:064:0:60:Linux2.4-2.6
M*004:064:1:60:Linux2.4-2.6
M*004:064:0:60:Linux2.4-2.6
M*004:064:1:52:Linux2.4-2.6
32767:064:1:60:Linux2.4-2.6
05792:064:1:60:Linux2.4-2.6
05792:064:0:60:Linux2.4-2.6
05752:064:1:60:Linux2.4
08100:064:1:60:Linux2.4
05808:064:1:60:Linux2.4
04848:064:1:60:Linux2.4
05760:064:1:60:Linux2.4
04812:064:1:60:Linux2.4
06432:064:1:60:Linux2.4
07504:064:1:60:Linux2.4
08576:064:1:60:Linux2.4
05592:064:1:60:Linux2.4
M*011:064:1:60:Linux2.2
M*020:064:1:60:Linux2.2
M*022:064:1:60:Linux2.2
M*022:064:0:60:Linux2.2
31072:064:1:60:Linux2.2
15536:064:1:60:Linux2.2
15536:064:0:60:Linux2.2
32320:064:1:60:Linux2.2
32476:064:1:60:Linux2.2
32476:064:0:60:Linux2.2
32476:064:1:52:Linux2.2
32200:064:1:60:Linux2.2
32200:064:1:52:Linux2.2
31064:064:1:60:Linux2.2
15532:064:1:60:Linux2.2
15532:064:0:60:Linux2.2
32736:064:0:44:Linux2.0
57407:064:0:44:Linux2.0
16384:064:0:44:Linux2.0
16352:064:0:44:Linux2.0
00512:064:0:44:Linux2.0
# --- MacOS ---
32768:255:1:48:MacOS
65535:064:1:52:MacOS
65535:064:1:40:MacOS
# --- BSD family ---
32768:064:1:60:FreeBSD
65535:064:1:64:FreeBSD
65535:064:1:60:FreeBSD
65535:064:1:44:FreeBSD
65535:064:0:44:FreeBSD
32900:064:1:60:FreeBSD
32899:064:0:60:FreeBSD
57400:064:1:60:FreeBSD
57400:064:1:44:FreeBSD
57344:064:1:60:FreeBSD
57344:064:1:44:FreeBSD
57344:064:0:44:FreeBSD
33600:064:1:60:FreeBSD
65535:064:0:60:FreeBSD
16944:064:1:60:FreeBSD
16944:064:1:44:FreeBSD
01024:064:1:44:FreeBSD
01024:064:1:60:FreeBSD
17520:064:1:44:FreeBSD
17520:064:0:44:FreeBSD
17520:064:0:52:FreeBSD
17376:064:1:44:FreeBSD
16384:064:1:44:FreeBSD
16430:064:1:44:FreeBSD
57344:064:1:64:OpenBSD
16445:064:1:64:OpenBSD
16384:064:1:64:OpenBSD
16384:064:0:64:OpenBSD
16384:064:1:60:OpenBSD
32768:064:0:60:NetBSD
16384:064:0:60:NetBSD
# --- Solaris ---
08760:255:1:44:Solaris
01412:255:1:60:Solaris
00536:255:1:44:Solaris
00265:255:1:60:Solaris
25200:064:1:64:Solaris
25200:064:1:48:Solaris
25000:064:1:64:Solaris
25000:064:1:48:Solaris
24656:064:1:44:Solaris
24794:064:1:64:Solaris
24794:064:1:48:Solaris
24820:064:1:48:Solaris
24616:064:0:60:Solaris
24616:064:0:56:Solaris
24616:064:0:52:Solaris
32850:064:1:64:Solaris
# --- Cisco IOS ---
04128:255:0:44:Cisco/IOS
M*008:255:0:44:Cisco/IOS
M*004:255:0:44:Cisco/IOS
# Nmap scan SYN signatures are labelled "Unknown" rather than given an OS
# name; per the original note, every TCP scan would otherwise cause a false
# warning.
# NOTE(review): how the detector treats the "Unknown" label is not visible in
# this file - presumably such matches are excluded from the NAT decision;
# confirm in the matcher.
# NOTE(review): 01024:064:0:44 and 01024:064:0:60 below differ from the
# FreeBSD entries 01024:064:1:44 and 01024:064:1:60 only in the D flag, so
# that flag alone separates a scan from that FreeBSD signature.
01024:064:0:40:Unknown
01024:064:0:44:Unknown
01024:064:0:60:Unknown
02048:064:0:40:Unknown
02048:064:0:44:Unknown
02048:064:0:60:Unknown
03072:064:0:40:Unknown
03072:064:0:44:Unknown
03072:064:0:60:Unknown
04096:064:0:40:Unknown
04096:064:0:44:Unknown
04096:064:0:60:Unknown
# Hardware routers and other embedded devices
08192:128:0:44:Linksys
05840:255:0:44:D-Link