Introduction:
-------------

Sprint is a simple TCP fingerprinting tool that can be used to remotely identify what operating system a host is running. Besides this, sprint can also calculate uptimes and contains advanced banner grepping functionality. In fact, if you run sprint with the -n switch it will simulate netcraft.

I bothered to write sprint because I wanted a low profile fingerprint tool that can interact with the hosts that are enumerated.

The operating system guessing is done by using the window size, don't fragment bit and TTL values found in the SYN/ACK packet of the target host. How this works is described here:

http://project.honeynet.org/papers/finger/

The uptime guessing is done by using the timestamp value of the TCP header options. Because not all operating systems have TCP options enabled, uptime guessing is not always available.

Syphon and p0f provide almost the same functionality as this tool, though sprint has extra/different functionality such as active fingerprinting, load balancer detection (-a) and banner grabbing. If you want really accurate fingerprinting and don't care about being detected, then forget about sprint and download nmap.

Note that Sprint isn't stable yet, so please submit errors and patches to me.

How it works:
-------------

In active mode:
Sprint makes a normal connection to the host and optionally sends or receives data. During the connection sprint will analyze the SYN/ACK packet that was sent by the target.

In passive mode:
Sprint listens on the line and analyzes all SYN/ACK packets.

Download:
----------

The Sprint package can be downloaded here (latest is 0.4.1):

http://www.safemode.org/sprint/packages/

Example usage modes:
--------------------

bash-2.05b# ./sprint -t www.example.com
* --- -- -- Sprint 0.4
Remote system guess : Linux 2.4.? (192.0.34.166)

bash-2.05b# ./sprint -vt www.example.com
* --- -- -- Sprint 0.4
Remote system guess : Linux 2.4.? (192.0.34.166:80)
Remote uptime guess : 6 days, 23 hours, 26 minutes, 41 seconds.

bash-2.05b# ./sprint -nvt www.example.com
* --- -- -- Sprint 0.4
Remote system guess : Linux 2.4.? (192.0.34.166:80)
Remote uptime guess : 6 days, 23 hours, 27 minutes, 44 seconds.
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)

bash-2.05b# ./sprint -vt www.twente.nl -p 25 -g 220
* --- -- -- Sprint 0.4
Remote system guess : Linux 2.4.? (217.114.97.7:25)
Remote uptime guess : 303 days, 21 hours, 26 minutes, 39 seconds.
220 services5.virtu.nl ESMTP Exim 3.12 #1 Fri, 07
bash-2.05b#

bash-2.05b# ./sprint -vt www.paypal.com -a 6
* --- -- -- Sprint 0.4
Remote system guess : Linux 2.4.? (65.206.229.16:80)
Remote uptime guess : 76 days, 20 hours, 42 minutes, 4 seconds.
Remote system guess : Linux 2.4.? (65.206.229.16:80)
Remote uptime guess : 83 days, 23 hours, 27 minutes, 44 seconds.
Remote system guess : Linux 2.4.? (65.206.229.16:80)
Remote uptime guess : 80 days, 7 hours, 14 minutes, 15 seconds.
Remote system guess : Linux 2.4.? (65.206.229.16:80)
Remote uptime guess : 267 days, 2 hours, 46 minutes, 6 seconds.
Remote system guess : Linux 2.4.? (65.206.229.16:80)
Remote uptime guess : 78 days, 12 hours, 21 minutes, 53 seconds.
Remote system guess : Linux 2.4.? (65.206.229.16:80)
Remote uptime guess : 267 days, 0 hours, 54 minutes, 2 seconds.
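
The fields the introduction names (window size, don't fragment bit, TTL and the TCP timestamp option of a SYN/ACK), extracted from a raw packet and turned into an uptime figure. This is an added example, not Sprint's own code; the sample packet is constructed, and the 100 Hz timestamp tick rate, `parse_synack`, `uptime` and `build_sample` are assumptions made for the illustration.

```python
import struct

def parse_synack(pkt: bytes) -> dict:
    """Pull the fingerprint fields out of a raw IPv4 + TCP SYN/ACK."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < ihl + 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    flags_frag, = struct.unpack_from("!H", pkt, 6)
    tcp = pkt[ihl:]
    off_flags, window = struct.unpack_from("!HH", tcp, 12)
    if off_flags & 0x12 != 0x12:
        raise ValueError("not a SYN/ACK")
    opts, i, tsval = tcp[20:(off_flags >> 12) * 4], 0, None
    while i < len(opts) and opts[i] != 0:        # kind 0 = end of option list
        if opts[i] == 1:                         # kind 1 = NOP, single byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            break                                # malformed option: stop parsing
        if opts[i] == 8 and length == 10:        # kind 8 = timestamp option
            tsval, = struct.unpack_from("!I", opts, i + 2)
        i += length
    # Observed TTL was decremented per hop; round up to a common initial value.
    initial_ttl = next(t for t in (32, 64, 128, 255) if pkt[8] <= t)
    return {"ttl": pkt[8], "initial_ttl": initial_ttl,
            "df": bool(flags_frag & 0x4000), "window": window, "tsval": tsval}

def uptime(tsval, hz=100):
    """TSval ticks -> (days, hours, minutes, seconds); hz is an assumed tick rate."""
    if tsval is None:
        return None                              # host sent no timestamp option
    days, rem = divmod(tsval // hz, 86400)
    hours, rem = divmod(rem, 3600)
    return (days, hours, *divmod(rem, 60))

def build_sample(ttl, window, options):
    """Constructed SYN/ACK with DF set, for the demo (checksums left at zero)."""
    pad = options + b"\x00" * (-len(options) % 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(pad), 0, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 34, 166]), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIHHHH", 80, 40000, 1, 2,
                      ((5 + len(pad) // 4) << 12) | 0x12, window, 0, 0)
    return ip + tcp + pad

# Constructed sample: NOP, NOP, timestamp option with TSval = 60280100
SAMPLE = build_sample(52, 5792, b"\x01\x01\x08\x0a" + struct.pack("!II", 60280100, 0))
if __name__ == "__main__":
    print(parse_synack(SAMPLE), uptime(parse_synack(SAMPLE)["tsval"]))
```

When the SYN/ACK carries no timestamp option, `tsval` is `None` and `uptime` returns `None`, which is the case where no uptime guess is available.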