Operating Systems can be detected using Ping Command, Ping is a computer network administration software utility, used to find the Availability of a host on an Internet Protocol (IP) network.
Ping operates by sending Internet Control Message Protocol (ICMP) Echo Request packets to the target host and waiting for an ICMP Echo Reply.
TTL is simply meant, how long a resolver is supposed to cache the DNS query before the query expires and a new one needs to be done.
These TTL values differ between the Operating system. Here you find the TTL value for the Range of servers. Reference subinsb.
Device / OS | Version | Protocol | TTL |
AIX | TCP | 60 | |
AIX | UDP | 30 | |
AIX | 3.2, 4.1 | ICMP | 255 |
BSDI | BSD/OS 3.1 and 4.0 | ICMP | 255 |
Compa | Tru64 v5.0 | ICMP | 64 |
Cisco | ICMP | 254 | |
DEC Pathworks | V5 | TCP and UDP | 30 |
Foundry | ICMP | 64 | |
FreeBSD | 2.1R | TCP and UDP | 64 |
FreeBSD | 3.4, 4.0 | ICMP | 255 |
FreeBSD | 5 | ICMP | 64 |
HP-UX | 9.0x | TCP and UDP | 30 |
HP-UX | 10.01 | TCP and UDP | 64 |
HP-UX | 10.2 | ICMP | 255 |
HP-UX | 11 | ICMP | 255 |
HP-UX | 11 | TCP | 64 |
Irix | 5.3 | TCP and UDP | 60 |
Irix | 6.x | TCP and UDP | 60 |
Irix | 6.5.3, 6.5.8 | ICMP | 255 |
juniper | ICMP | 64 | |
MPE/IX (HP) | ICMP | 200 | |
Linux | 2.0.x kernel | ICMP | 64 |
Linux | 2.2.14 kernel | ICMP | 255 |
Linux | 2.4 kernel | ICMP | 255 |
Linux | Red Hat 9 | ICMP and TCP | 64 |
MacOS/MacTCP | 2.0.x | TCP and UDP | 60 |
MacOS/MacTCP | X (10.5.6) | ICMP/TCP/UDP | 64 |
NetBSD | ICMP | 255 | |
Netgear FVG318 | ICMP and UDP | 64 | |
OpenBSD | 2.6 & 2.7 | ICMP | 255 |
OpenVMS | 07.01.2002 | ICMP | 255 |
OS/2 | TCP/IP 3.0 | 64 | |
OSF/1 | V3.2A | TCP | 60 |
OSF/1 | V3.2A | UDP | 30 |
Solaris | 2.5.1, 2.6, 2.7, 2.8 | ICMP | 255 |
Solaris | 2.8 | TCP | 64 |
Stratus | TCP_OS | ICMP | 255 |
Stratus | TCP_OS (14.2-) | TCP and UDP | 30 |
Stratus | TCP_OS (14.3+) | TCP and UDP | 64 |
Stratus | STCP | ICMP/TCP/UDP | 60 |
SunOS | 4.1.3/4.1.4 | TCP and UDP | 60 |
SunOS | 5.7 | ICMP and TCP | 255 |
Ultrix | V4.1/V4.2A | TCP | 60 |
Ultrix | V4.1/V4.2A | UDP | 30 |
Ultrix | V4.2 – 4.5 | ICMP | 255 |
VMS/Multinet | TCP and UDP | 64 | |
VMS/TCPware | TCP | 60 | |
VMS/TCPware | UDP | 64 | |
VMS/Wollongong | 1.1.1.1 | TCP | 128 |
VMS/Wollongong | 1.1.1.1 | UDP | 30 |
VMS/UCX | TCP and UDP | 128 | |
Windows | for Workgroups | TCP and UDP | 32 |
Windows | 95 | TCP and UDP | 32 |
Windows | 98 | ICMP | 32 |
Windows | 98, 98 SE | ICMP | 128 |
Windows | 98 | TCP | 128 |
Windows | NT 3.51 | TCP and UDP | 32 |
Windows | NT 4.0 | TCP and UDP | 128 |
Windows | NT 4.0 SP5- | 32 | |
Windows | NT 4.0 SP6+ | 128 | |
Windows | NT 4 WRKS SP 3, SP 6a | ICMP | 128 |
Windows | NT 4 Server SP4 | ICMP | 128 |
Windows | ME | ICMP | 128 |
Windows | 2000 pro | ICMP/TCP/UDP | 128 |
Windows | 2000 family | ICMP | 128 |
Windows | Server 2003 | 128 | |
Windows | XP | ICMP/TCP/UDP | 128 |
Windows | Vista | ICMP/TCP/UDP | 128 |
Windows | 7 | ICMP/TCP/UDP | 128 |
Windows | Server 2008 | ICMP/TCP/UDP | 128 |
Windows | 10 | ICMP/TCP/UDP | 128 |
We should run the traceroute command first to determine the hops between the Target and the destination.
tracert gbhackers.com
Total number of hops = 11
Now Ping the Domain ping gbhackers.com
TTL value is TTL=53, By making the Sum of the TTL value and the number of hops we can define the operating system (53 + 11 = 64), and we can conclude that there is a Linux Machine Running.
This is how Operating Systems can be detected using Ping Command.
You can follow us on Linkedin, Twitter, and Facebook for daily Cybersecurity and Hacking New updates.
Microsoft has disclosed a significant security vulnerability (CVE-2025-30400) affecting the Windows Desktop Window Manager (DWM)…
Microsoft has released its May 2025 Patch Tuesday updates, addressing 72 security vulnerabilities across its…
Ivanti, a leading enterprise software provider, has released critical security updates addressing vulnerabilities across several…
A critical stack-based buffer overflow vulnerability (CWE-121) has been discovered in multiple Fortinet products, including…
The 2025 Third-Party Breach Report from Black Kite highlights a staggering 123% surge in ransomware…
Penetration testing is still essential for upholding strong security procedures in a time when cybersecurity…
View Comments
traceroute -16 & ping ttl -54 for me explain the os
Thank you for your comment. Suggested method will work only if default TTL value was not Changed. Also this method fail if Datacenter routing traffic to a different subnet. Nowadays more advanced tools available for OS detection... But almost every tool will fail if Banner grabbing done in server end..
Bro, this is Krishna (OTG Hackers). Please help m eyaar. I am still waiting..
common man TTL please have a basic understanding of networking please!!TTL means "time to live". It is a value on an ICMP packet that prevents that packet from propagating back and forth between hosts ad infinitum. Each router that touches the packet decrements the TTL. If the TTL ever reaches zero, the packet is discarded. It's also a measure of how many hops the packet took. If the TTL value started at, say, 128 and you see a value of 28, then there were 100 hops between the system where the packet originated and the final destination. My guess is that the initial TTL for the ping packets was 255, so the first ping traversal took 200 hops and the second took 9.
kudos!
From TTL of 64, you blindly conclude it’s Linux? This is BS article lol