Common TTL (Time to Live) Values by OS

The TTL value in a ping command can be used to make an educated guess about the operating system of a remote host. While these values can be modified by network configurations, they serve as useful default indicators.

Operating System	Default TTL Value
Windows (All versions)	128
Linux (Default)	64
macOS / iOS	64
Android	64
Solaris / AIX	255
Cisco Routers	255
FreeBSD / Unix (BSD)	255

Notes:

TTL specifies the maximum number of hops (routers) a packet can pass through before being discarded. This prevents infinite loops.
Default values are set by the OS manufacturer but can be customized by administrators.

Using the `ping` Command to Guess OS

1. Windows OS

Default TTL: 128
Example:

Reply from 192.168.1.10: bytes=32 time<1ms TTL=128

2. Linux / Unix / macOS

Default TTL: 64
Example:

64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=0.045 ms

3. Cisco Routers / Network Infrastructure

Default TTL: 255
Example:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

Important Considerations

While TTL is a great clue, keep the following in mind:

TTL Decrements: Every router a packet passes through subtracts 1 from the TTL. If you ping a Linux server (64) and it passes through 10 routers, you will see TTL=54.
Obfuscation: Some security-conscious admins change default TTLs to hide the OS from potential attackers.
Ambiguity: Since Linux and macOS share the same default (64), you cannot distinguish between them using TTL alone.

Conclusion

TTL is best used as one part of the puzzle, especially when combined with other methods like traceroute or banner grabbing for more accurate identification.

Common TTL (Time to Live) Values by OS

Using the ping Command to Guess OS

1. Windows OS

2. Linux / Unix / macOS

3. Cisco Routers / Network Infrastructure

Important Considerations

Conclusion

Using the `ping` Command to Guess OS