原理：

通常对目标主机进行ping操作后，依据其返回的TTL值对系统类型进行判断，windows系统的TTL起始值为128，linux系统的TTL起始值为64，且每经过一跳路由，TTL值减1。

root@kali:~/code/chap4/4.2.6# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=128 time=2.71 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=128 time=2.06 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=128 time=5.94 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2023ms
rtt min/avg/max/mdev = 2.055/3.568/5.940/1.698 ms
root@kali:~/code/chap4/4.2.6# 

本机ping，本机为kali系统。
root@kali:~/code/chap4/4.2.6# ping 192.168.142.131
PING 192.168.142.131 (192.168.142.131) 56(84) bytes of data.
64 bytes from 192.168.142.131: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from 192.168.142.131: icmp_seq=2 ttl=64 time=0.063 ms
64 bytes from 192.168.142.131: icmp_seq=3 ttl=64 time=0.056 ms
64 bytes from 192.168.142.131: icmp_seq=4 ttl=64 time=0.057 ms
64 bytes from 192.168.142.131: icmp_seq=5 ttl=64 time=0.185 ms
64 bytes from 192.168.142.131: icmp_seq=6 ttl=64 time=0.057 ms
^C
--- 192.168.142.131 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5119ms
rtt min/avg/max/mdev = 0.022/0.073/0.185/0.051 ms
root@kali:~/code/chap4/4.2.6#

 

执行代码：
root@kali:~/code/chap4/4.2.6# python3 sys_host.py -i 192.168.1.1
192.168.1.1 is Windwows

 

 sys_host.py

 1 #!/usr/bin/python3.7
 2 #!coding:utf-8
 3 from optparse import OptionParser
 4 import os
 5 import re
 6 
 7 def ttl_scan(ip):
 8     ttlstrmatch = re.compile(r'ttl=\d+')
 9     ttlnummatch = re.compile(r'\d+')
10     result = os.popen("ping -c 1 "+ip)
11     res = result.read()
12     for line in res.splitlines():
13         result = ttlstrmatch.findall(line)
14         if result:
15             ttl = ttlnummatch.findall(result[0])
16             if int(ttl[0]) <= 64:  # 判断目标主机响应包中TTL值是否小于等于64
17                 print("%s  is Linux/Unix"%ip)  # 是的话就为linux/Unix
18             else:
19                 print("%s is Windwows"%ip)  # 反之就是linux
20         else:
21             pass
22 
23 def main():
24     parser = OptionParser("Usage:%prog -i <target host> ")   # 输出帮助信息
25     parser.add_option('-i',type='string',dest='IP',help='specify target host')   # 获取ip地址参数
26     options,args = parser.parse_args()
27     ip = options.IP
28     ttl_scan(ip)
29 
30 if __name__ == "__main__":
31     main()