6505894 2001-05-15 22:07 -0700 /147 lines/ Ofir Arkin <ofir@sys-security.com>
Sent by: joel@lysator.liu.se
Imported: 2001-05-16 17:49 by Brevbäraren
External recipient: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
Recipient: Bugtraq (import) <17035>
Subject: Fingerprinting Linux Kernel 2.4.x based machines using ICMP (and IPID)
------------------------------------------------------------
From: "Ofir Arkin" <ofir@sys-security.com>
To: "Bugtraq List" <BUGTRAQ@SECURITYFOCUS.COM>
Message-ID: <IKELJIEDLEAEJHJOBNEKEECKDFAA.ofir@sys-security.com>

I am trying to post this again.

-----Original Message-----
From: Ofir Arkin [mailto:ofir@sys-security.com]
Sent: Wednesday, May 09, 2001 7:12 PM
To: Bugtraq List
Subject: Fingerprinting Linux Kernel 2.4.x based machines using ICMP

While playing with Linux Kernel 2.4.2, I have encountered a rather simple
operating system fingerprinting method using the ICMP protocol, targeting
machines based on Linux Kernel 2.4.

In the following example 192.168.1.1 is a Linux machine running Kernel 2.2.14
and 192.168.1.10 is a Linux machine running Kernel 2.4.2.
We are using the 'ping' utility to generate ICMP Echo requests:

17:23:03.623486 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl 64, id 68)
        4500 0054 0044 0000 4001 f709 c0a8 0101
        c0a8 010a 0800 0600 9808 0000 c734 d93c
        c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
        1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
        2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
        3435 3637

17:23:03.623779 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF) (ttl 255, id 0)
        4500 0054 0000 4000 ff01 f84c c0a8 010a
        c0a8 0101 0000 0e00 9808 0000 c734 d93c
        c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
        1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
        2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
        3435 3637

17:23:04.622911 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl 64, id 69)
        4500 0054 0045 0000 4001 f708 c0a8 0101
        c0a8 010a 0800 ef01 9808 0100 c834 d93c
        da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
        1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
        2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
        3435 3637

17:23:04.623200 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF) (ttl 255, id 0)
        4500 0054 0000 4000 ff01 f84c c0a8 010a
        c0a8 0101 0000 f701 9808 0100 c834 d93c
        da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
        1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
        2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
        3435 3637

The IP ID of the ICMP Echo replies is 0 and does not change (the DF bit is
set as well).

I have tried this with the ICMP Timestamp mechanism as well.
This time I have used the 'sing' utility to generate the requests (this is
why the IP ID in the requests equals 13170):

17:22:10.119231 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request (ttl 255, id 13170)
        4500 0028 3372 0000 ff01 0507 c0a8 0101
        c0a8 010a 0d00 041c 9508 0000 0315 56c6
        0000 0000 0000 0000

17:22:10.119431 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply (DF) (ttl 255, id 0)
        4500 0028 0000 4000 ff01 f878 c0a8 010a
        c0a8 0101 0e00 42b5 9508 0000 0315 56c6
        03b1 5c82 03b1 5c82 0000 0000 0000

17:22:11.112908 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request (ttl 255, id 13170)
        4500 0028 3372 0000 ff01 0507 c0a8 0101
        c0a8 010a 0d00 ff39 9508 0100 0315 5aa8
        0000 0000 0000 0000

17:22:11.113151 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply (DF) (ttl 255, id 0)
        4500 0028 0000 4000 ff01 f878 c0a8 010a
        c0a8 0101 0e00 35fb 9508 0100 0315 5aa8
        03b1 606e 03b1 606e d039 0100 d039

Again the IP ID of the replies is 0 (and the DF bit is set).

Even when sending ICMP Echo requests from the machine running Linux Kernel
2.4.2, the IP ID is fixed and equal to 0. The DF bit is also set:

05/08/01-15:09:59.573546 172.18.2.201 -> 172.18.2.200
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:8741   Seq:0  ECHO
17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:b...........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/08/01-15:09:59.573546 172.18.2.200 -> 172.18.2.201
ICMP TTL:128 TOS:0x0 ID:12812 IpLen:20 DgmLen:84
Type:0  Code:0  ID:8741   Seq:0  ECHO REPLY
17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:b...........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/08/01-15:10:00.573546 172.18.2.201 -> 172.18.2.200
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:8741   Seq:256  ECHO
18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/08/01-15:10:00.573546 172.18.2.200 -> 172.18.2.201
ICMP TTL:128 TOS:0x0 ID:12813 IpLen:20 DgmLen:84
Type:0  Code:0  ID:8741   Seq:256  ECHO REPLY
18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I have downloaded and compiled Kernel 2.4.4 (the latest in the 2.4 series)
and observed the same behavior.

We can use this operating system fingerprinting method with Linux Kernel 2.4
both passively and actively.

Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
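As an added example, not part of Ofir's post, here is a small Python parser that pulls the IPv4 ID, DF flag and TTL out of the tcpdump hex words quoted above and flags the reply signature the post describes; it is the kind of passive check a defender can run over their own capture to inventory which hosts still expose the 2.4 behaviour. The hex constants are copied from the dumps above; the function names are my own.

```python
import struct

# Hex words copied from the tcpdump output in the post (the IP header plus
# the start of the ICMP header is all the parser needs).
ECHO_REQUEST_FROM_22 = ("4500 0054 0044 0000 4001 f709 c0a8 0101 "
                        "c0a8 010a 0800 0600 9808 0000")
ECHO_REPLY_FROM_24 = ("4500 0054 0000 4000 ff01 f84c c0a8 010a "
                      "c0a8 0101 0000 0e00 9808 0000")
TIMESTAMP_REPLY_FROM_24 = ("4500 0028 0000 4000 ff01 f878 c0a8 010a "
                           "c0a8 0101 0e00 42b5 9508 0000")

def parse_ip_icmp(hexwords):
    """Decode the IPv4 header fields the fingerprint rests on, plus ICMP type."""
    raw = bytes.fromhex(hexwords.replace(" ", ""))
    ver_ihl, _tos, _tlen, ip_id, flags_frag, ttl, proto, _ck, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    return {
        "ip_id": ip_id,
        "df": bool(flags_frag & 0x4000),  # Don't Fragment flag
        "ttl": ttl,
        "proto": proto,                   # 1 = ICMP
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "icmp_type": raw[ihl],            # 0 = echo reply, 14 = timestamp reply
    }

def looks_like_linux24_reply(f):
    """The signature the post describes: an ICMP reply with IP ID 0 and DF set."""
    return (f["proto"] == 1 and f["icmp_type"] in (0, 14)
            and f["ip_id"] == 0 and f["df"])

def hosts_with_signature(hexdumps):
    """Passive inventory over a capture: hosts whose every ICMP reply matched.
    One ID-0 packet proves little; the post's point is that it never changes."""
    seen, hits = {}, {}
    for f in map(parse_ip_icmp, hexdumps):
        if f["proto"] != 1 or f["icmp_type"] not in (0, 14):
            continue                      # requests do not carry the signature
        seen[f["src"]] = seen.get(f["src"], 0) + 1
        hits[f["src"]] = hits.get(f["src"], 0) + int(looks_like_linux24_reply(f))
    return sorted(h for h in seen if hits[h] == seen[h])

if __name__ == "__main__":
    for name, dump in [("2.2.14 request", ECHO_REQUEST_FROM_22),
                       ("2.4.2 echo reply", ECHO_REPLY_FROM_24),
                       ("2.4.2 timestamp reply", TIMESTAMP_REPLY_FROM_24)]:
        f = parse_ip_icmp(dump)
        print(f"{name}: id={f['ip_id']} df={f['df']} ttl={f['ttl']} "
              f"match={looks_like_linux24_reply(f)}")
    print(hosts_with_signature([ECHO_REQUEST_FROM_22, ECHO_REPLY_FROM_24,
                                TIMESTAMP_REPLY_FROM_24]))
```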