6505894 2001-05-15 22:07 -0700  /147 lines/ Ofir Arkin <ofir@sys-security.com>
Sent by: joel@lysator.liu.se
Imported: 2001-05-16  17:49  by Brevbäraren
External recipient: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
Recipient: Bugtraq (import) <17035>
Subject: Fingerprinting Linux Kernel 2.4.x based machines using ICMP (and IPID)
------------------------------------------------------------
From: "Ofir Arkin" <ofir@sys-security.com>
To: "Bugtraq List" <BUGTRAQ@SECURITYFOCUS.COM>
Message-ID: <IKELJIEDLEAEJHJOBNEKEECKDFAA.ofir@sys-security.com>

I am trying to post this again.

-----Original Message-----
From: Ofir Arkin [mailto:ofir@sys-security.com]
Sent: Wednesday, May 09, 2001 7:12 PM
To: Bugtraq List
Subject: Fingerprinting Linux Kernel 2.4.x based machines using ICMP


While playing with Linux Kernel 2.4.2, I have encountered a rather
simple operating system fingerprinting method using the ICMP protocol
targeting machines based on Linux Kernel 2.4.

In the next example 192.168.1.1 is a Linux machine running Kernel
2.2.14, 192.168.1.10 is a Linux machine running Kernel 2.4.2. We are
using the 'ping' utility to generate ICMP Echo requests:


17:23:03.623486 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl
64, id 68)
			 4500 0054 0044 0000 4001 f709 c0a8 0101
			 c0a8 010a 0800 0600 9808 0000 c734 d93c
			 c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
			 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
			 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
			 3435 3637
17:23:03.623779 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF)
(ttl 255, id 0)
			 4500 0054 0000 4000 ff01 f84c c0a8 010a
			 c0a8 0101 0000 0e00 9808 0000 c734 d93c
			 c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
			 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
			 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
			 3435 3637
17:23:04.622911 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl
64, id 69)
			 4500 0054 0045 0000 4001 f708 c0a8 0101
			 c0a8 010a 0800 ef01 9808 0100 c834 d93c
			 da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
			 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
			 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
			 3435 3637
17:23:04.623200 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF)
(ttl 255, id 0)
			 4500 0054 0000 4000 ff01 f84c c0a8 010a
			 c0a8 0101 0000 f701 9808 0100 c834 d93c
			 da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
			 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
			 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
			 3435 3637

The IP ID with the ICMP Echo replies is 0 and does not change (the DF
Bit is set as well).


I have tried this with the ICMP Timestamp mechanism as well. This time I
have used the 'sing' utility to generate the requests (this is why
the IP ID in the requests is equal to 13170):

17:22:10.119231 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request
(ttl 255, id 13170)
			 4500 0028 3372 0000 ff01 0507 c0a8 0101
			 c0a8 010a 0d00 041c 9508 0000 0315 56c6
			 0000 0000 0000 0000
17:22:10.119431 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply
(DF) (ttl 255, id 0)
			 4500 0028 0000 4000 ff01 f878 c0a8 010a
			 c0a8 0101 0e00 42b5 9508 0000 0315 56c6
			 03b1 5c82 03b1 5c82 0000 0000 0000
17:22:11.112908 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request
(ttl 255, id 13170)
			 4500 0028 3372 0000 ff01 0507 c0a8 0101
			 c0a8 010a 0d00 ff39 9508 0100 0315 5aa8
			 0000 0000 0000 0000
17:22:11.113151 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply
(DF) (ttl 255, id 0)
			 4500 0028 0000 4000 ff01 f878 c0a8 010a
			 c0a8 0101 0e00 35fb 9508 0100 0315 5aa8
			 03b1 606e 03b1 606e d039 0100 d039


Again the IP ID with the replies is 0 (and the DF Bit is set).


Even when sending ICMP Echo requests from the machine running Linux
Kernel 2.4.2 the IP ID is fixed and equal to 0. The DF Bit is also
set:

05/08/01-15:09:59.573546 172.18.2.201 -> 172.18.2.200
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:8741   Seq:0  ECHO
17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:b...........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/08/01-15:09:59.573546 172.18.2.200 -> 172.18.2.201
ICMP TTL:128 TOS:0x0 ID:12812 IpLen:20 DgmLen:84
Type:0  Code:0  ID:8741  Seq:0  ECHO REPLY
17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:b...........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/08/01-15:10:00.573546 172.18.2.201 -> 172.18.2.200
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:8741   Seq:256  ECHO
18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/08/01-15:10:00.573546 172.18.2.200 -> 172.18.2.201
ICMP TTL:128 TOS:0x0 ID:12813 IpLen:20 DgmLen:84
Type:0  Code:0  ID:8741  Seq:256  ECHO REPLY
18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


I have downloaded and compiled Kernel 2.4.4 (the latest in the 2.4
series), and observed the same behavior.

We can use this operating system fingerprinting method with Linux
Kernel 2.4 passively and actively.



Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
(6505894) /Ofir Arkin <ofir@sys-security.com>/(Rewrapped)
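As an added example (not part of Ofir Arkin's post), a small Python parser that reads the tcpdump hex from the post above, validates the IP header checksum and reports whether a packet matches the signature the post describes: IP ID 0 with DF set on a stack-generated ICMP reply (echo reply or timestamp reply). The 2.2 host's echo request is included to show that it does not match, so the same check can be run over your own captures.

```python
import socket
import struct

# First 32 bytes of three packets, copied from the tcpdump hex in the post.
ECHO_REQUEST_FROM_22 = """4500 0054 0044 0000 4001 f709 c0a8 0101
c0a8 010a 0800 0600 9808 0000 c734 d93c"""
ECHO_REPLY_FROM_24 = """4500 0054 0000 4000 ff01 f84c c0a8 010a
c0a8 0101 0000 0e00 9808 0000 c734 d93c"""
TIMESTAMP_REPLY_FROM_24 = """4500 0028 0000 4000 ff01 f878 c0a8 010a
c0a8 0101 0e00 42b5 9508 0000 0315 56c6"""

# ICMP message types that the receiving stack generates itself.
STACK_GENERATED_REPLIES = {0: "echo reply", 14: "timestamp reply"}


def parse_hexdump(dump):
    """Turn tcpdump's '4500 0054 ...' text into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def ip_checksum(header):
    """RFC 1071 ones'-complement sum; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def analyse(dump):
    """Decode the IPv4 header and flag the Linux 2.4 ICMP reply signature."""
    pkt = parse_hexdump(dump)
    (ver_ihl, _tos, _length, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    icmp_type = pkt[ihl] if proto == 1 and len(pkt) > ihl else None
    info = {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ip_id": ident,
        "df": bool(flags_frag & 0x4000),   # bit 14 of flags/fragment field
        "ttl": ttl,
        "icmp_type": icmp_type,
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
    }
    # The post's observation: replies carry IP ID 0 and DF on kernel 2.4.
    info["linux24_signature"] = (icmp_type in STACK_GENERATED_REPLIES
                                 and ident == 0 and info["df"])
    return info


if __name__ == "__main__":
    for name, dump in [("2.2 echo request", ECHO_REQUEST_FROM_22),
                       ("2.4 echo reply", ECHO_REPLY_FROM_24),
                       ("2.4 timestamp reply", TIMESTAMP_REPLY_FROM_24)]:
        print(name, analyse(dump))
```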