
Fingerprinting Linux Kernel 2.4.x based machines using ICMP (fwd)



Just a look for anyone who is pretty deep into security or just curious
and learning.  OS fingerprinting is a fun little tool, but can give away
some valuable info about your system.  :)

Tighe


-- 
Tighe Schlottog		Sys Admin at large	  /emry\"@"/accessus.net\
                             ook ook
"Mr. Wizard, I think I'd rather be a coot than a hacker. Yeah, sure, every
now and then a giant pink-haired ape would come running after me and 
chase me into the lake, but really, could it be that much worse? I'd have
a tiny little brain and wouldn't be expected to worry about anything." 
						-jwz from www.jwz.org

---------- Forwarded message ----------
Date: Wed, 9 May 2001 19:13:22 -0700
From: Ofir Arkin <ofir@sys-security.com>
To: nmap-hackers@insecure.org
Subject: Fingerprinting Linux Kernel 2.4.x based machines using ICMP

While playing with Linux Kernel 2.4.2, I have encountered a rather simple
operating system fingerprinting method using the ICMP protocol targeting
machines based on Linux Kernel 2.4.

In the next example 192.168.1.1 is a Linux machine running Kernel 2.2.14,
192.168.1.10 is a Linux machine running Kernel 2.4.2. We are using the
'ping' utility to generate ICMP Echo requests:


17:23:03.623486 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl
64, id 68)
			 4500 0054 0044 0000 4001 f709 c0a8 0101
			 c0a8 010a 0800 0600 9808 0000 c734 d93c
			 c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
			 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
			 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
			 3435 3637
17:23:03.623779 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF)
(ttl 255, id 0)
			 4500 0054 0000 4000 ff01 f84c c0a8 010a
			 c0a8 0101 0000 0e00 9808 0000 c734 d93c
			 c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
			 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
			 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
			 3435 3637
17:23:04.622911 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl
64, id 69)
			 4500 0054 0045 0000 4001 f708 c0a8 0101
			 c0a8 010a 0800 ef01 9808 0100 c834 d93c
			 da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
			 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
			 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
			 3435 3637
17:23:04.623200 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF)
(ttl 255, id 0)
			 4500 0054 0000 4000 ff01 f84c c0a8 010a
			 c0a8 0101 0000 f701 9808 0100 c834 d93c
			 da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
			 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
			 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
			 3435 3637

The IP ID with the ICMP Echo replies is 0 and not changing (the DF Bit is
set as well).


I have tried this with the ICMP Timestamp mechanism as well. This time I have
used the 'sing' utility to generate the requests (this is why the IP ID in
the requests equals 13170):

17:22:10.119231 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request
(ttl 255, id 13170)
			 4500 0028 3372 0000 ff01 0507 c0a8 0101
			 c0a8 010a 0d00 041c 9508 0000 0315 56c6
			 0000 0000 0000 0000
17:22:10.119431 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply
(DF) (ttl 255, id 0)
			 4500 0028 0000 4000 ff01 f878 c0a8 010a
			 c0a8 0101 0e00 42b5 9508 0000 0315 56c6
			 03b1 5c82 03b1 5c82 0000 0000 0000
17:22:11.112908 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request
(ttl 255, id 13170)
			 4500 0028 3372 0000 ff01 0507 c0a8 0101
			 c0a8 010a 0d00 ff39 9508 0100 0315 5aa8
			 0000 0000 0000 0000
17:22:11.113151 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply
(DF) (ttl 255, id 0)
			 4500 0028 0000 4000 ff01 f878 c0a8 010a
			 c0a8 0101 0e00 35fb 9508 0100 0315 5aa8
			 03b1 606e 03b1 606e d039 0100 d039


Again the IP ID with the replies is 0 (and the DF Bit is set).


Even when sending ICMP Echo requests from the machine running Linux Kernel
2.4.2 the IP ID is fixed and equal to 0. The DF Bit is also set:

05/08/01-15:09:59.573546 172.18.2.201 -> 172.18.2.200
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:8741   Seq:0  ECHO
17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:b...........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/08/01-15:09:59.573546 172.18.2.200 -> 172.18.2.201
ICMP TTL:128 TOS:0x0 ID:12812 IpLen:20 DgmLen:84
Type:0  Code:0  ID:8741  Seq:0  ECHO REPLY
17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:b...........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/08/01-15:10:00.573546 172.18.2.201 -> 172.18.2.200
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:8741   Seq:256  ECHO
18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/08/01-15:10:00.573546 172.18.2.200 -> 172.18.2.201
ICMP TTL:128 TOS:0x0 ID:12813 IpLen:20 DgmLen:84
Type:0  Code:0  ID:8741  Seq:256  ECHO REPLY
18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


I have downloaded and compiled Kernel 2.4.4 (the latest in the 2.4 series),
and observed the same behavior.

We can use this operating system fingerprinting method with LINUX Kernel 2.4
passively and actively.


This information was sent to Bugtraq as well.


Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
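The trait Ofir describes (IP ID fixed at 0 and DF set on the 2.4 host's ICMP replies) can be checked directly from the hex dumps in his post. The following is an added example, not code from the post, from nmap or from sing: a small Python parser that turns a tcpdump -x style dump into bytes, decodes the IPv4 header, recomputes the header checksum (so a miscopied dump is caught before any conclusion is drawn), and reports the IP ID, DF bit, TTL and ICMP type. The three sample packets are copied from the captures above (only the first 32 bytes of each are kept); the `reveals_linux24_icmp_signature` heuristic is my own wording of the trait and is meant for auditing what your own hosts reveal, not as a definitive classifier.

```python
# Added example (not from Ofir Arkin's post, nmap or sing): decode the
# tcpdump -x hex dumps quoted above and extract the fields the ICMP
# fingerprint relies on, so a defender can audit what a host's replies reveal.
import socket
import struct

# Copied from the captures in the post: the echo request sent by the
# Kernel 2.2.14 host, and the echo reply and timestamp reply returned by
# the Kernel 2.4.2 host. The IP header plus the ICMP header is all we need.
ECHO_REQUEST_22 = """
4500 0054 0044 0000 4001 f709 c0a8 0101
c0a8 010a 0800 0600 9808 0000 c734 d93c
"""
ECHO_REPLY_24 = """
4500 0054 0000 4000 ff01 f84c c0a8 010a
c0a8 0101 0000 0e00 9808 0000 c734 d93c
"""
TIMESTAMP_REPLY_24 = """
4500 0028 0000 4000 ff01 f878 c0a8 010a
c0a8 0101 0e00 42b5 9508 0000 0315 56c6
"""

IP_DF = 0x4000            # "don't fragment" bit in the IPv4 flags/fragment word
ICMP_ECHO_REPLY = 0
ICMP_TIMESTAMP_REPLY = 14


def hexdump_to_bytes(dump: str) -> bytes:
    """Join the whitespace-separated hex words of a tcpdump -x dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words (checksum field already zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_icmp(raw: bytes) -> dict:
    """Decode the IPv4 header and, for protocol 1, the ICMP type and code."""
    (ver_ihl, _tos, total_len, ip_id, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    header = raw[:ihl]
    # Recompute the checksum with the checksum field cleared; a mismatch
    # means the dump was miscopied and the other fields cannot be trusted.
    computed = ip_checksum(header[:10] + b"\x00\x00" + header[12:])
    pkt = {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "total_len": total_len,
        "ip_id": ip_id,
        "df": bool(flags_frag & IP_DF),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": computed == csum,
        "icmp_type": None,
        "icmp_code": None,
    }
    if proto == 1 and len(raw) >= ihl + 2:
        pkt["icmp_type"], pkt["icmp_code"] = raw[ihl], raw[ihl + 1]
    return pkt


def reveals_linux24_icmp_signature(pkt: dict) -> bool:
    """True when an ICMP reply shows the trait from the post: IP ID 0 with DF set.
    One hit is a hint, not proof; the post's evidence is the ID staying 0 across
    consecutive replies, so check several packets from the same host."""
    return (pkt["proto"] == 1
            and pkt["icmp_type"] in (ICMP_ECHO_REPLY, ICMP_TIMESTAMP_REPLY)
            and pkt["ip_id"] == 0
            and pkt["df"])


def summarize(dump: str) -> dict:
    """Convenience wrapper: hex dump text in, decoded field dictionary out."""
    return parse_ip_icmp(hexdump_to_bytes(dump))


if __name__ == "__main__":
    for name, dump in (("echo request (2.2.14)", ECHO_REQUEST_22),
                       ("echo reply (2.4.2)", ECHO_REPLY_24),
                       ("timestamp reply (2.4.2)", TIMESTAMP_REPLY_24)):
        p = summarize(dump)
        print(f"{name:24s} id={p['ip_id']:<6d} df={p['df']!s:5s} ttl={p['ttl']:3d} "
              f"icmp_type={p['icmp_type']} csum_ok={p['checksum_ok']} "
              f"signature={reveals_linux24_icmp_signature(p)}")
```

Run as a script it prints one summary line per packet; the 2.2.14 request decodes to id 68, no DF, TTL 64, while both 2.4.2 replies decode to id 0, DF set, TTL 255 with valid header checksums, which is exactly the pattern the post calls out. Feeding it dumps of your own hosts' replies is a quick way to see whether they expose the same trait.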

