I am trying to post this again.
-----Original Message-----
From: Ofir Arkin [mailto:ofir@sys-security.com]
Sent: Wednesday, May 09, 2001 7:12 PM
To: Bugtraq List
Subject: Fingerprinting Linux Kernel 2.4.x based machines using ICMP
While playing with Linux Kernel 2.4.2, I have encounter a rather simple
operating system fingerprinting method using the ICMP protocol targeting
machines based on Linux Kernel 2.4.
In the next example 192.168.1.1 is a Linux machine running Kernel 2.2.14,
192.168.1.10 is a Linux machine running Kernel 2.4.2. We are using the
'ping' utility to generate ICMP Echo requests:
17:23:03.623486 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl
64, id 68)
4500 0054 0044 0000 4001 f709 c0a8 0101
c0a8 010a 0800 0600 9808 0000 c734 d93c
c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
3435 3637
17:23:03.623779 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF)
(ttl 255, id 0)
4500 0054 0000 4000 ff01 f84c c0a8 010a
c0a8 0101 0000 0e00 9808 0000 c734 d93c
c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
3435 3637
17:23:04.622911 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl
64, id 69)
4500 0054 0045 0000 4001 f708 c0a8 0101
c0a8 010a 0800 ef01 9808 0100 c834 d93c
da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
3435 3637
17:23:04.623200 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF)
(ttl 255, id 0)
4500 0054 0000 4000 ff01 f84c c0a8 010a
c0a8 0101 0000 f701 9808 0100 c834 d93c
da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
3435 3637
The IP ID with the ICMP Echo replies is 0 and not changing (the DF Bit is
set as well).
I have tried this with ICMP Timestamp mechanism as well. This time I have
used the 'sing' utility to generate the requests (this is why the IP ID in
the requests equal to 13170):
17:22:10.119231 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request
(ttl 255, id 13170)
4500 0028 3372 0000 ff01 0507 c0a8 0101
c0a8 010a 0d00 041c 9508 0000 0315 56c6
0000 0000 0000 0000
17:22:10.119431 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply
(DF) (ttl 255, id 0)
4500 0028 0000 4000 ff01 f878 c0a8 010a
c0a8 0101 0e00 42b5 9508 0000 0315 56c6
03b1 5c82 03b1 5c82 0000 0000 0000
17:22:11.112908 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request
(ttl 255, id 13170)
4500 0028 3372 0000 ff01 0507 c0a8 0101
c0a8 010a 0d00 ff39 9508 0100 0315 5aa8
0000 0000 0000 0000
17:22:11.113151 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply
(DF) (ttl 255, id 0)
4500 0028 0000 4000 ff01 f878 c0a8 010a
c0a8 0101 0e00 35fb 9508 0100 0315 5aa8
03b1 606e 03b1 606e d039 0100 d039
Again the IP ID with the replies is 0 (and the DF Bit is set).
Even when sending ICMP Echo requests from the machine running Linux Kernel
2.4.2 the IP ID is fixed and equal to 0. The DF Bit is also set:
05/08/01-15:09:59.573546 172.18.2.201 -> 172.18.2.200
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:8741 Seq:0 ECHO
17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F ...:b...........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
30 31 32 33 34 35 36 37 01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/08/01-15:09:59.573546 172.18.2.200 -> 172.18.2.201
ICMP TTL:128 TOS:0x0 ID:12812 IpLen:20 DgmLen:84
Type:0 Code:0 ID:8741 Seq:0 ECHO REPLY
17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F ...:b...........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
30 31 32 33 34 35 36 37 01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/08/01-15:10:00.573546 172.18.2.201 -> 172.18.2.200
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8 Code:0 ID:8741 Seq:256 ECHO
18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F ...:............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
30 31 32 33 34 35 36 37 01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/08/01-15:10:00.573546 172.18.2.200 -> 172.18.2.201
ICMP TTL:128 TOS:0x0 ID:12813 IpLen:20 DgmLen:84
Type:0 Code:0 ID:8741 Seq:256 ECHO REPLY
18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F ...:............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
30 31 32 33 34 35 36 37 01234567
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
I have downloaded and compiled Kernel 2.4.4 (the latest in the 2.4 series),
and observed the same behavior.
We can use this operating system fingerprinting method with LINUX Kernel 2.4
passively and actively.
Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
This archive was generated by hypermail 2b29 : Wed May 16 2001 - 13:53:44 CEST