Fingerprinting Linux Kernel 2.4.x based machines using ICMP (and IPID)

From: Ofir Arkin (ofir@sys-security.com)
Date: Wed May 16 2001 - 07:07:15 CEST


    I am trying to post this again.

    -----Original Message-----
    From: Ofir Arkin [mailto:ofir@sys-security.com]
    Sent: Wednesday, May 09, 2001 7:12 PM
    To: Bugtraq List
    Subject: Fingerprinting Linux Kernel 2.4.x based machines using ICMP

    While playing with Linux Kernel 2.4.2, I have encountered a rather simple
    operating system fingerprinting method using the ICMP protocol targeting
    machines based on Linux Kernel 2.4.

    In the next example 192.168.1.1 is a Linux machine running Kernel 2.2.14,
    192.168.1.10 is a Linux machine running Kernel 2.4.2. We are using the
    'ping' utility to generate ICMP Echo requests:

    17:23:03.623486 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl
    64, id 68)
                             4500 0054 0044 0000 4001 f709 c0a8 0101
                             c0a8 010a 0800 0600 9808 0000 c734 d93c
                             c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
                             1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
                             2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
                             3435 3637
    17:23:03.623779 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF)
    (ttl 255, id 0)
                             4500 0054 0000 4000 ff01 f84c c0a8 010a
                             c0a8 0101 0000 0e00 9808 0000 c734 d93c
                             c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
                             1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
                             2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
                             3435 3637
    17:23:04.622911 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl
    64, id 69)
                             4500 0054 0045 0000 4001 f708 c0a8 0101
                             c0a8 010a 0800 ef01 9808 0100 c834 d93c
                             da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
                             1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
                             2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
                             3435 3637
    17:23:04.623200 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF)
    (ttl 255, id 0)
                             4500 0054 0000 4000 ff01 f84c c0a8 010a
                             c0a8 0101 0000 f701 9808 0100 c834 d93c
                             da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
                             1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
                             2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
                             3435 3637

    The IP ID of the ICMP Echo replies is 0 and does not change (the DF bit is
    set as well).

    I have tried this with the ICMP Timestamp mechanism as well. This time I
    used the 'sing' utility to generate the requests (which is why the IP ID in
    the requests equals 13170):

    17:22:10.119231 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request
    (ttl 255, id 13170)
                             4500 0028 3372 0000 ff01 0507 c0a8 0101
                             c0a8 010a 0d00 041c 9508 0000 0315 56c6
                             0000 0000 0000 0000
    17:22:10.119431 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply
    (DF) (ttl 255, id 0)
                             4500 0028 0000 4000 ff01 f878 c0a8 010a
                             c0a8 0101 0e00 42b5 9508 0000 0315 56c6
                             03b1 5c82 03b1 5c82 0000 0000 0000
    17:22:11.112908 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request
    (ttl 255, id 13170)
                             4500 0028 3372 0000 ff01 0507 c0a8 0101
                             c0a8 010a 0d00 ff39 9508 0100 0315 5aa8
                             0000 0000 0000 0000
    17:22:11.113151 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply
    (DF) (ttl 255, id 0)
                             4500 0028 0000 4000 ff01 f878 c0a8 010a
                             c0a8 0101 0e00 35fb 9508 0100 0315 5aa8
                             03b1 606e 03b1 606e d039 0100 d039

    Again the IP ID of the replies is 0 (and the DF bit is set).

    Even when sending ICMP Echo requests from the machine running Linux Kernel
    2.4.2, the IP ID is fixed and equal to 0. The DF bit is also set:

    05/08/01-15:09:59.573546 172.18.2.201 -> 172.18.2.200
    ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
    Type:8 Code:0 ID:8741 Seq:0 ECHO
    17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F ...:b...........
    10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
    20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
    30 31 32 33 34 35 36 37 01234567

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    05/08/01-15:09:59.573546 172.18.2.200 -> 172.18.2.201
    ICMP TTL:128 TOS:0x0 ID:12812 IpLen:20 DgmLen:84
    Type:0 Code:0 ID:8741 Seq:0 ECHO REPLY
    17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F ...:b...........
    10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
    20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
    30 31 32 33 34 35 36 37 01234567

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    05/08/01-15:10:00.573546 172.18.2.201 -> 172.18.2.200
    ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
    Type:8 Code:0 ID:8741 Seq:256 ECHO
    18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F ...:............
    10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
    20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
    30 31 32 33 34 35 36 37 01234567

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    05/08/01-15:10:00.573546 172.18.2.200 -> 172.18.2.201
    ICMP TTL:128 TOS:0x0 ID:12813 IpLen:20 DgmLen:84
    Type:0 Code:0 ID:8741 Seq:256 ECHO REPLY
    18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F ...:............
    10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................
    20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./
    30 31 32 33 34 35 36 37 01234567

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    I have downloaded and compiled Kernel 2.4.4 (the latest in the 2.4 series),
    and observed the same behavior.

    We can use this operating system fingerprinting method with Linux Kernel 2.4
    passively and actively.

    Ofir Arkin [ofir@sys-security.com]
    Founder
    The Sys-Security Group
    http://www.sys-security.com
    PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
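The following is an added example, not part of Ofir Arkin's post and not a tool from the Sys-Security Group. It decodes the IPv4 headers of three packets whose bytes are copied from the tcpdump output quoted above (the 2.2.14 echo request, and the echo reply and timestamp reply sent by the 2.4.2 host), verifies the header checksum, and applies the post's observation as a rule: an ICMP reply carrying IP ID 0 with DF set is flagged as a Linux 2.4 candidate. It also shows the passive form, tracking IP IDs per source across several ICMP packets. The function and class names, the label strings and the minimum-sample threshold are my own choices; the classification is a heuristic and the packet bytes are the only data taken from the post.

```python
"""Apply the IP ID == 0 + DF observation from the post as an ICMP
fingerprinting rule, per packet (active) and per source (passive)."""
import struct
from collections import defaultdict

# Packet bytes copied from the tcpdump -x dumps in the post. The first 20
# bytes are the IP header; the ICMP payload is irrelevant to the rule.
# 2.2.14 host (192.168.1.1) -> 2.4.2 host: echo request, id 68, no DF, ttl 64
REQUEST_FROM_2_2 = bytes.fromhex(
    "4500 0054 0044 0000 4001 f709 c0a8 0101"
    "c0a8 010a 0800 0600 9808 0000 c734 d93c"
    "c582 0900 0809 0a0b 0c0d 0e0f 1011 1213"
    "1415 1617 1819 1a1b 1c1d 1e1f 2021 2223"
    "2425 2627 2829 2a2b 2c2d 2e2f 3031 3233"
    "3435 3637")
# 2.4.2 host (192.168.1.10) -> 2.2.14 host: echo reply, id 0, DF, ttl 255
ECHO_REPLY_FROM_2_4 = bytes.fromhex(
    "4500 0054 0000 4000 ff01 f84c c0a8 010a"
    "c0a8 0101 0000 0e00 9808 0000 c734 d93c"
    "c582 0900 0809 0a0b 0c0d 0e0f 1011 1213"
    "1415 1617 1819 1a1b 1c1d 1e1f 2021 2223"
    "2425 2627 2829 2a2b 2c2d 2e2f 3031 3233"
    "3435 3637")
# 2.4.2 host -> 2.2.14 host: timestamp reply, id 0, DF (trailing bytes are
# Ethernet padding; total length says 40)
TS_REPLY_FROM_2_4 = bytes.fromhex(
    "4500 0028 0000 4000 ff01 f878 c0a8 010a"
    "c0a8 0101 0e00 42b5 9508 0000 0315 56c6"
    "03b1 5c82 03b1 5c82 0000 0000 0000")

IP_DF = 0x4000
IP_MF = 0x2000
ICMP_REPLY_TYPES = {0: "echo reply", 14: "timestamp reply"}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum over 16-bit big-endian words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields the fingerprint depends on."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    (_vihl, _tos, total_len, ident, flags_frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    fields = {
        "total_len": total_len, "ident": ident,
        "df": bool(flags_frag & IP_DF), "mf": bool(flags_frag & IP_MF),
        "frag_off": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # A valid header sums (checksum field included) to 0xFFFF.
        "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "icmp_type": pkt[ihl] if proto == 1 and len(pkt) > ihl else None,
    }
    return fields


def fingerprint_reply(pkt: bytes) -> str:
    """Active check on one ICMP reply (echo or timestamp) from a probed host.
    Labels are this example's own: 'linux-2.4-candidate', 'no-match', 'n/a'."""
    f = parse_ipv4(pkt)
    if f["proto"] != 1 or f["icmp_type"] not in ICMP_REPLY_TYPES \
            or not f["checksum_ok"]:
        return "n/a"
    return "linux-2.4-candidate" if f["ident"] == 0 and f["df"] else "no-match"


class PassiveIpIdTracker:
    """Passive check: record (IP ID, DF) of every ICMP packet per source and
    report sources that only ever used ID 0 with DF set. The post shows the
    2.4 host doing this for its own requests as well as replies, so any ICMP
    packet counts; one packet is weak evidence, hence a minimum sample."""

    def __init__(self, min_samples: int = 2):
        self.min_samples = min_samples
        self.seen = defaultdict(list)  # src -> [(ident, df), ...]

    def observe(self, pkt: bytes) -> None:
        try:
            f = parse_ipv4(pkt)
        except ValueError:
            return
        if f["proto"] == 1 and f["checksum_ok"]:
            self.seen[f["src"]].append((f["ident"], f["df"]))

    def linux_2_4_candidates(self) -> list:
        return sorted(src for src, samples in self.seen.items()
                      if len(samples) >= self.min_samples
                      and all(i == 0 and df for i, df in samples))


if __name__ == "__main__":
    for name, pkt in (("2.2.14 echo request", REQUEST_FROM_2_2),
                      ("2.4.2 echo reply", ECHO_REPLY_FROM_2_4),
                      ("2.4.2 timestamp reply", TS_REPLY_FROM_2_4)):
        f = parse_ipv4(pkt)
        print(name, f["src"], "id", f["ident"], "DF", f["df"], "ttl",
              f["ttl"], "->", fingerprint_reply(pkt))
    tracker = PassiveIpIdTracker()
    for pkt in (REQUEST_FROM_2_2, ECHO_REPLY_FROM_2_4, TS_REPLY_FROM_2_4):
        tracker.observe(pkt)
    print("passive candidates:", tracker.linux_2_4_candidates())
```

In real use the packet bytes would come from a pcap reader or a raw socket rather than inline constants; the rule itself is unchanged. The checksum verification is there so that a truncated or corrupted capture cannot produce a spurious ID 0 match.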



    This archive was generated by hypermail 2b29 : Wed May 16 2001 - 13:53:44 CEST