Identifying OpenBSD 2.6-2.9 based machines using ICMP Port Unreachables

From: Ofir Arkin (ofir@sys-security.com)
Date: Wed Jun 27 2001 - 05:24:52 CEST


    When a host generates an ICMP Error message it will echo some parts of the
    offending packet. The ICMP Error message will include the IP Header and at
    least 8 bytes of data from the offending packet.

    There are some fingerprinting methods which rely on the fact that some
    operating systems do not correctly echo the offending packet's data.

    It is known that some operating systems do not correctly echo the IP Total
    Length field value. The problem is that some operating systems echo a value
    which is 20 bytes bigger than the original value carried with the offending
    packet.

    During my research on X (to be published at the Black Hat Briefings 2001
    July 11-12) I have found a new fingerprinting method that involves the same
    field value. With this method the IP Total Length field value being echoed
    (with an ICMP Port Unreachable Error Message) is 20 bytes less than the
    original value. With the next example I have used hping2 to generate a UDP
    datagram with 80 bytes of data querying UDP port 50 on my OpenBSD 2.9 i386
    based machine:

    [root@godfather /root]# hping2 -2 -y -p 50 -d 80 172.18.2.145
    eth0 default routing interface selected (according to /proc)
    HPING 172.18.2.145 (eth0 172.18.2.145): udp mode set, 28 headers + 80 data
    bytes
    ICMP Port Unreachable from 172.18.2.145 (unknown host name)
    ICMP Port Unreachable from 172.18.2.145 (unknown host name)
    ICMP Port Unreachable from 172.18.2.145 (unknown host name)
    ...

    The tcpdump trace:

    09:52:33.989622 eth0 > 172.18.2.201.2999 > 172.18.2.145.re-mail-ck: udp 80
    (DF) (ttl 64, id 5207)
                             4500 006c 1457 4000 4011 c8ab ac12 02c9
                             ac12 0291 0bb7 0032 0058 c808 5858 5858
                             5858 5858 5858 5858 5858 5858 5858 5858
                             5858 5858 5858 5858 5858 5858 5858 5858
                             5858 5858 5858 5858 5858 5858 5858 5858
                             5858 5858 5858 5858 5858 5858 5858 5858
                             5858 5858 5858 5858 5858 5858
    09:52:33.989622 eth0 < 172.18.2.145 > 172.18.2.201: icmp: 172.18.2.145 udp
    port re-mail-ck unreachable Offending pkt: 172.18.2.201.2999 >
    172.18.2.145.re-mail-ck: udp 80 (DF) (ttl 64, id 5207) (ttl 255, id 41822)
                             4500 0038 a35e 0000 ff01 bae7 ac12 0291
                             ac12 02c9 0303 28b3 0000 0000 4500 0058
                             1457 4000 4011 c8bf ac12 02c9 ac12 0291
                             0bb7 0032 0058 c808

    The snort trace:

    06/20-09:53:07.989622 172.18.2.201:3033 -> 172.18.2.145:50
    UDP TTL:64 TOS:0x0 ID:10872 IpLen:20 DgmLen:108 DF
    Len: 88
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
    58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX

    06/20-09:53:07.989622 172.18.2.145 -> 172.18.2.201
    ICMP TTL:255 TOS:0x0 ID:51307 IpLen:20 DgmLen:56
    Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
    ** ORIGINAL DATAGRAM DUMP:
    172.18.2.201:3033 -> 172.18.2.145:50
    UDP TTL:64 TOS:0x0 ID:10872 IpLen:20 DgmLen:88
    Len: 88
    ** END OF DUMP
    00 00 00 00 45 00 00 58 2A 78 40 00 40 11 B2 9E ....E..X*x@.@...
    AC 12 02 C9 AC 12 02 91 0B D9 00 32 00 58 C7 E6 ...........2.X..

    Looking at the traces you can see that the datagram length reported by the
    ICMP Port Unreachable error message is 88 bytes, while the offending packet
    was 108 bytes long.

    The same behavior is produced with OpenBSD 2.6-2.8 as well (checked on the
    i386 platform).

    But OpenBSD 2.6-2.9 is not the only operating system that acts like this.
    Cross referencing this fingerprinting method with nmap's fingerprinting
    database (www.insecure.org) reveals that Apollo Domain/OS SR10.4, NFR IDS
    Appliance, Extreme Networks Black Diamond Switch, Extreme Networks Gigabit
    Switch, Network Systems router NS6614 (NSC 6600 series), and Cabletron
    Systems SSR 8000 System Software version 3.1.B.16 do the same.

    Since all the other operating systems and networking devices listed above
    have other echoing integrity problems with their ICMP Port Unreachable error
    messages, while OpenBSD 2.6-2.9 correctly echoes all the other data fields
    carried with the ICMP Port Unreachable error message, it enables us to
    fingerprint OpenBSD 2.6-2.9 based systems by initiating one crafted query
    and receiving one ICMP Port Unreachable error message.

    Ofir Arkin [ofir@sys-security.com]
    Founder
    The Sys-Security Group
    http://www.sys-security.com
    PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
