When a host generates an ICMP Error message it will echo some parts of the
offending packet. The ICMP Error message will include the IP Header and at
least 8 bytes of data from the offending packet.
There are some fingerprinting methods which relay on the fact that some
operating systems do not echo correctly the offending packet's data.
It is known that some operating systems do not echo correctly the IP Total
Length field value. The problem is that some operating systems echo a value
which is 20 bytes bigger than the original value carried with the offending
packet.
During my research on X (to be published at the Black Hat Briefings 2001
July 11-12) I have found a new fingerprinting method that involves the same
field value. With this method the IP Total Length field value being echoed
(with an ICMP Port Unreachable Error Message) is 20 bytes less than the
original value. With the next example I have used hping2 to generate a UDP
datagram with 80 bytes of data querying UDP port 50 on my OpenBSD 2.9 i386
based machine:
[root@godfather /root]# hping2 -2 -y -p 50 -d 80 172.18.2.145
eth0 default routing interface selected (according to /proc)
HPING 172.18.2.145 (eth0 172.18.2.145): udp mode set, 28 headers + 80 data
bytes
ICMP Port Unreachable from 172.18.2.145 (unknown host name)
ICMP Port Unreachable from 172.18.2.145 (unknown host name)
ICMP Port Unreachable from 172.18.2.145 (unknown host name)
...
The tcpdump trace:
09:52:33.989622 eth0 > 172.18.2.201.2999 > 172.18.2.145.re-mail-ck: udp 80
(DF) (ttl 64, id 5207)
4500 006c 1457 4000 4011 c8ab ac12 02c9
ac12 0291 0bb7 0032 0058 c808 5858 5858
5858 5858 5858 5858 5858 5858 5858 5858
5858 5858 5858 5858 5858 5858 5858 5858
5858 5858 5858 5858 5858 5858 5858 5858
5858 5858 5858 5858 5858 5858 5858 5858
5858 5858 5858 5858 5858 5858
09:52:33.989622 eth0 < 172.18.2.145 > 172.18.2.201: icmp: 172.18.2.145 udp
port re-mail-ck unreachable Offending pkt: 172.18.2.201.2999 >
172.18.2.145.re-mail-ck: udp 80 (DF) (ttl 64, id 5207) (ttl 255, id 41822)
4500 0038 a35e 0000 ff01 bae7 ac12 0291
ac12 02c9 0303 28b3 0000 0000 4500 0058
1457 4000 4011 c8bf ac12 02c9 ac12 0291
0bb7 0032 0058 c808
The snort trace:
06/20-09:53:07.989622 172.18.2.201:3033 -> 172.18.2.145:50
UDP TTL:64 TOS:0x0 ID:10872 IpLen:20 DgmLen:108 DF
Len: 88
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
06/20-09:53:07.989622 172.18.2.145 -> 172.18.2.201
ICMP TTL:255 TOS:0x0 ID:51307 IpLen:20 DgmLen:56
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
172.18.2.201:3033 -> 172.18.2.145:50
UDP TTL:64 TOS:0x0 ID:10872 IpLen:20 DgmLen:88
Len: 88
** END OF DUMP
00 00 00 00 45 00 00 58 2A 78 40 00 40 11 B2 9E ....E..X*x@.@...
AC 12 02 C9 AC 12 02 91 0B D9 00 32 00 58 C7 E6 ...........2.X..
Looking at the traces you can see that the datagram length reported by the
ICMP Port Unreachable error message is 88 bytes, while the offending packet
was 108 bytes long.
The same behavior is produced with OpenBSD 2.6-2.8 as well (checked on the
i386 platform).
But OpenBSD 2.6-2.9 is not the only operating system that acts like this.
Cross referencing this fingerprinting method with nmap’s fingerprinting
database (www.insecure.org) reveals that Apollo Domain/OS SR10.4, NFR IDS
Appliance, Extreme Networks Black Diamond Switch, Extreme Networks Gigabit
Switch, Network Systems router NS6614 (NSC 6600 series), and Cabletron
Systems SSR 8000 System Software version 3.1.B.16 does the same.
Since all the other operating systems and networking devices listed above
have other echoing integrity problems with their ICMP Port Unreachable error
messages, while OpenBSD 2.6-2.9 correctly echoes all the other data fields
carried with the ICMP Port Unreachable error message, it enables us to
fingerprint OpenBSD 2.6-2.9 based systems initiating one crafted query
receiving one ICMP Port Unreachable error message.
Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
This archive was generated by hypermail 2b29 : Wed Jun 27 2001 - 23:42:10 CEST