[20584] in bugtraq


Re: Fun with IP Identification Field Values (Identifying Older MS

daemon@ATHENA.MIT.EDU (Denis Ducamp)
Fri May 11 02:56:50 2001

Message-ID:  <20010508042302.I17884@hsc.fr>
Date:         Tue, 8 May 2001 04:23:02 +0200
Reply-To: Denis Ducamp <Denis.Ducamp@HSC.FR>
From: Denis Ducamp <Denis.Ducamp@HSC.FR>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <IKELJIEDLEAEJHJOBNEKAEMBDEAA.ofir@sys-security.com>; from
              ofir@SYS-SECURITY.COM on Sat, May 05, 2001 at 11:21:55PM -0700

On Sat, May 05, 2001 at 11:21:55PM -0700, Ofir Arkin wrote:
> RFC 791 gives a description about the IP Identification field.
...
> The first ICMP Echo request sent from the Microsoft NT 4 based machine was
> sent with IP ID of 28416. The second ICMP Echo request was sent with IP ID
> value of 28672. Simple calculation will show a gap of 256 between the IP ID
> field values.
>
> Looking at the replies the LINUX based machine produced, we see a gap of 1
> between one IP ID to the next.

It has been known for a long time that Microsoft switched (or forgot to
switch) the bytes in its IPID; look at the -W option in hping2
<http://www.kyuzz.org/antirez/hping.html>

> How Can We Use This?
> We can use this information as another parameter for Active OS
> fingerprinting and for Passive OS fingerprinting.

And a lot of crackers do use it to actively/passively fingerprint
systems.

Another important use is to count the number of packets sent by a remote
system: send a packet per second and you know how many... This permits a
much more important use: scanning remote systems by spoofing its address.
Again, look at the hping documentation and the bugtraq archive to know how.

Now some systems protect against being used to spoof-scan:
 . OpenBSD and IPFilter(*): IPIDs are random
 . Linux 2.4.x: the IPID is zero if the packet is small enough to be carried
   unfragmented, in which case the DF (don't fragment) bit is set
 . others perhaps?

(*) Only the IPIDs generated by IPFilter itself are random, which correspond
    to reset packets and ICMP unreachable messages; other packets are
    generated by the underlying TCP/IP stack.

Regards,

Denis Ducamp.

--
 Denis.Ducamp@hsc.fr --- Hervé Schauer Consultants --- http://www.hsc.fr/
snort, hping & dsniff in French : http://www.groar.org/~ducamp/#sec-trad
 On the proper use of ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html
  Netiquette Guidelines .... http://www.pasteur.fr/infosci/RFC/18xx/1855
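The two uses Denis describes (counting a remote host's packets from its IPID, and spoof-scanning a third host through it, the technique hping documents) as an added, self-contained Python example. This is not code from the original post, from hping, or from any of the systems named; it models attacker, "zombie" and target as in-process objects and sends no packets. The four IPID policies are simplified assumptions: +1 per packet, the Microsoft +1 emitted byte-swapped (so +256 on the wire), per-packet random (the OpenBSD/IPFilter behaviour), and zero on DF packets (the Linux 2.4 behaviour). The function and class names are the example's own.

```python
"""Simulated IPID-based packet counting and spoof scan (idle scan).

Constructed example: no network traffic. The zombie's IPID generator is
the only thing that matters, and it is selectable so that each counter
policy mentioned in the thread can be tried.
"""
import random


def byteswap16(v):
    """Swap the two bytes of a 16-bit value (host order <-> wire order)."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


class Zombie:
    """A host whose IPID policy we choose. Assumed, simplified models:
    'sequential' : +1 per packet
    'windows'    : +1 per packet, emitted byte-swapped (+256 on the wire)
    'random'     : fresh random value per packet (OpenBSD / IPFilter style)
    'zero-df'    : 0 on unfragmented DF packets (Linux 2.4 style)
    """

    def __init__(self, policy, seed=7):
        self.policy = policy
        self.counter = 0x03E8          # arbitrary starting value
        self.rng = random.Random(seed)
        self.sent = 0                  # ground truth: packets emitted

    def emit(self, df=True):
        """Return the IPID field of the next packet this host sends."""
        self.sent += 1
        if self.policy == "random":
            return self.rng.randrange(0, 0x10000)
        if self.policy == "zero-df" and df:
            return 0
        self.counter = (self.counter + 1) & 0xFFFF
        if self.policy == "windows":
            return byteswap16(self.counter)
        return self.counter

    def probe(self):
        """Attacker sends an unsolicited SYN/ACK; the zombie answers RST."""
        return self.emit()

    def on_synack(self):
        """SYN/ACK for a connection the zombie never opened: it sends RST."""
        self.emit()

    def on_rst(self):
        """A stray RST is dropped silently: no packet, no IPID consumed."""


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port, src):
        """Answer the (spoofed) source: SYN/ACK if open, RST if closed."""
        if port in self.open_ports:
            src.on_synack()
        else:
            src.on_rst()


def fingerprint(zombie, probes=5):
    """Classify the IPID policy from a few RSTs elicited by our probes."""
    ids = [zombie.probe() for _ in range(probes)]
    raw = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    swapped = [(byteswap16(b) - byteswap16(a)) & 0xFFFF
               for a, b in zip(ids, ids[1:])]
    if all(i == 0 for i in ids):
        return "zero"
    if all(d == 1 for d in raw):
        return "sequential"
    if all(d == 1 for d in swapped):     # +256 on the wire == +1 swapped
        return "windows"
    return "random"


def ipid_delta(id1, id2, klass):
    """Packets emitted by the zombie between two observed IPIDs."""
    if klass == "windows":
        id1, id2 = byteswap16(id1), byteswap16(id2)
    return (id2 - id1) & 0xFFFF


def packets_sent_between(id1, id2, klass):
    """Packets sent to third parties between our two probes."""
    return ipid_delta(id1, id2, klass) - 1


def idle_scan(zombie, target, port):
    """Scan one target port using the zombie's address as the spoofed source."""
    klass = fingerprint(zombie)
    if klass in ("random", "zero"):
        return "unusable zombie (%s IPID)" % klass
    id1 = zombie.probe()
    target.receive_syn(port, src=zombie)   # spoofed SYN, source = zombie
    id2 = zombie.probe()
    delta = ipid_delta(id1, id2, klass)
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "noisy (%d extra packets)" % (delta - 1)


if __name__ == "__main__":
    target = Target(open_ports=[80])
    for policy in ("sequential", "windows", "random", "zero-df"):
        print(policy, idle_scan(Zombie(policy), target, 80),
              idle_scan(Zombie(policy), target, 22))
```

The byte-swap normalisation is what makes the +256 Microsoft counter usable as a zombie: the wire values are swapped back before the difference is taken, so a carry out of the low byte does not produce a bogus gap. The random and zero-DF policies fall out of `fingerprint()` as unusable, which is exactly the protection the post credits to OpenBSD/IPFilter and Linux 2.4.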
