[20586] in bugtraq
Re: Fun with IP Identification Field Values (Identifying Older MS
daemon@ATHENA.MIT.EDU (marvin@NSS.NU)
Fri May 11 03:11:08 2001
Message-ID: <01050809465900.00554@marvin>
Date: Tue, 8 May 2001 09:46:59 +0200
Reply-To: marvin@NSS.NU
From: marvin@NSS.NU
X-To: Ofir Arkin <ofir@SYS-SECURITY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <IKELJIEDLEAEJHJOBNEKAEMBDEAA.ofir@sys-security.com>
On Sun, 06 May 2001, Ofir Arkin wrote:
> The first ICMP Echo request sent from the Microsoft NT 4 based machine was
> sent with IP ID of 28416. The second ICMP Echo request was sent with IP ID
> value of 28672. Simple calculation will show a gap of 256 between the IP ID
> field values.
And some simple thinking will show that this is because they send out a
little-endian value that is incremented.
> Looking at the replies the LINUX based machine produced, we see a gap of 1
> between one IP ID to the next.
And OpenBSD is random.
So is Linux if you use my patch (shameless plug) at http://synscan.nss.nu
(for 2.2.16 but should patch against 2.2.18, probably).
Predictable IP IDs are used in ipidscan (mine) and idlescan (someone else's),
both released in Dec 2000. ipidscan has a flag (-e) for use against Windows.
Check out posts from antirez in Dec 1998 and posts on this topic in Dec 1999.
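The arithmetic behind the thread's observation, as an added example that is not part of the original post or of the ipidscan/idlescan tools: a host that increments a 16-bit counter in little-endian order and copies it into the header without converting to network byte order produces IDs that appear 256 apart on the wire (0x6F00, 0x7000, ...), but only until the low byte of the counter wraps, where the on-wire gap becomes 257. Reading the ID back after a byte swap recovers the true step of 1. The checker below classifies an observed ID sequence from a host you administer as sequential, sequential-but-byte-swapped, constant or unpredictable, which is the property the Linux patch mentioned above is meant to change. The 20-byte headers and the ID sequences are constructed sample input; `classify_ip_ids` and the category labels are this example's own names.

```python
"""Classify an IPv4 Identification-field sequence by its increment pattern.

Added example (not from the bugtraq thread). All packet data below is constructed.
"""
import struct
from typing import List, Sequence


def ip_id_from_header(packet: bytes) -> int:
    """Return the 16-bit Identification field of an IPv4 header (bytes 4-5, network order)."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack_from("!H", packet, 4)[0]


def byte_swap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (undo a missing htons())."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def deltas(ids: Sequence[int], swap: bool = False) -> List[int]:
    """Successive differences modulo 2^16, optionally after byte-swapping each ID."""
    vals = [byte_swap16(v) if swap else v for v in ids]
    return [(b - a) % 0x10000 for a, b in zip(vals, vals[1:])]


def classify_ip_ids(ids: Sequence[int]) -> str:
    """Name the generator behaviour behind an observed ID sequence.

    'incrementing'            : counter stepped by 1, sent in network order
    'incrementing-byteswapped': counter stepped by 1, sent as a little-endian value
                                (looks like a gap of 256 on the wire, 257 at a carry)
    'constant'                : the same ID every time
    'unpredictable'           : anything else (e.g. a randomised generator)
    """
    if len(ids) < 3:
        raise ValueError("need at least three IDs to judge a pattern")
    if all(d == 0 for d in deltas(ids)):
        return "constant"
    if all(d == 1 for d in deltas(ids)):
        return "incrementing"
    if all(d == 1 for d in deltas(ids, swap=True)):
        return "incrementing-byteswapped"
    return "unpredictable"


def make_header(ident: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero) carrying the given ID."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, ident, 0, 128, 1, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )


# Constructed sample: the three IDs the thread's NT 4 host would have sent on the wire.
SAMPLE_HEADERS = [make_header(i) for i in (0x6F00, 0x7000, 0x7100)]
# Constructed sample: a little-endian counter stepping 254 -> 257, showing the carry case.
CARRY_CASE = [0xFE00, 0xFF00, 0x0001, 0x0101]


if __name__ == "__main__":
    observed = [ip_id_from_header(h) for h in SAMPLE_HEADERS]
    print(observed, "->", classify_ip_ids(observed))
    print(CARRY_CASE, "wire deltas", deltas(CARRY_CASE),
          "swapped deltas", deltas(CARRY_CASE, swap=True), "->", classify_ip_ids(CARRY_CASE))
```

Feed it IDs taken from packets a host of yours emits (for example extracted with the same `struct` offset from a capture); a verdict other than `unpredictable` on a modern system is what a randomised-ID patch or sysctl is supposed to eliminate.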