[20587] in bugtraq
Re: Fun with IP Identification Field Values (Identifying Older MS
daemon@ATHENA.MIT.EDU (Aaron Campbell)
Fri May 11 03:45:16 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSO.4.21.0105071508200.18029-100000@naughty.monkey.org>
Date: Mon, 7 May 2001 16:01:26 -0400
Reply-To: Aaron Campbell <aaron@MONKEY.ORG>
From: Aaron Campbell <aaron@MONKEY.ORG>
X-To: Ofir Arkin <ofir@SYS-SECURITY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <IKELJIEDLEAEJHJOBNEKAEMBDEAA.ofir@sys-security.com>
On Sat, 5 May 2001, Ofir Arkin wrote:

> With the implementation in many operating systems, the Kernel is increasing
> the IP ID field value by 1, from one packet to the next.

There is something much more interesting about non-random incrementing IP
ID numbers: you can use such operating systems to execute spoofed TCP port
scans. I have explained this technique (originally described on Bugtraq
over 2 years ago, see the below URL) to security expert friends of mine
who weren't aware of it at all.

Imagine three hosts:

Host A - Attacker.
Host B - Idle machine, OS that increments IP IDs by fixed amount each pkt.
Host C - Victim.

Suppose Host A would like to know if port 22 is listening on Host C.

Host A communicates initially with Host B to determine Host B's current IP
ID number and takes note of it. Host A sends a TCP SYN packet to port 22
of Host C with the src address field spoofed as Host B. If the port is
open, Host C sends a SYN/ACK packet to Host B in response. If the port is
closed, an RST is sent back instead. In the case of the open port, Host B
would respond to the SYN/ACK with an RST. In the case of the closed port,
Host B would ignore the RST and perform no action.

Once this is done, Host A communicates once again with Host B to determine
the current IP ID and compares it with the saved one from before. If port
22 was open on Host C, Host B responded with an RST, increasing its IP ID
by one. If it was closed, Host B responded with nothing and the IP ID did
not change. Therefore, in the case where "fixed amount" = 1, the IP ID has
increased by 2 if the port was open or 1 if it was closed.

I actually wrote a port scanner a long time ago to implement this method,
which seemed to work on my home network (using a Win95 box as a rogue
host) but I have long since lost the sources.

References:

http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26mid%3D11581

---
Aaron Campbell (aaron@monkey.org || aaron@openbsd.org)
http://www.monkey.org/~aaron
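The three-host exchange described in the post, as an added offline model written for this page; it is not Aaron Campbell's lost scanner and sends no packets. Hosts A, B and C are Python objects, and the only state that matters is B's IP ID counter, which the model advances by a fixed step on every packet B emits. The scan logic is the one in the post (read B's IP ID, send the spoofed SYN, read it again) with three practical details made explicit: the attacker first measures B's per-packet step rather than assuming 1 (some stacks keep the counter in host byte order and so appear to step by 256 on little-endian machines); the 16-bit IP ID wraps, so deltas are taken modulo 65536; and a closed port and a filtered port both leave B silent, so the scan can only ever report "closed|filtered". A zombie that is not actually idle moves its own counter between the two probes and the result is reported as "unknown" rather than guessed. All hosts, ports, IP ID values and the `background_pkts` noise knob are constructed for the example.

```python
"""Offline model of the idle (IP ID) port scan described in the post above.

A (attacker) reads B's IP ID, sends C (victim) a SYN with B's address as
source, then reads B's IP ID again. B's stack bumps the IP ID by a fixed
step on every packet it sends, so the RST that B fires back at an
unsolicited SYN/ACK from C is visible to A as one extra increment.
"""
from dataclasses import dataclass, field
from typing import Optional

IPID_MODULUS = 1 << 16  # the IP ID is a 16-bit field; deltas must wrap


@dataclass
class Zombie:
    """Host B. Every packet it emits advances its IP ID by `step`."""
    ipid: int
    step: int = 1             # 1 on most stacks; 256 where the counter is byte-swapped
    background_pkts: int = 0  # constructed noise: packets B sends on its own between probes

    def _send(self) -> int:
        self.ipid = (self.ipid + self.step) % IPID_MODULUS
        return self.ipid

    def probe(self) -> int:
        """A sends B an unsolicited segment; B answers with an RST whose IP ID A reads."""
        return self._send()

    def deliver_from_victim(self, segment: Optional[str]) -> None:
        """C's reply to the spoofed SYN arrives at B instead of A."""
        if segment == "SYN/ACK":
            self._send()  # B has no such connection, so it replies with an RST
        # an RST (closed port) or nothing at all (filtered port) provokes no reply

    def idle_period(self) -> None:
        """Time between A's two probes; a busy zombie emits its own traffic here."""
        for _ in range(self.background_pkts):
            self._send()


@dataclass
class Victim:
    """Host C. Open ports answer SYN/ACK, closed ports RST, filtered ports nothing."""
    open_ports: set
    filtered_ports: set = field(default_factory=set)

    def handle_syn(self, port: int) -> Optional[str]:
        if port in self.filtered_ports:
            return None
        return "SYN/ACK" if port in self.open_ports else "RST"


def learn_step(zombie: Zombie) -> int:
    """Probe B twice back-to-back to measure its per-packet IP ID increment."""
    first = zombie.probe()
    second = zombie.probe()
    return (second - first) % IPID_MODULUS


def idle_scan_port(zombie: Zombie, victim: Victim, port: int, step: int) -> str:
    before = zombie.probe()             # 1. note B's current IP ID
    reply = victim.handle_syn(port)     # 2. spoofed SYN to C, source address = B
    zombie.idle_period()
    zombie.deliver_from_victim(reply)   # 3. C's answer lands on B
    after = zombie.probe()              # 4. read B's IP ID again
    delta = (after - before) % IPID_MODULUS
    # A's own second probe accounts for one step; a second step means B sent an RST.
    if delta == 2 * step:
        return "open"
    if delta == step:
        return "closed|filtered"  # closed and filtered ports look identical from here
    return "unknown"              # B was not idle: other traffic moved the counter


def scan(zombie: Zombie, victim: Victim, ports) -> dict:
    """Learn B's step once, then idle-scan each port of C through B."""
    step = learn_step(zombie)
    return {p: idle_scan_port(zombie, victim, p, step) for p in ports}


if __name__ == "__main__":
    victim = Victim(open_ports={22, 80}, filtered_ports={135})
    print(scan(Zombie(ipid=4000), victim, [22, 23, 80, 135]))
    print(scan(Zombie(ipid=65535, step=256), victim, [22, 23]))  # byte-swapped counter, wraps
    print(scan(Zombie(ipid=10, background_pkts=3), victim, [22]))  # zombie that is not idle
```

Running the block prints `open` for 22 and 80, `closed|filtered` for both the closed port 23 and the filtered port 135, the same answers for the step-256 zombie even though its counter wraps past 65535 during the first probe, and `unknown` for the zombie that sends its own traffic between probes. A real implementation would repeat each probe several times and only accept results that agree, since the only thing separating a genuinely open port from a momentarily chatty zombie is that extra increment.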