[8857] in bugtraq
A few more fingerprinting techniques - time and netmask
daemon@ATHENA.MIT.EDU (David G. Andersen)
Mon Dec 28 19:30:48 1998
Date: Mon, 28 Dec 1998 16:16:40 -0700
Reply-To: "David G. Andersen" <danderse@CS.UTAH.EDU>
From: "David G. Andersen" <danderse@CS.UTAH.EDU>
To: BUGTRAQ@NETSPACE.ORG
The release of nmap reminded me about some work I did a while ago for
yet-more-information-gathering-programs, and I thought it might be
interesting from the perspective of fingerprinting. Various systems
handle ICMP queries in improper ways for time and netmask requests.
I discussed some of these in a bulletin I didn't bother publicly
announcing (http://www.angio.net/consult/secadv/AA-1997-09-02.address-mask)
and they're somewhat relevant here.
(They're also kind of fun for figuring out if places are firewalled,
if links are point to point, if they run time synchronization, etc.)
System                  ICMP Time   ICMP Mask
Windows                 no          yes
FreeBSD                 yes         no
Linux 1.x               yes         yes
Linux 2.x               yes         no
SunOS                   yes         yes
Solaris                 yes         yes
HPUX                    yes         yes
Older IRIX              yes         yes
Newer IRIX              yes         no
MacOS - MacTCP          ?           no
MacOS - TCP/IP          ?           yes?
Apple Internet Server   yes
On some operating systems, these aren't the best ways for
fingerprinting, because they are configurable - FreeBSD and Solaris
allow you to control the behavior, for instance, and I'm sure other
systems may as well.
I asked CERT to send some of the information on to vendors last year
(since responding to ICMP Mask requests when you're not a router is a
violation of the host requirements RFC), but it's not really a high
priority issue. ;-)
Demonstration programs for these (I've only tested them on FreeBSD)
can be found at:
http://www.angio.net/security/icmptime.c
http://www.angio.net/security/icmpmask.c
Sample output:
torrey# ./icmptime www.yahoo.com www.freebsd.org www.netbsd.org www.openbsd.org
www.yahoo.com : Mon Dec 28 16:13:06 1998
www.freebsd.org : Mon Dec 28 16:13:14 1998
www.netbsd.org : Mon Dec 28 16:13:05 1998
www.openbsd.org : Mon Dec 28 16:13:10 1998
(real time was 16:13:06)
torrey# ./icmpmask www.cisco.com www.bay.com www.nytimes.com
www.cisco.com : 0xFFFFFFE0
www.bay.com : 0xFFFFFFE0
www.nytimes.com : 0xFFFFFF00
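As an added example (not the icmptime/icmpmask programs linked above, and not code from the post), the following Python decodes ICMP Timestamp (type 13/14) and Address Mask (type 17/18) messages of the kind shown in the sample output: it verifies the RFC 1071 checksum, turns the raw timestamp into a UTC time of day, turns the raw mask into dotted form with a prefix length, looks the observed behaviour up in the post's table, and flags an Address Mask Reply from a non-router as the host-requirements (RFC 1122) violation the post mentions. The packets are constructed inline for the example; the function names and the OS_TABLE layout are this example's own, and the Apple Internet Server row is omitted because the post gives it only one value.

```python
"""Decoder for ICMP Timestamp and Address Mask messages plus a lookup against
the response table from the post.  Added example; packets are constructed."""
import struct
from datetime import timedelta

ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 17, 18


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a message whose checksum
    field is already correct, so it doubles as a validity check."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, body: bytes) -> bytes:
    """Assemble an ICMP message (code 0) with a valid checksum."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + body)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + body


def ms_since_midnight(ms: int) -> str:
    """ICMP timestamps are milliseconds since midnight UTC; bit 31 set means
    the sender could not provide a standard value."""
    nonstd = bool(ms & 0x80000000)
    td = timedelta(milliseconds=ms & 0x7FFFFFFF)
    hh, rem = divmod(td.seconds, 3600)
    mm, ss = divmod(rem, 60)
    return "%02d:%02d:%02d.%03d%s" % (hh, mm, ss, td.microseconds // 1000,
                                      " (non-standard)" if nonstd else "")


def mask_to_prefix(mask: int):
    """Return (dotted quad, prefix length); prefix length is None when the
    mask bits are not contiguous, which is itself worth noticing."""
    dotted = ".".join(str((mask >> s) & 0xFF) for s in (24, 16, 8, 0))
    ones = bin(mask).count("1")
    contiguous = mask == ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF)
    return dotted, ones if contiguous else None


def parse_icmp(pkt: bytes) -> dict:
    """Parse a raw ICMP message (IP header already stripped)."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    t, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    info = {"type": t, "code": code, "id": ident, "seq": seq}
    if t in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        if len(pkt) < 20:
            raise ValueError("truncated timestamp message")
        orig, recv, xmit = struct.unpack("!III", pkt[8:20])
        info.update(originate=orig, receive=recv, transmit=xmit,
                    transmit_utc=ms_since_midnight(xmit))
    elif t in (ICMP_MASK_REQUEST, ICMP_MASK_REPLY):
        if len(pkt) < 12:
            raise ValueError("truncated mask message")
        (mask,) = struct.unpack("!I", pkt[8:12])
        dotted, plen = mask_to_prefix(mask)
        info.update(mask=mask, mask_dotted=dotted, prefix_len=plen)
    return info


# The post's table as (answers ICMP Time, answers ICMP Mask); None = "?".
OS_TABLE = {
    "Windows": (False, True),
    "FreeBSD": (True, False),
    "Linux 1.x": (True, True),
    "Linux 2.x": (True, False),
    "SunOS": (True, True),
    "Solaris": (True, True),
    "HPUX": (True, True),
    "Older IRIX": (True, True),
    "Newer IRIX": (True, False),
    "MacOS - MacTCP": (None, False),
    "MacOS - TCP/IP": (None, True),   # given as "yes?" in the post
}


def candidates(answers_time: bool, answers_mask: bool) -> list:
    """OS families from the table consistent with the observed replies."""
    return [name for name, (t, m) in OS_TABLE.items()
            if (t is None or t == answers_time) and (m is None or m == answers_mask)]


def mask_reply_violation(info: dict, is_router: bool) -> bool:
    """RFC 1122 3.2.2.9: only an authoritative agent (a router) may send an
    Address Mask Reply.  Usable as a rule over captured ICMP traffic."""
    return info["type"] == ICMP_MASK_REPLY and not is_router


if __name__ == "__main__":
    # Constructed samples: a timestamp reply for 16:13:06 UTC and a /27 mask.
    ts_reply = build_icmp(ICMP_TIMESTAMP_REPLY, 0x1234, 1,
                          struct.pack("!III", 0, 58386000, 58386000))
    mask_reply = build_icmp(ICMP_MASK_REPLY, 0x1234, 1, struct.pack("!I", 0xFFFFFFE0))
    for pkt in (ts_reply, mask_reply):
        print(parse_icmp(pkt))
    print(candidates(True, False))
    print(mask_reply_violation(parse_icmp(mask_reply), is_router=False))
```

The checksum check runs before any field is read so that a damaged or forged reply is rejected rather than decoded; 0xFFFFFFE0 decodes to 255.255.255.224 (/27), matching the cisco and bay replies in the sample output, and a mask whose bits are not contiguous is reported with a None prefix length instead of being silently accepted.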
-Dave
--
work: danderse@cs.utah.edu me: angio@pobox.com
University of Utah http://www.angio.net/
Computer Science - Flux Research Group