[16482] in bugtraq
Re: IP TTL Field Value with ICMP (Oops - Identifying Windows
daemon@ATHENA.MIT.EDU (Nelson Brito)
Fri Sep 1 14:57:57 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <39AEFCF8.FCBF3B26@sekure.org>
Date: Thu, 31 Aug 2000 21:48:56 -0300
Reply-To: Nelson Brito <nelson@SEKURE.ORG>
From: Nelson Brito <nelson@SEKURE.ORG>
X-To: Ofir Arkin <ofir@ITCON-LTD.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Ofir Arkin wrote:
>
> The IP TTL field value with ICMP has two separate values, one for ICMP query
> messages and one for ICMP query replies.
>
> The TTL field value helps us identify certain operating systems and groups of
> operating systems. It also provides us with the simplest means to add another
> check criteria when we are querying other host(s) or listening to traffic
> (sniffing).
>
> A. IP TTL Field Value with ICMP Echo Replies
> If we would look at the ICMP Query Replies IP TTL field value then we see some
> patterns:
>
> - UNIX and UNIX-like operating systems use 255 as their IP TTL field value
> with ICMP query replies.
> - Compaq Tru64 5.0 is the exception, using 64 as its IP TTL field value
> with ICMP query replies.
> - Microsoft Windows operating system machines are using the value of 128.
> - Microsoft Windows 95 is the only Microsoft operating system to use 32 as its
> IP TTL field value with ICMP query messages.
This could be changed in REGISTRY:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DefaultTTL"=dword:000000ff
Note:
hex(ff) == dec(255)
It's an obscurity way... I know... =)
That's all,
--
Nelson Brito
open(S, shift || $ENV{'HOME'} . "/.signature") || die "open: $!\n";
foreach(<S>){ chop; split(//, $_); print reverse @_; print "\n"; }
close(S);
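
Added example, not part of the original message or thread: a passive check that maps the TTL of an ICMP echo reply to an OS family using only the values quoted above, showing that a Windows host with DefaultTTL set to 0xff is then reported as UNIX-like. The function names, the 192.0.2.x addresses and the 3-hop distance are assumptions, and the packets are constructed inline.

```python
import socket
import struct

# Initial TTLs for ICMP echo replies, taken from the list quoted in the message.
REPLY_TTL_FAMILY = {32: "Microsoft Windows 95", 64: "Compaq Tru64 5.0",
                    128: "Microsoft Windows", 255: "UNIX / UNIX-like"}

def build_echo_reply(ttl, src="192.0.2.10", dst="192.0.2.1"):
    """Constructed sample: IPv4 header + ICMP echo reply (checksums left at 0)."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

def guess_from_reply(packet):
    """Return (observed_ttl, assumed_initial_ttl, hops, family), or None
    if the bytes are not an IPv4 ICMP echo reply."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 1:  # protocol 1 = ICMP
        return None
    if packet[ihl] != 0:                                     # type 0 = echo reply
        return None
    ttl = packet[8]
    if ttl == 0:
        return None
    # Routers only decrement TTL, so assume the smallest listed initial value
    # that is >= the observed one; the difference is the hop estimate.
    initial = min(v for v in REPLY_TTL_FAMILY if v >= ttl)
    return ttl, initial, initial - ttl, REPLY_TTL_FAMILY[initial]

def demo():
    # Same Windows host seen 3 hops away: stock TTL (128), then with
    # DefaultTTL=dword:000000ff as in the reply above.
    stock = guess_from_reply(build_echo_reply(128 - 3))
    tuned = guess_from_reply(build_echo_reply(0xFF - 3))
    return stock, tuned

if __name__ == "__main__":
    for label, result in zip(("stock", "DefaultTTL=0xff"), demo()):
        print(label, result)
```

Because one registry value flips the verdict, an inventory or detection rule should treat a TTL-derived OS guess as a hint to corroborate with other signals.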