[16484] in bugtraq
Re: IP TTL Field Value with ICMP (Oops - Identifying Windows 2000
daemon@ATHENA.MIT.EDU (Stéphane OMNES)
Fri Sep 1 15:15:19 2000
Message-Id: <39AFBF4B.43563AAE@aql.fr>
Date: Fri, 1 Sep 2000 16:38:03 +0200
Reply-To: Stéphane OMNES <stephane.omnes@AQL.FR>
From: Stéphane OMNES <stephane.omnes@AQL.FR>
To: BUGTRAQ@SECURITYFOCUS.COM
Ofir Arkin wrote (Thu, 31 Aug 2000 13:39:36 +0200) :
> The IP TTL field value with ICMP has two separate values, one for ICMP query
> messages and one for ICMP query replies.
> The TTL field value helps us identify certain operating systems and groups of
> operating systems. It also provides us with the simplest means to add another
> check criterion when we are querying other host(s) or listening to traffic
> (sniffing).
> A. IP TTL Field Value with ICMP Echo Replies
> If we look at the ICMP Query Replies IP TTL field value then we see
> some patterns :
> - UNIX and UNIX-like operating systems use 255 as their IP TTL field value
> with ICMP query replies.
> Compaq Tru64 5.0 is the exception, using 64 as its IP TTL field value
> with ICMP query replies.
> - Microsoft Windows operating system machines are using the value of 128.
> - Microsoft Windows 95 is the only Microsoft operating system to use 32 as
> its IP TTL field value with ICMP query messages.
> With the ICMP query replies we have two operating systems that are clearly
> distinguished from the others - Windows 95 and Compaq Tru64 5.0. Other
> operating systems are grouped into the 255 group (UNIX and UNIX-like) and
> into the 128 group (Microsoft operating systems).
> Operating Systems tested:
> LINUX Kernel 2.2.x, Kernel 2.4t1-6; FreeBSD 4.1,4.0,3.4; OpenBSD 2.7,2.6;
> NetBSD 1.4.2; Sun Solaris 2.5.1,2.6,2.7,2.8; HP-UX 10.20, 11.0; AIX 4.1, 3.2;
> Compaq Tru64 5.0; Irix 6.5.3,6.5.8; BSDI BSD/OS 4.0,3.1; Ultrix 4.2-4.5; OpenVMS 7.1-2;
> Windows 95/98/98SE/ME; Windows NT 4 Workstation SP3, SP4, SP6a; Windows NT 4
> Server SP4; Windows 2000 Professional, Server, Advanced Server.
Not exactly. I tested some Linux distributions and other OSes. My results are
the following :
- RedHat 5.0 (kernel 2.0.32) : the IP TTL field with ICMP Echo_reply message is : 64
- RedHat 5.2 (kernel 2.0.36) : the IP TTL field with ICMP Echo_reply message is : 64
- RedHat 6.1 (kernel 2.2.12-20) : the IP TTL field with ICMP Echo_reply message is : 255
- Mandrake 7.0 (kernel 2.2.14-15) : the IP TTL field with ICMP Echo_reply message is : 255
- FreeBSD 4.0 : the IP TTL field with ICMP Echo_reply message is : 255
- Windows 95 : the IP TTL field with ICMP Echo_reply message is : 32
- Windows NT4 Workstation (SP4, SP5) : IP TTL field with ICMP Echo_reply message is : 128
- Windows NT4 Server (SP4, SP5) : IP TTL field with ICMP Echo_reply message is : 128
- Windows NT4 Primary Domain Controller (SP4) : IP TTL field with ICMP Echo_reply message is : 128
- Windows 2000 Professional : IP TTL field with ICMP Echo_reply message is : 128
So, some Linux versions are also clearly distinguished from the other UNIX and
UNIX-like systems...
> B. IP TTL Field Value with ICMP Echo Requests
> One would expect that both IP TTL field values would be the same ...
> This is not true in the case of some operating systems.
> - LINUX Kernel 2.2.x & 2.4.x use 64 as their IP TTL Field Value with ICMP Echo Requests.
It's also true for some LINUX Kernel 2.0.x. I tested the following OSes :
- RedHat 5.0 (kernel 2.0.32) : the IP TTL field with ICMP Echo_request message is : 64
- RedHat 5.2 (kernel 2.0.36) : the IP TTL field with ICMP Echo_request message is : 64
- RedHat 6.1 (kernel 2.2.12-20) : the IP TTL field with ICMP Echo_request message is : 64
- Mandrake 7.0 (kernel 2.2.14-15) : the IP TTL field with ICMP Echo_request message is : 64
> - FreeBSD 4.1, 4.0, 3.4; Sun Solaris 2.5.1, 2.6, 2.7, 2.8; OpenBSD 2.6, 2.7,
> NetBSD and HP UX 10.20 are using 255 as their IP TTL field value with ICMP Echo
> requests. With the OSs listed above the same IP TTL Field value with any
> ICMP message is given.
I confirm for FreeBSD 4.0...
> - Windows 95/98/98SE/ME/NT4 WRKS SP3,SP4,SP6a/NT4 Server SP4 - all using 32
> as their IP TTL field value with ICMP Echo requests.
I confirm for Windows 95 / NT4 Workstation SP4 / NT4 Server SP4.
I also tested successfully Windows NT4 Workstation SP5 / NT4 Server SP5 /
NT4 Primary Domain Controller SP4.
> - Microsoft Windows 2000 is using 128 as its IP TTL Field Value with ICMP Echo
> requests.
Right.
> We can distinguish between LINUX, Microsoft Windows 2000, The Other
> Microsoft OSs (32 group), and the 255 group.
And we can recognize some Linux distributions (TTL 64 group)...
Sincerely,
Stephane Omnes
AQL - Groupe SILICOMP SA
Please reply to : infos@aql.fr
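As an added example that is not part of the original post or the thread's own tooling: a passive Python classifier that reads the IP TTL and ICMP type out of a raw IPv4 packet, rounds the observed TTL up to the nearest initial value (the value on the wire is the initial TTL minus the hops traversed) and maps it to the groups reported in the thread, so echo traffic captured on your own segment can be compared against the asset inventory. The packet builder, the group labels and the addresses are constructed for this example and are assumptions, not measurements from the thread.

```python
"""Classify the sender of an ICMP echo packet by the TTL groups reported
in the thread. Added example; assumes IPv4 packets with no IP options."""
import struct

# Initial TTL values per ICMP type (8 = echo request, 0 = echo reply),
# with the OS groups the thread reports for each value.
TTL_GROUPS = {
    8: {32: "Windows 95/98/98SE/ME/NT4 (32 group)",
        64: "Linux 2.0.x/2.2.x/2.4.x (64 group)",
        128: "Windows 2000",
        255: "FreeBSD/Solaris/OpenBSD/NetBSD/HP-UX (255 group)"},
    0: {32: "Windows 95",
        64: "Compaq Tru64 5.0 or Linux 2.0.x (RedHat 5.0/5.2)",
        128: "Windows NT4/2000 (128 group)",
        255: "UNIX and UNIX-like (255 group)"},
}
INITIAL_TTLS = (32, 64, 128, 255)

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value.
    Each router decrements TTL by one, so a sniffed 250 means 255."""
    for cand in INITIAL_TTLS:
        if observed <= cand:
            return cand
    raise ValueError("TTL out of range")

def classify_icmp(packet):
    """Return (icmp_type, initial_ttl, hops, os_group) for a raw IPv4
    packet carrying an ICMP echo; None for anything else."""
    if len(packet) < 28:
        return None
    ver_ihl, ttl, proto = packet[0], packet[8], packet[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(packet) < ihl + 8:
        return None
    icmp_type = packet[ihl]
    if icmp_type not in TTL_GROUPS:
        return None
    init = initial_ttl(ttl)
    return icmp_type, init, init - ttl, TTL_GROUPS[icmp_type][init]

def build_packet(ttl, icmp_type, proto=1):
    """Constructed sample: minimal IPv4 header plus ICMP echo header
    (checksums left at zero; addresses are placeholders)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, proto, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

if __name__ == "__main__":
    print(classify_icmp(build_packet(61, 8)))   # Linux 64 group, 3 hops
    print(classify_icmp(build_packet(126, 0)))  # 128 group, 2 hops
```

A host whose group disagrees with what the inventory says it runs is worth a closer look; the rounding also means a 128-group sender more than 64 hops away would be misread, which is not a realistic path length.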