[16520] in bugtraq
Re: IP TTL Field Value with ICMP (Oops - Identifying Windows 2000
daemon@ATHENA.MIT.EDU (Frank Knobbe)
Sat Sep 2 14:17:05 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="windows-1255"
Message-Id: <015F790A1F66D2118277006097D2068345C73E@SERVER1>
Date: Fri, 1 Sep 2000 13:14:19 -0500
Reply-To: Frank Knobbe <FKnobbe@KNOBBEITS.COM>
From: Frank Knobbe <FKnobbe@KNOBBEITS.COM>
X-To: Ofir Arkin <ofir@ITCON-LTD.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> -----Original Message-----
> From: Ofir Arkin [mailto:ofir@ITCON-LTD.COM]
> Sent: Thursday, August 31, 2000 6:40 AM
>
> [...]
> - Windows 95/98/98SE/ME/NT4 WRKS SP3,SP4,SP6a/NT4 Server SP4
> - all using 32
> as their IP TTL field value with ICMP Echo requests.
> [...]
> What if we do not get a match?
> Then we know that someone changed the default TTL field value in
> his machine.
>
> Please note that some networking devices might have values
> similar to those
> presented here.
>
> Some might say, that setting the default TTL value with ICMP could
> be altered. True. Just do it!
Windows NT uses 128 as the default. This can (and should) be changed
with the following Registry key entry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
DefaultTTL    REG_DWORD    1–255 seconds
Default:  Windows NT 4.0               128
          Windows NT 3.51 and earlier  32
Specifies the default Time To Live (TTL) value set in the header of
outgoing IP packets. The TTL determines the maximum amount of time an
IP packet can live on the network without reaching its destination.
It limits the number of routers an IP packet can pass through before
being discarded.
Note
Windows NT does not add this value to the Registry. You can add it by
editing the Registry or by using a program that edits the Registry.
There are many more important and interesting IP settings. For more
information, consult the file REGENTRY.HLP that comes with the
Windows NT Resource Kit.
Regards,
Frank
BTW: My NT machines appear to be Unix ;)
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.
iQA/AwUBOa/x+0RKym0LjhFcEQI5ZgCeKaEywGxoP4t3EQR0ZPklEJUd+qYAoPGC
bmZiZqR4ifirSI7VLkEKMGVR
=/BeW
-----END PGP SIGNATURE-----
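
Added example (not part of the original message): a way to confirm from a packet capture that a DefaultTTL change took effect, by reading the TTL byte from a raw IPv4 header and estimating the sender's initial TTL. The function names, the sample headers, and the 64 and 255 buckets are assumptions introduced here; 32 and 128 are the values named in the thread.

```python
import struct

# 32 and 128 are the defaults named in the thread; 64 and 255 are other
# widely used initial TTLs, added here as an assumption.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def _ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4_ttl(packet: bytes) -> tuple[int, int]:
    """Return (ttl, protocol) from a raw IPv4 header after validating it."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    if _ones_sum(packet[:ihl]) != 0xFFFF:
        raise ValueError("bad IPv4 header checksum")
    return packet[8], packet[9]  # TTL is byte 8, protocol is byte 9

def estimate_initial_ttl(observed: int) -> tuple[int, int]:
    """Smallest common initial TTL >= observed, plus the implied hop count."""
    if not 0 < observed <= 255:
        raise ValueError("TTL out of range")
    for initial in COMMON_INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise AssertionError("unreachable")

def sample_echo_header(ttl: int) -> bytes:
    """Constructed 20-byte IPv4 header (protocol 1 = ICMP, documentation IPs)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, ttl, 1, 0,
                                bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])))
    struct.pack_into("!H", hdr, 10, 0xFFFF - _ones_sum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    # Constructed captures: the same host, three hops away, before and after
    # DefaultTTL is changed from 128 to 64.
    for label, ttl in (("DefaultTTL unset (128)", 125), ("DefaultTTL = 64", 61)):
        seen, proto = parse_ipv4_ttl(sample_echo_header(ttl))
        print(label, "-> observed", seen, "estimate", estimate_initial_ttl(seen))
```

The estimate is only as good as the bucket list: a host set to an uncommon value such as 100 is rounded up to 128 with an inflated hop count.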