[17094] in bugtraq


ICMP Timestamp with code!=0 - LINUX 2.2.x and 2.4.x changed pattern

daemon@ATHENA.MIT.EDU (Ofir Arkin)
Sun Oct 8 15:23:30 2000

Message-ID:  <GDEIJDIGIGIFHEIILCALIECGCGAA.ofir@itcon-ltd.com>
Date:         Sun, 8 Oct 2000 10:49:40 +0200
Reply-To: Ofir Arkin <ofir@ITCON-LTD.COM>
From: Ofir Arkin <ofir@ITCON-LTD.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

In a previous post to Bugtraq I have already outlined the fact that
Microsoft Windows 98/98 SE/ME and the Microsoft Windows 2000 family,
which have answered an ICMP Timestamp request with the code field
set to zero, do not produce any reply when they are queried with an
ICMP Timestamp request with the code field set to a value different than
zero.

When I tried this on Linux machines based on kernel 2.2.x and 2.4.x,
I encountered a different pattern of behavior:

20:10:18.138486 ppp0 > x.x.x.x > y.y.y.y: icmp: time stamp request (ttl 255,
id 13170)
			 4500 0028 3372 0000 ff01 606c xxxx xxxx
			 yyyy yyyy 0d26 2e0c 7c04 0000 03af 451a
			 0000 0000 0000 0000
20:10:18.354222 ppp0 < y.y.y.y > x.x.x.x: icmp: time stamp reply (ttl 243,
id 15717)
			 4500 0028 3d65 0000 f301 6279 yyyy yyyy
			 xxxx xxxx 0e00 888b 7c04 0000 03af 451a
			 0422 4e31 0422 4e31

Linux zeroes out the code field on its ICMP Timestamp reply.

This is an inconsistency with Linux behavior, since with an ICMP Echo request
sent with the code field set to a value different than zero, Linux
echoes the value back.


Ofir Arkin  [ofir@itcon-ltd.com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."
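
The trace in the message above, decoded as an added example (not part of the original post): this Python parses the ICMP portion of both captured packets, verifies their checksums, and labels the request/reply pair by what happened to the code field. The function names and labels are assumptions made for this example; the IP headers are left out because the addresses are masked in the post.

```python
import struct

# ICMP portions of the two packets in the trace (bytes after the 20-byte
# IP header), copied from the hex dump in the post.
REQUEST = bytes.fromhex("0d262e0c7c04000003af451a0000000000000000")
REPLY = bytes.fromhex("0e00888b7c04000003af451a04224e3104224e31")

TS_REQUEST, TS_REPLY = 13, 14  # ICMP Timestamp message types (RFC 792)


def checksum_ok(msg):
    """Ones'-complement sum over the whole ICMP message must fold to 0xffff."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_timestamp(msg):
    """Decode an ICMP Timestamp request/reply; raise ValueError otherwise."""
    if len(msg) < 20:
        raise ValueError("truncated ICMP timestamp message")
    t, code, _csum, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", msg[:20])
    if t not in (TS_REQUEST, TS_REPLY):
        raise ValueError("not an ICMP timestamp message (type %d)" % t)
    return {"type": t, "code": code, "id": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit,
            "checksum_ok": checksum_ok(msg)}


def classify(request, reply=None):
    """Label a captured request/reply pair by the fate of the code field."""
    req = parse_timestamp(request)
    if req["type"] != TS_REQUEST or req["code"] == 0:
        return "not a nonzero-code request"
    if reply is None:
        return "nonzero-code request, no reply"
    rep = parse_timestamp(reply)
    if rep["type"] != TS_REPLY or (rep["id"], rep["seq"]) != (req["id"], req["seq"]):
        return "nonzero-code request, unmatched reply"
    return ("nonzero-code request, code zeroed in reply" if rep["code"] == 0
            else "nonzero-code request, nonzero code in reply")


if __name__ == "__main__":
    print(parse_timestamp(REQUEST))
    print(classify(REQUEST, REPLY))
```

The request decodes to type 13 with code 0x26 and the reply to type 14 with code 0; both checksums verify, so the zeroed code is what the replying host actually sent.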
