Bugtraq mailing list archives
Identifying Windows 98/98SE/ME/2000 Using Wrong Codes with ICMP Timestamp Requests
From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Sat, 5 Aug 2000 14:56:39 +0200
Subject: Identifying Microsoft Windows 98/98 SE/ME/2000 Using Wrong Codes with ICMP Timestamp Requests

Author: Ofir Arkin [ofir () itcon-ltd com]

Description:

I have decided to map which operating systems would answer to an ICMP Timestamp Request that would have its code field not set to zero. Interesting results were produced.

The Microsoft Windows 98/98 SE/ME, and the Microsoft Windows 2000 Professional/Server that have answered to ICMP Timestamp requests with the code field set to zero, now did not produce any reply back.

Using this information it is quite easy to group together certain Microsoft Windows operating systems using two datagrams of ICMP Timestamp request.

The first one is a regular one; the Microsoft Windows machines that do not answer are Microsoft Windows 95 and Microsoft Windows NT 4.0 Workstation with SP 6a (and below). All other operating systems (that I have checked) answered the ICMP Timestamp request (UNIX and UNIX-like).

The second stage is sending another datagram, this time with the Code field set to a value which is not equal to zero. The operating systems that would not answer would include Windows 98/98 SE/ME/2000 Professional/2000 Server, which are the newer versions of Microsoft Windows operating systems. Other operating systems would still respond with a correct answer to the query.

It is quite obvious that Microsoft have tried to change some of their newer operating systems fingerprinting in later TCP/IP implementations of their operating systems. For example, the default for answering an ICMP Timestamp request was changed from "no answer" to "answer", like UNIX and UNIX-like operating systems. But the Microsoft programmers / designers / architects / security engineers did not think about everything, apparently.
Operating Systems checked: LINUX Kernel 2.4t2; LINUX Kernel 2.2.14; FreeBSD 4.0, 3.4; OpenBSD 2.7 & 2.6; Solaris 2.5.1, 2.6, 2.7 & 2.8; HP-UX 10.20; AIX 4.1; ULTRIX; Microsoft Windows 95 / 98 / 98SE / ME / NT 4 SP3, SP4, SP6a WRST & SERVER / 2000 Professional & Server.

Ofir Arkin
Senior Security Consultant
ITcon, Israel.
Personal Web page: http://www.sys-security.com
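Added example, not part of the original post: a detection sketch that flags the probe pattern described above, an ICMP Timestamp Request (type 13) carrying a non-zero Code, optionally paired with a regular code-zero request from the same source. The function names, verdict labels and sample addresses are assumptions made for this illustration, and the packets are constructed rather than captured.

```python
import socket
import struct
from collections import defaultdict

ICMP_TIMESTAMP_REQUEST = 13  # ICMP type 13 (RFC 792); the RFC defines only code 0

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when run over data with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_sample(src: str, dst: str, code: int) -> bytes:
    """Constructed test input: IPv4 header (checksum left 0) + ICMP Timestamp Request."""
    icmp = struct.pack("!BBHHHIII", ICMP_TIMESTAMP_REQUEST, code, 0, 0x1234, 1, 0, 0, 0)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

def parse_timestamp_request(packet: bytes):
    """Return (src, dst, code) for a well-formed Timestamp Request, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None  # too short, not IPv4, or not ICMP
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    if (ihl < 20 or len(icmp) < 20 or icmp[0] != ICMP_TIMESTAMP_REQUEST
            or inet_checksum(icmp) != 0):
        return None
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), icmp[1]

def find_probes(packets):
    """Map (src, dst) -> verdict for every pair that sent a non-zero Code request."""
    codes = defaultdict(set)
    for pkt in packets:
        parsed = parse_timestamp_request(pkt)
        if parsed:
            codes[parsed[:2]].add(parsed[2])
    return {pair: ("two-stage" if 0 in seen else "nonzero-code")
            for pair, seen in codes.items() if seen - {0}}

# Constructed sample traffic (documentation address ranges), not captured data.
SAMPLE = [build_sample("192.0.2.10", "198.51.100.5", 0),
          build_sample("192.0.2.10", "198.51.100.5", 38),
          build_sample("192.0.2.77", "198.51.100.5", 0),
          build_sample("192.0.2.99", "198.51.100.6", 1)]
```

A source that sends only code-zero requests (192.0.2.77 in the sample) produces no alert, since that is a regular Timestamp query.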