Bugtraq mailing list archives

Identifying Windows 98/98SE/ME/2000 Using Wrong Codes with ICMP Timestamp Requests


From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Sat, 5 Aug 2000 14:56:39 +0200

Subject:
Identifying Microsoft Windows 98/98 SE/ME/2000 Using Wrong Codes with ICMP
Timestamp Requests

Author:
Ofir Arkin [ofir () itcon-ltd com]

Description:
I have decided to map which operating systems would answer an ICMP
Timestamp Request that has its Code field not set to zero.

Interesting results were produced. Microsoft Windows 98/98 SE/ME and
Microsoft Windows 2000 Professional/Server, which had answered ICMP
Timestamp requests with the Code field set to zero, now did not produce any
reply.

Using this information it is quite easy to group together certain Microsoft
Windows operating systems using two datagrams of ICMP Timestamp request. The
first one is a regular one; the Microsoft Windows machines that do not
answer are Microsoft Windows 95 and Microsoft Windows NT 4.0 Workstation
with SP 6a (and below). All other operating systems (that I have checked)
answered the ICMP Timestamp request (UNIX and UNIX-like). The second stage
is sending another datagram, this time with the Code field set to a value
that is not equal to zero. The operating systems that would not answer
include Windows 98/98 SE/ME/2000 Professional/2000 Server, which are
the newer versions of the Microsoft Windows operating systems. Other operating
systems would still respond with a correct answer to the query.

It is quite obvious that Microsoft has tried to change the fingerprint of
some of their newer operating systems in later TCP/IP implementations. For
example, the default for answering an ICMP Timestamp request was changed
from "no answer" to "answer", like UNIX and UNIX-like operating systems. But
the Microsoft programmers / designers / architects / security engineers did
not think about everything, apparently.

Operating Systems checked:
LINUX Kernel 2.4t2; LINUX Kernel 2.2.14; FreeBSD 4.0, 3.4; OpenBSD 2.7 &
2.6; Solaris 2.5.1, 2.6, 2.7 & 2.8; HP-UX 10.20; AIX 4.1; ULTRIX; Microsoft
Windows 95 / 98 / 98SE / ME / NT 4 SP3, SP4, SP6a WRST & SERVER / 2000
Professional & Server.


Ofir Arkin
Senior Security Consultant
ITcon, Israel.

Personal Web page:
http://www.sys-security.com
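The two-probe check described in the post, written out as an added example (this is not Ofir Arkin's code and was not part of the original message). It builds RFC 792 Timestamp Requests (type 13) with the Code field under test, parses any Timestamp Reply (type 14) that comes back, and groups the host by the reply/no-reply pattern using exactly the rules the post states. The `probe()` function and the `__main__` block need a raw socket (root or CAP_NET_RAW) and a real target; the packet builder, parser and `classify()` run offline. The identifier 0x1234, the choice of Code 1 as the non-zero value, and the 2-second timeout are assumptions of this example.

```python
"""Two-probe ICMP Timestamp fingerprint, following the post above.

Constructed example, not the author's code. Assumptions: raw-socket access for
the live probe; the reply/no-reply grouping rules exactly as the post states them.
"""
import socket
import struct
import sys
import time

ICMP_TIMESTAMP_REQUEST = 13   # RFC 792 Timestamp message
ICMP_TIMESTAMP_REPLY = 14     # RFC 792 Timestamp Reply


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_timestamp(msg_type: int, code: int, ident: int, seq: int,
                    originate_ms: int, receive_ms: int = 0, transmit_ms: int = 0) -> bytes:
    """Build an ICMP Timestamp message: type, code, checksum, identifier, sequence,
    then originate/receive/transmit timestamps (milliseconds since midnight UTC)."""
    body = struct.pack("!III", originate_ms, receive_ms, transmit_ms)
    header = struct.pack("!BBHHH", msg_type, code, 0, ident, seq)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBHHH", msg_type, code, csum, ident, seq) + body


def build_timestamp_request(code: int = 0, ident: int = 0x1234, seq: int = 1,
                            originate_ms=None) -> bytes:
    """Timestamp Request carrying the Code value under test (RFC 792 defines only 0).
    Receive and transmit timestamps are zero in a request."""
    if originate_ms is None:
        t = time.gmtime()
        originate_ms = ((t.tm_hour * 60 + t.tm_min) * 60 + t.tm_sec) * 1000
    return build_timestamp(ICMP_TIMESTAMP_REQUEST, code, ident, seq, originate_ms)


def parse_icmp(packet: bytes, has_ip_header: bool = True) -> dict:
    """Parse the ICMP header (and timestamps, if present). A raw ICMP socket hands
    back the IPv4 header in front of the message, so skip IHL*4 bytes by default."""
    icmp = packet[(packet[0] & 0x0F) * 4:] if has_ip_header else packet
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    info = {"type": typ, "code": code, "ident": ident, "seq": seq,
            "checksum_ok": icmp_checksum(icmp) == 0}
    if typ in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY) and len(icmp) >= 20:
        info["originate"], info["receive"], info["transmit"] = struct.unpack("!III", icmp[8:20])
    return info


def classify(replies_to_code0: bool, replies_to_nonzero_code: bool) -> str:
    """Group a host by the two observations, using the rules stated in the post."""
    if not replies_to_code0:
        return "Windows 95 or Windows NT 4.0 (SP6a and below)"
    if not replies_to_nonzero_code:
        return "Windows 98/98 SE/ME or Windows 2000 Professional/Server"
    return "UNIX or UNIX-like (answers both probes)"


def probe(target_ip: str, code: int, timeout: float = 2.0, ident: int = 0x1234) -> bool:
    """Send one Timestamp Request with the given Code to target_ip (raw socket: needs
    root/CAP_NET_RAW) and report whether a matching Timestamp Reply arrives in time."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_timestamp_request(code=code, ident=ident, seq=1), (target_ip, 0))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                data, addr = sock.recvfrom(1024)
            except socket.timeout:
                return False
            info = parse_icmp(data)
            if (addr[0] == target_ip and info["type"] == ICMP_TIMESTAMP_REPLY
                    and info["ident"] == ident):
                return True
        return False
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: sudo python3 icmp_ts_fp.py <host>
    host = socket.gethostbyname(sys.argv[1])
    code0 = probe(host, 0)
    nonzero = probe(host, 1) if code0 else False   # any non-zero Code; 1 is used here
    print(host, "->", classify(code0, nonzero))
```

The second probe is only sent when the first one was answered, since a host that ignores the regular request already falls into the first group; a single lost datagram would be misread as "no answer", so in practice each probe should be repeated a few times before a host is placed in a group.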
