Bugtraq mailing list archives
OS fingerprinting method to distinguish between Windows boxes and the rest of the world
From: ofir () ITCON-LTD COM (Ofir Arkin)
Date: Sat, 24 Jun 2000 02:13:46 +0200
During my research on ICMP I have encountered a new OS fingerprinting method. When a wrong code is sent along with the correct type of ICMP ECHO Request message, Microsoft Windows boxes act differently on the ICMP ECHO Reply than other operating systems do.

I have queried my LINUX box (RH 6.2) with an ICMP ECHO Request, changing the ICMP Code from 0 to 38.

    10:06:02.329509 lo < localhost.localdomain > localhost.localdomain: icmp: echo request
                     4500 0020 3372 0000 fe01 0610 c0a8 0105 c0a8 0105 0826 675a 7402 0e20 0186 0cd7
    10:06:02.329639 lo > localhost.localdomain > localhost.localdomain: icmp: echo reply
                     4500 0020 096d 0000 ff01 2f15 c0a8 0105 c0a8 0105 0026 6f5a 7402 0e20 0186 0cd7

As you can see from the tcpdump trace, the reply does not change the code to 0, but leaves it the way it was. If we examine what RFC 972 requires, then LINUX does exactly what it tells. The sending side initializes the identifier (used to identify ECHO requests aimed at different destination hosts) and sequence number (if multiple ECHO requests are sent to the same destination host), adds some data (arbitrary) to the data field and sends the ICMP ECHO Request to the destination host. In the ICMP header the code equals zero. The recipient should only change the type to ECHO Reply and return the datagram to the sender. This also means that we trust another machine to behave correctly. LINUX changes the type field value to 0 and sends the reply.

I have checked the behavior of my Microsoft Windows 2000 Professional box. I have sent the same ICMP ECHO Request message to the Microsoft Windows box:

    10:03:33.860212 eth0 > localhost.localdomain > 192.168.1.1: icmp: echo request
                     4500 0020 3372 0000 fe01 0614 c0a8 0105 c0a8 0101 0826 d618 6102 f658 0183 c8e2
    10:03:33.860689 eth0 < 192.168.1.1 > localhost.localdomain: icmp: echo reply
                     4500 0020 2010 0000 8001 9776 c0a8 0101 c0a8 0105 0000 de3e 6102 f658 0183 c8e2
                     0000 0000 0000 0000 0000 0000 0000

The Microsoft Windows 2000 Professional operating system changed the code value on the ICMP ECHO Reply to 0.

I have tested this method with IBM AIX, SUN Solaris 2.6 & 2.7, OpenBSD, NetBSD, FreeBSD and they produced the same results as the LINUX box did. Microsoft Windows NT 4.0 Server SP 6a and Microsoft Windows 98 SE produced the same behavior as the Microsoft Windows 2000 Professional.

We have a new method to differentiate between a Microsoft Windows box and the rest of the world.

Best Regards

--------------------------------------------------------------------------------------------------
Ofir Arkin
Senior Security Consultant
ITCon, Israel
email : ofir () itcon-ltd com
--------------------------------------------------------------------------------------------------
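An added example, not part of Ofir's post, that decodes the four tcpdump hex dumps above offline, verifies each ICMP checksum, and reports whether the reply kept or zeroed the request's code. It honours the IP total length, so the trailing Ethernet padding on the Windows reply is ignored; the constants LINUX_REQ, LINUX_REP, WIN_REQ and WIN_REP are copies of the dumps quoted in the post.

```python
import struct

# Copies of the four tcpdump -x dumps quoted in the post (constructed test input).
LINUX_REQ = "4500 0020 3372 0000 fe01 0610 c0a8 0105 c0a8 0105 0826 675a 7402 0e20 0186 0cd7"
LINUX_REP = "4500 0020 096d 0000 ff01 2f15 c0a8 0105 c0a8 0105 0026 6f5a 7402 0e20 0186 0cd7"
WIN_REQ = "4500 0020 3372 0000 fe01 0614 c0a8 0105 c0a8 0101 0826 d618 6102 f658 0183 c8e2"
WIN_REP = ("4500 0020 2010 0000 8001 9776 c0a8 0101 c0a8 0105 0000 de3e 6102 f658 0183 c8e2 "
           "0000 0000 0000 0000 0000 0000 0000")  # 14 zero bytes of Ethernet padding


def inet_checksum(data):
    """Ones-complement sum over 16-bit words; returns 0 when data already holds a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(hexdump):
    """Return (type, code, identifier, sequence, checksum_ok) from a hex dump of an IPv4/ICMP packet."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]   # IP total length: anything after it is padding
    if raw[9] != 1:
        raise ValueError("IP protocol is not ICMP")
    icmp = raw[ihl:total_len]
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return itype, code, ident, seq, inet_checksum(icmp) == 0


def classify_reply(request_hex, reply_hex):
    """Compare an echo request with its reply and describe how the responder handled the code."""
    req = parse_icmp(request_hex)
    rep = parse_icmp(reply_hex)
    if req[0] != 8 or rep[0] != 0 or req[2:4] != rep[2:4]:
        return "not a matching echo request/reply pair"
    if not (req[4] and rep[4]):
        return "bad ICMP checksum"
    if rep[1] == req[1]:
        return "code preserved: reply echoes request code %d" % req[1]
    if rep[1] == 0:
        return "code zeroed: request code %d, reply code 0" % req[1]
    return "unexpected reply code %d" % rep[1]


if __name__ == "__main__":
    print("Linux  :", classify_reply(LINUX_REQ, LINUX_REP))
    print("Windows:", classify_reply(WIN_REQ, WIN_REP))
```

Both checksums in the post verify, and the Linux reply checksum differs from the request's by exactly the 0x0800 that the type byte change accounts for, which is what a reply that touches nothing but the type field looks like.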