Bugtraq mailing list archives

Re: IP TTL Field Value with ICMP (Oops - Identifying Windows 2000 again and more)


From: Frank Knobbe <FKnobbe () KNOBBEITS COM>
Date: Fri, 1 Sep 2000 13:14:19 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Ofir Arkin [mailto:ofir () ITCON-LTD COM]
Sent: Thursday, August 31, 2000 6:40 AM

[...]
- Windows 95/98/98SE/ME/NT4 WRKS SP3,SP4,SP6a/NT4 Server SP4 - all using 32
  as their IP TTL field value with ICMP Echo requests.
[...]
What if we do not get a match?
Then we know that someone changed the default TTL field value in
his machine.

Please note that some networking devices might have values similar to
those presented here.

Some might say, that setting the default TTL value with ICMP could
be altered. True. Just do it!  


Windows NT uses 128 as the default. This can (and should) be changed
with the following Registry key entry:

HKEY_LOCAL_MACHINE\System
        \CurrentControlSet
                \Services
                        \Tcpip
                                \Parameters 
DefaultTTL     REG_DWORD     1–255 seconds

Default:        Windows NT 4.0                  128
                Windows NT 3.51 and earlier     32

Specifies the default Time To Live (TTL) value set in the header of
outgoing IP packets. The TTL determines the maximum amount of time an
IP packet can live on the network without reaching its destination.
It limits the number of routers an IP packet can pass through before
being discarded.

Note

Windows NT does not add this value to the Registry. You can add it by
editing the Registry or by using a program that edits the Registry.



There are many more important and interesting IP settings. For more
information, consult the file REGENTRY.HLP that comes with the
Windows NT Resource Kit.


Regards,
Frank


BTW: My NT machines appear to be Unix ;)

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOa/x+0RKym0LjhFcEQI5ZgCeKaEywGxoP4t3EQR0ZPklEJUd+qYAoPGC
bmZiZqR4ifirSI7VLkEKMGVR
=/BeW
-----END PGP SIGNATURE-----
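
Added example, not part of the original post or either author's code: a sketch of the TTL-matching logic discussed in the thread, showing how a changed DefaultTTL moves a host into a different bucket or out of the table entirely. The 32 and 128 entries come from the post; the 64 and 255 buckets, the 30-hop limit and all sample observations are assumptions constructed for illustration.

```python
# Initial-TTL table. 32 and 128 are the values given in the post;
# 64 and 255 are assumed extra buckets that the post does not list.
KNOWN_DEFAULTS = {
    32: "Win 95/98/98SE/ME/NT4 ICMP Echo request; NT 3.51 and earlier default",
    64: "assumed bucket: another common stack default",
    128: "Windows NT 4.0 DefaultTTL",
    255: "assumed bucket: another common stack default",
}
MAX_HOPS = 30  # assumption: longer paths are treated as implausible


def infer_initial_ttl(observed, max_hops=MAX_HOPS):
    """Return (initial_ttl, hops) for the nearest known default at or above
    the observed TTL, or None when no default lies within max_hops."""
    if not 1 <= observed <= 255:
        raise ValueError("IP TTL is an 8-bit field; expected 1-255")
    for initial in sorted(KNOWN_DEFAULTS):
        hops = initial - observed
        if 0 <= hops <= max_hops:
            return initial, hops
    return None


def classify(observed):
    """Turn an observed TTL into the guess a TTL-only matcher would make."""
    guess = infer_initial_ttl(observed)
    if guess is None:
        return "no match: default TTL changed, or a device not in the table"
    initial, hops = guess
    return f"initial {initial}, {hops} hop(s): {KNOWN_DEFAULTS[initial]}"


# Constructed sample observations: (what the host really is, TTL seen)
SAMPLES = [
    ("NT 4.0, stock DefaultTTL, 3 routers away", 125),
    ("Win98 ICMP Echo request, 2 routers away", 30),
    ("NT 4.0 with DefaultTTL set to 64, 3 routers away", 61),
    ("NT 4.0 with DefaultTTL set to 200, 3 routers away", 197),
]

if __name__ == "__main__":
    for truth, ttl in SAMPLES:
        print(f"{ttl:3d}  {truth:50s} -> {classify(ttl)}")
```

The third sample is the case from the closing remark of the message: the host is matched to a bucket that is not a Windows one. The fourth is the "no match" case from the quoted text.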

