Bugtraq mailing list archives

Re: IP TTL Field Value with ICMP (Oops - Identifying Windows 2000 again and more)

From: StÃ©phane OMNES <stephane.omnes () AQL FR>
Date: Fri, 1 Sep 2000 16:38:03 +0200

Ofir Arkin wrote (Thu, 31 Aug 2000 13:39:36 +0200) :

The IP TTL field value with ICMP has two separate values, one for ICMP

query

messages and one for ICMP query replies.
The TTL field value help us identify certain operating systems and

groups of

operating systems. It also provide us with the simplest means to add

another

check criteria when we are quering other host(s) or listening to

traffic

(sniffing).

A. IP TTL Field Value with ICMP Echo Replies
If we would look at the ICMP Query Replies IP TTL field value than we

see

some patterns :
- UNIX and UNIX-like operating systems use 255 as their IP TTL field

value

  with ICMP query replies.

 Compaq Tru64 5.0 is the exception, using 64 as its IP TTL field value

  with ICMP query replies.
- Microsoft Windows operating system machines are using the value of

128.

- Microsoft Windows 95 is the only Microsoft operating system to use

32 as

its IP TTL field value with ICMP query messages.

With the ICMP query replies we have two operating systems that are

clearly

distinguished from the other - Windows 95 and Compaq Tru64 5.0. Other
operating systems are grouped into the 255 group (UNIX and UNIX-like)

and

into the 128 group (Microsoft operating systems).

Operating Systems tested:
LINUX Kernel 2.2.x, Kernel 2.4t1-6; FreeBSD 4.1,4.0,3.4; OpenBSD

2.7,2.6;

NetBSD1.4.2; Sun Solaris 2.5.1,2.6,2.7,2.8; HP-UX 10.20, 11.0; AIX

4.1, 3.2;

Compaq Tru64 5.0; Irix 6.5.3,6.5.8; BSDI BSD/OS 4.0,3.1; Ultrix

4.2-4.5; OpenVMS 7.1-2;

Windows 95/98/98SE/ME; Windows NT 4 Workstation SP3, SP4, SP6a;

Windows NT 4

Server SP4; Windows 2000 Professional, Server, Advanced Server.


Not exactly. I tested some Linux distrib. and others OS. My results are
following :
        - RedHat 5.0 (kernel 2.0.32) : the IP TTL field with ICMP
Echo_reply message is : 64
        - RedHat 5.2 (kernel 2.0.36) : the IP TTL field with ICMP
Echo_reply message is : 64
        - RedHat 6.1 (kernel 2.2.12-20) : the IP TTL field with ICMP
Echo_reply message is : 255
        - Mandrake 7.0 (kernel 2.2.14-15) : the IP TTL field with ICMP
Echo_reply message is : 255
        - FreeBSD 4.0 : the IP TTL field with ICMP Echo_reply message is
: 255
        - Windows95 : the IP TTL field with ICMP Echo_reply message is :
32
        - Windows NT4 Workstation (SP4, SP5) : IP TTL field with ICMP
Echo_reply message is : 128
        - Windows NT4 Server (SP4, SP5)  : IP TTL field with ICMP
Echo_reply message is : 128
        - Windows NT4 Primary Domain Controller (SP4) : IP TTL field
with ICMP Echo_reply message is : 128
        - Windows 2000 Professional : IP TTL field with ICMP Echo_reply
message is : 128
So, some Linux are also clearly distinguished from the others UNIX and
UNIX-like...

B. IP TTL Field Value with ICMP Echo Requests
One would expect that both IP TTL field values would be the same ...
This is not true in the case of some operating systems.

- LINUX Kernel 2.2.x & 2.4.x use 64 as their IP TTL Field Value with

ICMP Echo Requests.

It's also true for some LINUX Kernel 2.0.x. I tested the following OS :
        - RedHat 5.0 (kernel 2.0.32) : the IP TTL field with ICMP
Echo_request message is : 64
        - RedHat 5.2 (kernel 2.0.36) : the IP TTL field with ICMP
Echo_request message is : 64
        - RedHat 6.1 (kernel 2.2.12-20) : the IP TTL field with ICMP
Echo_request message is : 64
        - Mandrake 7.0( kernel 2.2.14-15) : the IP TTL field with ICMP
Echo_request message is : 64

- FreeBSD 4.1, 4.0, 3.4; Sun Solaris 2.5.1, 2.6, 2.7, 2.8; OpenBSD

2.6, 2.7,

  NetBSD and HP UX 10.20 are using 255 as their IP TTL field value

with ICMP Echo

  requests. With the OSs listed above the same IP TTL Field value with

any

  ICMP message is given.


I confirm for FreeBSD 4.0...

- Windows 95/98/98SE/ME/NT4 WRKS SP3,SP4,SP6a/NT4 Server SP4 - all

using 32

  as their IP TTL field value with ICMP Echo requests.


I confirm for Windows 95/ NT4 WorkStation SP4 / NT4 Server SP4.
I also tested successfuly Windows NT4 WorkStation SP5 / NT4 Server SP5 /
NT4 Primary Domain Controller SP4.

- Microsoft windows 2000 is using 128 as its IP TTL Field Value with

ICMP Echo

  requests.


Right.

We can distinguish between LINUX, Microsoft Windows 2000, The Other
Microsoft OSs (32 group), and the 255 group.


And we can recognize some Linux Distrib. (TTL 64 group)...

Sincerely,

Stephane Omnes
AQL - Groupe SILICOMP SA
Please reply to : infos () aql fr

Attachment: stephane.omnes.vcf
Description: Card for Stéphane OMNES

Current thread:

Re: IP TTL Field Value with ICMP (Oops - Identifying Windows 2000 again and more) StÃ©phane OMNES (Sep 01)
- <Possible follow-ups>
- Re: IP TTL Field Value with ICMP (Oops - Identifying Windows 2000 again and more) Frank Knobbe (Sep 02)