Nmap Announce mailing list archives
Re: IP TTL Field Value with ICMP (Oops - Identifying Windows 2000 again and more)
From: Nelson Brito <nelson () sekure org>
Date: Fri, 01 Sep 2000 15:23:07 -0300
Ofir Arkin wrote:
> The IP TTL field value with ICMP has two separate values, one for ICMP query messages and one for ICMP query replies.
>
> The TTL field value helps us identify certain operating systems and groups of operating systems. It also provides us with the simplest means to add another check criterion when we are querying other host(s) or listening to traffic (sniffing).
>
> A. IP TTL Field Value with ICMP Echo Replies
>
> If we would look at the ICMP Query Replies IP TTL field value, then we see some patterns:
>
> - UNIX and UNIX-like operating systems use 255 as their IP TTL field value with ICMP query replies.
> - Compaq Tru64 5.0 is the exception, using 64 as its IP TTL field value with ICMP query replies.
> - Microsoft Windows operating system machines are using the value of 128.
> - Microsoft Windows 95 is the only Microsoft operating system to use 32 as its IP TTL field value with ICMP query messages.

This could be changed in REGISTRY:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DefaultTTL"=dword:000000ff

Note: hex(ff) == dec(255)

It's an obscurity way... I know... =)

That's all,
--
Nelson Brito
open(S, shift || $ENV{'HOME'} . "/.signature") || die "open: $!\n";
foreach(<S>){ chop; split(//, $_); print reverse @_; print "\n"; }
close(S);
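
The following is an added example, not part of either message in this thread: it reads the TTL from a raw ICMP echo reply, rounds it up to the nearest initial value from the quoted list, and shows that a Windows host with DefaultTTL set to 0xff is classified as UNIX-like. The rounding heuristic, the function names, and the sample packets (documentation addresses, zeroed checksums) are assumptions constructed for illustration.

```python
import struct

# Initial TTLs for ICMP replies, as listed in the quoted message.
INITIAL_TTL_GROUPS = {
    32: "Microsoft Windows 95",
    64: "Compaq Tru64 5.0",
    128: "Microsoft Windows",
    255: "UNIX and UNIX-like",
}

def parse_icmp_reply(packet: bytes):
    """Return (ttl, icmp_type) from a raw IPv4 packet, or None if unusable."""
    if len(packet) < 20:
        return None
    ver_ihl, ttl, proto = packet[0], packet[8], packet[9]
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 1 or len(packet) < ihl + 8:
        return None                     # not IPv4/ICMP, or truncated
    return ttl, packet[ihl]

def guess_from_ttl(observed_ttl: int):
    """Assumed heuristic: round the observed TTL up to the nearest listed
    initial value; the difference is the estimated hop count."""
    for initial in sorted(INITIAL_TTL_GROUPS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTL_GROUPS[initial]
    return None

def classify(packet: bytes):
    parsed = parse_icmp_reply(packet)
    if parsed is None or parsed[1] != 0:    # only ICMP echo reply (type 0)
        return None
    return guess_from_ttl(parsed[0])

def build_reply(ttl: int, icmp_type: int = 0) -> bytes:
    """Constructed sample: minimal IPv4 + ICMP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip + icmp

if __name__ == "__main__":
    # Constructed case: the same host 13 hops away, before and after
    # DefaultTTL is changed from 128 to 0xff in the registry.
    for ttl in (115, 242):
        print(ttl, classify(build_reply(ttl)))
```

A TTL-only guess is therefore one signal to correlate with others, since a single registry value moves the host into a different group.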