RE: Multiple IP on the same server howo to idenfity

["Amin Tora" <atora () EPLUS com>]

Frank! Very good example!!!   :)

I teach firewall classes, and one of the vendors I deal with has the
ability to (spoof/hide/change) IP ID's, TCP ISN's, TTL's, etc. on the
fly for all traffic and always suggest that these features are turned on
to make it harder for attackers during reconnaissance attacks...  


Amin Tora, CISSP, CHSP
Security Consultant
ePlus Technology Inc.
13595 Dulles Technology Drive
Herndon, VA 20171
office: 703-793-1330
cell: 703-675-0738
web: http://www.eplustechnology.com
email: atora-at-eplus.com

**NOTICE**
------------------------------------------
THE INFORMATION CONTAINED IN THIS ELECTRONIC TRANSMISSION AND ANY
ATTACHMENTS HERETO IS CONSIDERED PROPRIETARY AND CONFIDENTIAL.
DISTRIBUTION OF THIS MATERIAL TO ANYONE OTHER THAN THE ADDRESSED IS
PROHIBITED. ANY DISCLOSURE, COPYING, DISTRIBUTION OR USE OF THE CONTENTS
OF THIS TRANSMISSION OR ANY ATTACHMENTS HERETO FOR ANY REASON OTHER THAN
THEIR INTENDED PURPOSE IS PROHIBITED. IF YOU HAVE RECEIVED THIS
TRANSMISSION IN ERROR, PLEASE CONTACT THE SENDER.
------------------------------------------
 

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us] 
Sent: Tuesday, June 15, 2004 5:33 PM
To: Lovell, Edward (Contractor)
Cc: NetExpress; pen-test () securityfocus org
Subject: RE: Multiple IP on the same server howo to idenfity

On Mon, 2004-06-14 at 10:52, Lovell, Edward (Contractor) wrote:
> Could you please post to the list any IP finger printing data or links

> you may have.


I'm confused as to what you consider "IP finger printing data". What I
said was that the OP should keep an eye on the IP ID's and TTL's when
communicating with the hosts while trying to figure out if they share
physical hosts.

Consider this portscan/tcpdump result:

x.x.x.2: tcp/25 open - IP ID between 1000 and 1100, TTL (of received
packets) is 105
x.x.x.3: tcp/110 open - IP ID between 1000 and 1100, TTL is 105
x.x.x.4: tcp/21 open - IP ID is between 2000 and 2500, TTL is 105
x.x.x.5: tcp/80 open - IP ID is between 2000 and 2600, TTL is 106
x.x.x.6: tcp/443 open - IP ID is completely random, TTL is 233
x.x.x.7: tcp/80 open - IP ID is completely random, TTL is 233
x.x.x.8: tcp/53 open - IP ID is completely random, TTL is 42

Your traceroute to .5 reveals that it is right on the Internet (between
router and a firewall). Traceroutes to .2 and .3 reply with the same IP
twice. From the Characteristic above, you can guess that .2 and .3 are
the same host, and are most likely Windows boxes (default TTL of 128),
and directly behind a firewall. However, .4, even though the IP ID is in
about the same range as .2 and .3, is one hop shorter, right between the
router and the firewall. Seemingly also a Windows box. .6's IP ID is
completely random, some Unix host with a default TTL of 255. The TTL of
a Windows host behind the firewall was 105, so 105-128+255 is 233, which
means that this Unix box is also directly one hop behind the firewall.
(one tick lower means one more hop away in a WAN).

Now, .7 also has the same distance, but since the IP ID is completely
random, you can not say for sure that this IP is assigned to the same
box that uses .6. Could be, maybe not. Examination of the banners is
needed. You'll find that using Netcat over OpenSSL, .6 is an AIX box
while .7 is a Linux box. But if the TTL were different, you could be
sure right away that these are two different physical hosts.

Now to .8. It sits right on the Internet like .5 (106-128+64=42). A
completely random IP ID hints on Unix. FreeBSD has a default TTL of 64,
so it could be a BSD, or something else. (Feel free to continue this
exercise yourself)


So, by just observing certain IP ID and TTL values, you are able to
create a good estimate of a network map. Complement that with banner
information, and you will get more precise.


Perhaps it becomes clear now that -- from a defensive perspective --
changing IP values such as default TTLs can be of use by making network
profiling harder. Perhaps you might want to use 230 as a default TTL for
your Windows box. I'm sure that will confuse nmap and human pentesters
alike :)

Hope this helps.

Regards,
Frank