Bugtraq mailing list archives
[Corrected Post] - The DF Bit Playground (Identifying Sun Solaris)
From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Wed, 13 Sep 2000 09:12:30 -0000
RFC 791 defines a three-bit field used for various control flags in the IP header. Bit 0 is the reserved flag, and must be zero. Bit 1 is called the Don't Fragment flag, and can have two values. A value of zero (not set) is equivalent to May Fragment, and a value of one is equivalent to Don't Fragment. If this flag is set then fragmentation of this packet at the IP level is not permitted; otherwise it is. Bit 2 is called the More Fragments bit. It can have two values. A value of zero is equivalent to (this is the) Last Fragment, and a value of one is equivalent to More Fragments (are coming). The next field in the IP header is the Fragment Offset field, which identifies the fragment location relative to the beginning of the original un-fragmented datagram (RFC 791, bottom of page 23).

A close examination of the ICMP Query replies reveals that some operating systems set the DF bit on their replies. The tcpdump trace below illustrates the reply a Sun Solaris 2.7 box produced for an ICMP Echo Request.

    17:10:19.538020 if 4 > 195.72.167.220 > x.x.x.x: icmp: echo request (ttl 255, id 13170)
                     4500 0024 3372 0000 ff01 9602 c348 a7dc
                     xxxx xxxx 0800 54a4 8d04 0000 cbe7 bc39
                     8635 0800
    17:10:19.905254 if 4 < x.x.x.x > 195.72.167.220: icmp: echo reply (DF) (ttl 233, id 24941)
                     4500 0024 616d 4000 e901 3e07 xxxx xxxx
                     c348 a7dc 0000 5ca4 8d04 0000 cbe7 bc39
                     8635 0800

In the recent SING CVS (12 September 2000), written by Alfredo Andres Omella, which is available from http://sourceforge.net/projects/sing, the option for detecting whether the DF bit is set on an ICMP Query reply was added, after being requested by me. The following is the same ICMP Echo request & reply, this time as presented by SING:

    [root@godfather bin]# ./sing -echo Host_Address
    SINGing to www.openbsd.org (IP_Address): 16 data bytes
    16 bytes from IP_Address: icmp_seq=0 DF! ttl=233 TOS=0 time=367.314 ms
    16 bytes from IP_Address: icmp_seq=1 DF! ttl=233 TOS=0 time=320.020 ms
    16 bytes from IP_Address: icmp_seq=2 DF! ttl=233 TOS=0 time=370.037 ms
    16 bytes from IP_Address: icmp_seq=3 DF! ttl=233 TOS=0 time=330.025 ms

    --- Host_Address sing statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 320.020/346.849/370.037 ms

Since www.openbsd.org uses the Sun Solaris operating system, it matches our findings.

ICMP Query replies from a given operating system maintain the same behavioral pattern: either it sets the DF bit on all ICMP Query reply types or it does not. The following operating systems were queried and checked for this kind of behavior: Linux Kernel 2.4 test 2,4,5,6; Linux Kernel 2.2.x; FreeBSD 4.0, 3.4; OpenBSD 2.7, 2.6; NetBSD 1.4.1, 1.4.2; BSDI BSD/OS 4.0, 3.1; Solaris 2.6, 2.7, 2.8; HP-UX 10.20, 11.0; Compaq Tru64 5.0; AIX 4.1, 3.2; Irix 6.5.3, 6.5.8; Ultrix 4.2 – 4.5; OpenVMS v7.1-2; Novell NetWare 5.1 SP1, 5.0, 3.12; Microsoft Windows 98/98SE/ME, Microsoft Windows NT WRKS SP6a, Microsoft Windows NT Server SP4, Microsoft Windows 2000 Family.

Only one operating system sets the DF bit on its ICMP Query replies: Sun Solaris. This distinguishes Sun Solaris from the other group of operating systems very easily. It is a simple operating system fingerprinting method, which does not require additional or unusual patterns to be set.

Cheers,
Ofir Arkin [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com
Personal Web page: http://www.sys-security.com
"Opinions expressed do not necessarily represent the views of my employer."
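A decoder for the two tcpdump hex dumps in the post, as an added example that is not code from the post or from SING: it parses the IPv4 header, splits the flags field into reserved/DF/MF bits and fragment offset, and reports whether an ICMP Echo Reply carries DF (the pattern the post attributes to Solaris). The masked x.x.x.x address is replaced with the constructed documentation address 192.0.2.1, so the original header checksums no longer validate and are deliberately not verified.

```python
import struct

# Hex dumps from the post's tcpdump trace. "xxxx xxxx" has been replaced with the
# constructed address 192.0.2.1 (c000 0201); the checksums 0x9602/0x3e07 are therefore stale.
ECHO_REQUEST = bytes.fromhex("4500 0024 3372 0000 ff01 9602 c348 a7dc c000 0201 "
                             "0800 54a4 8d04 0000 cbe7 bc39 8635 0800")
ECHO_REPLY = bytes.fromhex("4500 0024 616d 4000 e901 3e07 c000 0201 c348 a7dc "
                           "0000 5ca4 8d04 0000 cbe7 bc39 8635 0800")

IP_FLAG_RESERVED, IP_FLAG_DF, IP_FLAG_MF = 0x8000, 0x4000, 0x2000  # top 3 bits of the 16-bit field
ICMP_ECHO_REPLY = 0

def parse_ipv4(raw):
    """Return the IPv4 header fields relevant here plus the ICMP type/code if present."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", raw[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4        # IHL is counted in 32-bit words
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a complete IPv4 header")
    fields = {
        "id": ident, "ttl": ttl, "proto": proto,
        "reserved": bool(flags_frag & IP_FLAG_RESERVED),    # RFC 791: must be zero
        "df": bool(flags_frag & IP_FLAG_DF),
        "mf": bool(flags_frag & IP_FLAG_MF),
        "frag_offset": flags_frag & 0x1FFF,                  # in 8-byte units
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
    }
    if proto == 1 and len(raw) >= ihl + 2:                    # ICMP starts after any IP options
        fields["icmp_type"], fields["icmp_code"] = raw[ihl], raw[ihl + 1]
    return fields

def classify_icmp_reply(raw):
    """'df-set' for an unfragmented ICMP Echo Reply with DF, 'df-clear' without it, else None."""
    f = parse_ipv4(raw)
    if f.get("icmp_type") != ICMP_ECHO_REPLY or f["mf"] or f["frag_offset"]:
        return None
    return "df-set" if f["df"] else "df-clear"

if __name__ == "__main__":
    for name, pkt in (("request", ECHO_REQUEST), ("reply", ECHO_REPLY)):
        f = parse_ipv4(pkt)
        print(f"{name}: id={f['id']} ttl={f['ttl']} DF={f['df']} MF={f['mf']} icmp_type={f.get('icmp_type')}")
    print("reply classification:", classify_icmp_reply(ECHO_REPLY))
```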