Bugtraq mailing list archives
Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs)
From: Aaron Campbell <aaron () MONKEY ORG>
Date: Mon, 7 May 2001 16:01:26 -0400
On Sat, 5 May 2001, Ofir Arkin wrote:
> With the implementation in many operating systems, the Kernel is increasing the IP ID field value by 1, from one packet to the next.
There is something much more interesting about non-random incrementing IP ID numbers: you can use such operating systems to execute spoofed TCP port scans. I have explained this technique (originally described on Bugtraq over 2 years ago, see the below URL) to security expert friends of mine who weren't aware of it at all.

Imagine three hosts:

Host A - Attacker.
Host B - Idle machine, OS that increments IP IDs by a fixed amount each pkt.
Host C - Victim.

Suppose Host A would like to know if port 22 is listening on Host C. Host A communicates initially with Host B to determine Host B's current IP ID number and takes note of it. Host A sends a TCP SYN packet to port 22 of Host C with the src address field spoofed as Host B. If the port is open, Host C sends a SYN/ACK packet to Host B in response. If the port is closed, an RST is sent back instead. In the case of the open port, Host B would respond to the SYN/ACK with an RST. In the case of the closed port, Host B would ignore the RST and perform no action.

Once this is done, Host A communicates once again with Host B to determine the current IP ID and compares it with the saved one from before. If port 22 was open on Host C, Host B responded with an RST, increasing its IP ID by one. If it was closed, Host B responded with nothing and the IP ID did not change. Therefore, in the case where "fixed amount" = 1, the IP ID has increased by 2 if the port was open or 1 if it was closed.

I actually wrote a port scanner a long time ago to implement this method, which seemed to work on my home network (using a Win95 box as a rogue host) but I have long since lost the sources.

References:

http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26mid%3D11581

---
Aaron Campbell (aaron () monkey org || aaron () openbsd org)
http://www.monkey.org/~aaron
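The three-host exchange described in the message above, simulated in-process as an added example. This is not Aaron's lost scanner and not code from the post: the addresses, the port numbers, the zombie's starting counter and the "+256 per packet" zombie are constructed assumptions, and no packets leave the process. Beyond the post it also shows the 16-bit wrap of the ID field, a zombie whose step is larger than 1, a zombie that is not actually idle, and the caveat that a filtered port (no answer from Host C) is indistinguishable from a closed one in this scheme.

```python
"""
Idle (IP-ID) scan simulator: attacker A, idle zombie B, victim C modelled
in-process. Constructed example; nothing here touches a real network.
"""
from dataclasses import dataclass, field

IPID_MOD = 1 << 16  # the IP Identification field is 16 bits wide, so it wraps


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN/ACK, "R" = RST
    ipid: int = 0   # filled in by whichever host sends the packet


@dataclass
class Zombie:
    """Host B: every packet it sends carries the next IP ID (previous + step)."""
    addr: str
    step: int = 1                 # +1 per packet as described for the Win95 box
    ipid: int = 0
    sent: list = field(default_factory=list)

    def _emit(self, dst, flags):
        pkt = Packet(self.addr, dst, 0, flags, self.ipid)
        self.ipid = (self.ipid + self.step) % IPID_MOD
        self.sent.append(pkt)
        return pkt

    def receive(self, pkt):
        if pkt.flags == "S":    # A's probe to a closed port: RST reveals the current ID
            return self._emit(pkt.src, "R")
        if pkt.flags == "SA":   # unsolicited SYN/ACK (C's reply to the spoofed SYN): RST
            return self._emit(pkt.src, "R")
        return None             # unsolicited RST: dropped silently, nothing is sent

    def background_traffic(self, n):
        """Simulate a zombie that is NOT idle: n unrelated packets leave B."""
        for _ in range(n):
            self._emit("198.51.100.99", "S")   # constructed peer address


@dataclass
class Victim:
    """Host C: SYN/ACK from open ports, RST from closed ones, silence if filtered."""
    addr: str
    open_ports: set
    filtered_ports: set = field(default_factory=set)

    def receive(self, pkt):
        if pkt.flags != "S" or pkt.dport in self.filtered_ports:
            return None
        flags = "SA" if pkt.dport in self.open_ports else "R"
        return Packet(self.addr, pkt.src, 0, flags)  # addressed to the spoofed source, B


def probe_ipid(attacker, zombie):
    """Host A elicits any reply from B (SYN to a closed port -> RST) and reads its IP ID."""
    reply = zombie.receive(Packet(attacker, zombie.addr, 49152, "S"))
    return reply.ipid


def measure_step(attacker, zombie):
    """Two back-to-back probes reveal B's per-packet increment (modulo the wrap)."""
    a = probe_ipid(attacker, zombie)
    b = probe_ipid(attacker, zombie)
    return (b - a) % IPID_MOD


def idle_scan(attacker, zombie, victim, port, background=0):
    """Return 'open', 'closed|filtered', 'unreliable' (B not idle) or 'unusable'."""
    step = measure_step(attacker, zombie)
    if step == 0:
        return "unusable"          # counter does not move per packet: no signal to read
    before = probe_ipid(attacker, zombie)

    # Spoofed SYN: src = B, so C's SYN/ACK or RST lands on B, not on A.
    answer = victim.receive(Packet(zombie.addr, victim.addr, port, "S"))
    if answer is not None:
        zombie.receive(answer)
    zombie.background_traffic(background)   # 0 for a genuinely idle zombie

    after = probe_ipid(attacker, zombie)
    # Packets B sent between the two reads, minus the reply to the second read itself.
    extra = ((after - before) % IPID_MOD) // step - 1
    if extra == 0:
        return "closed|filtered"   # B sent nothing: C answered RST, or not at all
    if extra == 1:
        return "open"              # B sent exactly one RST, answering C's SYN/ACK
    return "unreliable"            # B's counter moved on its own; it is not idle


if __name__ == "__main__":
    a, b = "192.0.2.1", Zombie("192.0.2.2", step=1, ipid=65533)  # starts near the wrap
    c = Victim("192.0.2.3", open_ports={22}, filtered_ports={23})
    for port in (22, 80, 23):
        print(port, idle_scan(a, b, c, port))
```

The result after the spoofed SYN is a count of packets B emitted, not a raw difference, so the same inference works for any fixed step once `measure_step` has learned it; a zombie that emits anything else between the two reads pushes the count past 1 and is reported as unreliable rather than as an open port.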
Current thread:
- Fun with IP Identification Field Values (Identifying Older MS Based OSs) Ofir Arkin (May 07)
- Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs) marvin (May 11)
- Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs) Denis Ducamp (May 11)
- Re: Fun with IP Identification Field Values (Identifying Older MSBased OSs) Crist Clark (May 15)
- Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs) Aaron Campbell (May 11)