Re: Identifying Kernel 2.4.x based Linux machines using UDP

[Fyodor <fyodor () insecure org>]

On Tue, Mar 19, 2002, Ofir Arkin (ofir () stake com) wrote:
> Linux Kernel 2.4.x has a bug with the UDP implementation which allows 
> both active and passive fingerprinting of Linux machines based on the 
> 2.4.x Kernel.

Actually, as Crist Clark noted, this is a feature with both security
and efficiency benefits.  It also isn't specific to UDP -- you'll find
similar TCP behavior.  Nor is it exclusive to Linux 2.4 kernels --
Some (all?) Cisco IOS 12.0 - 12.3 devices and various Linksys
broadband routers do this.

I agree that that this is useful for remote OS detection.  In fact,
the Nmap Security Scanner has been using this OS detection technique
for more than a year (since 2.54BETA20).  You can grab a copy at
http://www.insecure.org/nmap/ .

> 03/16-11:49:41.531642 192.168.1.200:1024 -> x.x.x.x:53 UDP TTL:64 
> TOS:0x0 ID:0 IpLen:20 DgmLen:63 DF
> Len: 43
> BC 0D 01 00 00 01 00 00 00 00 00 00 03 77 77 77  .............www
> 03 63 6E 6E 03 63 6F 6D 05 6C 6F 63 61 6C 00 00  .cnn.com.local..
> 01 00 01                                         ...
>
> The IP Identification field value with the UDP datagram is zero (0). The 
> value will be constant and will not be changed for future UDP datagrams 
> I will be sending.

Last year I added a feature to Nmap which automates this IPID
classification.  Give the Nmap arguments "-v -O" against the host
above and it should say "IPID Sequence Generation: All zeros".  Other
IPID classes Nmap understands include "incremental" (most machines),
"duplicated IPID" (mostly stupid devices like printers), "Broken
little-endian incremental" (Windows), "Randomized" (OpenBSD), and
"Random positive increments".  The XML output will provide the actual
ID numbers in case you want to do your own analysis.

A more recent IPID-related Nmap feature is the Idlescan (-sI).  This
clever method (discovered by Antirez) allows for a truly blind TCP
port scan -- no packets are sent to the target from your real IP
address.  Instead, a unique side-channel attack exploits predictable
IPID sequences on a chosen "zombie" host to glean information about
open ports on the target network.  IDS systems will report the scan as
coming from the zombie.  Besides being extraordinarily stealthy (due
to its blind nature), this scan type permits mapping out IP-based
trust relationships between machines.

Please excuse my blatant Nmap promoting, but IPID analysis is one of
my favorite reconnaissance techniques.  The methods are subtle, but
can provide a wealth of information to potential attackers.
Fortunately, recent versions of Linux, Solaris, and OpenBSD (among
others) address most of the issues.  Lets hope that other vendors
follow their lead.

Cheers,
Fyodor

PS: While I'm plugging Nmap, I should mention that 2.54BETA31 was just
released.  It supports ICMP netmask/timestamp "ping" requests, custom
TCP scan flags support, and other new features.
http://www.insecure.org/nmap/ .

Attachment: _bin
Description: