Nmap Announce mailing list archives

The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs)


From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Tue, 12 Sep 2000 19:01:21 -0000

RFC 791 defines a three-bit field used for various control flags in the IP
header.

Bit 0 is the reserved flag, and must be zero.

Bit 1 is called the Don't Fragment flag and can have two values. A value
of zero (not set) is equivalent to May Fragment, and a value of one is
equivalent to Don't Fragment. If this flag is set, then fragmentation of
this packet at the IP level is not permitted; otherwise it is.

Bit 2 is called the More Fragments bit. It can have two values. A value of
zero is equivalent to (this is the) Last Fragment, and a value of one is
equivalent to More Fragments (are coming).

The next field in the IP header is the Fragment Offset field, which
identifies the fragment location relative to the beginning of the original
un-fragmented datagram (RFC 791, bottom of page 23).

A close examination of ICMP Query replies reveals that some operating
systems set the DF bit on their replies.

The tcpdump trace below illustrates the reply an OpenBSD 2.7 box produced
for an ICMP Echo Request.


17:10:19.538020 if 4  > 195.72.167.220 > x.x.x.x : icmp: echo request (ttl 255, id 13170)
                         4500 0024 3372 0000 ff01 9602 c348 a7dc
                         xxxx xxxx 0800 54a4 8d04 0000 cbe7 bc39
                         8635 0800
17:10:19.905254 if 4  < x.x.x.x > 195.72.167.220: icmp: echo reply (DF) (ttl 233, id 24941)
                         4500 0024 616d 4000 e901 3e07 xxxx xxxx
                         c348 a7dc 0000 5ca4 8d04 0000 cbe7 bc39
                         8635 0800


In the recent SING CVS (12 September 2000), written by Alfredo Andres
Omella and available from http://sourceforge.net/projects/sing, an option
for detecting whether the DF bit is set on an ICMP Query reply was added at
my request. The following is the same ICMP Echo request & reply, this time
as presented by SING:

[root@godfather bin]# ./sing -echo Host_Address
SINGing to www.openbsd.org (IP_Address): 16 data bytes
16 bytes from IP_Address: icmp_seq=0 DF! ttl=233 TOS=0 time=367.314 ms
16 bytes from IP_Address: icmp_seq=1 DF! ttl=233 TOS=0 time=320.020 ms
16 bytes from IP_Address: icmp_seq=2 DF! ttl=233 TOS=0 time=370.037 ms
16 bytes from IP_Address: icmp_seq=3 DF! ttl=233 TOS=0 time=330.025 ms

--- Host_Address sing statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 320.020/346.849/370.037 ms


The ICMP Query replies of an operating system maintain the same behavioral
pattern: either it sets the DF bit on all ICMP query reply types or it
does not.

The following operating systems were queried and checked for this kind of
behavior: Linux Kernel 2.4 test 2,4,5,6; Linux Kernel 2.2.x; FreeBSD 4.0,
3.4; OpenBSD 2.7,2.6; NetBSD 1.4.1,1.4.2; BSDI BSD/OS 4.0,3.1; Solaris
2.6,2.7,2.8; HP-UX 10.20, 11.0; Compaq Tru64 5.0; AIX 4.1,3.2; Irix 6.5.3,
6.5.8; Ultrix 4.2 – 4.5; OpenVMS v7.1-2; Novell NetWare 5.1 SP1, 5.0, 3.12;
Microsoft Windows 98/98SE/ME, Microsoft Windows NT WRKS SP6a, Microsoft
Windows NT Server SP4, Microsoft Windows 2000 Family.

Two operating systems set the DF bit on their ICMP Query replies: Sun
Solaris and OpenBSD. This distinguishes them from the other group of
operating systems very easily.

Since Sun Solaris answers ICMP Address Mask requests and OpenBSD does
not, we can distinguish between those two operating systems as well (they
both answer ICMP Timestamp requests).

This is a simple operating system fingerprinting method, which does not
require additional and unusual patterns to be set.
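To make the header fields concrete, here is an added example (not code from the post or from SING) that parses the IPv4 header out of a tcpdump hex dump like the one above, reports the RFC 791 flag bits and fragment offset, and applies the DF heuristic to an echo reply. The address words the post masks as "xxxx xxxx" are replaced by a constructed placeholder so the sample parses.

```python
# Added example (not from the post or SING): parse the IPv4 header of a tcpdump
# hex dump and report the RFC 791 flag bits. The address words masked as
# "xxxx xxxx" in the post are replaced by a constructed placeholder below.
import struct
from dataclasses import dataclass

@dataclass
class IPv4Frag:
    ip_id: int            # Identification field
    reserved: bool        # flags bit 0, must be zero
    dont_fragment: bool   # flags bit 1, DF
    more_fragments: bool  # flags bit 2, MF
    fragment_offset: int  # 13-bit offset, in 8-byte units
    ttl: int
    protocol: int         # 1 = ICMP
    icmp_type: int        # first ICMP byte (8 = echo request, 0 = echo reply), -1 if not ICMP

def parse_hexdump(dump: str) -> bytes:
    """tcpdump -x prints the packet as whitespace-separated 16-bit hex words."""
    return bytes.fromhex("".join(dump.split()))

def parse_ipv4_frag(pkt: bytes) -> IPv4Frag:
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                           # header length in bytes
    ip_id, flags_frag = struct.unpack("!HH", pkt[4:8])  # bytes 4-7: ID, flags+offset
    return IPv4Frag(
        ip_id=ip_id,
        reserved=bool(flags_frag & 0x8000),
        dont_fragment=bool(flags_frag & 0x4000),
        more_fragments=bool(flags_frag & 0x2000),
        fragment_offset=flags_frag & 0x1FFF,
        ttl=pkt[8],
        protocol=pkt[9],
        icmp_type=pkt[ihl] if pkt[9] == 1 and len(pkt) > ihl else -1,
    )

def df_group(pkt: bytes) -> str:
    """The post's heuristic: an ICMP echo reply with DF set points at the Solaris/OpenBSD group."""
    f = parse_ipv4_frag(pkt)
    if f.protocol != 1 or f.icmp_type != 0:
        raise ValueError("expected an ICMP echo reply")
    return "DF set: Sun Solaris / OpenBSD group" if f.dont_fragment else "DF clear: other OS group"

# Constructed sample: the trace from the post, masked address replaced by 0a00 0001.
ECHO_REQUEST = parse_hexdump("""4500 0024 3372 0000 ff01 9602 c348 a7dc
                                0a00 0001 0800 54a4 8d04 0000 cbe7 bc39 8635 0800""")
ECHO_REPLY = parse_hexdump("""4500 0024 616d 4000 e901 3e07 0a00 0001
                              c348 a7dc 0000 5ca4 8d04 0000 cbe7 bc39 8635 0800""")
```

The parsed ID and TTL values match the ones tcpdump printed in the trace (13170/255 for the request, 24941/233 for the reply), and only the reply carries the DF bit.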

This information was posted to Bugtraq as well.

Cheers

Ofir Arkin  [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."

