Nmap Announce mailing list archives
ICMP Error Message Quoting Size (Identifying Sun Solaris & LINUX based machines)
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Sat, 25 Nov 2000 01:30:41 +0200
Every ICMP error message includes the Internet Protocol (IP) header and at least the first 8 data bytes of the datagram that triggered the error (the offending datagram); more than 8 bytes may be sent according to RFC 1122. Except for LINUX and Sun Solaris based machines, all other operating systems closely follow the RFC 1122 guidelines, quoting the IP header and the first 8 bytes of data of the offending packet. This fact is not new. Fyodor outlined this in his article "Remote OS Identification by TCP/IP Fingerprinting". The differences between LINUX and Sun Solaris regarding the extra quoting size issue have not been discussed/discovered.

We must understand that there are differences between the different ICMP error messages, not only in their meaning, but also in their implementation. I was expecting that several characteristics of the ICMP error messages would be the same across all of the ICMP error messages, but I was wrong regarding a few operating systems.

If we examine the behavior of LINUX 2.2.x / 2.4t-x based kernels and Sun Solaris operating systems with ICMP Port Unreachable, we will see the same pattern regarding the size of quoted information. Both will quote the entire offending packet. The next example is with Sun Solaris 7.

I have sent a UDP datagram to a closed UDP port:

00:13:35.559947 ppp0 > x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 64, id 44551)
                 4500 001c ae07 0000 4011 7aa4 xxxx xxxx
                 yyyy yyyy 043c 07d0 0008 a1ac

00:13:35.923691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000 unreachable
                 Offending pkt: x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 45, id 44551) (DF) (ttl 236, id 63417)
                 4500 0038 f7b9 4000 ec01 44e5 yyyy yyyy
                 xxxx xxxx 0303 4f3c 0000 0000 4500 001c
                 ae07 0000 2d11 8da4 xxxx xxxx yyyy yyyy
                 043c 07d0 0008 a1ac

The following example is with LINUX based on Kernel 2.2.16 as the targeted machine:

00:21:30.199408 ppp0 > x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 64, id 1732)
                 4500 001c 06c4 0000 4011 c895 xxxx xxxx
                 yyyy yyyy 0812 07d0 0008 4484

00:21:30.493691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000 unreachable
                 Offending pkt: x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 44, id 1732) [tos 0xc0] (ttl 238, id 53804)
                 45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy
                 xxxx xxxx 0303 a88e 0000 0000 4500 001c
                 06c4 0000 2c11 dc95 xxxx xxxx yyyy yyyy
                 0812 07d0 0008 4484

So where are the differences in the quoted size of the offending packet? (We have other parameters to differentiate between LINUX and Sun Solaris, like the Precedence Bits value LINUX uses with the ICMP error messages.) The differences show up with other ICMP error messages. Let's look at the ICMP Protocol Unreachable error message both LINUX and Sun Solaris produce for a datagram (or a packet) sent using a protocol field value which does not represent a valid protocol on the targeted machines.

The next example is with Sun Solaris 7:

14:18:09.187737 ppp0 > x.x.x.x > y.y.y.y: ip-proto-74 0 (ttl 51, id 23541)
                 4500 0014 5bf5 0000 334a d5ab xxxx xxxx
                 yyyy yyyy

14:18:09.564828 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 74 unreachable
                 Offending pkt: x.x.x.x > y.y.y.y: ip-proto-74 0 (ttl 34, id 23541) (DF) (ttl 238, id 64107)
                 4500 0030 fa6b 4000 ee01 3c61 yyyy yyyy
                 xxxx xxxx 0302 fcfd 0000 0000 4500 0014
                 5bf5 0000 224a e6ab xxxx xxxx yyyy yyyy

Still, the entire offending packet is being quoted. The next example is with LINUX:

13:14:56.942897 < 127.0.0.1 > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623)
                 4500 0014 92f7 0000 2726 02cb xxxx xxxx
                 yyyy yyyy

13:14:56.942964 > y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 38 unreachable
                 Offending pkt: x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623) [tos 0xc0] (ttl 255, id 1884)
                 45c0 0044 075c 0000 ff01 b59a yyyy yyyy
                 xxxx xxxx 0302 fb1a 0000 0000 4500 0014
                 92f7 0000 2726 02cb xxxx xxxx yyyy yyyy
                 0050 dc84 ae6f 6910 0000 0000 5004 0000
                 bd89 0000

LINUX adds another 20 bytes to the entire offending packet that was quoted. This pattern is applicable to ICMP Time Exceeded error messages as well.

With this fingerprinting method, even if the Precedence Bits field value of the ICMP error message LINUX produces is changed to zero, we will be able to differentiate between LINUX based machines and Sun Solaris based machines. This technique allows us to identify Sun Solaris & LINUX based machines even if there is no port open.

This info was submitted to Bugtraq as well.

Ofir Arkin
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com
Founder
http://www.sys-security.com
"Opinions expressed do not necessarily represent the views of my employer."

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
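The post's argument rests on one measurement: how many bytes of the offending datagram an ICMP error actually carries, compared with the Total Length the quoted inner IP header claims. The following is an added example, not code from Ofir Arkin's post: a small Python analyzer that performs that measurement on a captured ICMP error and also records the TOS byte of the error (where the precedence bits the post mentions live). It is written from the defender's side, for checking what a host's own ICMP errors disclose in a capture. The sample packets are the post's hex dumps with the `xxxx`/`yyyy` address placeholders replaced by constructed addresses (10.0.0.1 and 10.0.0.2, so the checksums are not verified), plus one constructed RFC 1122 minimum-quote packet that is not from the post.

```python
"""Measure how much of the offending datagram an ICMP error message quotes."""
import struct
from dataclasses import dataclass

# ICMP types whose 8-byte header is followed by the quoted offending datagram
ICMP_ERROR_TYPES = {3: "dest-unreachable", 4: "source-quench", 5: "redirect",
                    11: "time-exceeded", 12: "parameter-problem"}


@dataclass
class QuoteAnalysis:
    icmp_type: int
    icmp_code: int
    outer_tos: int            # TOS byte of the ICMP error itself (precedence bits)
    offending_total_len: int  # Total Length field of the quoted inner IP header
    quoted_bytes: int         # bytes of the offending datagram actually present
    extra_bytes: int          # quoted_bytes - offending_total_len; negative = truncated
    category: str


def _ihl(ip: bytes) -> int:
    """IPv4 header length in bytes (IHL is the low nibble, in 32-bit words)."""
    return (ip[0] & 0x0F) * 4


def analyze_icmp_error(pkt: bytes) -> QuoteAnalysis:
    """pkt is a raw IPv4 packet (no link-layer header) carrying an ICMP error."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("need an IPv4 packet")
    outer_ihl = _ihl(pkt)
    outer_total = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1:
        raise ValueError("IP protocol %d is not ICMP" % pkt[9])
    icmp = pkt[outer_ihl:outer_total]          # drop any trailing link-layer padding
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError("ICMP type %d carries no quoted datagram" % icmp_type)
    quoted = icmp[8:]                          # everything after the 8-byte ICMP header
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("quoted datagram does not start with an IPv4 header")
    inner_total = struct.unpack("!H", quoted[2:4])[0]
    quoted_len = len(quoted)
    extra = quoted_len - inner_total
    if extra > 0:
        category = "full-datagram-plus-%d-bytes" % extra   # the Linux surplus in the post
    elif extra == 0:
        # NB: for a 28-byte UDP probe this coincides with the RFC 1122 minimum,
        # which is why Port Unreachable alone cannot separate the two systems.
        category = "full-datagram"
    elif quoted_len == _ihl(quoted) + 8:
        category = "rfc1122-minimum"                       # IP header + first 8 data bytes
    else:
        category = "truncated"
    return QuoteAnalysis(icmp_type, icmp_code, pkt[1], inner_total, quoted_len, extra, category)


def _hexpkt(dump: str) -> bytes:
    """tcpdump -x style hex; the post's placeholders become constructed addresses."""
    dump = dump.replace("xxxx xxxx", "0a00 0001").replace("yyyy yyyy", "0a00 0002")
    return bytes.fromhex(dump.replace(" ", ""))


# Hex dumps of the ICMP errors from the post (addresses constructed, see _hexpkt),
# plus one constructed packet quoting only the RFC 1122 minimum of a 60-byte TCP SYN.
SAMPLES = {
    "solaris7-port-unreachable": _hexpkt(
        "4500 0038 f7b9 4000 ec01 44e5 yyyy yyyy xxxx xxxx 0303 4f3c 0000 0000 "
        "4500 001c ae07 0000 2d11 8da4 xxxx xxxx yyyy yyyy 043c 07d0 0008 a1ac"),
    "linux-2.2.16-port-unreachable": _hexpkt(
        "45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy xxxx xxxx 0303 a88e 0000 0000 "
        "4500 001c 06c4 0000 2c11 dc95 xxxx xxxx yyyy yyyy 0812 07d0 0008 4484"),
    "solaris7-protocol-unreachable": _hexpkt(
        "4500 0030 fa6b 4000 ee01 3c61 yyyy yyyy xxxx xxxx 0302 fcfd 0000 0000 "
        "4500 0014 5bf5 0000 224a e6ab xxxx xxxx yyyy yyyy"),
    "linux-2.2-protocol-unreachable": _hexpkt(
        "45c0 0044 075c 0000 ff01 b59a yyyy yyyy xxxx xxxx 0302 fb1a 0000 0000 "
        "4500 0014 92f7 0000 2726 02cb xxxx xxxx yyyy yyyy "
        "0050 dc84 ae6f 6910 0000 0000 5004 0000 bd89 0000"),
    "constructed-rfc1122-minimum": _hexpkt(
        "4500 0038 0001 0000 4001 0000 yyyy yyyy xxxx xxxx 0303 0000 0000 0000 "
        "4500 003c 0002 4000 4006 0000 xxxx xxxx yyyy yyyy c000 0050 0000 0001"),
}


def classify_all(samples=SAMPLES) -> dict:
    """Map each sample name to its quoting category."""
    return {name: analyze_icmp_error(pkt).category for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        r = analyze_icmp_error(pkt)
        print("%-32s type=%d code=%d tos=0x%02x quoted=%2d/%2d -> %s"
              % (name, r.icmp_type, r.icmp_code, r.outer_tos,
                 r.quoted_bytes, r.offending_total_len, r.category))
```

Run against a capture, the interesting fields are `quoted_bytes` versus `offending_total_len` and the `category`: both Port Unreachable samples come out as `full-datagram` with identical sizes, while the two Protocol Unreachable samples split into `full-datagram` (Solaris 7) and `full-datagram-plus-20-bytes` (Linux 2.2), which is the distinction the post is making. The TOS byte (0xc0 on the Linux errors, 0x00 on Solaris) is reported separately so the quoting-size signal can be judged on its own, as the post proposes for the case where the precedence bits are zeroed.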
Current thread:
- ICMP Error Message Quoting Size (Identifying Sun Solaris & LINUX based machines) Ofir Arkin (Nov 25)
- Re: ICMP Error Message Quoting Size (Identifying Sun Solaris & LINUX based machines) Darren Reed (Nov 25)