Nmap Announce mailing list archives

ICMP Error Message Quoting Size (Identifying Sun Solaris & LINUX based machines)


From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Sat, 25 Nov 2000 01:30:41 +0200

Every ICMP error message includes the Internet Protocol (IP) Header and at
least the first 8 data bytes of the datagram that triggered the error (the
offending datagram); more than 8 bytes may be sent according to RFC 1122.

Except for LINUX and Sun Solaris based machines, all other operating systems
will closely follow RFC 1122 guidelines – quoting the IP Header and the
first 8 bytes of data of the offending packet.

The fact is not new. Fyodor outlined this in his article "Remote OS
Identification by TCP/IP Fingerprinting". The differences between LINUX and
Sun Solaris regarding the extra quoting size issue have not been
discussed/discovered.

We must understand that there are differences between the different ICMP
Error messages, not only in their meaning, but also in their
implementation. I was expecting that several characteristics of the ICMP Error
messages would be the same across all of the ICMP Error Messages, but I was
wrong regarding a few operating systems.

If we examine LINUX 2.2.x / 2.4t-x based Kernel and Sun Solaris operating
systems behavior with ICMP Port Unreachable we will see the same pattern
regarding the size of quoted information. Both will quote the entire
offending packet.

The next example is with Sun Solaris 7. I have sent a UDP datagram to a
closed UDP port:

00:13:35.559947 ppp0 > x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 64, id 44551)
                         4500 001c ae07 0000 4011 7aa4 xxxx xxxx
                         yyyy yyyy 043c 07d0 0008 a1ac
00:13:35.923691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000
unreachable Offending pkt: x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 45, id
44551) (DF) (ttl 236, id 63417)
                         4500 0038 f7b9 4000 ec01 44e5 yyyy yyyy
                         xxxx xxxx 0303 4f3c 0000 0000 4500 001c
                         ae07 0000 2d11 8da4 xxxx xxxx yyyy yyyy
                         043c 07d0 0008 a1ac

The following example is with LINUX based on Kernel 2.2.16 as the targeted
machine:

00:21:30.199408 ppp0 > x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 64, id 1732)
                         4500 001c 06c4 0000 4011 c895 xxxx xxxx
                         yyyy yyyy 0812 07d0 0008 4484
00:21:30.493691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000
unreachable Offending pkt: x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 44, id
1732) [tos 0xc0]  (ttl 238, id 53804)
                         45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy
                         xxxx xxxx 0303 a88e 0000 0000 4500 001c
                         06c4 0000 2c11 dc95 xxxx xxxx yyyy yyyy
                         0812 07d0 0008 4484

So where are the differences with the offending packet quoted size? (We have
other parameters to differentiate between LINUX and Sun Solaris, like the
Precedence Bits value LINUX uses with the ICMP Error Messages).

The differences show up with other ICMP Error Messages. Let's look at the
ICMP Protocol Unreachable error message both LINUX and Sun Solaris produce
for a datagram (or a packet) sent using a protocol field value which does
not represent a valid protocol on the targeted machines.

The next example is with Sun Solaris 7:

14:18:09.187737 ppp0 > x.x.x.x > y.y.y.y: ip-proto-74 0 (ttl 51, id 23541)
                         4500 0014 5bf5 0000 334a d5ab xxxx xxxx
                         yyyy yyyy

14:18:09.564828 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 74
unreachable Offending pkt: x.x.x.x > y.y.y.y: ip-proto-74 0 (ttl 34, id
23541) (DF) (ttl 238, id 64107)
                         4500 0030 fa6b 4000 ee01 3c61 yyyy yyyy
                         xxxx xxxx 0302 fcfd 0000 0000 4500 0014
                         5bf5 0000 224a e6ab xxxx xxxx yyyy yyyy

Still, the entire offending packet is being quoted.

The next example is with LINUX:

13:14:56.942897   < 127.0.0.1 > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623)
                         4500 0014 92f7 0000 2726 02cb xxxx xxxx
                         yyyy yyyy
13:14:56.942964   > y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 38 unreachable
Offending pkt: x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623) [tos
0xc0]  (ttl 255, id 1884)
                         45c0 0044 075c 0000 ff01 b59a yyyy yyyy
                         xxxx xxxx 0302 fb1a 0000 0000 4500 0014
                         92f7 0000 2726 02cb xxxx xxxx yyyy yyyy
                         0050 dc84 ae6f 6910 0000 0000 5004 0000
                         bd89 0000

LINUX adds to the entire offending packet that was quoted, another 20 bytes.

This pattern is applicable to ICMP Time Exceeded error messages as well.

With this fingerprinting method, even if the Precedence Bits field value of
the ICMP Error message LINUX produces were changed to zero, we would still be
able to differentiate between LINUX based machines and Sun Solaris based
machines.


This technique allows us to identify Sun Solaris & LINUX based machines even
if there is no port open.

This info was submitted to Bugtraq as well.

Ofir Arkin
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Founder
http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."



--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
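Added example (not part of the original post or of nmap): a small parser that re-reads the four ICMP error replies dumped above and measures the quoted size the way the post does by hand. It takes the outer IP total length, subtracts the outer IP header and the 8-byte ICMP header to get the number of quoted bytes, and compares that with the total length field of the quoted inner IP header. The masked addresses (xxxx xxxx / yyyy yyyy) are replaced with the placeholders 10.0.0.1 / 10.0.0.2, which is an assumption, so the checksums in the dumps no longer verify; only the length and TOS fields matter for this check.

```python
"""Measure how much of the offending datagram an ICMP error message quotes.

Added example; not code from the original post. The hex dumps are the four
ICMP error replies shown in the post; the masked addresses are filled with
placeholder values (an assumption), so checksums will not verify.
"""
import struct

SRC = "0a00 0001"  # placeholder for x.x.x.x (assumption)
DST = "0a00 0002"  # placeholder for y.y.y.y (assumption)

# Outer IP header, ICMP header, then the quoted offending datagram.
CAPTURES = {
    "solaris7_port_unreachable": """
        4500 0038 f7b9 4000 ec01 44e5 yyyy yyyy
        xxxx xxxx 0303 4f3c 0000 0000 4500 001c
        ae07 0000 2d11 8da4 xxxx xxxx yyyy yyyy
        043c 07d0 0008 a1ac""",
    "linux2216_port_unreachable": """
        45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy
        xxxx xxxx 0303 a88e 0000 0000 4500 001c
        06c4 0000 2c11 dc95 xxxx xxxx yyyy yyyy
        0812 07d0 0008 4484""",
    "solaris7_proto_unreachable": """
        4500 0030 fa6b 4000 ee01 3c61 yyyy yyyy
        xxxx xxxx 0302 fcfd 0000 0000 4500 0014
        5bf5 0000 224a e6ab xxxx xxxx yyyy yyyy""",
    "linux_proto_unreachable": """
        45c0 0044 075c 0000 ff01 b59a yyyy yyyy
        xxxx xxxx 0302 fb1a 0000 0000 4500 0014
        92f7 0000 2726 02cb xxxx xxxx yyyy yyyy
        0050 dc84 ae6f 6910 0000 0000 5004 0000
        bd89 0000""",
}

ICMP_ERROR_TYPES = {3: "dest-unreachable", 4: "source-quench", 5: "redirect",
                    11: "time-exceeded", 12: "parameter-problem"}


def dump_to_bytes(dump: str) -> bytes:
    """Turn a tcpdump-style hex dump into bytes, filling in the masked addresses."""
    dump = dump.replace("xxxx xxxx", SRC).replace("yyyy yyyy", DST)
    return bytes.fromhex("".join(dump.split()))


def analyze_icmp_error(raw: bytes) -> dict:
    """Parse outer IPv4 + ICMP headers and classify how much of the inner datagram is quoted."""
    if len(raw) < 20:
        raise ValueError("shorter than an IPv4 header")
    ver_ihl, tos, total_len = struct.unpack("!BBH", raw[:4])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(raw) or raw[9] != 1:
        raise ValueError("not a complete IPv4/ICMP packet")
    icmp = raw[ihl:total_len]
    itype, icode = icmp[0], icmp[1]
    if itype not in ICMP_ERROR_TYPES or len(icmp) < 8 + 20:
        raise ValueError("not an ICMP error message carrying a quoted IP header")
    quoted = icmp[8:]                        # everything after the 8-byte ICMP header
    inner_ver_ihl, _, inner_len = struct.unpack("!BBH", quoted[:4])
    inner_ihl = (inner_ver_ihl & 0x0F) * 4
    rfc1122_minimum = inner_ihl + 8          # inner IP header + first 8 data bytes
    extra = len(quoted) - inner_len          # bytes quoted beyond the offending datagram
    if extra > 0:
        kind = "entire packet + %d extra bytes" % extra
    elif extra == 0:
        kind = "entire packet"
    elif len(quoted) == rfc1122_minimum:
        kind = "IP header + 8 bytes (RFC 1122 minimum)"
    else:
        kind = "partial (%d of %d bytes)" % (len(quoted), inner_len)
    return {
        "type": ICMP_ERROR_TYPES[itype], "code": icode,
        "tos": tos, "precedence": tos >> 5,  # top three TOS bits
        "quoted_len": len(quoted), "inner_len": inner_len,
        "extra": extra, "quoting": kind,
    }


if __name__ == "__main__":
    for name, dump in CAPTURES.items():
        r = analyze_icmp_error(dump_to_bytes(dump))
        print("%-28s %s code=%d tos=0x%02x quoted=%d inner=%d -> %s" % (
            name, r["type"], r["code"], r["tos"],
            r["quoted_len"], r["inner_len"], r["quoting"]))
```

Run against the dumps, both Port Unreachable replies and the Sun Solaris Protocol Unreachable reply come out as "entire packet" (extra = 0), while the LINUX Protocol Unreachable reply comes out as "entire packet + 20 extra bytes"; the tos field also shows the 0xc0 precedence value on the LINUX replies. On live traffic the same routine can be fed the IP packet returned by a raw socket, since nothing here depends on the dumps beyond their bytes.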

