Nmap Announce mailing list archives

Fixed: ICMP Error Message Quoting Size with Different OSs


From: "Ofir Arkin" <ofir () sys-security com>
Date: Wed, 6 Dec 2000 17:08:47 +0100

This post is a fix to my previous post about ICMP Error Message Quoting Size
with different operating systems.
-----------------------------------------------------------------------------

Each ICMP error message includes the Internet Protocol (IP) Header and at
least the first 8 data bytes of the datagram that triggered the error (the
offending datagram); more than 8 bytes may be sent according to RFC 1122.

Most of the operating systems will quote the offending packet's IP Header and
the first 8 data bytes of the datagram that triggered the error. Several
operating systems and networking devices will parse the RFC guidelines a bit
differently and will echo more than 8 bytes.

Which operating systems will quote more?
LINUX based on Kernel 2.0.x/2.2.x/2.4.t-x, Sun Solaris, HPUX 11.x, MacOS
7.55/8.x/9.04, Nokia boxes, Foundry Switches (and other OSs and several
Networking Devices) are a good example.

The fact is not new. Fyodor outlined this in his article "Remote OS
Identification by TCP/IP Fingerprinting"
(http://www.insecure.org/nmap/nmap-fingerprinting-article.html).

The idea is in trying to differentiate between the different operating
systems that quote more than the usual. How can this be done? Looking, for
example, at the amount of information quoted. Is there a limit to the quoted
size? Will the quoted data be the entire offending packet or just part of
it? Will the quoted data be echoed correctly? Will extra bytes be padded to
the echoed data? And some other parameters.

The next example is with Sun Solaris 7. I have sent a UDP datagram to a
closed UDP port:

00:13:35.559947 ppp0 > x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 64, id 44551)
                         4500 001c ae07 0000 4011 7aa4 xxxx xxxx
                         yyyy yyyy 043c 07d0 0008 a1ac

00:13:35.923691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000
unreachable Offending pkt: x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 45, id
44551) (DF) (ttl 236, id 63417)
                         4500 0038 f7b9 4000 ec01 44e5 yyyy yyyy
                         xxxx xxxx 0303 4f3c 0000 0000 4500 001c
                         ae07 0000 2d11 8da4 xxxx xxxx yyyy yyyy
                         043c 07d0 0008 a1ac

Please note that to have more than 8 data bytes quoted, you need to have
data in the offending datagram. If not, there is nothing to quote beyond the
regular 8 bytes (usually, if the OS is not padding other data bytes).

The next example is with Sun Solaris 8. I have sent a UDP datagram to a
closed UDP port, adding 80 bytes of data to the datagram.

[root@godfather]# hping2 -2 -d 80 -c 1 y.y.y.y
eth0 default routing interface selected (according to /proc)
HPING y.y.y.y (eth0 y.y.y.y): udp mode set, 28 headers + 80 data bytes
ICMP Port Unreachable from y.y.y.y (y.y.y.y)

--- y.y.y.y hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

The tcpdump trace:

11:52:50.830383 eth0 > x.x.x.x.2198 > y.y.y.y.0: udp 80 (ttl 64, id 17240)
                         4500 006c 4358 0000 4011 99ae xxxx xxxx
                         yyyy yyyy 0896 0000 0058 8b5f 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858

11:52:51.367331 eth0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
unreachable Offending pkt: x.x.x.x.2198 > y.y.y.y.0: udp 80 (ttl 48, id
17240) (DF) (ttl 231, id 49576)
                         4500 0070 c1a8 4000 e701 3469 yyyy yyyy
                         xxxx xxxx 0303 bf05 0000 0000 4500 006c
                         4358 0000 3011 a9ae xxxx xxxx yyyy yyyy
                         0896 0000 0058 8b5f 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858

The result is an ICMP Port Unreachable Error message that will echo only 64
bytes of the offending datagram’s data portion.

The limit of 64 bytes quoted from the offending packet’s data portion is not
limited to Sun Solaris only. HPUX 11.x and MacOS 7.55/8.x/9.04 will do the
same.

Other operating systems / networking devices will have their own barriers.
For example, LINUX based on Kernel 2.2.x/2.4.x-t will send an ICMP Error
Message up to 576 bytes long. LINUX will quote 528 bytes from the data
portion of the offending packet (576 minus 20 bytes of the usual IP Header,
minus 8 bytes of the ICMP Header, minus the offending packet’s IP Header
that is 20 bytes will leave you with 528 bytes of data portion; this is if
no IP options are present).
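The following is an added example (not part of Ofir's post) that models the quoting behaviour described above for Solaris (64 data bytes), Linux (528 data bytes) and the zero-data case, and measures it the way a fingerprinting tool would: it builds a UDP datagram, wraps it in an ICMP Port Unreachable with a given quote limit, and then parses the error to recover how much of the data portion was echoed. The addresses, ports and quote limits are constructed placeholders; the sizes it reproduces (108-byte probe, 112-byte and 56-byte errors) match the tcpdump traces above.

```python
import struct

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64, ident: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header (no options), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def udp_datagram(src: bytes, dst: bytes, sport: int, dport: int, data: bytes) -> bytes:
    """The offending datagram: IP header + UDP header (checksum 0 = none) + data."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4_header(src, dst, 17, len(udp)) + udp

def icmp_port_unreachable(offending: bytes, quote_limit: int, ttl: int = 236) -> bytes:
    """Model of a host that quotes at most `quote_limit` bytes of the offending
    packet's data portion (bytes after its IP header): 64 for Solaris, 528 for Linux."""
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[: ihl + min(quote_limit, len(offending) - ihl)]
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted          # type 3, code 3
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return ipv4_header(offending[16:20], offending[12:16], 1, len(icmp), ttl, 0) + icmp

def analyze_icmp_error(pkt: bytes) -> dict:
    """Recover the quoting parameters the post asks about from a raw ICMP error."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:total]
    inner = icmp[8:]                                   # quoted offending packet
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_total = struct.unpack("!H", inner[2:4])[0]
    return {
        "icmp_type": icmp[0], "icmp_code": icmp[1],
        "error_msg_len": total,                        # whole ICMP error, with IP header
        "quoted_bytes": len(inner),                    # offending IP header + quoted data
        "quoted_data_bytes": len(inner) - inner_ihl,   # data portion actually echoed
        "offending_data_bytes": inner_total - inner_ihl,
        "full_quote": len(inner) == inner_total,
        "inner_header_checksum_ok": ip_checksum(inner[:inner_ihl]) == 0,
    }
```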

I know an operating system, and a family of networking devices that will pad
extra data to the echoed offending packet.

See my next posts.

This information was posted to bugtraq as well.

Ofir Arkin
ofir () sys-security com
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

Copyright 2000 Sys-Security.com & Ofir Arkin   All rights reserved

