Bugtraq: Re: IP TTL Field Value with ICMP (Oops - Identifying Windows 2000 again and more)

From: Stéphane OMNES <stephane.omnes_at_AQL.FR>
Date: Fri, 1 Sep 2000 16:38:03 +0200

Ofir Arkin wrote (Thu, 31 Aug 2000 13:39:36 +0200) :

> The IP TTL field value with ICMP has two separate values, one for ICMP query
> messages and one for ICMP query replies.
> The TTL field value helps us identify certain operating systems and groups of
> operating systems. It also provides us with the simplest means to add another
> check criterion when we are querying other host(s) or listening to traffic
> (sniffing).

> A. IP TTL Field Value with ICMP Echo Replies
> If we would look at the ICMP Query Replies IP TTL field value then we see
> some patterns:
> - UNIX and UNIX-like operating systems use 255 as their IP TTL field value
> with ICMP query replies.
> Compaq Tru64 5.0 is the exception, using 64 as its IP TTL field value
> with ICMP query replies.
> - Microsoft Windows operating system machines are using the value of 128.
> - Microsoft Windows 95 is the only Microsoft operating system to use 32 as
> its IP TTL field value with ICMP query messages.

> With the ICMP query replies we have two operating systems that are clearly
> distinguished from the others - Windows 95 and Compaq Tru64 5.0. Other
> operating systems are grouped into the 255 group (UNIX and UNIX-like) and
> into the 128 group (Microsoft operating systems).

> Operating Systems tested:
> LINUX Kernel 2.2.x, Kernel 2.4t1-6; FreeBSD 4.1, 4.0, 3.4; OpenBSD 2.7, 2.6;
> NetBSD 1.4.2; Sun Solaris 2.5.1, 2.6, 2.7, 2.8; HP-UX 10.20, 11.0; AIX 4.1, 3.2;
> Compaq Tru64 5.0; Irix 6.5.3, 6.5.8; BSDI BSD/OS 4.0, 3.1; Ultrix 4.2-4.5;
> OpenVMS 7.1-2; Windows 95/98/98SE/ME; Windows NT 4 Workstation SP3, SP4, SP6a;
> Windows NT 4 Server SP4; Windows 2000 Professional, Server, Advanced Server.

Not exactly. I tested some Linux distributions and other OSs. My results are
the following:
        - RedHat 5.0 (kernel 2.0.32): the IP TTL field with ICMP Echo_reply message is: 64
        - RedHat 5.2 (kernel 2.0.36): the IP TTL field with ICMP Echo_reply message is: 64
        - RedHat 6.1 (kernel 2.2.12-20): the IP TTL field with ICMP Echo_reply message is: 255
        - Mandrake 7.0 (kernel 2.2.14-15): the IP TTL field with ICMP Echo_reply message is: 255
        - FreeBSD 4.0: the IP TTL field with ICMP Echo_reply message is: 255
        - Windows 95: the IP TTL field with ICMP Echo_reply message is: 32
        - Windows NT4 Workstation (SP4, SP5): IP TTL field with ICMP Echo_reply message is: 128
        - Windows NT4 Server (SP4, SP5): IP TTL field with ICMP Echo_reply message is: 128
        - Windows NT4 Primary Domain Controller (SP4): IP TTL field with ICMP Echo_reply message is: 128
        - Windows 2000 Professional: IP TTL field with ICMP Echo_reply message is: 128
So, some Linux versions are also clearly distinguished from the other UNIX and
UNIX-like systems...

> B. IP TTL Field Value with ICMP Echo Requests
> One would expect that both IP TTL field values would be the same ...
> This is not true in the case of some operating systems.

> - LINUX Kernel 2.2.x & 2.4.x use 64 as their IP TTL Field Value with
> ICMP Echo Requests.

It's also true for some LINUX Kernel 2.0.x. I tested the following OSs:
        - RedHat 5.0 (kernel 2.0.32): the IP TTL field with ICMP Echo_request message is: 64
        - RedHat 5.2 (kernel 2.0.36): the IP TTL field with ICMP Echo_request message is: 64
        - RedHat 6.1 (kernel 2.2.12-20): the IP TTL field with ICMP Echo_request message is: 64
        - Mandrake 7.0 (kernel 2.2.14-15): the IP TTL field with ICMP Echo_request message is: 64

> - FreeBSD 4.1, 4.0, 3.4; Sun Solaris 2.5.1, 2.6, 2.7, 2.8; OpenBSD 2.6, 2.7,
> NetBSD and HP UX 10.20 are using 255 as their IP TTL field value with ICMP Echo
> requests. With the OSs listed above the same IP TTL Field value with any
> ICMP message is given.

I confirm for FreeBSD 4.0...

> - Windows 95/98/98SE/ME/NT4 WRKS SP3,SP4,SP6a/NT4 Server SP4 - all using 32
> as their IP TTL field value with ICMP Echo requests.

I confirm for Windows 95 / NT4 Workstation SP4 / NT4 Server SP4.
I also tested successfully Windows NT4 Workstation SP5 / NT4 Server SP5 /
NT4 Primary Domain Controller SP4.

> - Microsoft Windows 2000 is using 128 as its IP TTL Field Value with ICMP Echo
> requests.

Right.

> We can distinguish between LINUX, Microsoft Windows 2000, The Other
> Microsoft OSs (32 group), and the 255 group.

And we can recognize some Linux distributions (TTL 64 group)...

Sincerely,

Stephane Omnes
AQL - Groupe SILICOMP SA
Please reply to : infos_at_aql.fr

Received on Sep 01 2000
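The thread above reads the TTL of a captured ICMP echo request or reply, rounds it up to the nearest common initial value (32, 64, 128, 255) and maps that to an OS group, with separate tables for the two directions. The following is an added example, not code from either poster, that does exactly this on raw IPv4/ICMP packets: it parses and checksum-verifies the IP header, picks the direction from the ICMP type, infers the initial TTL and hop count, and looks up the group from the two tables assembled from Ofir Arkin's and Stéphane Omnes' figures. The sample packets are constructed inline (addresses from the documentation ranges, TTLs chosen to land in each group); the group labels and the hypothetical helper names are this example's own.

```python
"""Classify ICMP echo traffic by IP TTL into the OS groups discussed in the thread."""
import struct

COMMON_INITIAL_TTLS = (32, 64, 128, 255)   # initial values seen in the thread
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Groups by initial TTL, per direction, as reported in the two posts (labels are ours).
ECHO_REPLY_GROUPS = {
    32: "Windows 95",
    64: "Linux 2.0.x (RedHat 5.0/5.2) or Compaq Tru64 5.0",
    128: "Windows 98/98SE/ME/NT4/2000 (128 group)",
    255: "UNIX and UNIX-like: Linux 2.2.x/2.4, *BSD, Solaris, HP-UX ... (255 group)",
}
ECHO_REQUEST_GROUPS = {
    32: "Windows 95/98/98SE/ME/NT4 (32 group)",
    64: "Linux 2.0.x/2.2.x/2.4.x",
    128: "Windows 2000",
    255: "FreeBSD, OpenBSD, NetBSD, Solaris, HP-UX 10.20 (255 group)",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src: str, dst: str, ttl: int, icmp_type: int,
                      ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed sample: minimal IPv4 header + ICMP echo with the given TTL."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"abcdefgh"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xBEEF, 0,
                      ttl, IPPROTO_ICMP, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ipv4_icmp(packet: bytes) -> dict:
    """Extract TTL, addresses and ICMP type; reject bad version/IHL/checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl + 8:
        raise ValueError("not a complete IPv4/ICMP packet")
    if inet_checksum(packet[:ihl]) != 0:      # valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IPPROTO_ICMP:
        raise ValueError("not ICMP (protocol %d)" % packet[9])
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "ttl": packet[8],
        "icmp_type": packet[ihl],
        "icmp_code": packet[ihl + 1],
    }


def infer_initial_ttl(observed: int) -> tuple:
    """Round up to the nearest common initial TTL; the difference is the hop count."""
    for initial in COMMON_INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise ValueError("TTL out of range")


def classify(packet: bytes) -> dict:
    """Attribute a captured ICMP echo request/reply to one of the thread's TTL groups."""
    info = parse_ipv4_icmp(packet)
    initial, hops = infer_initial_ttl(info["ttl"])
    if info["icmp_type"] == ICMP_ECHO_REPLY:
        table, direction = ECHO_REPLY_GROUPS, "echo reply"
    elif info["icmp_type"] == ICMP_ECHO_REQUEST:
        table, direction = ECHO_REQUEST_GROUPS, "echo request"
    else:
        raise ValueError("ICMP type %d is not an echo message" % info["icmp_type"])
    return {"src": info["src"], "direction": direction, "observed_ttl": info["ttl"],
            "initial_ttl": initial, "hops": hops, "group": table[initial]}


if __name__ == "__main__":
    # Constructed samples: one packet per TTL group in each direction.
    samples = [("192.0.2.10", 118, ICMP_ECHO_REPLY), ("192.0.2.11", 250, ICMP_ECHO_REPLY),
               ("192.0.2.12", 60, ICMP_ECHO_REPLY), ("192.0.2.13", 30, ICMP_ECHO_REPLY),
               ("198.51.100.7", 61, ICMP_ECHO_REQUEST), ("198.51.100.8", 29, ICMP_ECHO_REQUEST)]
    for src, ttl, icmp_type in samples:
        r = classify(build_icmp_packet(src, "203.0.113.1", ttl, icmp_type))
        print("%-13s %-12s ttl=%3d -> initial %3d, %2d hops: %s" % (
            r["src"], r["direction"], r["observed_ttl"], r["initial_ttl"], r["hops"], r["group"]))
```

Rounding up to the nearest common initial TTL assumes the sender uses one of the defaults in the thread; a host with a tuned TTL, or one more than 32 hops away, lands in the wrong bucket, so treat the group as one more check criterion to combine with other evidence, as the original post itself suggests, rather than as an identification on its own.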