Home page logo
/

bugtraq logo Bugtraq mailing list archives

[Corrected Post] - Using the Unused (Identifying Sun Solaris & HPUX 11.0 OSs)
From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Wed, 13 Sep 2000 09:16:33 -0000

RFC 791 defines a three bits field used for various control flags in the IP
Header. Bit 0 of this bits field is the reserved flag, and must be zero
according
to the RFC.

What will happen if we will decide to break this definition and send our
ICMP
Query requests with this bit set (having the value of one)?

Sun Solaris & HPUX 11.0 will echo back the reserved bit.

This is a tcpdump trace describing an ICMP Echo request sent with the
reserved
Bit set, and the ICMP Echo reply we received echoing the reserved bit. This
trace
was produced against an HPUX 11.0 machine.

21:31:21.033366 if 4  > 195.72.167.186 > x.x.x.x: icmp: echo request (ttl
255, id 13170)
                         4500 0024 3372 8000 ff01 fc8c c348 a7ba
                         xxxx xxxx 0800 8b1b 8603 0000 f924 bd39
                         3082 0000
21:31:21.317916 if 4  < x.x.x.x > 195.72.167.186: icmp: echo reply (ttl 236,
id 25606)
                         4500 0024 6406 8000 ec01 def8 xxxx xxxx
                         c348 a7ba 0000 931b 8603 0000 f924 bd39
                   3082 0000

The next trace was produced against a Sun Solaris 2.8 machine:

16:51:37.470995 if 4  > 195.72.167.220 > x.x.x.x: icmp: echo request (ttl
255, id 13170)
                         4500 0024 3372 8000 ff01 e0e1 c348 a7dc
                         xxxx xxxx 0800 edae 3004 0000 69e3 bc39
                         ad2f 0700
16:51:37.745254 if 4  < x.x.x.x > 195.72.167.220: icmp: echo reply (DF) (ttl
243, id 5485)
                         4500 0024 156d c000 f301 cae6 xxxx xxxx
                         c348 a7dc 0000 f5ae 3004 0000 69e3 bc39
                   ad2f 0700

If we examine this trace closely we can identify a distinction between Sun
Solaris
machines and HPUX machines. The DF bit will be set with the Sun Solaris ICMP
Query
replies and not with the HPUX 11.0 machines replies. We can than distinguish
between Sun Solaris and HPUX 11.0 machines.

All ICMP Query replies on the same operating system use the same pattern
(either echo
with all replies or not).  This enable us to use another ICMP Query message
type for
this fingerprinting method. If we send an ICMP Address Mask request with the
reserved
bit set, the result a Sun Solaris 2.8 machine will produce:

18:39:32.262869 if 4  > 195.72.167.147 > x.x.x.x : icmp: address mask
request (ttl 255, id 13170)
                         4500 0020 3372 8000 ff01 e12e c348 a793
                         xxxx xxxx 1100 a0fb 4e04 0000 0000 0000
18:39:32.561373 if 4  < x.x.x.x > 195.72.167.147: icmp: address mask is
0xffffff00 (DF) (ttl 243, id 51792)
                         4500 0020 ca50 c000 f301 1650 xxxx xxxx
                         c348 a793 1200 a0fa 4e04 0000 ffff ff00

We will have both the reserved and the DF bit set on the ICMP Address Mask
reply, a
unique pattern Sun Solaris machines have with ICMP Address Mask replies.

This operating system fingerprinting method enable us to identify and
distinguish between
Sun Solaris, and  HPUX 11.0.

I have asked Alfredo Andres Omella, author of SING, to incorporate the
ability to set the
reserved bit with his tool. The latest SING CVS (12 September 2000), which
is available from http://sourceforge.net/projects/sing, introduced the –U
option along with the ability to
identify if this bit is set on the reply (if any) we get:

[root () godfather bin]# ./sing -mask -U IP_Address
SINGing to IP_Address (IP_Address): 12 data bytes
12 bytes from IP_Address: icmp_seq=0 RF! DF! ttl=243 TOS=0
mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=1 RF! DF! ttl=243 TOS=0
mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=2 RF! DF! ttl=243 TOS=0
mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=3 RF! DF! ttl=243 TOS=0
mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=4 RF! DF! ttl=243 TOS=0
mask=255.255.255.0
--- IP_Address sing statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
[root () godfather bin]#


This method was test against: Linux Kernel 2.4 test 2,4,5,6; Linux Kernel
2.2.x; FreeBSD
4.0, 3.4; OpenBSD 2.7,2.6; NetBSD 1.4.1,1.4.2; BSDI BSD/OS 4.0,3.1; Solaris
2.6,2.7,2.8;
HP-UX 10.20, 11.0; Compaq Tru64 5.0; Aix 4.1,3.2; Irix 6.5.3, 6.5.8; Ultrix
4.2 – 4.5;
OpenVMS v7.1-2; Novel Netware 5.1 SP1, 5.0, 3.12; Microsoft Windows 98/98SE,
Microsoft
Windows NT WRKS SP6a, Microsoft Windows NT Server SP4, Microsoft Windows
2000 Family.

Cheers

Ofir Arkin  [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."


  By Date           By Thread  

Current thread:
  • [Corrected Post] - Using the Unused (Identifying Sun Solaris & HPUX 11.0 OSs) Ofir Arkin (Sep 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault