Bugtraq mailing list archives

Re: IP TTL Field Value with ICMP (Oops - Identifying Windows 2000 again and more)
From: Frank Knobbe <FKnobbe () KNOBBEITS COM>
Date: Fri, 1 Sep 2000 13:14:19 -0500

-----Original Message-----
From: Ofir Arkin [mailto:ofir () ITCON-LTD COM]
Sent: Thursday, August 31, 2000 6:40 AM

- Windows 95/98/98SE/ME/NT4 WRKS SP3,SP4,SP6a/NT4 Server SP4 - all
  using 32 as their IP TTL field value with ICMP Echo requests.
What if we do not get a match?
Then we know that someone changed the default TTL field value in
his machine.

Please note that some networking devices might have values similar
to those presented here.

Some might say, that setting the default TTL value with ICMP could
be altered. True. Just do it!  

Windows NT uses 128 as the default. This can (and should) be changed
with the following Registry key entry:

DefaultTTL     REG_DWORD     1–255 seconds

Default:        Windows NT 4.0                  128
                Windows NT 3.51 and earlier     32
Specifies the default Time To Live (TTL) value set in the header of
outgoing IP packets. The TTL determines the maximum amount of time an
IP packet can live on the network without reaching its destination.
It limits the number of routers an IP packet can pass through before
being discarded.


Windows NT does not add this value to the Registry. You can add it by
editing the Registry or by using a program that edits the Registry.

There are many more important and interesting IP settings. For more
information, consult the file REGENTRY.HLP that comes with the
Windows NT Resource Kit.


BTW: My NT machines appear to be Unix ;)
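
The TTL matching discussed in this thread, as an added example that is not part of the original messages: it infers a sender's initial TTL from the value seen on arrival and shows how a changed DefaultTTL produces a different label or no match at all. The candidate values 64 and 255, the 30-hop limit, and all function names are assumptions of this example.

```python
# Added example. 32 and 128 are the defaults quoted in the thread; 64 and 255
# are assumptions: values an administrator might set DefaultTTL to.
CANDIDATE_INITIAL_TTLS = (32, 64, 128, 255)

LABELS = {
    32: "Windows 95/98/98SE/ME/NT4 ICMP Echo request; NT 3.51 and earlier default",
    64: "not a Windows default listed in the thread",
    128: "Windows NT 4.0 default",
    255: "not a Windows default listed in the thread",
}


def infer_initial_ttl(observed_ttl, max_hops=30):
    """Return (initial_ttl, hops), or None when no candidate fits.

    Every router decrements the TTL by one, so the sender's initial value is
    the smallest candidate >= the observed value. max_hops (an assumption)
    rejects fits that would need an implausibly long path.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IP TTL is an 8-bit field; expected 1-255")
    for initial in CANDIDATE_INITIAL_TTLS:
        if observed_ttl <= initial:
            hops = initial - observed_ttl
            return (initial, hops) if hops <= max_hops else None
    return None  # not reached: 255 is the largest possible TTL


def classify(observed_ttl):
    """Map an observed TTL to a label, or report a non-default TTL."""
    fit = infer_initial_ttl(observed_ttl)
    if fit is None:
        return "no match: default TTL was changed"
    initial, hops = fit
    return f"initial {initial}, {hops} hops: {LABELS[initial]}"


# Constructed observations: (scenario, TTL seen at the sensor)
SAMPLES = [
    ("NT 4.0, stock settings, 3 hops away", 125),
    ("same host after DefaultTTL set to 255", 252),
    ("same host after DefaultTTL set to 100", 97),
]

if __name__ == "__main__":
    for scenario, ttl in SAMPLES:
        print(f"{scenario}: TTL {ttl} -> {classify(ttl)}")
```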
