mailing list archives
Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs)
From: Denis Ducamp <Denis.Ducamp () HSC FR>
Date: Tue, 8 May 2001 04:23:02 +0200
On Sat, May 05, 2001 at 11:21:55PM -0700, Ofir Arkin wrote:
RFC 791 gives a description about the IP Identification field.
The first ICMP Echo request sent from the Microsoft NT 4 based machine was
sent with IP ID of 28416. The second ICMP Echo request was sent with IP ID
value of 28672. Simple calculation will show a gap of 256 between the IP ID
Looking at the replies the LINUX based machine produced, we see a gap of 1
between one IP ID to the next.
This is know since a long time that Microsoft switched (or forgot to) bytes
in its IPID, look at the -W option in hping2
How Can We Use This?
We can use this information as another parameter for Active OS
fingerprinting and for Passive OS fingerprinting.
And a lot of crackers do use it to actively/passively fingerprinting
Another important use is to count the number of packets sents by a remote
system : send a packet per second and you know how many... This permit a
much more important use : to scan remote systems by spoofing its address.
Again look at the hping documentation and the bugtraq archive to know how.
Now some systems protects against been used to spoof-scan :
. OpenBSD and IPFilter(*) : IPID are random
. Linux 2.4.x : IPID is null if the packet is small enought to be carried
unfragmented in which case the DF (don't fragment) bit is set
. others perhaps ?
(*) Only IPID generated by IPFilter are random which correspond to reset
packets and icmp unreachable messages, other packets are generated by
the underlying TCP/IP stack.
Denis.Ducamp () hsc fr --- Hervé Schauer Consultants --- http://www.hsc.fr/
snort, hping & dsniff en français : http://www.groar.org/~ducamp/#sec-trad
Du bon usage de ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html
Netiquette Guidelines .... http://www.pasteur.fr/infosci/RFC/18xx/1855