Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs)
From: Aaron Campbell <aaron () MONKEY ORG>
Date: Mon, 7 May 2001 16:01:26 -0400
On Sat, 5 May 2001, Ofir Arkin wrote:
> With the implementation in many operating systems, the Kernel is increasing
> the IP ID field value by 1, from one packet to the next.
There is something much more interesting about non-random incrementing IP
ID numbers: you can use such operating systems to execute spoofed TCP port
scans. I have explained this technique (originally described on Bugtraq
over 2 years ago, see the below URL) to security expert friends of mine
who weren't aware of it at all.
Imagine three hosts:
Host A - Attacker.
Host B - Idle machine, OS that increments IP IDs by fixed amount each pkt.
Host C - Victim.
Suppose Host A would like to know if port 22 is listening on Host C.
Host A communicates initially with Host B to determine Host B's current IP
ID number and takes note of it. Host A sends a TCP SYN packet to port 22
of Host C with the src address field spoofed as Host B. If the port is
open, Host C sends a SYN/ACK packet to Host B in response. If the port is
closed, an RST is sent back instead. In the case of the open port, Host B
would respond to the SYN/ACK with an RST. In the case of the closed port,
Host B would ignore the RST and perform no action.
Once this is done, Host A communicates once again with Host B to determine
the current IP ID and compares it with the saved one from before. If port
22 was open on Host C, Host B responded with an RST, increasing its IP ID
by one. If it was closed, Host B responded with nothing and the IP ID did
not change. Therefore, in the case where "fixed amount" = 1, the IP ID has
increased by 2 if the port was open or 1 if it was closed.
I actually wrote a port scanner a long time ago to implement this method,
which seemed to work on my home network (using a Win95 box as a rogue
host), but I have long since lost the sources.
Aaron Campbell (aaron () monkey org || aaron () openbsd org)
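Added here as a constructed, in-process model of the three-host exchange the post describes (not Aaron's lost scanner or any code from the thread): Host B's IP ID counter is simulated, no packets are sent, and the `randomize` flag shows why per-packet random IP IDs remove the side channel.

```python
import random
from dataclasses import dataclass

@dataclass
class IdleHost:
    """Host B: replies to an unsolicited SYN/ACK with RST, drops an unsolicited RST."""
    ip_id: int
    step: int = 1            # fixed per-packet increment (the behaviour the post relies on)
    randomize: bool = False  # mitigation: unpredictable per-packet IP ID

    def send(self) -> int:
        """B emits one packet; return the IP ID it carried."""
        if self.randomize:
            self.ip_id = random.randrange(1 << 16)
        else:
            self.ip_id = (self.ip_id + self.step) & 0xFFFF
        return self.ip_id

    def receive(self, tcp_flags: str):
        """A packet from C arrives at B; return what B sends back, if anything."""
        if tcp_flags == "SYN/ACK":  # no such connection on B -> an RST goes out
            self.send()
            return "RST"
        return None                 # RST for a connection B never had: ignored

def victim_reply(port_open: bool) -> str:
    """Host C's answer to the SYN that carried B's address."""
    return "SYN/ACK" if port_open else "RST"

def probe_one(b: IdleHost, port_open: bool) -> int:
    """One round from the post: sample B's IP ID, let C's reply reach B, sample again."""
    before = b.send()                   # A's first exchange with B
    b.receive(victim_reply(port_open))  # C's reply lands on B
    after = b.send()                    # A's second exchange with B
    return (after - before) & 0xFFFF    # observed difference modulo 2^16

def infer_open(delta: int, step: int = 1):
    """The post's rule: 2*step means open, step means closed, anything else is noise."""
    if delta == 2 * step:
        return True
    if delta == step:
        return False
    return None

def randomized_ids_leak(trials: int = 100, seed: int = 1) -> bool:
    """Mitigation check: with random IP IDs, do the deltas still classify the port?"""
    random.seed(seed)
    b = IdleHost(ip_id=100, randomize=True)
    verdicts = {infer_open(probe_one(b, p)) for p in (True, False) for _ in range(trials)}
    return verdicts in ({True}, {False}, {True, False})  # every round got classified
```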