FW: Identifying Windows 98/98SE/ME/2000 Using Wrong Codes with ICMP Timestamp Requests
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Sat, 5 Aug 2000 15:07:10 +0200
From: Ofir Arkin [mailto:ofir () itcon-ltd com]
Sent: Saturday, August 05, 2000 2:57 PM
To: bugtraq () securityfocus com
Subject: Identifying Windows 98/98SE/ME/2000 Using Wrong Codes with ICMP
Identifying Microsoft Windows 98/98 SE/ME/2000 Using Wrong Codes with ICMP
Ofir Arkin [ofir () itcon-ltd com]
I have decided to map which operating systems would answer to an ICMP Timestamp Request that would have its code field not set to zero.

Interesting results were produced. The Microsoft Windows 98/98 SE/ME, and the Microsoft Windows 2000 Professional/Server that have answered to ICMP Timestamp requests with the code field set to zero, now did not produce any reply back.

Using this information it is quite easy to group together certain Microsoft Windows operating systems using two datagrams of ICMP Timestamp request. The first one is a regular one; the Microsoft Windows machines that do not answer are Microsoft Windows 95 and Microsoft Windows NT 4.0 Workstation with SP 6a (and below). All other operating systems (that I have checked) answered the ICMP Timestamp request (UNIX and UNIX-like). The second stage is sending another datagram, this time with the Code field set to a value, which is not equal to zero. The operating systems that would not answer would include Windows 98/98 SE/ME/2000 Professional/2000 Server, which are the newer versions of Microsoft Windows operating systems.
Other operating systems would still respond with a correct answer to the

It is quite obvious that Microsoft have tried to change some of their newer operating systems fingerprinting in later TCP/IP implementations of their operating systems. For example, the default for answering an ICMP Timestamp request was changed from "no answer" to "answer", like UNIX and UNIX-like operating systems. But the Microsoft programmers / designers / architects / security engineers did not think about everything apparently.

Operating Systems checked:
LINUX Kernel 2.4t2; LINUX Kernel 2.2.14; FreeBSD 4.0, 3.4; OpenBSD 2.7 & 2.6; Solaris 2.5.1, 2.6, 2.7 & 2.8; HP-UX 10.20; AIX 4.1; ULTRIX; Microsoft Windows 95 / 98 / 98SE / ME / NT 4 SP3, SP4, SP6a WRST & SERVER / 2000 Professional & Server.

Senior Security Consultant
Personal Web page:
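
A defender-side check for the two-datagram pattern described in the message, as an added example that is not part of the original post: it parses raw ICMP messages, flags Timestamp Requests (type 13) whose Code field is nonzero, and lists sources that sent both the regular and the nonzero-code variant. The function names, labels, addresses and sample packets are constructed for illustration.

```python
import struct

ICMP_TIMESTAMP_REQUEST = 13  # RFC 792: Timestamp Request; Code is defined as 0

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; evaluates to 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_sample(icmp_type: int, code: int, ident: int, seq: int) -> bytes:
    """Constructed test input: a 20-byte timestamp-format ICMP message (never sent)."""
    body = struct.pack("!HHIII", ident, seq, 1000, 0, 0)
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def classify(icmp: bytes) -> str:
    """Label one raw ICMP message (IP header already stripped by the capture layer)."""
    if len(icmp) < 8:
        return "malformed"
    if inet_checksum(icmp) != 0:
        return "bad-checksum"
    if icmp[0] != ICMP_TIMESTAMP_REQUEST:
        return "other"
    if len(icmp) < 20:  # a Timestamp message carries three 32-bit timestamps
        return "malformed"
    return "ts-request" if icmp[1] == 0 else "ts-request-nonzero-code"

def find_probe_sources(events):
    """Return sources that sent both a Code 0 and a Code != 0 Timestamp Request."""
    seen = {}
    for src, icmp in events:
        label = classify(icmp)
        if label.startswith("ts-request"):
            seen.setdefault(src, set()).add(label)
    return sorted(src for src, labels in seen.items() if len(labels) == 2)

# Constructed sample capture using documentation address ranges.
SAMPLE_EVENTS = [
    ("192.0.2.10", build_sample(13, 0, 1, 1)),    # regular Timestamp Request
    ("192.0.2.10", build_sample(13, 1, 1, 2)),    # same source, Code field = 1
    ("198.51.100.7", build_sample(13, 0, 7, 1)),  # regular request only
    ("198.51.100.9", build_sample(8, 0, 9, 1)),   # Echo Request, unrelated
]

if __name__ == "__main__":
    print(find_probe_sources(SAMPLE_EVENTS))
```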