Home page logo
/

Nmap Announce mailing list archives

Updated: ICMP Error Message Quoting Size (Identifying Sun Solaris, HP-UX 11.x and LINUX based machines)
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Sat, 25 Nov 2000 23:27:34 +0200

Every ICMP error message includes the Internet Protocol (IP) Header and at
least the first 8 data bytes of the datagram that triggered the error (the
offending datagram); more than 8 bytes may be sent according to RFC 1122.

Except for LINUX, Sun Solaris, and HP-UX 11.x based machines all other
operating systems will closely follow RFC 1122 guidelines – quoting the IP
Header and the first 8 bytes of data of the offending packet.

The fact is not new. Fyodor outlined this in his article "Remote OS
Identification by TCP/IP Fingerprinting". The differences between LINUX, Sun
Solaris, and HP-UX 11.x regarding the extra quoting size issue were not been
discussed/discovered (The HP-UX 11.x issue was not discussed at all. I would
like to thank Darren Reed for this information).

We must understand that there are differences between the different ICMP
Error messages, not only with their meaning, but also with their
implementation. I was expecting that several characters with the ICMP Error
messages will be the same along all of the ICMP Error Messages, but I was
wrong regarding few operating systems.

If we examine LINUX 2.2.x / 2.4t-x based Kernel, Sun Solaris, and HP-UX 11.x
operating systems behavior with ICMP Port Unreachable we will see the same
pattern regarding the size of quoted information. All will quote the entire
offending packet.

The next example is with Sun Solaris 7. I have sent a UDP datagram to a
closed UDP port:

00:13:35.559947 ppp0 > x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 64, id 44551)
                         4500 001c ae07 0000 4011 7aa4 xxxx xxxx
                         yyyy yyyy 043c 07d0 0008 a1ac

00:13:35.923691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000
unreachable Offending pkt: x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 45, id
44551) (DF) (ttl 236, id 63417)
                         4500 0038 f7b9 4000 ec01 44e5 yyyy yyyy
                         xxxx xxxx 0303 4f3c 0000 0000 4500 001c
                         ae07 0000 2d11 8da4 xxxx xxxx yyyy yyyy
                         043c 07d0 0008 a1ac

The next example is with LINUX based on Kernel 2.2.16 as the targeted
machine:

00:21:30.199408 ppp0 > x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 64, id 1732)
                         4500 001c 06c4 0000 4011 c895 xxxx xxxx
                         yyyy yyyy 0812 07d0 0008 4484

00:21:30.493691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000
unreachable Offending pkt: x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 44, id
1732) [tos 0xc0]  (ttl 238, id 53804)
                         45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy
                         xxxx xxxx 0303 a88e 0000 0000 4500 001c
                         06c4 0000 2c11 dc95 xxxx xxxx yyyy yyyy
                         0812 07d0 0008 4484

The next example is with HP-UX 11.x. I have added 24 bytes to the UDP
datagram sent to the closed 53 UDP port. The HP-UX 11.x machine echoed the
entire offending datagram:

[root () godfather /root]# hping2 -2 -p 53 -d 24 y.y.y.y
ppp0 default routing interface selected (according to /proc)
HPING y.y.y.y (ppp0 y.y.y.y): udp mode set, 28 headers + 24 data bytes
ICMP Port Unreachable from y.y.y.y (unknown host name)
...

--- y.y.y.y hping statistic ---
12 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root () godfather /root]#

The tcpdump trace:

18:35:17.545090 ppp0 > x.x.x.x.1762 > y.y.y.y.domain: 22616 updateDA
[b2&3=0x5858] [22616a] [22616q] [22616n] [22616au] (24) (ttl 64, id 55748)
                         4500 0034 d9c4 0000 4011 6783 xxxx xxxx
                         yyyy yyyy 06e2 0035 0020 9b01 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858
                         5858 5858

18:35:17.857113 ppp0 < 216.169.200.44 > x.x.x.x: icmp: 216.169.200.44 udp
port domain unreachable Offending pkt: x.x.x.x.1762 > y.y.y.y.domain: 22616
updateDA [b2&3=0x5858] [22616a] [22616q] [22616n] [22616au] (24) (ttl 51, id
55748) (DF) (ttl 242, id 26777)
                         4500 0050 6899 4000 f201 e6a1 yyyy yyyy
                         xxxx xxxx 0303 36a0 0000 0000 4500 0034
                         d9c4 0000 3311 7483 xxxx xxxx yyyy yyyy
                         06e2 0035 0020 9b01 5858 5858 5858 5858
                         5858 5858 5858 5858 5858 5858 5858 5858


So where are the differences with the offending packet quoted size? (We have
other parameters to differentiate between LINUX, Sun Solaris, and HP-UX 11.x
like the Precedence Bits value LINUX uses with the ICMP Error Messages).

The differences show up with other ICMP Error Messages. Lets look at an ICMP
Protocol Unreachable error message LINUX, HP-UX 11.x and Sun Solaris produce
for a datagram (or a packet) sent using a protocol field value which does
not represent a valid protocol on the targeted machines.

The next example is with Sun Solaris 7 (HP-UX 11.x behave the same):

14:18:09.187737 ppp0 > x.x.x.x > y.y.y.y: ip-proto-74 0 (ttl 51, id 23541)
                         4500 0014 5bf5 0000 334a d5ab xxxx xxxx
                         yyyy yyyy

14:18:09.564828 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 74
unreachable Offending pkt: x.x.x.x > y.y.y.y: ip-proto-74 0 (ttl 34, id
23541) (DF) (ttl 238, id 64107)
                         4500 0030 fa6b 4000 ee01 3c61 yyyy yyyy
                         xxxx xxxx 0302 fcfd 0000 0000 4500 0014
                         5bf5 0000 224a e6ab xxxx xxxx yyyy yyyy

Still, the entire offending packet is being quoted.

The next example is with LINUX:

13:14:56.942897   < 127.0.0.1 > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623)
                         4500 0014 92f7 0000 2726 02cb xxxx xxxx
                         yyyy yyyy
13:14:56.942964   > y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 38 unreachable
Offending pkt: x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623) [tos
0xc0]  (ttl 255, id 1884)
                         45c0 0044 075c 0000 ff01 b59a yyyy yyyy
                         xxxx xxxx 0302 fb1a 0000 0000 4500 0014
                         92f7 0000 2726 02cb xxxx xxxx yyyy yyyy
                         0050 dc84 ae6f 6910 0000 0000 5004 0000
                         bd89 0000

LINUX adds to the entire offending packet that was quoted, another 20 bytes.

This pattern is applicable to ICMP Time Exceeded error messages as well.

With this fingerprinting method, even if the Precedence Bits field value of
the ICMP Error message LINUX produces will be changed to zero, we will be
able to differentiate between LINUX based machines and Sun Solaris & HP-UX
11.x based machines.

How can we differentiate between Sun Solaris & HP-UX 11.x?
If the PMTU discovery process based on ICMP Echo Requests is enabled
(default) on the targeted HP-UX 11.x we will see the targeted HP-UX 11.x
machine issuing ICMP Echo Requests with the DF bit set targeting our probing
host.

We have other means to differentiate between the two operating systems.


This technique allows us to identify Sun Solaris, HP-UX 11.x & LINUX based
machines even if there is no port open.

I would like to thank Darren Reed for providing the HP-UX 11.x information.

Ofir Arkin
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Founder
http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."



--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]