
Tricks with ICMP

X: Introducing Playing Tricks with ICMP. Ofir Arkin, Founder, http://www.sys-security.com, ofir@sys-security.com. X is a logic developed from the various active operating system fingerprinting methods discovered during the "ICMP Usage In Scanning" research project.


Presentation Transcript


  1. X Introducing Playing Tricks with ICMP

  2. Ofir Arkin Founder http://www.sys-security.com ofir@sys-security.com

  3. What is X? X is a logic developed from the various Active Operating System Fingerprinting methods I have discovered during my "ICMP Usage In Scanning" research project. What are X's goals? The logic's goal is to provide a simple, fast and efficient way to actively fingerprint an operating system using the ICMP protocol. Today we are using tools that are inaccurate and inconsistent in their results. I hope X will change that.

  4. How do we start?
     • We query a definitely closed UDP port (see the IANA port-numbers list, http://www.isi.edu/in-notes/iana/assignments/port-numbers).
     • The answer, or its absence, is also an indicator of the presence of a filtering device.
     • If no ICMP error message is received, we might fall back to the 'query only' logic.

  5. A bit about the TOS Byte Each IP Datagram has an 8-bit field called the “TOS Byte”, which represents the IP support for prioritization and Type-of-Service handling. The “TOS Byte” consists of three fields. The “Precedence field”, which is 3-bit long, is intended to prioritize the IP Datagram. It has eight levels of prioritization. The second field, 4 bits long, is the “Type-of-Service” field. It is intended to describe how the network should make tradeoffs between throughput, delay, reliability, and cost in routing an IP Datagram. The last field, the “MBZ” (must be zero), is unused and must be zero. Routers and hosts ignore this last field. This field is 1 bit long.

  6. First Split of the Tree RFC 1812 Requirements for IP Version 4 Routers: “4.3.2.5 TOS and Precedence … ICMP Source Quench error messages, if sent at all, MUST have their IP Precedence field set to the same value as the IP Precedence field in the packet that provoked the sending of the ICMP Source Quench message. All other ICMP error messages (Destination Unreachable, Redirect, Time Exceeded, and Parameter Problem) SHOULD have their precedence value set to 6 (INTERNETWORK CONTROL) or 7 (NETWORK CONTROL). The IP Precedence value for these error messages MAY be settable”.

  7. Linux is not a Router
     • We use the IP TTL field value differences between Linux Kernel 2.0.x and Linux Kernel 2.2.x & 2.4.x to differentiate between them.
     • Linux Kernel 2.4.x will use 0 as its IPID field value with ICMP Query replies.
     • Linux Kernel 1.x does not set the Precedence field value to 0xc0 with ICMP error messages.

  8. An Example with Linux Kernel 2.4.x: The First Query
     Targeting UDP port 50 (-p50), adding 70 data bytes to the query (-d70) and setting the DF bit (-y):
     [root@godfather /root]# hping2 -2 -c 2 -y -p50 -d70 IP_Address
     ppp0 default routing interface selected (according to /proc)
     HPING IP_Address (ppp0 IP_Address): udp mode set, 28 headers + 70 data bytes
     ICMP Port Unreachable from IP_Address (host_address)
     ICMP Port Unreachable from IP_Address (host_address)
     --- IP_Address hping statistic ---
     2 packets tramitted, 0 packets received, 100% packet loss
     round-trip min/avg/max = 0.0/0.0/0.0 ms
     [root@godfather /root]#
     Each ICMP error message includes the Internet Protocol (IP) header and at least the first 8 data bytes of the datagram that triggered the error (the offending datagram); more than 8 bytes may be sent, as RFC 1122 allows.
     Decision path: Precedence Bits = 0xc0 > TTL ~ 255 > Echo Reply with IPID = 0 > Linux Kernel 2.4.x

  9. An Example with Linux Kernel 2.4.x: The First Query (Snort dump)
     06/09-17:52:36.538286 x.x.x.x:2138 -> y.y.y.y:50
     UDP TTL:64 TOS:0x0 ID:39033 IpLen:20 DgmLen:98 DF
     Len: 78
     58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
     58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
     58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
     58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
     58 58 58 58 58 58                                XXXXXX

     06/09-17:52:37.428286 y.y.y.y -> x.x.x.x
     ICMP TTL:234 TOS:0xC0 ID:47872 IpLen:20 DgmLen:126 DF
     Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
     ** ORIGINAL DATAGRAM DUMP:
     x.x.x.x:2137 -> y.y.y.y:50
     UDP TTL:44 TOS:0x0 ID:28549 IpLen:20 DgmLen:98
     Len: 78
     ** END OF DUMP
     00 00 00 00 45 00 00 62 6F 85 40 00 2C 11 E6 C7  ....E..bo.@.,...
     xx xx xx xx yy yy yy yy 08 59 00 32 00 4E EA 74  ...=...O.Y.2.N.t
     58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
     58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
     58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
     58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
     58 58 58 58 58 58                                XXXXXX

     TTL ~ 255; Precedence field value is 0xc0.

  10. An Example with Linux Kernel 2.4.x: The Second Query
      [root@godfather /root]# sing -c 2 -echo y.y.y.y
      SINGing to y.y.y.y (y.y.y.y): 16 data bytes
      16 bytes from y.y.y.y: seq=1 DF! ttl=234 TOS=0 time=1841.365 ms
      --- y.y.y.y sing statistics ---
      2 packets transmitted, 1 packets received, 50% packet loss
      round-trip min/avg/max = 1841.365/1841.365/1841.365 ms
      [root@godfather /root]#

      06/09-17:57:22.188286 213.8.13.99 -> 18.170.1.79
      ICMP TTL:255 TOS:0x0 ID:13170 IpLen:20 DgmLen:36
      Type:8  Code:0  ID:18181  Seq:256  ECHO
      52 39 22 3B AC DF 02 00  R9";....

      06/09-17:57:24.028286 18.170.1.79 -> 213.8.13.99
      ICMP TTL:234 TOS:0x0 ID:0 IpLen:20 DgmLen:36 DF
      Type:0  Code:0  ID:18181  Seq:256  ECHO REPLY
      52 39 22 3B AC DF 02 00  R9";....

      The IP ID field value of the Echo Reply is 0: identified as a Linux Kernel 2.4.x based machine.

  11. Extreme Echoing

  12. An Example with Sun Solaris 2.7: The First Query
      17:46:58.948286 ppp0 > x.x.x.x.2338 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 25736)
                       4500 0062 6488 4000 4011 356c xxxx xxxx
                       yyyy yyyy 0922 0032 004e 4153 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858

      17:47:00.948286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable
        Offending pkt: x.x.x.x.2338 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 35, id 25736) (DF) (ttl 234, id 61905)
                       4500 0070 f1d1 4000 ea01 fe23 yyyy yyyy
                       xxxx xxxx 0303 085e 0000 0000 4500 0062
                       6488 4000 2311 526c xxxx xxxx yyyy yyyy
                       0922 0032 004e 4153 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858

      The UDP header of the original datagram (0922 0032 004e 4153: source port 2338, destination port 50, UDP length 78, checksum) is echoed, and so is the data portion; the ICMP error is 112 bytes (0x0070) long rather than the minimal 56.

  13. An Example with Sun Solaris 2.7: The Second Query
      [root@godfather /root]# sing -c 2 -tstamp y.y.y.y
      SINGing to y.y.y.y (y.y.y.y): 20 data bytes
      20 bytes from y.y.y.y: seq=0 DF! ttl=234 TOS=0 diff=1078858
      20 bytes from y.y.y.y: seq=1 DF! ttl=234 TOS=0 diff=1078861
      --- y.y.y.y sing statistics ---
      2 packets transmitted, 2 packets received, 0% packet loss
      [root@godfather /root]#

      06/09-17:45:09.268286 x.x.x.x -> y.y.y.y
      ICMP TTL:255 TOS:0x0 ID:13170 IpLen:20 DgmLen:40
      Type:13  Code:0  TIMESTAMP REQUEST
      F3 04 00 00 03 2A 62 17 00 00 00 00 00 00 00 00  .....*b.........

      06/09-17:45:12.228286 y.y.y.y -> x.x.x.x
      ICMP TTL:234 TOS:0x0 ID:17742 IpLen:20 DgmLen:40 DF
      Type:14  Code:0  TIMESTAMP REPLY
      F3 04 01 00 03 2A 65 FC 03 3A DC 49 03 3A DC 49  .....*e..:.I.:.I

      The Timestamp request is answered: identified as a Sun Solaris [2.3, 2.4, 2.5, 2.6, 2.7, 2.8] based machine.

  14. Using Echoing Integrity Problems: The IP Header

  15. Using Echoing Integrity Problems
      Which fields are usually used for this active fingerprinting method?
      • IP Total Length field value: miscalculation of the echoed IP Total Length. Usually 20 bytes are added to the original value; in some cases 20 bytes are subtracted from it.
      • IPID: wrong IPID echoed, usually because of coding / platform (byte order) problems.
      • IP Header Checksum: might be miscalculated or zero (0).
      • UDP Checksum: might be miscalculated or zero (0).

  16. Using Echoing Integrity Problems

  17. An Example with AIX 3.2
      17:59:32.708286 ppp0 > x.x.x.x.1874 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 9737)
                       4500 0062 2609 4000 4011 9da6 xxxx xxxx
                       yyyy yyyy 0752 0032 004e 6cde 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858

      17:59:34.698286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable
        Offending pkt: x.x.x.x.1874 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 50, id 9737, bad cksum aba6!) (DF) (ttl 240, id 14146)
                       4500 0038 3742 4000 f001 dca6 yyyy yyyy
                       xxxx xxxx 0303 f516 0000 0000 4500 0076
                       2609 4000 3211 aba6 xxxx xxxx yyyy yyyy
                       0752 0032 004e 0000

      (1) Precedence bits value = 0
      (2) 8 bytes are echoed from the data portion of the offending packet
      (3) IP Total Length field value echoed is 118 (0x0076) while the original was 98 (0x0062)
      (4) IP Header Checksum echoed is miscalculated (tcpdump flags it: bad cksum aba6!); the echoed UDP checksum is 0000

  18. Drilling Down

  19. Using the IP TTL
      • We use the IP Time-to-Live field value to differentiate between several operating systems.
      • Linux Kernel 2.0.x also uses 64 as its initial IP TTL field value for ICMP Query replies, but it was already identified by the first query.

  20. Identifying My Favorite OSs

  21. An Example with Windows 2000: The First Query
      18:38:45.308286 eth0 > 172.18.2.201.2411 > 172.18.2.5.re-mail-ck: udp 70 (DF) (ttl 64, id 30700)
                       4500 0062 77ec 4000 4011 65ac ac12 02c9
                       ac12 0205 096b 0032 004e 84ae 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858

      18:38:45.308286 eth0 < 172.18.2.5 > 172.18.2.201: icmp: 172.18.2.5 udp port re-mail-ck unreachable
        Offending pkt: 172.18.2.201.2411 > 172.18.2.5.re-mail-ck: udp 70 (DF) (ttl 64, id 30700) (ttl 128, id 2613)
                       4500 0038 0a35 0000 8001 d39d ac12 0205
                       ac12 02c9 0303 6e63 0000 0000 4500 0062
                       77ec 4000 4011 65ac ac12 02c9 ac12 0205
                       096b 0032 004e 84ae

      (1) Precedence bits value = 0
      (2) 8 bytes are echoed from the data portion of the offending packet
      (3) IP Total Length field value echoed is accurate
      (4) TTL ~ 128

  22. An Example with Windows 2000: The Second Query
      [root@godfather /root]# sing -c 2 -echo -x26 -TOS6 172.18.2.5
      SINGing to 172.18.2.5 (172.18.2.5): 16 data bytes
      16 bytes from 172.18.2.5: seq=0 ttl=128 TOS=0 time=1.332 ms
      16 bytes from 172.18.2.5: seq=1 ttl=128 TOS=0 time=0.855 ms
      --- 172.18.2.5 sing statistics ---
      2 packets transmitted, 2 packets received, 0% packet loss
      round-trip min/avg/max = 0.855/1.094/1.332 ms
      [root@godfather /root]#

      06/09-18:42:11.608286 172.18.2.201 -> 172.18.2.5
      ICMP TTL:255 TOS:0x6 ID:13170 IpLen:20 DgmLen:36
      Type:8  Code:26  ID:6  Seq:0  ECHO
      D3 43 22 3B 1F 6D 09 00  .C";.m..

      06/09-18:42:11.608286 172.18.2.5 -> 172.18.2.201
      ICMP TTL:128 TOS:0x0 ID:2618 IpLen:20 DgmLen:36
      Type:0  Code:0  ID:6  Seq:0  ECHO REPLY
      D3 43 22 3B 1F 6D 09 00  .C";.m..

      The request was sent with TOS 6 and ICMP code 26; in the reply the TOS bits value is 0 and the Code field is 0.
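The two packets the X logic inspects, parsed in code: the ICMP Port Unreachable that answers the first (UDP) query, as on slides 8-9 and 21, and the Echo Reply that answers the second query, as on slides 10 and 22. This is an added example for this transcript, not code from the X tool or from its authors; it uses only the Python standard library. The first sample is the raw bytes of the Windows 2000 error on slide 21, which is the only dump on these slides with unmasked addresses, so its IP, ICMP and echoed-header checksums verify as captured. The Echo Reply is assembled from the decoded fields on slide 22 (the slide shows no raw bytes), with the checksums recomputed. The rounding rule in `guess_initial_ttl` is the editor's reading of what "TTL ~ 255" means on the slides.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by IP, ICMP and UDP.
    Over a header that already carries a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def guess_initial_ttl(observed: int) -> int:
    """Round a TTL seen on the wire up to the nearest common initial value
    (editor's assumption of the slides' 'TTL ~ 255' / 'TTL ~ 128')."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)


@dataclass
class IPv4Header:
    ihl: int
    tos: int
    total_len: int
    ident: int
    df: bool
    ttl: int
    proto: int
    cksum_ok: bool


def parse_ipv4(buf: bytes) -> IPv4Header:
    vihl, tos, total_len, ident, flags_frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", buf[:12])
    ihl = (vihl & 0x0F) * 4
    return IPv4Header(ihl, tos, total_len, ident, bool(flags_frag & 0x4000),
                      ttl, proto, inet_checksum(buf[:ihl]) == 0)


@dataclass
class FirstQuery:
    """What X reads from the ICMP Port Unreachable (slides 5, 15, 19, 27)."""
    precedence: int           # precedence bits of the error's TOS byte; 0xc0 on Linux
    initial_ttl: int
    df_echoed: bool           # DF bit on the ICMP error itself
    icmp_type: int
    icmp_code: int
    icmp_cksum_ok: bool
    echoed_total_len: int     # integrity test: compare with the length sent
    echoed_ident: int         # integrity test: compare with the IP ID sent
    echoed_ip_cksum_ok: bool  # integrity test: does the echoed header verify?
    echoed_udp_cksum: int     # integrity test: 0 means it was not echoed
    echoed_bytes: int         # bytes echoed past the offending IP header (at least 8)


def parse_first_query(pkt: bytes) -> FirstQuery:
    outer = parse_ipv4(pkt)
    icmp = pkt[outer.ihl:outer.total_len]
    itype, icode, _ = struct.unpack("!BBH", icmp[:4])
    offending = icmp[8:]              # offending datagram follows the 8-byte ICMP header
    inner = parse_ipv4(offending)
    udp_cksum, = struct.unpack("!H", offending[inner.ihl + 6:inner.ihl + 8])
    return FirstQuery(outer.tos & 0xE0, guess_initial_ttl(outer.ttl), outer.df,
                      itype, icode, inet_checksum(icmp) == 0,
                      inner.total_len, inner.ident, inner.cksum_ok,
                      udp_cksum, len(offending) - inner.ihl)


@dataclass
class SecondQuery:
    """What X reads from the Echo Reply (slides 7, 22, 25)."""
    tos: int          # zeroed, or echoed from the request
    icmp_code: int    # zeroed, or echoed from the request
    ident: int        # 0 on Linux Kernel 2.4.x
    initial_ttl: int


def parse_second_query(pkt: bytes) -> SecondQuery:
    outer = parse_ipv4(pkt)
    itype, icode = pkt[outer.ihl], pkt[outer.ihl + 1]
    if itype != 0:
        raise ValueError("not an ICMP Echo Reply")
    return SecondQuery(outer.tos, icode, outer.ident, guess_initial_ttl(outer.ttl))


def build_ipv4(tos, ident, df, ttl, proto, src, dst, payload: bytes) -> bytes:
    """Assemble an IPv4 datagram with a correct header checksum (sample data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


# Capture from slide 21: Windows 2000 (172.18.2.5) answering the UDP probe to port 50.
WIN2000_PORT_UNREACH = bytes.fromhex(
    "4500 0038 0a35 0000 8001 d39d ac12 0205 ac12 02c9 "
    "0303 6e63 0000 0000 "
    "4500 0062 77ec 4000 4011 65ac ac12 02c9 ac12 0205 "
    "096b 0032 004e 84ae")

# Constructed from the decoded Echo Reply on slide 22 (ID 6, Seq 0, 8 data bytes).
_echo = struct.pack("!BBHHH", 0, 0, 0, 6, 0) + bytes.fromhex("d343223b1f6d0900")
_echo = _echo[:2] + struct.pack("!H", inet_checksum(_echo)) + _echo[4:]
WIN2000_ECHO_REPLY = build_ipv4(0, 2618, False, 128, 1, "172.18.2.5", "172.18.2.201", _echo)

if __name__ == "__main__":
    print(parse_first_query(WIN2000_PORT_UNREACH))
    print(parse_second_query(WIN2000_ECHO_REPLY))
```

Run against the slide 21 bytes, `parse_first_query` returns exactly the four callouts on that slide (precedence 0, TTL ~ 128, accurate total length, 8 bytes echoed) plus the checks slide 15 asks for: the echoed IP ID 30700 and the echoed header checksum both match what was sent, and the echoed UDP checksum 0x84ae is present. The caller keeps the length and IP ID it sent and compares; the parser does not know them.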

  23. Identifying My Favorite OSs

  24. An Example with WinNT 4 SP6A: The First Query
      18:04:51.808286 ppp0 > x.x.x.x.2358 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 27203)
                       4500 0062 6a43 4000 4011 d83b xxxx xxxx
                       yyyy yyyy 0936 0032 004e e9c9 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858

      18:04:53.708286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable
        Offending pkt: x.x.x.x.2358 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 43, id 27203) (ttl 107, id 52085)
                       4500 0038 cb75 0000 6b01 8c43 yyyy yyyy
                       xxxx xxxx 0303 097d 0000 0000 4500 0062
                       6a43 4000 2b11 ed3b xxxx xxxx yyyy yyyy
                       0936 0032 004e e9c9

      (1) Precedence bits value = 0
      (2) 8 bytes are echoed from the data portion of the offending packet
      (3) IP Total Length field value echoed is accurate
      (4) TTL ~ 128

  25. An Example with WinNT 4 SP6A: The Second Query
      [root@godfather /root]# sing -c 2 -echo -x26 -TOS6 y.y.y.y
      SINGing to y.y.y.y (y.y.y.y): 16 data bytes
      16 bytes from y.y.y.y: seq=0 ttl=107 TOS=6 time=1801.364 ms
      16 bytes from y.y.y.y: seq=1 ttl=107 TOS=6 time=1812.762 ms
      --- y.y.y.y sing statistics ---
      2 packets transmitted, 2 packets received, 0% packet loss
      round-trip min/avg/max = 1801.364/1807.063/1812.762 ms
      [root@godfather /root]#

      06/09-18:08:29.168286 x.x.x.x -> y.y.y.y
      ICMP TTL:255 TOS:0x6 ID:13170 IpLen:20 DgmLen:36
      Type:8  Code:26  ID:21765  Seq:0  ECHO
      ED 3B 22 3B 99 97 02 00  .;";....

      06/09-18:08:30.968286 y.y.y.y -> x.x.x.x
      ICMP TTL:107 TOS:0x6 ID:58485 IpLen:20 DgmLen:36
      Type:0  Code:0  ID:21765  Seq:0  ECHO REPLY
      ED 3B 22 3B 99 97 02 00  .;";....

      The TOS bits value (6) is echoed in the reply; the Code field is 0.

  26. An Example with WinNT 4 SP6A: The 3rd and 4th Queries
      No answer for an ICMP Timestamp request:
      [root@godfather /root]# sing -c 2 -tstamp y.y.y.y
      SINGing to y.y.y.y (y.y.y.y): 20 data bytes
      --- y.y.y.y sing statistics ---
      2 packets transmitted, 0 packets received, 100% packet loss
      [root@godfather /root]#

      No answer for an ICMP Address Mask request:
      [root@godfather /root]# sing -c 2 -mask y.y.y.y
      SINGing to y.y.y.y (y.y.y.y): 12 data bytes
      --- y.y.y.y sing statistics ---
      2 packets transmitted, 0 packets received, 100% packet loss
      [root@godfather /root]#

      Identified as a Microsoft Windows NT 4 SP4+ based machine.

  27. Finding the “secure OS” :) We are using a technique known as “DF Bit Echoing” with ICMP Error Messages. We set the DF Bit with our Offending Packet, and examine the ICMP Error message received to see if the DF bit was set. Linux based on Kernel 2.2.x & 2.0.x, Ultrix, MS based OSs, Novell, HPUX, and OpenBSD are the OSs not echoing the DF bit with their ICMP Error Messages.

  28. Finding the “secure OS” :)

  29. An Example with OpenBSD 2.8: The First Query
      18:11:37.578286 ppp0 > x.x.x.x.2527 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 3362)
                       4500 0062 0d22 4000 4011 d298 xxxx xxxx
                       yyyy yyyy 09df 0032 004e 865c 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858

      18:11:39.708286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable
        Offending pkt: x.x.x.x.2527 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 43, id 3362) (ttl 232, id 56572)
                       4500 0038 dcfc 0000 e801 9af7 yyyy yyyy
                       xxxx xxxx 0303 6c41 0000 0000 4500 004e
                       0d22 4000 2b11 e7ac xxxx xxxx yyyy yyyy
                       09df 0032 004e 865c

      (1) Precedence bits value = 0
      (2) 8 bytes are echoed from the data portion of the offending packet
      (3) IP Total Length field value echoed is 20 bytes less than the original (0x004e = 78 instead of 0x0062 = 98)
      (4) TTL ~ 255
      (5) The DF bit is not echoed with the reply (flags word 0000 in the ICMP error's own IP header)

  30. An Example with OpenBSD 2.8: The Second Query
      No answer for an ICMP Address Mask request:
      [root@godfather /root]# sing -c 2 -mask y.y.y.y
      SINGing to y.y.y.y (y.y.y.y): 12 data bytes
      --- y.y.y.y sing statistics ---
      2 packets transmitted, 0 packets received, 100% packet loss
      [root@godfather /root]#

      The last step: examine the echoed UDP checksum. Since it is echoed correctly (865c in both the original and the echoed datagram), the OpenBSD machine we have just identified might be one of version 2.4 to version 2.8.

  31. Using Echoing Integrity Problems

  32. Using Echoing Integrity Problems

  33. An Example with FreeBSD 4.0: The First Query
      18:21:32.158286 ppp0 > x.x.x.x.2703 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 58517)
                       4500 0062 e495 4000 4011 b75a xxxx xxxx
                       yyyy yyyy 0a8f 0032 004e 41e2 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858

      18:21:34.078286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable
        Offending pkt: x.x.x.x > y.y.y.y: (frag 38372:78@512) (ttl 34, bad cksum d55a!) (DF) (ttl 234, id 24076)
                       4500 0038 5e0c 4000 ea01 941d yyyy yyyy
                       xxxx xxxx 0303 805f 0000 0000 4500 0062
                       95e4 0040 2211 d55a xxxx xxxx yyyy yyyy
                       0a8f 0032 004e 0000

      (1) Precedence bits value = 0
      (2) 8 bytes are echoed from the data portion of the offending packet
      (3) IP Total Length field value echoed is accurate
      (4) TTL ~ 255
      (5) DF bit echoed

  34. An Example with FreeBSD 4.0: The 2nd and the 3rd Queries
      No answer for an ICMP Address Mask request:
      [root@godfather /root]# sing -c 2 -mask y.y.y.y
      SINGing to y.y.y.y (y.y.y.y): 12 data bytes
      --- y.y.y.y sing statistics ---
      2 packets transmitted, 0 packets received, 100% packet loss
      [root@godfather /root]#

      No answer for an ICMP Information Request:
      [root@godfather /root]# sing -c 2 -info y.y.y.y
      SINGing to y.y.y.y (y.y.y.y): 8 data bytes
      --- y.y.y.y sing statistics ---
      2 packets transmitted, 0 packets received, 100% packet loss
      [root@godfather /root]#

  35. An Example with FreeBSD 4.0: Echoing Integrity Tests
      Echoing Integrity Test: IP Header Checksum != 0 (it is miscalculated, but not 0)
      Echoing Integrity Test: the IP ID of the offending packet is not echoed correctly
      18:21:32.158286 ppp0 > x.x.x.x.2703 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 58517)
                       4500 0062 e495 4000 4011 b75a xxxx xxxx
                       yyyy yyyy 0a8f 0032 004e 41e2 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858 5858 5858 5858 5858 5858 5858 5858
                       5858

      18:21:34.078286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable
        Offending pkt: x.x.x.x > y.y.y.y: (frag 38372:78@512) (ttl 34, bad cksum d55a!) (DF) (ttl 234, id 24076)
                       4500 0038 5e0c 4000 ea01 941d yyyy yyyy
                       xxxx xxxx 0303 805f 0000 0000 4500 0062
                       95e4 0040 2211 d55a xxxx xxxx yyyy yyyy
                       0a8f 0032 004e 0000

      The IP ID is not echoed correctly: the original header carried e495 4000 (id 58517, DF set) but the echoed header carries 95e4 0040, i.e. the IP ID word and the flags/fragment-offset word come back byte-swapped, which is why tcpdump decodes the echoed datagram as a fragment (frag 38372:78@512). The echoed UDP checksum is 0000.

  36. An Example with FreeBSD 4.0 After three (3) queries and nine (9) tests we are able to determine that the questionable IP address is a FreeBSD based machine, running an OS version between 2.x – 4.1.1.
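The first-query branches walked through on slides 7 to 36, written out as code over the field values each slide reads off its packet dump. This is an added example for this transcript, not the X tool's decision tree: it reproduces only the branches these slides show (Linux, AIX, OpenBSD, the two Windows cases, FreeBSD and Solaris) and returns the next query to send when a verdict needs another packet. The `Probe` field values below are the editor's transcription of the (1)-(5) callouts and dumps on the slides; the total-length delta, IP ID match and checksum results are relative to the datagram that was sent.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    """Field values read off the packets, in the order the slides read them."""
    # First query: ICMP Port Unreachable for a UDP datagram sent with DF set
    precedence: int           # precedence bits of the error's TOS byte (slide 7)
    initial_ttl: int          # TTL rounded up to 64 / 128 / 255 (slide 19)
    df_echoed: bool           # DF bit set on the error itself (slide 27)
    total_len_delta: int      # echoed IP total length minus the original (slide 15)
    ipid_ok: bool             # echoed IP ID equals the original (slide 15)
    ip_cksum_ok: bool         # echoed IP header checksum verifies (slide 15)
    udp_cksum_ok: bool        # echoed UDP checksum equals the original (slide 15)
    echoed_bytes: int         # bytes echoed past the offending IP header (slide 8)
    # Second query: ICMP Echo sent with TOS 6 and code 26 (slides 22, 25)
    echo_ipid: Optional[int] = None
    echo_tos: Optional[int] = None
    echo_code: Optional[int] = None
    # Further queries: was there any answer at all? (slides 13, 26, 30, 34)
    timestamp_answered: Optional[bool] = None
    mask_answered: Optional[bool] = None
    info_answered: Optional[bool] = None


def classify(p: Probe) -> str:
    """Walk the branches the slides show; return a verdict or the next query to send."""
    # Slide 7: only the Linux kernels mark their ICMP errors with precedence 0xc0.
    if p.precedence == 0xC0:
        if p.initial_ttl == 64:
            return "Linux Kernel 2.0.x"
        if p.echo_ipid is None:
            return "Linux Kernel 2.2.x or 2.4.x: send an ICMP Echo request"
        return "Linux Kernel 2.4.x" if p.echo_ipid == 0 else "Linux Kernel 2.2.x"
    # Slide 17: AIX echoes the total length 20 bytes too large with a bad IP checksum.
    if p.total_len_delta == 20 and not p.ip_cksum_ok:
        return "AIX 3.x, 4.x"
    # Slides 29-30: OpenBSD echoes it 20 bytes too small and does not echo DF.
    if p.total_len_delta == -20 and not p.df_echoed:
        if p.mask_answered is None:
            return "OpenBSD: send an ICMP Address Mask request"
        if not p.mask_answered and p.udp_cksum_ok:
            return "OpenBSD 2.4 - 2.8"
        return "OpenBSD (not narrowed by the slides)"
    # Slides 21-26: Microsoft OSs use TTL 128, echo 8 bytes accurately, no DF.
    if p.initial_ttl == 128 and p.total_len_delta == 0 and not p.df_echoed:
        if p.echo_tos is None or p.echo_code is None:
            return "Microsoft Windows: send an ICMP Echo with TOS 6 and code 26"
        if p.echo_tos == 0 and p.echo_code == 0:
            return "Microsoft Windows 2000"            # TOS zeroed (slide 22)
        if p.echo_code == 0:                           # TOS echoed (slide 25)
            if p.timestamp_answered is None or p.mask_answered is None:
                return "Microsoft Windows NT 4: send Timestamp and Address Mask requests"
            if not p.timestamp_answered and not p.mask_answered:
                return "Microsoft Windows NT 4 SP4+"
        return "Microsoft Windows (not narrowed by the slides)"
    # Slides 12-13 and 33-36: TTL 255 hosts that echo DF and an accurate length.
    if p.initial_ttl == 255 and p.total_len_delta == 0 and p.df_echoed:
        if not p.ipid_ok and not p.ip_cksum_ok:        # byte-swapped ID, bad checksum
            if p.mask_answered is None or p.info_answered is None:
                return "FreeBSD: send Address Mask and Information requests"
            if not p.mask_answered and not p.info_answered:
                return "FreeBSD 2.x - 4.1.1"
            return "FreeBSD (not narrowed by the slides)"
        if p.ipid_ok and p.ip_cksum_ok and p.echoed_bytes > 8:   # whole datagram echoed
            if p.timestamp_answered is None:
                return "Sun Solaris: send an ICMP Timestamp request"
            if p.timestamp_answered:
                return "Sun Solaris 2.3 - 2.8"
    return "not covered by these slides"


# One Probe per worked example, with the values transcribed from each slide's dump.
EXAMPLES = {
    "slides 8-10":  Probe(0xC0, 255, True, 0, True, True, True, 78, echo_ipid=0),
    "slides 12-13": Probe(0, 255, True, 0, True, True, True, 64, timestamp_answered=True),
    "slide 17":     Probe(0, 255, True, 20, True, False, False, 8),
    "slides 21-22": Probe(0, 128, False, 0, True, True, True, 8, echo_tos=0, echo_code=0),
    "slides 24-26": Probe(0, 128, False, 0, True, True, True, 8, echo_tos=6, echo_code=0,
                          timestamp_answered=False, mask_answered=False),
    "slides 29-30": Probe(0, 255, False, -20, True, True, True, 8, mask_answered=False),
    "slides 33-36": Probe(0, 255, True, 0, False, False, False, 8,
                          mask_answered=False, info_answered=False),
}


def run_examples() -> dict:
    return {name: classify(p) for name, p in EXAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print("%-14s %s" % (name, verdict))
```

The function is deliberately incremental: with only the first query filled in it names the next probe rather than guessing, which mirrors the "Amount of Queries Used" counts on slides 37 and 38 (one query for Linux 2.0.x and AIX, two for Linux 2.4.x and Windows 2000, three for FreeBSD, four for NT 4).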

  37. Amount of Queries Used
      Identified with 1 query:
      • Linux Kernel 2.0.x
      • AIX 3.x, 4.x
      • BSDI 2.x, 3.x; NetBSD 1.x-1.2.x Little Endian
      • BSDI 4.x; NetBSD 1.x-1.2.x Big Endian
      • DGUX; Compaq Tru64
      • Microsoft Windows 95
      Identified with 2 queries:
      • Linux Kernel 2.2.x
      • Linux Kernel 2.4.x
      • Sun Solaris 2.3, 2.4, 2.5, 2.6, 2.7, 2.8
      • HPUX 11.x
      • Microsoft Windows 2000
      • OpenVMS
      • Ultrix
      • OpenBSD 2.1.x - 2.3.x
      • OpenBSD 2.4.x - 2.9.x
      Identified with 3 queries:
      • HPUX 10.20

  38. Amount of Queries Used (continued)
      Identified with 3 queries:
      • NetBSD 1.3 - 1.3I
      • FreeBSD 2.x - 4.1.1
      • FreeBSD 4.1.1 - 4.3
      • NetBSD 1.3I - 1.5; IRIX 5.x, 6.x
      Identified with 4 queries:
      • Microsoft Windows 98 / 98 SE
      • Microsoft Windows NT SP3-
      • Microsoft Windows NT SP4+
      • Microsoft Windows ME

  39. What's Next?
      The logic tries to avoid several obstacles:
      • Using the TOS byte (QoS-enabled devices can rewrite it)
      • Using echoing integrity problems related to the IPID
      • Platform-dependent issues
      Not taken into consideration:
      • Networking devices
      • MacOS X
      A few other problems:
      • When sending ICMP queries we might hit a firewall.
      • The host queried might filter incoming ICMP queries but still allow ICMP error messages out.
      • Other "firewall presence" checks should be wisely implemented with the logic.
      • If all fail we need to turn to TCP (OH GOD!) again.

  40. What's Next? I have faced a problem of not having enough gear and time during my ICMP research project, which is 1 year old now. The next stage of the project will be making it an Internet / "open source" based project. You will be encouraged to send me fingerprints of your favorite OS and networking devices according to criteria that can be retrieved from http://www.sys-security.com/html/projects/X.html

  41. Automation
      Automation of the logic is partially / fully available when using the following tools:
      • icmpID, written by Simple Nomad [thegnome@nmrc.org]; available from http://www.nmrc.org & http://www.sys-security.com
      • X, written by Fyodor Yarochkin [fygrave@tigerteam.net] & Ofir Arkin [ofir@sys-security.com]; available from http://www.sys-security.com
      • You can also perform this with a combination of a script, hping2 (for example), sing and tcpdump.

  42. Acknowledgment
      Jeff Moss [jeff@blackhat.com], http://www.blackhat.com
      JD Glaser: he is the one that 'bugged' me for logic and automation.
      Simple Nomad [thegnome@nmrc.org], http://www.nmrc.org
      Fyodor Yarochkin [fygrave@tigerteam.net]
      Marty Roesch, http://www.snort.org: implementing my wishes into Snort
      ...and the huge amount of people that provided feedback for my work!

  43. Further Reading
      ICMP Usage In Scanning, v3.0, by Ofir Arkin, http://www.sys-security.com
      RFC 792: Internet Control Message Protocol, http://www.ietf.org/rfc/rfc0792.txt
      RFC 1122: Requirements for Internet Hosts - Communication Layers, http://www.ietf.org/rfc/rfc1122.txt
      RFC 1256: ICMP Router Discovery Messages, http://www.ietf.org/rfc/rfc1256.txt
      RFC 1349: Type of Service in the Internet Protocol Suite, http://www.ietf.org/rfc/rfc1349.txt
      RFC 1812: Requirements for IP Version 4 Routers, http://www.ietf.org/rfc/rfc1812.txt

  44. Tools Used
      X, written by Fyodor Yarochkin & Ofir Arkin, http://www.sys-security.com
      icmpID, written by Simple Nomad, http://www.nmrc.org or http://www.sys-security.com
      tcpdump, http://www.tcpdump.org
      Snort, written by Marty Roesch, http://www.snort.org
      HPING2, written by antirez, http://www.kyuzz.org/antirez/hping/
      SING, written by Alfredo Andres Omella, http://www.sourceforge.org/projects/sing

  45. Questions? Ofir Arkin Founder http://www.sys-security.com ofir@sys-security.com
