Ofir Arkin [ofir@sys-security.com], “Introducing X: Playing Tricks with ICMP”, Black Hat Briefings ‘01, July 11-12, Las Vegas.

http://www.sys-security.com

Transcript of the slides.

Page 1: Introducing X: Playing Tricks with ICMP

Ofir Arkin, Founder, The Sys-Security Group

Page 2: Ofir Arkin

Founder, The Sys-Security Group
http://www.sys-security.com
ofir@sys-security.com

Page 3: What is X?

X is a logic developed from the various Active Operating System Fingerprinting methods I have discovered during my “ICMP Usage In Scanning” research project.

What are X’s goals? The logic’s goal is to provide a simple, fast and efficient way to actively fingerprint an operating system using the ICMP protocol.

Today we are using tools that are inaccurate and inconsistent with their results.

I hope X will change that.

Page 4: How do we start?

Query 1: a UDP datagram is sent to a closed UDP port. The datagram is sent with the DF bit set, and the data portion of the request should contain 70 bytes.

No ICMP error message received -> host filtered / down
ICMP Port Unreachable error message received -> we play

We query a definitely closed UDP port (see the IANA port number assignments: http://www.isi.edu/in-notes/iana/assignments/port-numbers).

If no ICMP error message is received, this is also an indicator for the presence of a filtering device, and we might use the ‘query only’ logic.

Page 5: A bit about the TOS Byte

Each IP datagram has an 8-bit field called the “TOS Byte”, which represents the IP support for prioritization and Type-of-Service handling.

 bit    0   1   2   3   4   5   6   7
      |  Precedence  |      TOS      | MBZ |

The “TOS Byte” consists of three fields.

The “Precedence” field, which is 3 bits long, is intended to prioritize the IP datagram. It has eight levels of prioritization.

The second field, 4 bits long, is the “Type-of-Service” field. It is intended to describe how the network should make tradeoffs between throughput, delay, reliability, and cost in routing an IP datagram.

The last field, “MBZ” (must be zero), is 1 bit long, unused and must be zero. Routers and hosts ignore it.

Page 6: First Split of the Tree

We play (an ICMP Port Unreachable error message was received for query 1):

Precedence bits = 0xc0 -> Linux based
Precedence bits = 0 -> Others

(A TOS byte of 0xc0 is binary 1100 0000, i.e. a Precedence field value of 6.)

RFC 1812, Requirements for IP Version 4 Routers, section 4.3.2.5 “TOS and Precedence”: “…ICMP Source Quench error messages, if sent at all, MUST have their IP Precedence field set to the same value as the IP Precedence field in the packet that provoked the sending of the ICMP Source Quench message. All other ICMP error messages (Destination Unreachable, Redirect, Time Exceeded, and Parameter Problem) SHOULD have their precedence value set to 6 (INTERNETWORK CONTROL) or 7 (NETWORK CONTROL). The IP Precedence value for these error messages MAY be settable”.

Page 7: Linux is not a Router

We use IP TTL field value differences between Linux Kernel 2.0.x and Linux Kernel 2.2.x & 2.4.x to differentiate between them.

Linux Kernel 2.4.x will use 0 as its IP ID field value with ICMP query replies.

Linux Kernel 1.x does not set the Precedence field value to 0xc0 with ICMP error messages.

Linux based:
TTL ~ 64 -> Linux 2.0.x
TTL ~ 255 -> Other Linux based
    Query 2: ICMP Echo Request
    IP ID != 0 in the reply -> Linux 2.2.x
    IP ID = 0 in the reply -> Linux 2.4.x

Page 8: An Example with Linux Kernel 2.4.x

Precedence bits = 0xc0 > TTL ~ 255 > Echo Reply with IP ID = 0 > Linux Kernel 2.4.x

The First Query:

[root@godfather /root]# hping2 -2 -c 2 -y -p 50 -d 70 IP_Address
ppp0 default routing interface selected (according to /proc)
HPING IP_Address (ppp0 IP_Address): udp mode set, 28 headers + 70 data bytes
ICMP Port Unreachable from IP_Address (host_address)
ICMP Port Unreachable from IP_Address (host_address)

--- IP_Address hping statistic ---
2 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather /root]#

-d 70: data bytes to add to the query
-p 50: targeting UDP port 50
-y: setting the DF bit

Each ICMP error message includes the Internet Protocol (IP) header and at least the first 8 data bytes of the datagram that triggered the error (the offending datagram); more than 8 bytes may be sent according to RFC 1122.

Page 9: An Example with Linux Kernel 2.4.x

The First Query, as seen by snort:

06/09-17:52:36.538286 x.x.x.x:2138 -> y.y.y.y:50
UDP TTL:64 TOS:0x0 ID:39033 IpLen:20 DgmLen:98 DF
Len: 78
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58  XXXXXX

06/09-17:52:37.428286 y.y.y.y -> x.x.x.x
ICMP TTL:234 TOS:0xC0 ID:47872 IpLen:20 DgmLen:126 DF
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
x.x.x.x:2137 -> y.y.y.y:50
UDP TTL:44 TOS:0x0 ID:28549 IpLen:20 DgmLen:98
Len: 78
** END OF DUMP
00 00 00 00 45 00 00 62 6F 85 40 00 2C 11 E6 C7  ....E..bo.@.,...
xx xx xx xx yy yy yy yy 08 59 00 32 00 4E EA 74  ...=...O.Y.2.N.t
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58  XXXXXX

Precedence field value is 0xc0 (TOS:0xC0 on the ICMP error message).

TTL ~ 255 (TTL:234 on the ICMP error message).

Page 10: An Example with Linux Kernel 2.4.x

The Second Query:

[root@godfather /root]# sing -c 2 -echo y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 16 data bytes
16 bytes from y.y.y.y: seq=1 DF! ttl=234 TOS=0 time=1841.365 ms

--- y.y.y.y sing statistics ---
2 packets transmitted, 1 packets received, 50% packet loss
round-trip min/avg/max = 1841.365/1841.365/1841.365 ms
[root@godfather /root]#

06/09-17:57:22.188286 213.8.13.99 -> 18.170.1.79
ICMP TTL:255 TOS:0x0 ID:13170 IpLen:20 DgmLen:36
Type:8 Code:0 ID:18181 Seq:256 ECHO
52 39 22 3B AC DF 02 00  R9";....

06/09-17:57:24.028286 18.170.1.79 -> 213.8.13.99
ICMP TTL:234 TOS:0x0 ID:0 IpLen:20 DgmLen:36 DF
Type:0 Code:0 ID:18181 Seq:256 ECHO REPLY
52 39 22 3B AC DF 02 00  R9";....

IP ID field value is 0.

Identified as a Linux Kernel 2.4.x based machine.

Page 11: Extreme Echoing

Amount of echoed data from the offending packet:

Data bytes of the offending packet echoed with the ICMP Port Unreachable error message = 64 -> Sun Solaris / HPUX 11.x
Data bytes of the offending packet echoed with the ICMP Port Unreachable error message = 8 -> Others

Sun Solaris / HPUX 11.x:
Query 2: ICMP Timestamp Request
Reply -> Sun Solaris 2.3, 2.4, 2.5, 2.6, 2.7, 2.8
No Reply -> HPUX 11.x

Page 12: An Example with Sun Solaris 2.7

The First Query:

17:46:58.948286 ppp0 > x.x.x.x.2338 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 25736)
                 4500 0062 6488 4000 4011 356c xxxx xxxx
                 yyyy yyyy 0922 0032 004e 4153 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

17:47:00.948286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable Offending pkt: x.x.x.x.2338 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 35, id 25736) (DF) (ttl 234, id 61905)
                 4500 0070 f1d1 4000 ea01 fe23 yyyy yyyy
                 xxxx xxxx 0303 085e 0000 0000 4500 0062
                 6488 4000 2311 526c xxxx xxxx yyyy yyyy
                 0922 0032 004e 4153 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858

In the ICMP error message the UDP header of the original datagram is echoed (0922 0032 004e 4153, where 004e is the size of the UDP datagram, 78 bytes), followed by the data portion (the 5858 words).

Page 13: An Example with Sun Solaris 2.7

The Second Query:

[root@godfather /root]# sing -c 2 -tstamp y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 20 data bytes
20 bytes from y.y.y.y: seq=0 DF! ttl=234 TOS=0 diff=1078858
20 bytes from y.y.y.y: seq=1 DF! ttl=234 TOS=0 diff=1078861

--- y.y.y.y sing statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
[root@godfather /root]#

06/09-17:45:09.268286 x.x.x.x -> y.y.y.y
ICMP TTL:255 TOS:0x0 ID:13170 IpLen:20 DgmLen:40
Type:13 Code:0 TIMESTAMP REQUEST
F3 04 00 00 03 2A 62 17 00 00 00 00 00 00 00 00  .....*b.........

06/09-17:45:12.228286 y.y.y.y -> x.x.x.x
ICMP TTL:234 TOS:0x0 ID:17742 IpLen:20 DgmLen:40 DF
Type:14 Code:0 TIMESTAMP REPLY
F3 04 01 00 03 2A 65 FC 03 3A DC 49 03 3A DC 49  .....*e..:.I.:.I

Identified as a Sun Solaris [2.3, 2.4, 2.5, 2.6, 2.7, 2.8] based machine.

Page 14: Using Echoing Integrity Problems - The IP Header

+-------+-------+---------------+-------------------------------+
|4-bit  |4-bit  |8-bit type of  |16-bit total length (in bytes) |
|version|header |service        |                               |
|       |length |               |                               |
+-------+-------+---------------+-----+-------------------------+
|16-bit identification          |3-bit|13-bit fragment offset   |
|                               |flags|                         |
+---------------+---------------+-----+-------------------------+
|8-bit time to  |8-bit protocol |16-bit header checksum         |
|live (TTL)     |               |                               |
+---------------+---------------+-------------------------------+
|32-bit source IP address                                       |
+---------------------------------------------------------------+
|32-bit destination IP address                                  |
+---------------------------------------------------------------+
|options (if any)                                               |
+---------------------------------------------------------------+

Each row is 32 bits; the header is 20 bytes without options.

Page 15: Using Echoing Integrity Problems

What are the fields which are usually used for this active fingerprinting method?

IP Total Length field value: miscalculation of the IP Total Length field value, usually adding 20 bytes to the original value; in some cases decreasing 20 bytes from the original value.

IP ID: wrong IP ID echoed, usually because of coding / platform problems.

IP Header Checksum: might be miscalculated or zero (0).

UDP Checksum: might be miscalculated or zero (0).

Page 16: Using Echoing Integrity Problems

Eight (8) data bytes of the offending packet echoed with the ICMP Port Unreachable error message:

Echoing integrity check: IP Total Length field value of the offending packet echoed
> 20 bytes from the original -> AIX, BSDI, NetBSD 1.x-1.2.x
not > 20 bytes from the original -> Other

AIX, BSDI, NetBSD 1.x-1.2.x:
Echoing integrity check: IP Header Checksum of the offending packet echoed
Miscalculated -> AIX 3.x, 4.x
Equal 0 -> BSDI, NetBSD 1.x-1.2.x

Page 17: An Example with AIX 3.2

The First Query:

17:59:32.708286 ppp0 > x.x.x.x.1874 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 9737)
                 4500 0062 2609 4000 4011 9da6 xxxx xxxx
                 yyyy yyyy 0752 0032 004e 6cde 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

17:59:34.698286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable Offending pkt: x.x.x.x.1874 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 50, id 9737, bad cksum aba6!) (DF) (ttl 240, id 14146)
                 4500 0038 3742 4000 f001 dca6 yyyy yyyy
                 xxxx xxxx 0303 f516 0000 0000 4500 0076
                 2609 4000 3211 aba6 xxxx xxxx yyyy yyyy
                 0752 0032 004e 0000

(1) Precedence bits value = 0
(2) 8 bytes are echoed from the data portion of the offending packet
(3) IP Total Length field value echoed is 118 (0076) while the original was 98 (0062)
(4) IP Header Checksum echoed is miscalculated (aba6, flagged by tcpdump as a bad checksum)

Page 18: Drilling Down

BSDI, NetBSD 1.x-1.2.x:
Echoing integrity check: IP ID of the offending packet
Not echoed correctly -> BSDI 2.x, 3.x or NetBSD 1.x-1.2.x Little Endian
Echoed correctly -> BSDI 4.x or NetBSD 1.x-1.2.x Big Endian

Page 19: Using the IP TTL

We are using the IP Time-to-Live field value to differentiate between several operating systems.

Linux Kernel 2.0.x is also using 64 as its IP TTL initial field value for ICMP query replies, but it was already identified.

Other (precedence bits = 0):
TTL ~ 64 -> DGUX / Compaq Tru64
TTL ~ 128 -> Novell Netware / Microsoft Windows
TTL ~ 32 -> Windows 95
TTL ~ 255 -> Other

Page 20: Identifying My Favorite OSs

Novell Netware / Microsoft Windows (TTL ~ 128):

Query 2: ICMP Echo Request with Code field != 0 and TOS byte = 6
Code field = 0 in the reply -> Microsoft Windows family
Code field != 0 in the reply -> Novell Netware

Microsoft Windows family:
TTL ~ 32 -> Windows 95
TTL ~ 128 -> Other Windows based OSs
    TOS bits = 0 in the reply -> Windows 2000
    TOS bits != 0 in the reply -> Other Windows based OSs (98/98SE/ME/NT SP3-/NT SP4+)

Page 21: An Example with Windows 2000

The First Query:

18:38:45.308286 eth0 > 172.18.2.201.2411 > 172.18.2.5.re-mail-ck: udp 70 (DF) (ttl 64, id 30700)
                 4500 0062 77ec 4000 4011 65ac ac12 02c9
                 ac12 0205 096b 0032 004e 84ae 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

18:38:45.308286 eth0 < 172.18.2.5 > 172.18.2.201: icmp: 172.18.2.5 udp port re-mail-ck unreachable Offending pkt: 172.18.2.201.2411 > 172.18.2.5.re-mail-ck: udp 70 (DF) (ttl 64, id 30700) (ttl 128, id 2613)
                 4500 0038 0a35 0000 8001 d39d ac12 0205
                 ac12 02c9 0303 6e63 0000 0000 4500 0062
                 77ec 4000 4011 65ac ac12 02c9 ac12 0205
                 096b 0032 004e 84ae

(1) Precedence bits value = 0
(2) 8 bytes are echoed from the data portion of the offending packet
(3) IP Total Length field value echoed is accurate
(4) TTL ~ 128
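An added example, not code from the presentation or from X: a Python parser for the ICMP Port Unreachable messages hex-dumped on these slides, reporting the fields the echoing-integrity checks of pages 15-18 (and the precedence, TTL and DF observations) look at, without naming an OS. It is run on the Windows 2000 capture above, which keeps its real addresses, and on the AIX 3.2 (page 17) and FreeBSD 4.0 (page 33) captures, where the masked x.x.x.x / y.y.y.y hosts are replaced by constructed placeholder addresses, so the inner header-checksum verdict is only meaningful for the Windows capture.

```python
"""Parser for the ICMP Port Unreachable messages hex-dumped on these slides.
Added example, not code from the presentation or from X; it only reports the
fields the deck's echoing-integrity checks look at, it does not name an OS.
Addresses marked CONSTRUCTED stand in for the x.x.x.x / y.y.y.y masking."""
import struct

IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IP header, checksum field included.
    The result is 0 exactly when the embedded header checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header laid out on page 14 of the deck."""
    ver_ihl, tos, total_len, ident, flags_off, ttl, proto, _cksum = struct.unpack(
        "!BBHHHBBH", buf[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "precedence": tos >> 5,          # 3-bit Precedence field (page 5)
        "tos_bits": (tos >> 1) & 0x0F,   # 4-bit Type-of-Service field
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_off & 0x4000),  # Don't Fragment flag
        "ttl": ttl,
        "proto": proto,
        "cksum_ok": ip_checksum(buf[:ihl]) == 0,
    }


def analyze_port_unreachable(hexdump: str, orig_id: int, orig_len: int) -> dict:
    """hexdump: the tcpdump -x words of the ICMP error message we received.
    orig_id / orig_len: IP ID and IP total length of the UDP probe we sent."""
    pkt = bytes.fromhex(hexdump.replace(" ", ""))
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_ICMP:
        raise ValueError("not an ICMP message")
    icmp = pkt[outer["ihl"]:]
    if (icmp[0], icmp[1]) != (3, 3):
        raise ValueError("not an ICMP Destination Unreachable / Port Unreachable")
    echoed = icmp[8:]                    # the quoted offending datagram
    inner = parse_ipv4(echoed)
    if inner["proto"] != IPPROTO_UDP:
        raise ValueError("quoted datagram is not UDP")
    udp = echoed[inner["ihl"]:]
    udp_cksum = struct.unpack("!H", udp[6:8])[0]
    swapped_id = ((orig_id & 0xFF) << 8) | (orig_id >> 8)   # host-order leak
    if inner["id"] == orig_id:
        ipid_echo = "ok"
    elif inner["id"] == swapped_id:
        ipid_echo = "byte-swapped"
    else:
        ipid_echo = "wrong"
    return {
        # the error message's own IP header (pages 5-7, 19 and 27)
        "precedence": outer["precedence"],
        "ttl": outer["ttl"],
        "df_echoed": outer["df"],
        # echoing integrity of the quoted datagram (pages 11 and 15-18)
        "echoed_after_ip_header": len(udp),   # 8 = UDP header only, 64 = Solaris/HPUX
        "total_len_delta": inner["total_len"] - orig_len,
        "ipid_echo": ipid_echo,
        "inner_ip_cksum_ok": inner["cksum_ok"],
        "udp_cksum": udp_cksum,
    }


# Page 21, Windows 2000: the capture keeps its real 172.18.2.x addresses.
WIN2000_ERROR = ("4500 0038 0a35 0000 8001 d39d ac12 0205 ac12 02c9 0303 6e63 0000 0000 "
                 "4500 0062 77ec 4000 4011 65ac ac12 02c9 ac12 0205 096b 0032 004e 84ae")
# Page 17, AIX 3.2: the slide masks the hosts; 0a000001 / 0a000002 are CONSTRUCTED
# placeholders, so inner_ip_cksum_ok is not meaningful for this dump.
AIX32_ERROR = ("4500 0038 3742 4000 f001 dca6 0a00 0002 0a00 0001 0303 f516 0000 0000 "
               "4500 0076 2609 4000 3211 aba6 0a00 0001 0a00 0002 0752 0032 004e 0000")
# Page 33, FreeBSD 4.0: same CONSTRUCTED placeholders for the masked hosts.
FREEBSD40_ERROR = ("4500 0038 5e0c 4000 ea01 941d 0a00 0002 0a00 0001 0303 805f 0000 0000 "
                   "4500 0062 95e4 0040 2211 d55a 0a00 0001 0a00 0002 0a8f 0032 004e 0000")

if __name__ == "__main__":
    for name, dump, sent_id in (("Windows 2000", WIN2000_ERROR, 30700),
                                ("AIX 3.2", AIX32_ERROR, 9737),
                                ("FreeBSD 4.0", FREEBSD40_ERROR, 58517)):
        print(name, analyze_port_unreachable(dump, orig_id=sent_id, orig_len=98))
```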

Page 22: An Example with Windows 2000

The Second Query:

[root@godfather /root]# sing -c 2 -echo -x 26 -TOS 6 172.18.2.5
SINGing to 172.18.2.5 (172.18.2.5): 16 data bytes
16 bytes from 172.18.2.5: seq=0 ttl=128 TOS=0 time=1.332 ms
16 bytes from 172.18.2.5: seq=1 ttl=128 TOS=0 time=0.855 ms

--- 172.18.2.5 sing statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.855/1.094/1.332 ms
[root@godfather /root]#

06/09-18:42:11.608286 172.18.2.201 -> 172.18.2.5
ICMP TTL:255 TOS:0x6 ID:13170 IpLen:20 DgmLen:36
Type:8 Code:26 ID:6 Seq:0 ECHO
D3 43 22 3B 1F 6D 09 00  .C";.m..

06/09-18:42:11.608286 172.18.2.5 -> 172.18.2.201
ICMP TTL:128 TOS:0x0 ID:2618 IpLen:20 DgmLen:36
Type:0 Code:0 ID:6 Seq:0 ECHO REPLY
D3 43 22 3B 1F 6D 09 00  .C";.m..

TOS bits value = 0

Code field = 0
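From the defender's side, the two probes shown so far have a recognisable shape on the wire. The following added example (not code from the presentation or from X) is a small classifier for raw IPv4 packets that flags query 1 (UDP with DF set and 70 bytes of one repeated filler byte, page 4) and query 2 (Echo Request with a non-zero Code field or TOS byte 6, page 20); the sample packets are constructed from the captures on pages 21 and 22, with checksum fields left unverified.

```python
"""Detection logic for the two probes used by the deck, applied to raw IPv4
packets (no link-layer header). Added example for defenders, not code from the
presentation or from X; the sample packets are constructed from the captures on
pages 21 and 22 (checksum fields are not verified here)."""

UDP, ICMP = 17, 1


def classify_probe(pkt: bytes):
    """Return a label for a packet that matches one of the deck's probes, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    tos = pkt[1]
    total_len = int.from_bytes(pkt[2:4], "big")
    df = bool(pkt[6] & 0x40)
    proto = pkt[9]
    payload = pkt[ihl:total_len]
    if proto == UDP and df and len(payload) >= 8:
        udp_len = int.from_bytes(payload[4:6], "big")
        data = payload[8:udp_len]
        # Query 1 (page 4): UDP datagram with DF set carrying 70 data bytes;
        # hping2 pads with a single repeated byte ('X', 0x58, on the slides).
        if len(data) == 70 and len(set(data)) == 1:
            return "x-udp-probe"
    if proto == ICMP and len(payload) >= 8:
        icmp_type, icmp_code = payload[0], payload[1]
        # Query 2 (page 20): Echo Request with a non-zero Code field and TOS byte 6.
        if icmp_type == 8 and (icmp_code != 0 or tos == 6):
            return "x-echo-probe"
    return None


def scan(packets):
    """Labels for every packet that matches, in capture order."""
    return [label for label in map(classify_probe, packets) if label]


def _hex(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


# Page 21: the UDP probe 172.18.2.201:2411 -> 172.18.2.5:50, DF set, 70 x 'X'.
UDP_PROBE = _hex("4500 0062 77ec 4000 4011 65ac ac12 02c9 ac12 0205 096b 0032 004e 84ae"
                 + " 5858" * 35)
# Page 22: the Echo Request with Code 26 and TOS 0x6. The IP header is CONSTRUCTED
# from the snort summary (TTL 255, ID 13170, DgmLen 36); checksum fields zeroed.
ECHO_PROBE = _hex("4506 0024 3372 0000 ff01 0000 ac12 02c9 ac12 0205"
                  "081a 0000 0006 0000 d343 223b 1f6d 0900")
# CONSTRUCTED benign traffic: an ordinary Echo Request, and a DNS query with DF set.
PLAIN_PING = _hex("4500 0024 0001 0000 4001 0000 ac12 02c9 ac12 0205"
                  "0800 0000 0001 0001 d343 223b 1f6d 0900")
DNS_QUERY = _hex("4500 0039 0002 4000 4011 0000 ac12 02c9 ac12 0205 c000 0035 0025 0000"
                 "1234 0100 0001 0000 0000 0000 07 6578616d706c65 03 636f6d 00 0001 0001")

if __name__ == "__main__":
    print(scan([UDP_PROBE, PLAIN_PING, ECHO_PROBE, DNS_QUERY]))
```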

Page 23: Identifying My Favorite OSs

Other Windows based OSs (98/98SE/ME/NT SP3-/NT SP4+):

Query 3: ICMP Timestamp Request
Reply -> Windows 98/98SE or Windows NT SP3-
No Reply -> Windows ME or Windows NT SP4+

Query 4: ICMP Address Mask Request
On the Reply branch of query 3: Reply -> Windows 98/98SE; No Reply -> Windows NT SP3-
On the No Reply branch of query 3: Reply -> Windows ME; No Reply -> Windows NT SP4+

Page 24: An Example with WinNT 4 SP6A

The First Query:

18:04:51.808286 ppp0 > x.x.x.x.2358 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 27203)
                 4500 0062 6a43 4000 4011 d83b xxxx xxxx
                 yyyy yyyy 0936 0032 004e e9c9 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

18:04:53.708286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable Offending pkt: x.x.x.x.2358 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 43, id 27203) (ttl 107, id 52085)
                 4500 0038 cb75 0000 6b01 8c43 yyyy yyyy
                 xxxx xxxx 0303 097d 0000 0000 4500 0062
                 6a43 4000 2b11 ed3b xxxx xxxx yyyy yyyy
                 0936 0032 004e e9c9

(1) Precedence bits value = 0
(2) 8 bytes are echoed from the data portion of the offending packet
(3) IP Total Length field value echoed is accurate
(4) TTL ~ 128

Page 25: An Example with WinNT 4 SP6A

The Second Query:

[root@godfather /root]# sing -c 2 -echo -x 26 -TOS 6 y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 16 data bytes
16 bytes from y.y.y.y: seq=0 ttl=107 TOS=6 time=1801.364 ms
16 bytes from y.y.y.y: seq=1 ttl=107 TOS=6 time=1812.762 ms

--- y.y.y.y sing statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1801.364/1807.063/1812.762 ms
[root@godfather /root]#

06/09-18:08:29.168286 x.x.x.x -> y.y.y.y
ICMP TTL:255 TOS:0x6 ID:13170 IpLen:20 DgmLen:36
Type:8 Code:26 ID:21765 Seq:0 ECHO
ED 3B 22 3B 99 97 02 00  .;";....

06/09-18:08:30.968286 y.y.y.y -> x.x.x.x
ICMP TTL:107 TOS:0x6 ID:58485 IpLen:20 DgmLen:36
Type:0 Code:0 ID:21765 Seq:0 ECHO REPLY
ED 3B 22 3B 99 97 02 00  .;";....

TOS bits value echoed

Code field = 0

Page 26: An Example with WinNT 4 SP6A

The 3rd and 4th Queries:

No answer for an ICMP Timestamp request:

[root@godfather /root]# sing -c 2 -tstamp y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 20 data bytes

--- y.y.y.y sing statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[root@godfather /root]#

No answer for an ICMP Address Mask request:

[root@godfather /root]# sing -c 2 -mask y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 12 data bytes

--- y.y.y.y sing statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[root@godfather /root]#

Identified as a Microsoft Windows NT 4 SP 4+ based machine.

Page 27: Finding the “secure OS” :)

Other (TTL ~ 255): DF Bit Echoing
DF bit not echoed with the ICMP error message -> OpenBSD / Ultrix
DF bit echoed with the ICMP error message -> Other

We are using a technique known as “DF Bit Echoing” with ICMP error messages. We set the DF bit in our offending packet, and examine the ICMP error message received to see if the DF bit was set in its IP header.

Linux based on Kernel 2.2.x & 2.0.x, Ultrix, MS based OSs, Novell, HPUX, and OpenBSD are the OSs not echoing the DF bit with their ICMP error messages.

Page 28: Finding the “secure OS” :)

OpenBSD / Ultrix:
Query 2: ICMP Address Mask Request
Reply -> Ultrix 4.2-4.5
No Reply -> OpenBSD family
    Echoing integrity check: UDP Checksum of the offending packet echoed
    = 0 -> OpenBSD 2.1 - 2.3.x
    != 0 -> OpenBSD 2.4.x - 2.9.x

Page 29: An Example with OpenBSD 2.8

The First Query:

18:11:37.578286 ppp0 > x.x.x.x.2527 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 3362)
                 4500 0062 0d22 4000 4011 d298 xxxx xxxx
                 yyyy yyyy 09df 0032 004e 865c 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

18:11:39.708286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable Offending pkt: x.x.x.x.2527 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 43, id 3362) (ttl 232, id 56572)
                 4500 0038 dcfc 0000 e801 9af7 yyyy yyyy
                 xxxx xxxx 0303 6c41 0000 0000 4500 004e
                 0d22 4000 2b11 e7ac xxxx xxxx yyyy yyyy
                 09df 0032 004e 865c

(1) Precedence bits value = 0
(2) 8 bytes are echoed from the data portion of the offending packet
(3) IP Total Length field value echoed is 20 bytes less than the original (004e instead of 0062)
(4) TTL ~ 255
(5) The DF bit is not echoed with the reply

Page 30: An Example with OpenBSD 2.8

The Second Query:

No answer for an ICMP Address Mask request:

[root@godfather /root]# sing -c 2 -mask y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 12 data bytes

--- y.y.y.y sing statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[root@godfather /root]#

The last step: examine the UDP checksum. Since it is echoed correctly (865c in the first query’s capture, the same value as in the original datagram), the OpenBSD machine that we have just identified might be one of version 2.4 – version 2.8.

Page 31: Using Echoing Integrity Problems

DF bit echoed with the ICMP error message (Other, TTL ~ 255):
Query 2: ICMP Address Mask Request
Reply -> OpenVMS
No Reply -> Other
    Query 3: ICMP Information Request
    Reply -> HPUX 10.20
    No Reply -> Other

Page 32: Using Echoing Integrity Problems

Other (no reply to the Address Mask and Information requests):

Echoing integrity check: IP Header Checksum of the offending packet echoed
Equal 0 -> NetBSD 1.3 - 1.3I
!= 0 -> Other
    Echoing integrity check: IP ID of the offending packet
    Not echoed correctly -> FreeBSD 2.x - 4.1.1
    Echoed correctly -> Other
        Echoing integrity check: UDP Checksum of the offending packet echoed
        = 0 -> FreeBSD 4.1.1 - 4.3
        != 0 -> NetBSD 1.3I - 1.5 / IRIX 5.x, 6.x

Page 33: An Example with FreeBSD 4.0

The First Query:

18:21:32.158286 ppp0 > x.x.x.x.2703 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 58517)
                 4500 0062 e495 4000 4011 b75a xxxx xxxx
                 yyyy yyyy 0a8f 0032 004e 41e2 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

18:21:34.078286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y.y udp port re-mail-ck unreachable Offending pkt: x.x.x.x > y.y.y.y: (frag 38372:78@512) (ttl 34, bad cksum d55a!) (DF) (ttl 234, id 24076)
                 4500 0038 5e0c 4000 ea01 941d yyyy yyyy
                 xxxx xxxx 0303 805f 0000 0000 4500 0062
                 95e4 0040 2211 d55a xxxx xxxx yyyy yyyy
                 0a8f 0032 004e 0000

(1) Precedence bits value = 0
(2) 8 bytes are echoed from the data portion of the offending packet
(3) IP Total Length field value echoed is accurate
(4) TTL ~ 255
(5) DF bit echoed

Page 34: An Example with FreeBSD 4.0

The 2nd and the 3rd Queries:

No answer for an ICMP Address Mask request:

[root@godfather /root]# sing -c 2 -mask y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 12 data bytes

--- y.y.y.y sing statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[root@godfather /root]#

No answer for an ICMP Information Request:

[root@godfather /root]# sing -c 2 -info y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 8 data bytes

--- y.y.y.y sing statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[root@godfather /root]#

Page 35: An Example with FreeBSD 4.0

Echoing Integrity Test: IP Header Checksum != 0 (it is miscalculated, but not 0)

Echoing Integrity Test: IP ID of the Offending Packet is not Echoed Correctly

18:21:32.158286 ppp0 > x.x.x.x.2703 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 58517)
                 4500 0062 e495 4000 4011 b75a xxxx xxxx
                 yyyy yyyy 0a8f 0032 004e 41e2 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

18:21:34.078286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y.y udp port re-mail-ck unreachable Offending pkt: x.x.x.x > y.y.y.y: (frag 38372:78@512) (ttl 34, bad cksum d55a!) (DF) (ttl 234, id 24076)
                 4500 0038 5e0c 4000 ea01 941d yyyy yyyy
                 xxxx xxxx 0303 805f 0000 0000 4500 0062
                 95e4 0040 2211 d55a xxxx xxxx yyyy yyyy
                 0a8f 0032 004e 0000

IP ID is not Echoed Correctly: the probe was sent with id 58517 (0xe495), but the quoted header carries 0x95e4, which tcpdump reads as 38372; the two bytes of the ID come back swapped.
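As an added example (not code from the slides or from the X tool), the five first-query tests and the two echoing-integrity tests above run over the slide's own tcpdump bytes. The x.x.x.x / y.y.y.y placeholders are not hex, so constructed addresses 10.0.0.1 and 10.100.138.54 stand in for them, chosen so that every checksum in the capture still validates. It also goes one step beyond the slides: it swaps the echoed ID and flags/offset back into network byte order and shows that the "bad" checksum d55a is in fact the correct checksum for the header as it arrived, so the host quoted it in its own byte order rather than corrupting it.

```python
import struct

# Constructed stand-ins for the x.x.x.x / y.y.y.y placeholders in the slide's tcpdump
# output (10.0.0.1 -> 10.100.138.54, chosen so that the capture's checksums validate).
SRC, DST = "0a000001", "0a648a36"
# UDP probe as sent (first query), hex copied from the tcpdump -x dump on the slide.
PROBE = bytes.fromhex("4500 0062 e495 4000 4011 b75a" + SRC + DST
                      + "0a8f 0032 004e 41e2" + "5858" * 35)
# ICMP Port Unreachable that came back: outer IP header, ICMP header, then the quoted
# offending IP header plus 8 bytes of its data (RFC 792 layout).
REPLY = bytes.fromhex("4500 0038 5e0c 4000 ea01 941d" + DST + SRC + "0303 805f 0000 0000"
                      + "4500 0062 95e4 0040 2211 d55a" + SRC + DST + "0a8f 0032 004e 0000")

def checksum(data: bytes) -> int:
    # RFC 1071 ones-complement checksum; 0 means the data validates as-is.
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ip(pkt: bytes) -> dict:
    # The IPv4 header fields the tests look at.
    ver_ihl, tos, length, ident, frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    return dict(ihl=(ver_ihl & 0xF) * 4, tos=tos, length=length, id=ident,
                frag=frag, ttl=ttl, proto=proto, csum=csum)

def bswap16(v: int) -> int:
    return ((v & 0xFF) << 8) | (v >> 8)

def echo_tests(probe: bytes, reply: bytes) -> dict:
    """Run the slide's tests on a probe and the ICMP error message it drew."""
    outer = parse_ip(reply)
    icmp = reply[outer["ihl"]:]
    quoted = icmp[8:]                       # the echoed offending packet
    sent, echoed = parse_ip(probe), parse_ip(quoted)
    # Echoed ID and flags/offset put back into network order, to tell a header echoed
    # in host (little-endian) byte order apart from one that is simply corrupted.
    swapped_back = struct.pack("!HH", bswap16(echoed["id"]), bswap16(echoed["frag"]))
    restored = quoted[:4] + swapped_back + quoted[8:20]
    return {
        "port_unreachable": (icmp[0], icmp[1]) == (3, 3),
        "precedence_bits": outer["tos"] >> 5,                          # test 1
        "echoed_data_bytes": len(quoted) - echoed["ihl"],              # test 2
        "total_length_echoed_ok": echoed["length"] == sent["length"],  # test 3
        "reply_ttl": outer["ttl"],                                     # test 4: 255 minus hops
        "df_echoed_raw": bool(echoed["frag"] & 0x4000),                # test 5, as received
        "df_echoed_after_swap": bool(bswap16(echoed["frag"]) & 0x4000),
        "id_echoed_ok": echoed["id"] == sent["id"],                    # echoing integrity
        "id_byte_swapped": echoed["id"] == bswap16(sent["id"]),
        "echoed_cksum_nonzero": echoed["csum"] != 0,                   # echoing integrity
        "echoed_cksum_valid": checksum(quoted[:echoed["ihl"]]) == 0,
        "echoed_cksum_valid_after_swap": checksum(restored) == 0,
    }
```

Calling echo_tests(PROBE, REPLY) reproduces the slide's readings: precedence 0, 8 data bytes, total length intact, TTL 234, the ID and DF bit echoed byte-swapped, and a non-zero checksum that validates only after the swap is undone.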

Page 36: An Example with FreeBSD 4.0

After three (3) queries and nine (9) tests (five on the first query's reply, one each for the unanswered address mask and information requests, and the two echoing integrity tests) we are able to determine that the questionable IP address is a FreeBSD based machine, running an OS version between 2.x and 4.1.1.

Page 37: Amount of Queries Used

Identified                                      Queries
Linux Kernel 2.0.x                              1
AIX 3.x, 4.x                                    1
BSDI 2.x, 3.x; NetBSD 1.x-1.2.x Little Endian   1
BSDI 4.x; NetBSD 1.x-1.2.x Big Endian           1
DGUX; Compaq Tru64                              1
Microsoft Windows 95                            1
Linux Kernel 2.2.x                              2
Linux Kernel 2.4.x                              2
Sun Solaris 2.3, 2.4, 2.5, 2.6, 2.7, 2.8        2
HPUX 11.x                                       2
Microsoft Windows 2000                          2
OpenVMS                                         2
Ultrix                                          2
OpenBSD 2.1.x – 2.3.x                           2
OpenBSD 2.4.x – 2.9.x                           2
HPUX 10.20                                      3

Page 38: Amount of Queries Used

Identified                                      Queries
NetBSD 1.3 – 1.3I                               3
FreeBSD 2.x – 4.1.1                             3
FreeBSD 4.1.1 – 4.3                             3
NetBSD 1.3I – 1.5; IRIX 5.x, 6.x                3
Microsoft Windows 98 / 98 SE                    4
Microsoft Windows NT SP3 and below              4
Microsoft Windows NT SP4 and above              4
Microsoft Windows ME                            4

Page 39: What's Next?

The logic is trying to avoid several obstacles:

Using the TOS Byte (QoS enabled devices)

Using Echoing Integrity problems related to the IP ID

Platform dependent issues

Not taken into consideration: Networking Devices, MacOS X

A few other problems: when involving ICMP queries we might hit a firewall. The host queried might filter incoming ICMP queries but still allow ICMP error messages out. Other "firewall" presence checks should be wisely implemented with the logic. If all fail we need to turn to TCP (OH GOD!) again.

Page 40: What's Next?

I have faced the problem of not having enough gear and time during my ICMP research project, which is 1 year old now.

The next stage of the project will be making it an Internet / "open source" based project.

You will be encouraged to send me fingerprints of your favorite OS and networking devices according to criteria that can be retrieved from http://www.sys-security.com/html/projects/X.html

Page 41: Automation

Automation of the logic is partially / fully available when using the following tools:

icmpID, written by Simple Nomad [[email protected]]. Available from http://www.nmrc.org and http://www.sys-security.com

X, written by Fyodor Yarochkin [[email protected]] & Ofir Arkin [[email protected]]. Available from http://www.sys-security.com

You can also perform this with a combination of a script, hping2 (for example), sing and tcpdump.

Page 42: Acknowledgment

Jeff Moss [[email protected]], http://www.blackhat.com

JD Glaser, who is the one that 'bugged' me for logic and automation.

Simple Nomad [[email protected]], http://www.nmrc.org

Fyodor Yarochkin [[email protected]]

Marty Roesch, http://www.snort.org, for implementing my wishes into Snort

…and the huge amount of people that provided feedback for my work!

Page 43: Further Reading

ICMP Usage In Scanning, v3.0 by Ofir Arkin, http://www.sys-security.com

RFC 792: Internet Control Message Protocol, http://www.ietf.org/rfc/rfc0792.txt

RFC 1122: Requirements for Internet Hosts - Communication Layers, http://www.ietf.org/rfc/rfc1122.txt

RFC 1256: ICMP Router Discovery Messages, http://www.ietf.org/rfc/rfc1256.txt

RFC 1349: Type of Service in the Internet Protocol Suite, http://www.ietf.org/rfc/rfc1349.txt

RFC 1812: Requirements for IP Version 4 Routers, http://www.ietf.org/rfc/rfc1812.txt

Page 44: Tools Used

X, written by Fyodor Yarochkin & Ofir Arkin, http://www.sys-security.com

icmpID, written by Simple Nomad, http://www.nmrc.org or http://www.sys-security.com

tcpdump, http://www.tcpdump.org

Snort, written by Marty Roesch, http://www.snort.org

HPING2, written by antirez, http://www.kyuzz.org/antirez/hping/

SING, written by Alfredo Andres Omella, http://www.sourceforge.org/projects/sing

Page 45

Ofir Arkin

Founder

http://www.sys-security.com

[email protected]

Questions?