Ofir Arkin [ofir@sys-security.com], “Introducing X: Playing Tricks with ICMP”, Black Hat Briefings ‘01, July 11-12, Las Vegas.
http://www.sys-security.com
Ofir Arkin, Founder, The Sys-Security Group

# Introducing X: Playing Tricks with ICMP
## What is X?

X is a logic developed from the various Active Operating System Fingerprinting methods I have discovered during my “ICMP Usage In Scanning” research project.

## What are X's goals?

The logic’s goal is to provide a simple, fast and efficient way to actively fingerprint an operating system using the ICMP Protocol.
Today we are using tools that are inaccurate and inconsistent with their results.
I hope X will change that.
## We Play: How do we start?

Query 1: a UDP datagram sent to a closed UDP port. The datagram is sent with the DF bit set, and the data portion of the request should contain 70 bytes.

- ICMP Port Unreachable error message received: we play.
- No ICMP error message received: host filtered / down.

We query a definitely closed UDP port (http://www.isi.edu/in-notes/iana/assignments/port-numbers).
An indicator is given for the presence of a filtering device.
If no ICMP error message is received, we might use the ‘query only’ logic.
## A bit about the TOS Byte

Each IP Datagram has an 8-bit field called the “TOS Byte”, which represents the IP support for prioritization and Type-of-Service handling.

Bit layout (bit 0 is the most significant bit): bits 0-2 Precedence, bits 3-6 TOS, bit 7 MBZ.

The “TOS Byte” consists of three fields.
The “Precedence field”, which is 3 bits long, is intended to prioritize the IP Datagram. It has eight levels of prioritization.
The second field, 4 bits long, is the “Type-of-Service” field. It is intended to describe how the network should make tradeoffs between throughput, delay, reliability, and cost in routing an IP Datagram.
The last field, the “MBZ” (must be zero), is unused and must be zero. Routers and hosts ignore this last field. This field is 1 bit long.
## We Play: First Split of the Tree

- Precedence bits = 0xc0: Linux based
- Precedence bits = 0: others

RFC 1812, Requirements for IP Version 4 Routers, section 4.3.2.5 (TOS and Precedence): “…ICMP Source Quench error messages, if sent at all, MUST have their IP Precedence field set to the same value as the IP Precedence field in the packet that provoked the sending of the ICMP Source Quench message. All other ICMP error messages (Destination Unreachable, Redirect, Time Exceeded, and Parameter Problem) SHOULD have their precedence value set to 6 (INTERNETWORK CONTROL) or 7 (NETWORK CONTROL). The IP Precedence value for these error messages MAY be settable”.
## Linux is not a Router

We use IP TTL field value differences between Linux Kernel 2.0.x and Linux Kernel 2.2.x & 2.4.x to differentiate between them.
Linux Kernel 2.4.x will use 0 as its IPID field value with ICMP Query replies.
Linux Kernel 1.x does not set the Precedence field value to 0xc0 with ICMP error messages.

Linux based:

- TTL ~ 64: Linux 2.0.x
- TTL ~ 255: other Linux based. Query 2, ICMP Echo Request:
  - IPID != 0: Linux 2.2.x
  - IPID = 0: Linux 2.4.x
## An Example with Linux Kernel 2.4.x: The First Query

Precedence Bits = 0xc0 > TTL ~ 255 > Echo Reply with IPID = 0 > Linux Kernel 2.4.x

```
[root@godfather /root]# hping2 -2 -c 2 -y -p 50 -d 70 IP_Address
ppp0 default routing interface selected (according to /proc)
HPING IP_Address (ppp0 IP_Address): udp mode set, 28 headers + 70 data bytes
ICMP Port Unreachable from IP_Address (host_address)
ICMP Port Unreachable from IP_Address (host_address)

--- IP_Address hping statistic ---
2 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather /root]#
```

- `-2`: UDP mode
- `-y`: setting the DF bit
- `-p 50`: targeting UDP port 50
- `-d 70`: data bytes to add to the query

Each ICMP error message includes the Internet Protocol (IP) Header and at least the first 8 data bytes of the datagram that triggered the error (the offending datagram); more than 8 bytes may be sent according to RFC 1122.
## An Example with Linux Kernel 2.4.x: The First Query (continued)

```
06/09-17:52:36.538286 x.x.x.x:2138 -> y.y.y.y:50
UDP TTL:64 TOS:0x0 ID:39033 IpLen:20 DgmLen:98 DF
Len: 78
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58  XXXXXX

06/09-17:52:37.428286 y.y.y.y -> x.x.x.x
ICMP TTL:234 TOS:0xC0 ID:47872 IpLen:20 DgmLen:126 DF
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
x.x.x.x:2137 -> y.y.y.y:50
UDP TTL:44 TOS:0x0 ID:28549 IpLen:20 DgmLen:98
Len: 78
** END OF DUMP
00 00 00 00 45 00 00 62 6F 85 40 00 2C 11 E6 C7  ....E..bo.@.,...
xx xx xx xx yy yy yy yy 08 59 00 32 00 4E EA 74  ...=...O.Y.2.N.t
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58  XXXXXX
```

In the ICMP error message: the Precedence field value is 0xc0 (TOS:0xC0) and the TTL ~ 255 (TTL:234).
## An Example with Linux Kernel 2.4.x: The Second Query

```
[root@godfather /root]# sing -c 2 -echo y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 16 data bytes
16 bytes from y.y.y.y: seq=1 DF! ttl=234 TOS=0 time=1841.365 ms

--- y.y.y.y sing statistics ---
2 packets transmitted, 1 packets received, 50% packet loss
round-trip min/avg/max = 1841.365/1841.365/1841.365 ms
[root@godfather /root]#
```

```
06/09-17:57:22.188286 213.8.13.99 -> 18.170.1.79
ICMP TTL:255 TOS:0x0 ID:13170 IpLen:20 DgmLen:36
Type:8 Code:0 ID:18181 Seq:256 ECHO
52 39 22 3B AC DF 02 00  R9";....

06/09-17:57:24.028286 18.170.1.79 -> 213.8.13.99
ICMP TTL:234 TOS:0x0 ID:0 IpLen:20 DgmLen:36 DF
Type:0 Code:0 ID:18181 Seq:256 ECHO REPLY
52 39 22 3B AC DF 02 00  R9";....
```

The IP ID field value of the Echo Reply is 0.
Identified as a Linux Kernel 2.4.x based machine.
## Extreme Echoing

Amount of echoed data from the offending packet:

- Data bytes of the offending packet echoed with the ICMP Port Unreachable error message = 64: Sun Solaris, HPUX 11.x. Query 2, ICMP Timestamp Request:
  - Reply: Sun Solaris 2.3, 2.4, 2.5, 2.6, 2.7, 2.8
  - No reply: HPUX 11.x
- Data bytes of the offending packet echoed with the ICMP Port Unreachable error message = 8: others
## An Example with Sun Solaris 2.7: The First Query

```
17:46:58.948286 ppp0 > x.x.x.x.2338 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 25736)
                 4500 0062 6488 4000 4011 356c xxxx xxxx
                 yyyy yyyy 0922 0032 004e 4153 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

17:47:00.948286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable Offending pkt: x.x.x.x.2338 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 35, id 25736) (DF) (ttl 234, id 61905)
                 4500 0070 f1d1 4000 ea01 fe23 yyyy yyyy
                 xxxx xxxx 0303 085e 0000 0000 4500 0062
                 6488 4000 2311 526c xxxx xxxx yyyy yyyy
                 0922 0032 004e 4153 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
```

In the ICMP error message, note: the UDP header of the original datagram echoed (0922 0032 004e 4153), the data portion echoed (the 5858 words that follow it), and the size of the UDP datagram.
## An Example with Sun Solaris 2.7: The Second Query

```
[root@godfather /root]# sing -c 2 -tstamp y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 20 data bytes
20 bytes from y.y.y.y: seq=0 DF! ttl=234 TOS=0 diff=1078858
20 bytes from y.y.y.y: seq=1 DF! ttl=234 TOS=0 diff=1078861

--- y.y.y.y sing statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
[root@godfather /root]#
```

```
06/09-17:45:09.268286 x.x.x.x -> y.y.y.y
ICMP TTL:255 TOS:0x0 ID:13170 IpLen:20 DgmLen:40
Type:13 Code:0 TIMESTAMP REQUEST
F3 04 00 00 03 2A 62 17 00 00 00 00 00 00 00 00  .....*b.........

06/09-17:45:12.228286 y.y.y.y -> x.x.x.x
ICMP TTL:234 TOS:0x0 ID:17742 IpLen:20 DgmLen:40 DF
Type:14 Code:0 TIMESTAMP REPLY
F3 04 01 00 03 2A 65 FC 03 3A DC 49 03 3A DC 49  .....*e..:.I.:.I
```

Identified as a Sun Solaris [2.3, 2.4, 2.5, 2.6, 2.7, 2.8] based machine.
## Using Echoing Integrity Problems: The IP Header

```
 0       8       16                                            31
+-------+-------+---------------+-------------------------------+
| 4-bit | 4-bit |  8-bit type   |     16-bit total length       |
|version|header |  of service   |         (in bytes)            |
|       |length |               |                               |
+-------+-------+---------------+-----+-------------------------+
|     16-bit identification     |3-bit| 13-bit fragment offset  |
|                               |flags|                         |
+---------------+---------------+-----+-------------------------+
| 8-bit time to |    8-bit      |    16-bit header checksum     |
|  live (TTL)   |   protocol    |                               |
+---------------+---------------+-------------------------------+
|                    32-bit source IP address                   |
+---------------------------------------------------------------+
|                 32-bit destination IP address                 |
+---------------------------------------------------------------+
|                       options (if any)                        |
+---------------------------------------------------------------+
```

The fixed part of the header is 20 bytes.
## Using Echoing Integrity Problems

What are the fields which are usually used for this Active Fingerprinting method?

- IP Total Length field value: miscalculation of the IP Total Length field value, usually adding 20 bytes to the original value; in some cases decreasing 20 bytes from the original value.
- IPID: wrong IPID echoed, usually because of coding / platform problems.
- IP Header Checksum: might be miscalculated or zero (0).
- UDP Checksum: might be miscalculated or zero (0).
## Using Echoing Integrity Problems

Eight (8) data bytes of the offending packet echoed with the ICMP Port Unreachable error message. Echoing integrity check:

- IP Total Length field value of the offending packet echoed is not > 20 bytes from the original: other
- IP Total Length field value of the offending packet echoed is > 20 bytes from the original: AIX, BSDI, NetBSD 1.x-1.2.x

AIX, BSDI, NetBSD 1.x-1.2.x. Echoing integrity check:

- IP Header Checksum of the offending packet echoed is miscalculated: AIX 3.x, 4.x
- IP Header Checksum of the offending packet echoed is equal to 0: BSDI, NetBSD 1.x-1.2.x
## An Example with AIX 3.2

```
17:59:32.708286 ppp0 > x.x.x.x.1874 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 9737)
                 4500 0062 2609 4000 4011 9da6 xxxx xxxx
                 yyyy yyyy 0752 0032 004e 6cde 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

17:59:34.698286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable Offending pkt: x.x.x.x.1874 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 50, id 9737, bad cksum aba6!) (DF) (ttl 240, id 14146)
                 4500 0038 3742 4000 f001 dca6 yyyy yyyy
                 xxxx xxxx 0303 f516 0000 0000 4500 0076
                 2609 4000 3211 aba6 xxxx xxxx yyyy yyyy
                 0752 0032 004e 0000
```

(1) Precedence Bits Value = 0
(2) 8 Bytes are Echoed from the Data Portion of the Offending Packet
(3) IP Total Length Field Value Echoed is 118 while the Original was 98
(4) IP Header Checksum Echoed is Miscalculated
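To make the checks on the preceding slides concrete for anyone reading a capture, here is an added Python example (not code from the talk, and not X itself) that decodes an ICMP Port Unreachable message and reports the fields the tree branches on: the precedence bits and TTL of the error message, whether the DF bit came back, how many bytes of the offending datagram were echoed, and whether the echoed IP total length, IPID, IP header checksum and UDP checksum match the datagram that was actually sent. It also splits the TOS byte as described on the “A bit about the TOS Byte” slide and rounds an observed TTL up to the nearest common initial value (the “~” on the slides). The first sample is the Windows 2000 exchange reproduced later in this deck (the one capture with unmasked addresses), re-typed from its hex dump; the second is a constructed mutation of that reply that mimics the AIX behaviour above (echoed total length inflated by 20 bytes with a stale header checksum, and the echoed UDP checksum zeroed).

```python
"""Decode an ICMP Port Unreachable message and run the echoing-integrity checks
from the slides.  Added example; not code from the talk or from X."""
import struct

# Sample exchange: the Windows 2000 capture from the slides (172.18.2.201 -> 172.18.2.5),
# re-typed from its hex dump.  SENT is the 70-byte UDP probe, RECV the Port Unreachable.
SENT = bytes.fromhex(
    "4500 0062 77ec 4000 4011 65ac ac12 02c9 ac12 0205"   # IP header, DF set
    "096b 0032 004e 84ae" + "5858" * 35)                  # UDP header + 70 'X' bytes
RECV = bytes.fromhex(
    "4500 0038 0a35 0000 8001 d39d ac12 0205 ac12 02c9"   # outer IP header (TTL 128, DF clear)
    "0303 6e63 0000 0000"                                 # ICMP type 3 code 3
    "4500 0062 77ec 4000 4011 65ac ac12 02c9 ac12 0205"   # echoed IP header
    "096b 0032 004e 84ae")                                # 8 echoed bytes: the UDP header


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, ICMP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4(buf: bytes) -> dict:
    """Parse the fixed part of an IPv4 header and verify its checksum
    (a header whose checksum field is right sums to 0xFFFF)."""
    ver_ihl, tos, total_len, ipid, frag, ttl, proto, cksum = struct.unpack("!BBHHHBBH", buf[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "tos": tos, "total_len": total_len, "ipid": ipid,
            "df": bool(frag & 0x4000), "ttl": ttl, "proto": proto, "checksum": cksum,
            "checksum_ok": ones_complement_sum(buf[:ihl]) == 0xFFFF}


# The TOS byte in RFC 791 numbering (bit 0 is the most significant bit):
# bits 0-2 precedence, bits 3-6 type of service, bit 7 must be zero.
def precedence_bits(tos: int) -> int:
    return tos & 0xE0          # 0xc0 = precedence 6 (INTERNETWORK CONTROL)


def tos_bits(tos: int) -> int:
    return (tos >> 1) & 0x0F


def initial_ttl_estimate(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value (32, 64, 128, 255)."""
    return next(start for start in (32, 64, 128, 255) if ttl <= start)


def analyze_port_unreachable(sent: bytes, received: bytes) -> dict:
    """Compare what came back in the ICMP error with the datagram we sent."""
    outer = parse_ipv4(received)
    icmp = received[outer["ihl"]:]
    if icmp[0] != 3 or icmp[1] != 3:
        raise ValueError("not an ICMP Port Unreachable message")
    inner_buf = icmp[8:]                        # the offending datagram, as echoed
    inner = parse_ipv4(inner_buf)
    echoed = inner_buf[inner["ihl"]:]           # bytes echoed beyond the inner IP header
    orig = parse_ipv4(sent)
    orig_udp_cksum = struct.unpack("!H", sent[orig["ihl"] + 6:orig["ihl"] + 8])[0]
    echoed_udp_cksum = struct.unpack("!H", echoed[6:8])[0] if len(echoed) >= 8 else None
    return {
        "precedence": precedence_bits(outer["tos"]),
        "ttl_estimate": initial_ttl_estimate(outer["ttl"]),
        "df_echoed": outer["df"],
        "echoed_bytes": len(echoed),
        "icmp_checksum_ok": ones_complement_sum(icmp) == 0xFFFF,
        "total_len_delta": inner["total_len"] - orig["total_len"],
        "ipid_echoed_ok": inner["ipid"] == orig["ipid"],
        "inner_checksum_ok": inner["checksum_ok"],
        "inner_checksum_zero": inner["checksum"] == 0,
        "udp_cksum_echoed_ok": echoed_udp_cksum == orig_udp_cksum,
        "udp_cksum_zero": echoed_udp_cksum == 0,
    }


def mutate_reply(received: bytes, inner_total_len: int, udp_cksum: int) -> bytes:
    """Constructed variant of a reply (assumes a 20-byte echoed IP header): rewrite the
    echoed IP total length and UDP checksum, leave the echoed IP header checksum stale as
    a buggy stack would, then recompute the ICMP checksum so the message itself is valid."""
    o = parse_ipv4(received)["ihl"]
    icmp = bytearray(received[o:])
    struct.pack_into("!H", icmp, 8 + 2, inner_total_len)    # inner IP total length
    struct.pack_into("!H", icmp, 8 + 20 + 6, udp_cksum)     # echoed UDP checksum
    struct.pack_into("!H", icmp, 2, 0)
    struct.pack_into("!H", icmp, 2, 0xFFFF ^ ones_complement_sum(bytes(icmp)))
    return received[:o] + bytes(icmp)


if __name__ == "__main__":
    for label, reply in (("Windows 2000 capture", RECV),
                         ("constructed AIX-style reply", mutate_reply(RECV, 118, 0))):
        print(label, analyze_port_unreachable(SENT, reply))
```

On the Windows 2000 capture everything verifies (precedence 0, TTL rounded to 128, DF not echoed, 8 bytes echoed, all echoed fields intact); on the constructed reply the total length delta is +20 and the echoed header checksum no longer verifies, which is exactly what tcpdump's “bad cksum” flags in the AIX dump above. Any sent/received pair pulled from a capture can be fed to `analyze_port_unreachable` the same way.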
## Drilling Down

BSDI, NetBSD 1.x-1.2.x. Echoing integrity check:

- IP ID of the offending packet is not echoed correctly: BSDI 2.x, 3.x or NetBSD 1.x-1.2.x Little Endian
- IP ID of the offending packet is echoed correctly: BSDI 4.x or NetBSD 1.x-1.2.x Big Endian
## Using the IP TTL

We are using the IP Time-to-Live field value to differentiate between several operating systems.
Linux Kernel 2.0.x is also using 64 as its IP TTL initial field value for ICMP Query replies, but it was already identified.

Other:

- TTL ~ 64: DGUX / Compaq Tru64
- TTL ~ 128: Novell Netware / Microsoft Windows
- TTL ~ 32: Windows 95
- TTL ~ 255: other
## Identifying My Favorite OSs

Novell Netware / Microsoft Windows. Query 2: ICMP Echo Request with Code field != 0 and TOS byte = 6.

- Code field = 0 in the reply: Microsoft Windows family
  - TTL ~ 32: Windows 95
  - TTL ~ 128: other Windows based OSs
    - TOS bits = 0: Windows 2000
    - TOS bits != 0: other Windows based OSs (98/98SE/ME/NTsp3-/NTsp4+)
- Code field != 0 in the reply: Novell Netware
## An Example with Windows 2000: The First Query

```
18:38:45.308286 eth0 > 172.18.2.201.2411 > 172.18.2.5.re-mail-ck: udp 70 (DF) (ttl 64, id 30700)
                 4500 0062 77ec 4000 4011 65ac ac12 02c9
                 ac12 0205 096b 0032 004e 84ae 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

18:38:45.308286 eth0 < 172.18.2.5 > 172.18.2.201: icmp: 172.18.2.5 udp port re-mail-ck unreachable Offending pkt: 172.18.2.201.2411 > 172.18.2.5.re-mail-ck: udp 70 (DF) (ttl 64, id 30700) (ttl 128, id 2613)
                 4500 0038 0a35 0000 8001 d39d ac12 0205
                 ac12 02c9 0303 6e63 0000 0000 4500 0062
                 77ec 4000 4011 65ac ac12 02c9 ac12 0205
                 096b 0032 004e 84ae
```

(1) Precedence Bits Value = 0
(2) 8 Bytes are Echoed from the Data Portion of the Offending Packet
(3) IP Total Length Field Value Echoed is accurate
(4) TTL ~ 128
## An Example with Windows 2000: The Second Query

```
[root@godfather /root]# sing -c 2 -echo -x 26 -TOS 6 172.18.2.5
SINGing to 172.18.2.5 (172.18.2.5): 16 data bytes
16 bytes from 172.18.2.5: seq=0 ttl=128 TOS=0 time=1.332 ms
16 bytes from 172.18.2.5: seq=1 ttl=128 TOS=0 time=0.855 ms

--- 172.18.2.5 sing statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.855/1.094/1.332 ms
[root@godfather /root]#
```

```
06/09-18:42:11.608286 172.18.2.201 -> 172.18.2.5
ICMP TTL:255 TOS:0x6 ID:13170 IpLen:20 DgmLen:36
Type:8 Code:26 ID:6 Seq:0 ECHO
D3 43 22 3B 1F 6D 09 00  .C";.m..

06/09-18:42:11.608286 172.18.2.5 -> 172.18.2.201
ICMP TTL:128 TOS:0x0 ID:2618 IpLen:20 DgmLen:36
Type:0 Code:0 ID:6 Seq:0 ECHO REPLY
D3 43 22 3B 1F 6D 09 00  .C";.m..
```

In the Echo Reply: TOS bits value = 0, Code field = 0.
## Identifying My Favorite OSs

98/98SE/ME/NTsp3-/NTsp4+. Query 3: ICMP Timestamp Request.

- Reply: Windows 98/98SE, Windows ME. Query 4: ICMP Address Mask Request.
  - Reply: Windows 98/98SE
  - No reply: Windows ME
- No reply: Windows NT SP 3-, Windows NT SP 4+. Query 4: ICMP Address Mask Request.
  - Reply: Windows NT SP 3-
  - No reply: Windows NT SP 4+
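From the defender's side, the probes this logic relies on are distinctive enough to alert on. The following is an added Python example (not code from the talk) that scans packet logs in the three-line snort-style layout the slides' dumps use for the patterns seen so far: the 70-byte DF-set UDP datagram of the first query, an Echo Request with a non-zero Code or a non-zero TOS byte, and Timestamp, Information and Address Mask requests. The log records are constructed for the example, reusing the 172.18.2.x lab addresses from the Windows 2000 slides; the `suspicious_sources` threshold is an assumption, chosen because the X sequence sends several different probe types from one source while a lone odd packet is usually noise.

```python
"""Flag X-style ICMP/UDP probes in snort-style packet logs.
Added example, not part of the talk; the log below is constructed."""
import re

# Constructed log in the three-line layout of the slides' dumps (header, IP line,
# protocol line, blank line between records).  Addresses are the lab addresses
# from the Windows 2000 example; the events themselves are made up.
SAMPLE_LOG = """\
06/09-17:52:36.538286 172.18.2.201:2138 -> 172.18.2.5:50
UDP TTL:64 TOS:0x0 ID:39033 IpLen:20 DgmLen:98 DF
Len: 78

06/09-18:42:11.608286 172.18.2.201 -> 172.18.2.5
ICMP TTL:255 TOS:0x6 ID:13170 IpLen:20 DgmLen:36
Type:8 Code:26 ID:6 Seq:0 ECHO

06/09-18:42:11.608286 172.18.2.5 -> 172.18.2.201
ICMP TTL:128 TOS:0x0 ID:2618 IpLen:20 DgmLen:36
Type:0 Code:0 ID:6 Seq:0 ECHO REPLY

06/09-18:08:29.168286 172.18.2.201 -> 172.18.2.5
ICMP TTL:255 TOS:0x0 ID:13170 IpLen:20 DgmLen:40
Type:13 Code:0 TIMESTAMP REQUEST

06/09-18:08:31.168286 172.18.2.201 -> 172.18.2.5
ICMP TTL:255 TOS:0x0 ID:13170 IpLen:20 DgmLen:32
Type:17 Code:0 ADDRESS REQUEST

06/09-18:10:00.000000 172.18.2.77 -> 172.18.2.5
ICMP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:84
Type:8 Code:0 ID:1 Seq:1 ECHO
"""

HEADER_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
IP_RE = re.compile(r"^(ICMP|UDP|TCP) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) "
                   r"IpLen:(\d+) DgmLen:(\d+)(?: (DF))?")
ICMP_RE = re.compile(r"^Type:(\d+) Code:(\d+)")

# ICMP query types the tree uses beyond Echo: Timestamp, Information, Address Mask.
ICMP_REQUESTS = {13: "ICMP Timestamp Request", 15: "ICMP Information Request",
                 17: "ICMP Address Mask Request"}


def parse_records(text: str) -> list:
    """Split the log into records and pull out the fields the rules need."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head, ip = HEADER_RE.match(lines[0]), IP_RE.match(lines[1])
        if not (head and ip):
            continue
        rec = {"ts": head.group(1),
               "src": head.group(2).rsplit(":", 1)[0],   # strip the port if present
               "dst": head.group(3).rsplit(":", 1)[0],
               "proto": ip.group(1), "tos": int(ip.group(3), 16),
               "dgmlen": int(ip.group(6)), "df": ip.group(7) == "DF",
               "type": None, "code": None}
        icmp = ICMP_RE.match(lines[2]) if rec["proto"] == "ICMP" else None
        if icmp:
            rec["type"], rec["code"] = int(icmp.group(1)), int(icmp.group(2))
        records.append(rec)
    return records


def classify(rec: dict):
    """Return why a record matches one of the probe patterns, or None."""
    # First query: UDP with DF set and 20 + 8 + 70 bytes on the wire.
    if rec["proto"] == "UDP" and rec["df"] and rec["dgmlen"] == 20 + 8 + 70:
        return "70-byte UDP datagram with DF set (first query)"
    if rec["proto"] != "ICMP":
        return None
    if rec["type"] == 8 and rec["code"] != 0:
        return "ICMP Echo Request with Code != 0"
    if rec["type"] == 8 and rec["tos"] != 0:
        return "ICMP Echo Request with TOS byte != 0"
    return ICMP_REQUESTS.get(rec["type"])


def find_probes(text: str) -> list:
    """(timestamp, src, dst, reason) for every record that matches a rule."""
    findings = []
    for rec in parse_records(text):
        reason = classify(rec)
        if reason:
            findings.append((rec["ts"], rec["src"], rec["dst"], reason))
    return findings


def suspicious_sources(text: str, min_distinct: int = 2) -> set:
    """Sources that sent at least `min_distinct` different probe types (assumed threshold)."""
    seen = {}
    for _, src, _, reason in find_probes(text):
        seen.setdefault(src, set()).add(reason)
    return {src for src, reasons in seen.items() if len(reasons) >= min_distinct}


if __name__ == "__main__":
    for finding in find_probes(SAMPLE_LOG):
        print(*finding)
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

On the constructed log the ordinary ping from 172.18.2.77 and the Echo Reply are left alone, while the four probes from 172.18.2.201 are reported and that host is the only one returned by `suspicious_sources`.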
## An Example with WinNT 4 SP6A: The First Query

```
18:04:51.808286 ppp0 > x.x.x.x.2358 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 27203)
                 4500 0062 6a43 4000 4011 d83b xxxx xxxx
                 yyyy yyyy 0936 0032 004e e9c9 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

18:04:53.708286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable Offending pkt: x.x.x.x.2358 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 43, id 27203) (ttl 107, id 52085)
                 4500 0038 cb75 0000 6b01 8c43 yyyy yyyy
                 xxxx xxxx 0303 097d 0000 0000 4500 0062
                 6a43 4000 2b11 ed3b xxxx xxxx yyyy yyyy
                 0936 0032 004e e9c9
```

(1) Precedence Bits Value = 0
(2) 8 Bytes are Echoed from the Data Portion of the Offending Packet
(3) IP Total Length Field Value Echoed is accurate
(4) TTL ~ 128
## An Example with WinNT 4 SP6A: The Second Query

```
[root@godfather /root]# sing -c 2 -echo -x 26 -TOS 6 y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 16 data bytes
16 bytes from y.y.y.y: seq=0 ttl=107 TOS=6 time=1801.364 ms
16 bytes from y.y.y.y: seq=1 ttl=107 TOS=6 time=1812.762 ms

--- y.y.y.y sing statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1801.364/1807.063/1812.762 ms
[root@godfather /root]#
```

```
06/09-18:08:29.168286 x.x.x.x -> y.y.y.y
ICMP TTL:255 TOS:0x6 ID:13170 IpLen:20 DgmLen:36
Type:8 Code:26 ID:21765 Seq:0 ECHO
ED 3B 22 3B 99 97 02 00  .;";....

06/09-18:08:30.968286 y.y.y.y -> x.x.x.x
ICMP TTL:107 TOS:0x6 ID:58485 IpLen:20 DgmLen:36
Type:0 Code:0 ID:21765 Seq:0 ECHO REPLY
ED 3B 22 3B 99 97 02 00  .;";....
```

In the Echo Reply: the TOS bits value is echoed, Code field = 0.
## The 3rd and 4th Queries: An Example with WinNT 4 SP6A

No answer for an ICMP Timestamp request:

```
[root@godfather /root]# sing -c 2 -tstamp y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 20 data bytes

--- y.y.y.y sing statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[root@godfather /root]#
```

No answer for an ICMP Address Mask request:

```
[root@godfather /root]# sing -c 2 -mask y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 12 data bytes

--- y.y.y.y sing statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[root@godfather /root]#
```

Identified as a Microsoft Windows NT 4 SP 4+ based machine.
## Finding the “secure OS” :)

Other (TTL ~ 255). DF bit echoing:

- DF bit not echoed with ICMP error message: OpenBSD / Ultrix
- DF bit echoed with ICMP error message: other

We are using a technique known as “DF Bit Echoing” with ICMP Error Messages. We set the DF Bit with our Offending Packet, and examine the ICMP Error message received to see if the DF bit was set.
Linux based on Kernel 2.2.x & 2.0.x, Ultrix, MS based OSs, Novell, HPUX, and OpenBSD are the OSs not echoing the DF bit with their ICMP Error Messages.
## Finding the “secure OS” :)

OpenBSD / Ultrix. Query 2: ICMP Address Mask Request.

- Reply: Ultrix 4.2-4.5
- No reply: OpenBSD family. Echoing integrity check:
  - UDP Checksum of the offending packet echoed = 0: OpenBSD 2.1 - 2.3.x
  - UDP Checksum of the offending packet echoed != 0: OpenBSD 2.4.x - 2.9.x
## An Example with OpenBSD 2.8: The First Query

```
18:11:37.578286 ppp0 > x.x.x.x.2527 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 3362)
                 4500 0062 0d22 4000 4011 d298 xxxx xxxx
                 yyyy yyyy 09df 0032 004e 865c 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858

18:11:39.708286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port re-mail-ck unreachable Offending pkt: x.x.x.x.2527 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 43, id 3362) (ttl 232, id 56572)
                 4500 0038 dcfc 0000 e801 9af7 yyyy yyyy
                 xxxx xxxx 0303 6c41 0000 0000 4500 004e
                 0d22 4000 2b11 e7ac xxxx xxxx yyyy yyyy
                 09df 0032 004e 865c
```

(1) Precedence Bits Value = 0
(2) 8 Bytes are Echoed from the Data Portion of the Offending Packet
(3) IP Total Length Field Value Echoed is 20 Bytes less than the Original
(4) TTL ~ 255
(5) The DF bit is not Echoed with the Reply
## An Example with OpenBSD 2.8: The Second Query

No answer for an ICMP Address Mask request:

```
[root@godfather /root]# sing -c 2 -mask y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 12 data bytes

--- y.y.y.y sing statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[root@godfather /root]#
```

The last step will be to examine the UDP Checksum. Since it is echoed correctly, the OpenBSD machine that we have just identified might be one of version 2.4 – version 2.8.
## DF Bit Echoed with ICMP Error Message

Query 2: ICMP Address Mask Request.

- Reply: OpenVMS
- No reply: other. Query 3: ICMP Information Request.
  - Reply: HPUX 10.20
  - No reply: other (continue with Using Echoing Integrity Problems)
## Using Echoing Integrity Problems

Echoing integrity check:

- IP Header Checksum of the offending packet echoed is equal to 0: NetBSD 1.3 - 1.3I
- IP Header Checksum of the offending packet echoed != 0: other

Echoing integrity check:

- IP ID of the offending packet is not echoed correctly: FreeBSD 2.x - 4.1.1
- IP ID of the offending packet is echoed correctly: other

Echoing integrity check:

- UDP Checksum of the offending packet echoed = 0: FreeBSD 4.1.1 - 4.3
- UDP Checksum of the offending packet echoed != 0: NetBSD 1.3I - 1.5, IRIX 5.x, 6.x
Slide 33: An Example with FreeBSD 4.0
The First Query
18:21:32.158286 ppp0 > x.x.x.x.2703 > y.y.y.y.re-mail-ck: udp 70 (DF) (ttl 64, id 58517)
    4500 0062 e495 4000 4011 b75a xxxx xxxx yyyy yyyy 0a8f 0032 004e 41e2
    5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858
    5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858 5858
18:21:34.078286 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y.y udp port re-mail-ck unreachable Offending pkt: x.x.x.x > y.y.y.y: (frag 38372:78@512) (ttl 34, bad cksum d55a!) (DF) (ttl 234, id 24076)
    4500 0038 5e0c 4000 ea01 941d yyyy yyyy xxxx xxxx 0303 805f 0000 0000
    4500 0062 95e4 0040 2211 d55a xxxx xxxx yyyy yyyy 0a8f 0032 004e 0000
(1) Precedence Bits Value = 0
(2) 8 Bytes are Echoed from the Data Portion of the Offending Packet
(3) IP Total Length Field Value Echoed is accurate
(4) TTL ~ 255
(5) DF Bit Echoed
Slide 34: An Example with FreeBSD 4.0
The 2nd and the 3rd Queries
No answer for an ICMP Address Mask request:
[root@godfather /root]# sing -c 2 -mask y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 12 data bytes
--- y.y.y.y sing statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[root@godfather /root]#
No answer for an ICMP Information Request:
[root@godfather /root]# sing -c 2 -info y.y.y.y
SINGing to y.y.y.y (y.y.y.y): 8 data bytes
--- y.y.y.y sing statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
[root@godfather /root]#
Slide 35: An Example with FreeBSD 4.0
Echoing Integrity Test: IP Header Checksum of the echoed offending packet != 0 (it is miscalculated, but not 0)
Echoing Integrity Test: IP ID of the Offending Packet is not Echoed Correctly (id 58517 = 0xe495 was sent; the echoed header carries 0x95e4, i.e. byte-swapped)
Slide 36: An Example with FreeBSD 4.0 (conclusion)
After three (3) queries and nine (9) tests we are able to determine that the questionable IP address is a FreeBSD based machine, running an OS version between 2.x – 4.1.1.
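To make the nine tests of slides 33 to 36 concrete, here is an added example that replays them over the FreeBSD 4.0 capture shown on the slides; it is not code from the slides or from the X tool, and the branch layout of the echoing-integrity tree follows slide 32 as reconstructed here. The masked xxxx/yyyy addresses are replaced with constructed placeholders.

```python
"""Added example (not from Arkin's slides or the X tool): replay the slides'
first-query and echoing-integrity tests over the FreeBSD 4.0 capture.  Hex is
the slides' dump; masked xxxx/yyyy addresses are constructed 10.0.0.1/.2."""
import struct

# Offending UDP datagram as sent (98 bytes: 20 IP + 8 UDP + 70 x "X").
SENT = bytes.fromhex(
    "4500 0062 e495 4000 4011 b75a 0a00 0001 0a00 0002"
    " 0a8f 0032 004e 41e2" + " 5858" * 35)
# ICMP port unreachable that came back, quoting the offending packet.
REPLY = bytes.fromhex(
    "4500 0038 5e0c 4000 ea01 941d 0a00 0002 0a00 0001"
    " 0303 805f 0000 0000"
    " 4500 0062 95e4 0040 2211 d55a 0a00 0001 0a00 0002"
    " 0a8f 0032 004e 0000")

def ip_fields(b):
    """Decode the IPv4 header fields the X logic inspects."""
    tos, tlen, ip_id, ff, ttl, _, cksum = struct.unpack("!BHHHBBH", b[1:12])
    return {"ihl": (b[0] & 0x0F) * 4, "precedence": tos >> 5, "total_len": tlen,
            "ip_id": ip_id, "ttl": ttl, "cksum": cksum, "df": bool(ff & 0x4000),
            # BSD keeps ip_off in host order, so the echo may be byte-swapped
            "df_swapped": bool(ff & 0x0040)}

def x_tests(sent, reply):
    """Run the slides' tests on one reply and return name -> pass/fail."""
    outer = ip_fields(reply)
    quoted = reply[outer["ihl"] + 8:]       # past the ICMP header: echoed packet
    orig, echo = ip_fields(sent), ip_fields(quoted)
    udp_echo = quoted[echo["ihl"]:]
    return {
        "precedence_zero": outer["precedence"] == 0,
        "eight_data_bytes_echoed": len(udp_echo) == 8,
        "total_length_accurate": echo["total_len"] == orig["total_len"],
        "ttl_near_255": outer["ttl"] > 128,  # 234 here: sent with 255
        "df_echoed": orig["df"] and (echo["df"] or echo["df_swapped"]),
        "ip_cksum_echoed_nonzero": echo["cksum"] != 0,
        "ip_id_echoed_correctly": echo["ip_id"] == orig["ip_id"],
        "udp_cksum_echoed_nonzero": udp_echo[6:8] != b"\x00\x00",
    }

def classify(t):
    """Echoing-integrity tree (DF echoed, no reply to both ICMP queries)."""
    if not t["ip_cksum_echoed_nonzero"]:
        return "NetBSD 1.3 - 1.3I"
    if not t["ip_id_echoed_correctly"] and not t["udp_cksum_echoed_nonzero"]:
        return "FreeBSD 2.x - 4.1.1"
    if t["udp_cksum_echoed_nonzero"]:
        return "FreeBSD 4.1.1 - 4.3 / NetBSD 1.3I - 1.5 / IRIX 5.x, 6.x"
    return "unknown"
```

Running `classify(x_tests(SENT, REPLY))` on the slide's capture yields the same FreeBSD 2.x - 4.1.1 verdict; the same functions can be pointed at any other captured error message to see which test a given stack fails.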
Slide 37: Amount of Queries Used
Identified:
Linux Kernel 2.0.x: 1 Query
AIX 3.x, 4.x: 1 Query
BSDI 2.x, 3.x; NetBSD 1.x-1.2.x Little Endian: 1 Query
BSDI 4.x; NetBSD 1.x-1.2.x Big Endian: 1 Query
DGUX; Compaq Tru64: 1 Query
Microsoft Windows 95: 1 Query
Linux Kernel 2.2.x: 2 Queries
Linux Kernel 2.4.x: 2 Queries
Sun Solaris 2.3, 2.4, 2.5, 2.6, 2.7, 2.8: 2 Queries
HPUX 11.x: 2 Queries
Microsoft Windows 2000: 2 Queries
OpenVMS: 2 Queries
Ultrix: 2 Queries
OpenBSD 2.1.x – 2.3.x: 2 Queries
OpenBSD 2.4.x – 2.9.x: 2 Queries
HPUX 10.20: 3 Queries
Slide 38: Amount of Queries Used
Identified:
NetBSD 1.3 – 1.3I: 3 Queries
FreeBSD 2.x – 4.1.1: 3 Queries
FreeBSD 4.1.1 – 4.3: 3 Queries
NetBSD 1.3I – 1.5; IRIX 5.x, 6.x: 3 Queries
Microsoft Windows 98 / 98 SE: 4 Queries
Microsoft Windows NT SP3 and earlier: 4 Queries
Microsoft Windows NT SP4 and later: 4 Queries
Microsoft Windows ME: 4 Queries
Slide 39: What’s Next?
The logic is trying to avoid several obstacles:
- Using the TOS Byte (QoS enabled devices)
- Using Echoing Integrity problems related to the IP ID
- Platform dependent issues
Not taken into consideration: Networking Devices, MacOS X
A few other problems:
- When involving ICMP Queries we might hit a Firewall. The Host queried might filter incoming ICMP queries but still allow ICMP error messages out.
- Other “firewall” presence checks should be wisely implemented with the logic.
- If all fail we need to turn to TCP (OH GOD!) again.
Slide 40: What’s Next?
I have faced the problem of not having enough gear and time during my ICMP research project, which is 1 year old now.
The next stage of the project will be making it an Internet / “open source” based project.
You will be encouraged to send me fingerprints of your favorite OS and Networking Devices according to criteria that can be retrieved from http://www.sys-security.com/html/projects/X.html
Slide 41: Automation
Automation of the logic is partially / fully available when using the following tools:
icmpID, written by Simple Nomad [[email protected]], available from http://www.nmrc.org and http://www.sys-security.com
X, written by Fyodor Yarochkin [[email protected]] and Ofir Arkin [[email protected]], available from http://www.sys-security.com
You can also perform this with a combination of a script, hping2 (for example), sing and tcpdump.
Slide 42: Acknowledgment
Jeff Moss [[email protected]], http://www.blackhat.com
JD Glaser: he is the one that ‘bugged’ me for logic and automation.
Simple Nomad [[email protected]], http://www.nmrc.org
Fyodor Yarochkin [[email protected]]
Marty Roesch, http://www.snort.org: implementing my wishes into Snort
…and the huge number of people that provided feedback for my work!
Slide 43: Further Reading
ICMP Usage In Scanning, v3.0 by Ofir Arkin, http://www.sys-security.com
RFC 792: Internet Control Message Protocol, http://www.ietf.org/rfc/rfc0792.txt
RFC 1122: Requirements for Internet Hosts - Communication Layers, http://www.ietf.org/rfc/rfc1122.txt
RFC 1256: ICMP Router Discovery Messages, http://www.ietf.org/rfc/rfc1256.txt
RFC 1349: Type of Service in the Internet Protocol Suite, http://www.ietf.org/rfc/rfc1349.txt
RFC 1812: Requirements for IP Version 4 Routers, http://www.ietf.org/rfc/rfc1812.txt
Slide 44: Tools Used
X, written by Fyodor Yarochkin & Ofir Arkin, http://www.sys-security.com
icmpID, written by Simple Nomad, http://www.nmrc.org or http://www.sys-security.com
tcpdump, http://www.tcpdump.org
Snort, written by Marty Roesch, http://www.snort.org
HPING2, written by antirez, http://www.kyuzz.org/antirez/hping/
SING, written by Alfredo Andres Omella, http://www.sourceforge.org/projects/sing
Slide 45: Questions?
Ofir Arkin, Founder, http://www.sys-security.com