A few more fingerprinting techniques - time and netmask

From: David G. Andersen (danderseat_private)
Date: Mon Dec 28 1998 - 15:16:40 PST


    The release of nmap reminded me about some work I did a while ago for
    yet-more-information-gathering-programs, and I thought it might be
    interesting from the perspective of fingerprinting.  Various systems
    handle ICMP queries in improper ways for time and netmask requests.
    I discussed some of these in a bulletin I didn't bother publicly
    announcing (http://www.angio.net/consult/secadv/AA-1997-09-02.address-mask)
    and they're somewhat relevant here.
    
    (They're also kind of fun for figuring out if places are firewalled,
    if links are point-to-point, if they run time synchronization, etc.)
    
    System          ICMP Time       ICMP Mask
    
    Windows         no              yes
    FreeBSD         yes             no
    Linux 1.x       yes             yes
    Linux 2.x       yes             no
    SunOS           yes             yes
    Solaris         yes             yes
    HPUX            yes             yes
    Older IRIX      yes             yes
    Newer IRIX      yes             no
    MacOS - MacTCP  ?               no
    MacOS - TCP/IP  ?               yes?
    Apple Internet Server           yes
    
    On some operating systems, these aren't the best ways for
    fingerprinting, because they are configurable - FreeBSD and Solaris
    allow you to control the behavior, for instance, and I'm sure other
    systems may as well.
    
    I asked CERT to send some of the information on to vendors last year
    (since responding to ICMP Mask requests when you're not a router is a
    violation of the host requirements RFC), but it's not really a high
    priority issue. ;-)
    
    Demonstration programs for these (I've only tested them on FreeBSD)
    can be found at:
    
    http://www.angio.net/security/icmptime.c
    http://www.angio.net/security/icmpmask.c
    
    Sample output:
    
    torrey# ./icmptime www.yahoo.com www.freebsd.org www.netbsd.org www.openbsd.org
    www.yahoo.com                           :  Mon Dec 28 16:13:06 1998
    www.freebsd.org                         :  Mon Dec 28 16:13:14 1998
    www.netbsd.org                          :  Mon Dec 28 16:13:05 1998
    www.openbsd.org                         :  Mon Dec 28 16:13:10 1998
    
    (real time was 16:13:06)
    
    torrey# ./icmpmask www.cisco.com www.bay.com www.nytimes.com
    www.cisco.com                           :  0xFFFFFFE0
    www.bay.com                             :  0xFFFFFFE0
    www.nytimes.com                         :  0xFFFFFF00
    
      -Dave
    
    --
    work: danderseat_private                     me:  angioat_private
          University of Utah                            http://www.angio.net/
          Computer Science - Flux Research Group
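The post links its icmptime.c and icmpmask.c sources but does not reproduce them. The following C decoder is an added example, not the author's code: it parses the two reply formats the post relies on, ICMP Timestamp Reply (type 14, RFC 792) and Address Mask Reply (type 18, RFC 950), verifies the RFC 1071 checksum, extracts the transmit timestamp (milliseconds since midnight UTC, with the "non-standard time" flag in bit 31) and the advertised mask, and checks that the mask is a contiguous prefix. It works only on byte buffers constructed in the example (no sockets), so it runs offline; the function names and the sample values (the 16:13:06 reading and the 0xFFFFFFE0 mask echo the post's output) are this example's own assumptions.

```c
/* Decode ICMP Timestamp Reply (type 14) and Address Mask Reply (type 18).
 * Added example; not the icmptime.c / icmpmask.c programs from the post. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ICMP_TIMESTAMP_REPLY 14
#define ICMP_MASK_REPLY      18
#define ICMP_HDR_LEN          8   /* type, code, checksum, identifier, sequence */

struct icmp_reply {
    int      type;         /* 14 or 18 after a successful parse */
    uint32_t transmit_ms;  /* type 14: ms since midnight UTC, bit 31 cleared */
    int      nonstandard;  /* type 14: RFC 792 "non-standard time" flag (bit 31) */
    uint32_t mask;         /* type 18: the address mask the host advertised */
};

/* RFC 1071 one's-complement checksum over the whole ICMP message.
 * Returns 0 when the message's own checksum field is already correct. */
uint16_t icmp_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (i < len)                          /* odd trailing byte */
        sum += (uint32_t)buf[i] << 8;
    while (sum >> 16)                     /* fold carries */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)(~sum & 0xffff);
}

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (uint8_t)v;
}

/* Parse one ICMP message. Returns 0 on success, -1 if truncated,
 * -2 on checksum failure, -3 if the type is not one we decode. */
int parse_icmp_reply(const uint8_t *pkt, size_t len, struct icmp_reply *out)
{
    if (len < ICMP_HDR_LEN) return -1;
    if (icmp_checksum(pkt, len) != 0) return -2;
    memset(out, 0, sizeof *out);
    out->type = pkt[0];
    switch (pkt[0]) {
    case ICMP_TIMESTAMP_REPLY: {          /* originate, receive, transmit */
        if (len < ICMP_HDR_LEN + 12) return -1;
        uint32_t raw = get32(pkt + 16);   /* transmit timestamp */
        out->nonstandard = (raw >> 31) & 1;
        out->transmit_ms = raw & 0x7fffffffu;
        return 0;
    }
    case ICMP_MASK_REPLY:
        if (len < ICMP_HDR_LEN + 4) return -1;
        out->mask = get32(pkt + 8);
        return 0;
    default:
        return -3;
    }
}

/* Render ms-since-midnight as HH:MM:SS into buf (at least 9 bytes). */
void ms_to_hms(uint32_t ms, char *buf)
{
    ms %= 86400000u;
    snprintf(buf, 9, "%02u:%02u:%02u", (unsigned)(ms / 3600000u),
             (unsigned)((ms / 60000u) % 60), (unsigned)((ms / 1000u) % 60));
}

/* Prefix length of a mask, or -1 if the ones are not contiguous. */
int mask_prefix_len(uint32_t mask)
{
    int n = 0;
    while (n < 32 && (mask & 0x80000000u)) { mask <<= 1; n++; }
    return mask == 0 ? n : -1;
}

/* Build syntactically valid replies into buf (>= 20 bytes) with a correct
 * checksum; used here only to construct offline sample input. */
size_t build_timestamp_reply(uint8_t *buf, uint32_t orig, uint32_t recv, uint32_t xmit)
{
    memset(buf, 0, ICMP_HDR_LEN + 12);
    buf[0] = ICMP_TIMESTAMP_REPLY;
    put32(buf + 8, orig); put32(buf + 12, recv); put32(buf + 16, xmit);
    uint16_t c = icmp_checksum(buf, ICMP_HDR_LEN + 12);
    buf[2] = c >> 8; buf[3] = c & 0xff;
    return ICMP_HDR_LEN + 12;
}

size_t build_mask_reply(uint8_t *buf, uint32_t mask)
{
    memset(buf, 0, ICMP_HDR_LEN + 4);
    buf[0] = ICMP_MASK_REPLY;
    put32(buf + 8, mask);
    uint16_t c = icmp_checksum(buf, ICMP_HDR_LEN + 4);
    buf[2] = c >> 8; buf[3] = c & 0xff;
    return ICMP_HDR_LEN + 4;
}

int main(void)
{
    uint8_t pkt[32]; char hms[9]; struct icmp_reply r;
    /* Constructed sample: a host reporting 16:13:06 UTC (58386000 ms). */
    size_t n = build_timestamp_reply(pkt, 0, 58386000u, 58386000u);
    if (parse_icmp_reply(pkt, n, &r) == 0) {
        ms_to_hms(r.transmit_ms, hms);
        printf("timestamp reply: %s UTC%s\n", hms, r.nonstandard ? " (non-standard)" : "");
    }
    n = build_mask_reply(pkt, 0xFFFFFFE0u);   /* constructed: the /27 from the post */
    if (parse_icmp_reply(pkt, n, &r) == 0)
        printf("mask reply: 0x%08X (/%d)\n", r.mask, mask_prefix_len(r.mask));
    return 0;
}
```

Two details matter when reading such replies on your own network. A timestamp reply with bit 31 set means the host admits its clock is not UTC-referenced, and a reply whose transmit time is seconds off the wall clock (as in the post's yahoo/freebsd/openbsd readings) tells you which hosts are not time-synchronized. An Address Mask Reply from anything that is not a router is the host-requirements (RFC 1122) deviation the post raised with CERT; since FreeBSD and Solaris make this behaviour configurable, the decoder is a convenient way to confirm, from a captured packet, whether a host still answers after the setting is changed.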
    


