RFC 792 (Internet Control Message Protocol) suggests how the ICMP Identifier field and the ICMP Sequence Number field should be used: "The identifier and sequence number may be used by the echo sender to aid in matching the replies with the echo requests. For example, the identifier might be used like a port in TCP or UDP to identify a session, and the sequence number might be incremented on each echo request sent. The echoer returns these same values in the echo reply." It literally suggests that the ICMP Identifier field will be used to differentiate between ICMP Query messages sent to different hosts. It also suggests that the ICMP Sequence Number field will be used to differentiate between the ICMP Query messages sent to the same host. The 'ping' utility with UNIX and UNIX-like operating systems has adopted this suggestion. When examining the behavior of the 'ping' utility with Microsoft Windows based operating systems I have encountered a different behavioral pattern. The next example is a trace (using the windump program - http://netgroup-serv.polito.it/windump/install/Default.htm) of ICMP Echo requests initiated by launching two ping commands at the same time from a Microsoft Windows 2000 SP1 based machine.
One instance was aimed at the host 172.18.1.2, and the other at the host 172.18.1.134:

E:\>windump -xnvv -s 1600 icmp
windump: listening on \Device\Packet_{79C233F1-6CD7-49EB-8FA2-FA825CB1C9C3}

11:31:21.848025 172.18.1.179 > 172.18.1.2: icmp: echo request (ttl 128, id 11071)
                         4500 003c 2b3f 0000 8001 b4a8 ac12 01b3
                         ac12 0102 0800 265c 0300 2400 6162 6364
                         6566 6768 696a 6b6c 6d6e 6f70 7172 7374
                         7576 7761 6263 6465 6667 6869

11:31:22.221772 172.18.1.179 > 172.18.1.134: icmp: echo request (ttl 128, id 11075)
                         4500 003c 2b43 0000 8001 b420 ac12 01b3
                         ac12 0186 0800 255c 0300 2500 6162 6364
                         6566 6768 696a 6b6c 6d6e 6f70 7172 7374
                         7576 7761 6263 6465 6667 6869

11:31:22.844726 172.18.1.179 > 172.18.1.2: icmp: echo request (ttl 128, id 11077)
                         4500 003c 2b45 0000 8001 b4a2 ac12 01b3
                         ac12 0102 0800 245c 0300 2600 6162 6364
                         6566 6768 696a 6b6c 6d6e 6f70 7172 7374
                         7576 7761 6263 6465 6667 6869

11:31:23.215222 172.18.1.179 > 172.18.1.134: icmp: echo request (ttl 128, id 11078)
                         4500 003c 2b46 0000 8001 b41d ac12 01b3
                         ac12 0186 0800 235c 0300 2700 6162 6364
                         6566 6768 696a 6b6c 6d6e 6f70 7172 7374
                         7576 7761 6263 6465 6667 6869

11:31:23.846116 172.18.1.179 > 172.18.1.2: icmp: echo request (ttl 128, id 11079)
                         4500 003c 2b47 0000 8001 b4a0 ac12 01b3
                         ac12 0102 0800 225c 0300 2800 6162 6364
                         6566 6768 696a 6b6c 6d6e 6f70 7172 7374
                         7576 7761 6263 6465 6667 6869

11:31:24.216645 172.18.1.179 > 172.18.1.134: icmp: echo request (ttl 128, id 11080)
                         4500 003c 2b48 0000 8001 b41b ac12 01b3
                         ac12 0186 0800 215c 0300 2900 6162 6364
                         6566 6768 696a 6b6c 6d6e 6f70 7172 7374
                         7576 7761 6263 6465 6667 6869

As can be seen, the ICMP Identifier field value is the same with both instances. This is regardless of the fact that we are using the 'ping' utility to send ICMP Echo requests to two separate hosts. The number assigned to this field is 768 decimal. So how does the 'ping' utility with Microsoft based operating systems differentiate between the different ICMP Queries?
The 'ping' utility is using the Sequence Number field. For each ICMP Echo Request the ICMP Sequence Number is a unique number. The gap between one ICMP Sequence Number field value and the next is 100 hex / 256 decimal.

This raises another interesting question. If the ICMP Identifier field has a constant value, can we identify the different Microsoft operating systems passively when someone is using the 'ping' utility to query our machines? Yes.

Microsoft Windows NT                  - 256
Microsoft Windows 98/98SE             - 512
Microsoft Windows 2000                - 512
Microsoft Windows ME                  - 768
Microsoft Windows 2000 Family with SP1 - 768

With the 'ping' utility with Microsoft based operating systems the values assigned to the different ICMP datagram fields are OS based (in contrast with the 'ping' utility on UNIX and UNIX-like operating systems, which uses the application's own values for the different ICMP datagram fields). When using other applications with Microsoft based operating systems to generate ICMP Query messages, the ICMP Identifier field values will still be the same as with the 'ping' utility, if these applications are using the Microsoft MFC. Therefore whenever we see an ICMP Query datagram with an ICMP Identifier field value of 256/512/768 it indicates that the underlying operating system is MS based.

We can also look at the ICMP Sequence Number field value for extra information. The 'ping' utility with MS based operating systems will issue its first ICMP Query message with the ICMP Sequence Number field set to a value of 256 (the 'ping' utility with UNIX and UNIX-like operating systems will have this field set to 0 on its first query to a host). This field value will increase by 256 decimal each time we send an ICMP Query message (with the UNIX and UNIX-like 'ping' utility the field value will increase only if we are sending sequential queries; each time we issue the 'ping' command this field value will be set to 0 on the first query to be sent).

We can even calculate the number of ICMP Query messages a Windows based OS has issued since the last boot time. All we need to do is divide the ICMP Sequence Number field value by 256.

Microsoft can argue that their ICMP implementation is not in contrast with RFC 792, since the term that was used in order to describe the usage of the ICMP Identifier field was "may be used". But if we use common sense, then what role, in the Microsoft case, does the ICMP Identifier field have?

Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
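The following is an added example, not code from Ofir Arkin's post or from the Sys-Security Group: a small Python parser that applies the post's heuristics to raw ICMP Echo Request datagrams. It verifies the IP and ICMP checksums, pulls out the Identifier and Sequence Number fields (read as big-endian values, exactly as windump prints them), maps the Identifier onto the OS table given in the post, and computes the post's "queries since boot" estimate (Sequence Number divided by 256). The two sample packets are the first request to each host, copied byte for byte from the windump trace above; the function and constant names are my own assumptions, and the OS mapping is taken from the post as stated rather than independently re-measured.

```python
"""Passive fingerprinting of ICMP Echo Requests from the Identifier and
Sequence Number fields, following the observations in the post above.

Added example. The identifier-to-OS table and the "queries since boot"
estimate are the post's heuristics; the two packets below are copied from
the windump trace in the post. Names of functions/constants are my own.
"""
import struct

# Identifier values the post attributes to the Microsoft 'ping' utility,
# as 16-bit big-endian values (the way windump displays them).
MS_PING_IDENTIFIERS = {
    256: ("Windows NT",),
    512: ("Windows 98/98SE", "Windows 2000"),
    768: ("Windows ME", "Windows 2000 with SP1"),
}
# Sequence Number step the post observed for the Microsoft 'ping' utility.
MS_SEQ_STEP = 256


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum. Over a message that already
    carries a correct checksum field the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_echo_request(packet: bytes):
    """Parse an IPv4 datagram carrying an ICMP Echo Request.

    Returns a dict with the fields the post keys on, or None when the
    datagram is not a well-formed ICMP Echo Request."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    # Protocol 1 is ICMP; reject truncated datagrams and bad IP checksums.
    if ihl < 20 or total_length > len(packet) or packet[9] != 1:
        return None
    if inet_checksum(packet[:ihl]) != 0:
        return None
    icmp = packet[ihl:total_length]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 8 or code != 0:  # 8/0 = Echo Request
        return None
    return {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "ip_id": struct.unpack("!H", packet[4:6])[0],
        "ttl": packet[8],
        "identifier": ident,
        "sequence": seq,
        "payload": icmp[8:],
    }


def fingerprint(identifier: int, sequence: int) -> dict:
    """Apply the post's heuristics to one Echo Request's ICMP fields."""
    candidates = MS_PING_IDENTIFIERS.get(identifier)
    if candidates is None:
        # Not one of the constant identifiers the post lists for MS ping
        # (a UNIX-like ping uses its own, typically process-derived, value).
        return {"ms_ping": False, "candidates": (), "queries_since_boot": None}
    return {
        "ms_ping": True,
        "candidates": candidates,
        # Post's estimate: MS ping starts at 256 and increments by 256.
        "queries_since_boot": sequence // MS_SEQ_STEP,
    }


def analyse(packets):
    """Parse a list of raw datagrams and attach a fingerprint to each
    Echo Request found; non-echo or malformed packets are skipped."""
    results = []
    for pkt in packets:
        rec = parse_echo_request(pkt)
        if rec is not None:
            rec.update(fingerprint(rec["identifier"], rec["sequence"]))
            results.append(rec)
    return results


# First request to each host, copied from the windump trace in the post.
TRACE_TO_172_18_1_2 = bytes.fromhex(
    "4500 003c 2b3f 0000 8001 b4a8 ac12 01b3 ac12 0102"
    "0800 265c 0300 2400 6162 6364 6566 6768 696a 6b6c"
    "6d6e 6f70 7172 7374 7576 7761 6263 6465 6667 6869"
)
TRACE_TO_172_18_1_134 = bytes.fromhex(
    "4500 003c 2b43 0000 8001 b420 ac12 01b3 ac12 0186"
    "0800 255c 0300 2500 6162 6364 6566 6768 696a 6b6c"
    "6d6e 6f70 7172 7374 7576 7761 6263 6465 6667 6869"
)

if __name__ == "__main__":
    for rec in analyse([TRACE_TO_172_18_1_2, TRACE_TO_172_18_1_134]):
        print("%s > %s: id=%d seq=%d candidates=%s queries~%s" % (
            rec["src"], rec["dst"], rec["identifier"], rec["sequence"],
            rec["candidates"], rec["queries_since_boot"]))
```

Run stand-alone it prints one line per packet, showing the same Identifier (768) for both destination hosts and Sequence Numbers 256 apart, which is the pattern the post describes; feeding it a capture from a UNIX-like ping gives an Identifier outside the table and so `ms_ping` is False. Both checksums are verified before any field is trusted, so a corrupted or truncated capture is dropped rather than fingerprinted.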
This archive was generated by hypermail 2b30 : Thu May 03 2001 - 14:50:06 PDT