RFC 791 gives a description about the IP Identification field. The identification field value is used to uniquely identify the fragments of a particular datagram. Fragments of a particular datagram are assembled if they have the same source, destination, protocol, and Identifier. The identifier is being chosen to be unique for this "this source, destination pair and protocol for the time the datagram (or any fragment of it) could be alive in the internet"[1]. The IP identifier field can have 65,536 different values. It is important for an operating system to have some sort of a mechanism in order to control the identification numbers correctly. Since every operating system should have its own mechanism in order to deal with this field numbering we might find some patterns different from one operating system to another. The Gap between one IP ID field value to the next With the implementation in many operating systems, the Kernel is increasing the IP ID field value by 1, from one packet to the next. However, there are operating systems that will increase the value of the IP ID field value with a value different than 1, from one packet to the next. In the next example I have sent two ICMP Echo requests from a Windows NT 4 Server with SP6a based machine targeting a LINUX machine based on Kernel 2.2.14: 08/10-16:55:06.638539 10.0.0.117 -> 10.0.0.105 ICMP TTL:32 TOS:0x0 ID:28416 ID:256 Seq:768 ECHO 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi 08/10-16:55:06.638592 10.0.0.105 -> 10.0.0.117 ICMP TTL:255 TOS:0x0 ID:1452 ID:256 Seq:768 ECHO REPLY 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi 08/10-16:55:07.639784 10.0.0.117 -> 10.0.0.105 ICMP TTL:32 TOS:0x0 ID:28672 ID:256 Seq:1024 ECHO 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi 08/10-16:55:07.639841 10.0.0.105 -> 10.0.0.117 ICMP TTL:255 TOS:0x0 ID:1453 ID:256 Seq:1024 ECHO REPLY 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi The first ICMP Echo request sent from the Microsoft NT 4 based machine was sent with IP ID of 28416. The second ICMP Echo request was sent with IP ID value of 28672. Simple calculation will show a gap of 256 between the IP ID field values. Looking at the replies the LINUX based machine produced, we see a gap of 1 between one IP ID to the next. Other OSs that act the same The other operating systems that act the same are the older Microsoft based operating systems. They include – Windows 95, Windows 98, Windows 98 SE, Windows NT 4 family (regardless of the Service Pack installed). With newer versions of their operating systems (MS Windows ME, MS Windows 2000 family), Microsoft has changed this behavior, and now acts as most operating systems do. How Can We Use This? We can use this information as another parameter for Active OS fingerprinting and for Passive OS fingerprinting. One example might be when we need another parameter to differentiate between a Windows NT 4 based machine to a Windows 2000 based machine. In The Real World In the real world when we wish to use this information for fingerprinting operating systems we will see something a bit different that we should be aware of. Since the machines we try to fingerprint are hosts available on the Internet they might communicate with other hosts on the Internet while we query them. Therefore the gap we will have from one IP ID to the next might be higher than 256 (in the older MS based OSs case). With the older implementations of Microsoft based operating systems identifying these OSs is quite simple. We will extract the first IP ID from the second IP ID and divide the result with 256. The result should be a complete number. With the operating systems that use a gap of 1 between one IP ID field number to the next, we might have a gap a bit higher than 1, usually between 2-8 (but it can be more than that as well). In the next example a Microsoft ME based machine sent two ICMP Echo requests targeting a LINUX based on kernel 2.2.14 machine. The gap between the first IP ID field value to the next is 5 with the LINUX machine: 08/10-16:49:45.633417 10.0.0.117 -> 10.0.0.105 ICMP TTL:32 TOS:0x0 ID:134 ID:768 Seq:256 ECHO 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi 08/10-16:49:45.633465 10.0.0.105 -> 10.0.0.117 ICMP TTL:255 TOS:0x0 ID:810 ID:768 Seq:256 ECHO REPLY 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi 08/10-16:49:46.635971 10.0.0.117 -> 10.0.0.105 ICMP TTL:32 TOS:0x0 ID:135 ID:768 Seq:512 ECHO 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi 08/10-16:49:46.636018 10.0.0.105 -> 10.0.0.117 ICMP TTL:255 TOS:0x0 ID:815 ID:768 Seq:512 ECHO REPLY 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi [1] RFC 791: Internet Protocol. http://www.ietf.org/rfc/rfc0791.txt Ofir Arkin [ofir@sys-security.com] Founder The Sys-Security Group http://www.sys-security.com PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
This archive was generated by hypermail 2b30 : Mon May 07 2001 - 12:05:42 PDT