Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs)

From: Denis Ducamp (Denis.Ducampat_private)
Date: Mon May 07 2001 - 19:23:02 PDT


    On Sat, May 05, 2001 at 11:21:55PM -0700, Ofir Arkin wrote:
    > RFC 791 gives a description about the IP Identification field.
    ...
    > The first ICMP Echo request sent from the Microsoft NT 4 based machine was
    > sent with IP ID of 28416. The second ICMP Echo request was sent with IP ID
    > value of 28672. Simple calculation will show a gap of 256 between the IP ID
    > field values.
    >
    > Looking at the replies the LINUX based machine produced, we see a gap of 1
    > between one IP ID to the next.
    
    This has been known for a long time: Microsoft switched (or forgot to
    switch) the bytes in its IPID; look at the -W option in hping2
    <http://www.kyuzz.org/antirez/hping.html>
    
    > How Can We Use This?
    > We can use this information as another parameter for Active OS
    > fingerprinting and for Passive OS fingerprinting.
    
    And a lot of crackers do use it to actively/passively fingerprint
    systems.
    
    Another important use is to count the number of packets sent by a remote
    system: send a packet per second and you know how many... This permits a
    much more important use: to scan remote systems by spoofing its address.
    Again, look at the hping documentation and the bugtraq archive to know how.
    
    Now some systems protect against being used to spoof-scan:
     . OpenBSD and IPFilter(*): IPIDs are random
     . Linux 2.4.x: IPID is null if the packet is small enough to be carried
       unfragmented, in which case the DF (don't fragment) bit is set
     . others perhaps?
    
    (*) Only IPIDs generated by IPFilter are random, which correspond to reset
        packets and ICMP unreachable messages; other packets are generated by
        the underlying TCP/IP stack.
    
    Regards,
    
    Denis Ducamp.
    
    --
     Denis.Ducampat_private --- Hervé Schauer Consultants --- http://www.hsc.fr/
    snort, hping & dsniff en français : http://www.groar.org/~ducamp/#sec-trad
     Du bon usage de ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html
      Netiquette Guidelines .... http://www.pasteur.fr/infosci/RFC/18xx/1855
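The following is an added example, not code from Denis Ducamp's post nor from hping: a small passive classifier that parses raw IPv4 headers and tells apart the IPID behaviours named in this thread (increment by 1, the byte-swapped counter that appears as a gap of 256 on the wire, zero IPID with DF set, and unpredictable/random). It goes a little beyond the text by undoing the byte swap before checking the increment, so the Microsoft pattern is still recognised when the low byte of the counter wraps (0x00FF to 0x0100 shows up on the wire as 0xFF00 then 0x0001, a gap that is not 256). The headers and addresses (192.0.2.x) are constructed sample input; the function and class names are my own. Run over a capture of your own hosts' traffic, this tells you whether they still leak a predictable IPID counter.

```python
import struct
from dataclasses import dataclass
from typing import List

IP_DF = 0x4000  # "don't fragment" flag in the IPv4 flags/fragment-offset word
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order


@dataclass
class IpHeader:
    ident: int   # IP Identification field as it appears on the wire
    df: bool     # DF bit
    ttl: int
    proto: int


def build_ipv4_header(ident: int, df: bool, ttl: int = 128, proto: int = 1) -> bytes:
    """Construct a minimal IPv4 header (sample input only; checksum left at zero)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = IP_DF if df else 0
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # constructed test addresses
    return struct.pack(IPV4_FMT, ver_ihl, 0, 20, ident, flags_frag, ttl, proto, 0, src, dst)


def parse_ipv4_header(raw: bytes) -> IpHeader:
    """Extract the fields needed for IPID analysis from the first 20 bytes of a packet."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, ident, flags_frag, ttl, proto, _csum, _src, _dst = struct.unpack(
        IPV4_FMT, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return IpHeader(ident=ident, df=bool(flags_frag & IP_DF), ttl=ttl, proto=proto)


def swap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (undo a counter written in host order)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def _diffs(values: List[int]) -> List[int]:
    # Differences between consecutive IPIDs, modulo 2^16 so a wrap still reads as +1
    return [(b - a) % 0x10000 for a, b in zip(values, values[1:])]


def classify_ipid(headers: List[IpHeader]) -> str:
    """Classify the IPID generation pattern of packets seen from one host, in arrival order."""
    ids = [h.ident for h in headers]
    if len(ids) < 3:
        return "insufficient samples"
    # Linux 2.4-style: IPID stays zero while DF is set on every packet
    if all(i == 0 for i in ids) and all(h.df for h in headers):
        return "zero (DF set; Linux 2.4-style)"
    if all(d == 1 for d in _diffs(ids)):
        return "incremental by 1"
    # Byte-swapped counter: increments by 1 once the bytes are put back in order,
    # which is what appears as a gap of 256 on the wire (28416 -> 28672 in the thread)
    if all(d == 1 for d in _diffs([swap16(i) for i in ids])):
        return "incremental by 256 on the wire (byte-swapped counter; older Microsoft stacks)"
    return "random/unpredictable"


def classify_capture(raw_headers: List[bytes]) -> str:
    """Convenience wrapper: raw header bytes in, pattern label out."""
    return classify_ipid([parse_ipv4_header(r) for r in raw_headers])


if __name__ == "__main__":
    # The two values quoted in the thread, continued for two more packets (constructed)
    ms_like = [build_ipv4_header(i, False) for i in (28416, 28672, 28928, 29184)]
    print(classify_capture(ms_like))
    print(classify_capture([build_ipv4_header(i, False) for i in (1000, 1001, 1002, 1003)]))
    print(classify_capture([build_ipv4_header(0, True) for _ in range(4)]))
```

Three or four packets are enough to separate the patterns above, but a random-looking sequence needs more samples before you conclude anything, since a busy host with a sequential counter also shows large gaps when other traffic is interleaved between the packets you observe.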
    



    This archive was generated by hypermail 2b30 : Fri May 11 2001 - 00:03:50 PDT