Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs)

From: Aaron Campbell (aaronat_private)
Date: Mon May 07 2001 - 13:01:26 PDT

    On Sat, 5 May 2001, Ofir Arkin wrote:
    
    > With the implementation in many operating systems, the Kernel is increasing
    > the IP ID field value by 1, from one packet to the next.
    
    There is something much more interesting about non-random incrementing IP
    ID numbers: you can use such operating systems to execute spoofed TCP port
    scans. I have explained this technique (originally described on Bugtraq
    over 2 years ago, see the below URL) to security expert friends of mine
    who weren't aware of it at all.
    
    Imagine three hosts:
    
    Host A - Attacker.
    Host B - Idle machine, OS that increments IP IDs by fixed amount each pkt.
    Host C - Victim.
    
    Suppose Host A would like to know if port 22 is listening on Host C.
    
    Host A communicates initially with Host B to determine Host B's current IP
    ID number and takes note of it. Host A sends a TCP SYN packet to port 22
    of Host C with the src address field spoofed as Host B. If the port is
    open, Host C sends a SYN/ACK packet to Host B in response. If the port is
    closed, an RST is sent back instead. In the case of the open port, Host B
    would respond to the SYN/ACK with an RST. In the case of the closed port,
    Host B would ignore the RST and perform no action.
    
    Once this is done, Host A communicates once again with Host B to determine
    the current IP ID and compares it with the saved one from before. If port
    22 was open on Host C, Host B responded with an RST, increasing its IP ID
    by one. If it was closed, Host B responded with nothing and the IP ID did
    not change. Therefore, in the case where "fixed amount" = 1, the IP ID has
    increased by 2 if the port was open or 1 if it was closed.
    
    I actually wrote a port scanner a long time ago to implement this method,
    which seemed to work on my home network (using a Win95 box as a rogue
    host) but I have long since lost the sources.
    
    References:
    
    http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26mid%3D11581
    
    ---
    Aaron Campbell (aaronat_private || aaronat_private)
    http://www.monkey.org/~aaron
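As an added illustration, not code from Aaron's post, the three-host exchange above modelled in pure Python with no network access: Host B's IP ID counter is the only thing Host A ever observes, and the same model shows why randomizing IP IDs (the usual counter to this technique) leaves nothing to infer. The `IdleHost` class, the `step` and `random_seed` parameters and the sample port set are constructed for this example; `step` generalizes the post's "fixed amount".

```python
import random

class IdleHost:
    """Model of Host B: every packet it transmits consumes one IP ID.
    step is the fixed per-packet increment from the post; random_seed,
    when given, switches to randomized IDs (the usual mitigation)."""

    def __init__(self, step=1, start=1000, random_seed=None):
        self.ip_id, self.step = start, step
        self.rng = random.Random(random_seed) if random_seed is not None else None

    def _transmit(self):
        if self.rng is not None:
            self.ip_id = self.rng.randrange(65536)
        else:
            self.ip_id = (self.ip_id + self.step) & 0xFFFF   # 16-bit wraparound
        return self.ip_id

    def answer_probe(self):
        # Host A talks to Host B directly; B's reply consumes one ID.
        return self._transmit()

    def receive(self, segment):
        # Unsolicited SYN/ACK: TCP requires an RST reply, so one more ID is used.
        # Unsolicited RST: silently dropped, nothing is sent, the counter stands.
        if segment == "SYN/ACK":
            self._transmit()

def victim_reply(open_ports, port):
    """Model of Host C answering a SYN that carried Host B's address."""
    return "SYN/ACK" if port in open_ports else "RST"

def infer_port_state(idle, open_ports, port):
    """What Host A can learn from B's counter alone, never from C directly."""
    before = idle.answer_probe()
    idle.receive(victim_reply(open_ports, port))
    after = idle.answer_probe()
    delta = (after - before) & 0xFFFF
    if delta == 2 * idle.step:
        return "open"
    if delta == idle.step:
        return "closed"
    return "unknown"   # counter did not move by a multiple of step: no inference

if __name__ == "__main__":
    truth, ports = {22, 80}, [22, 25, 80]            # constructed sample victim
    # First two hosts track the truth exactly; the randomized one almost
    # always yields "unknown", which is the whole point of the mitigation.
    for host in (IdleHost(step=1), IdleHost(step=256), IdleHost(random_seed=7)):
        print({p: infer_port_state(host, truth, p) for p in ports})
```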
    
    This archive was generated by hypermail 2b30 : Fri May 11 2001 - 00:43:24 PDT