On Tue, Mar 19, 2002, Ofir Arkin (ofirat_private) wrote: > > Linux Kernel 2.4.x has a bug with the UDP implementation which allows > both active and passive fingerprinting of Linux machines based on the > 2.4.x Kernel. Actually, as Crist Clark noted, this is a feature with both security and efficiency benefits. It also isn't specific to UDP -- you'll find similar TCP behavior. Nor is it exclusive to Linux 2.4 kernels -- Some (all?) Cisco IOS 12.0 - 12.3 devices and various Linksys broadband routers do this. I agree that that this is useful for remote OS detection. In fact, the Nmap Security Scanner has been using this OS detection technique for more than a year (since 2.54BETA20). You can grab a copy at http://www.insecure.org/nmap/ . > 03/16-11:49:41.531642 192.168.1.200:1024 -> x.x.x.x:53 UDP TTL:64 > TOS:0x0 ID:0 IpLen:20 DgmLen:63 DF > Len: 43 > BC 0D 01 00 00 01 00 00 00 00 00 00 03 77 77 77 .............www > 03 63 6E 6E 03 63 6F 6D 05 6C 6F 63 61 6C 00 00 .cnn.com.local.. > 01 00 01 ... > > The IP Identification field value with the UDP datagram is zero (0). The > value will be constant and will not be changed for future UDP datagrams > I will be sending. Last year I added a feature to Nmap which automates this IPID classification. Give the Nmap arguments "-v -O" against the host above and it should say "IPID Sequence Generation: All zeros". Other IPID classes Nmap understands include "incremental" (most machines), "duplicated IPID" (mostly stupid devices like printers), "Broken little-endian incremental" (Windows), "Randomized" (OpenBSD), and "Random positive increments". The XML output will provide the actual ID numbers in case you want to do your own analysis. A more recent IPID-related Nmap feature is the Idlescan (-sI). This clever method (discovered by Antirez) allows for a truly blind TCP port scan -- no packets are sent to the target from your real IP address. Instead, a unique side-channel attack exploits predictable IPID sequences on a chosen "zombie" host to glean information about open ports on the target network. IDS systems will report the scan as coming from the zombie. Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust relationships between machines. Please excuse my blatant Nmap promoting, but IPID analysis is one of my favorite reconnaissance techniques. The methods are subtle, but can provide a wealth of information to potential attackers. Fortunately, recent versions of Linux, Solaris, and OpenBSD (among others) address most of the issues. Lets hope that other vendors follow their lead. Cheers, Fyodor PS: While I'm plugging Nmap, I should mention that 2.54BETA31 was just released. It supports ICMP netmask/timestamp "ping" requests, custom TCP scan flags support, and other new features. http://www.insecure.org/nmap/ .
This archive was generated by hypermail 2b30 : Mon Mar 25 2002 - 15:50:32 PST