COMMAND

    kernel

SYSTEMS AFFECTED

    Win systems

PROBLEM

    Ofir Arkin found the following.  During his research on ICMP he
    encountered a new OS fingerprinting method.  When a wrong code is
    sent along with the correct type in an ICMP ECHO Request message,
    Microsoft Windows boxes behave differently from other operating
    systems in their ICMP ECHO Reply.

    Ofir queried  his LINUX  box (RH  6.2) with  an ICMP  ECHO Request
    changing the ICMP Code from 0 to 38.

        10:06:02.329509   lo < localhost.localdomain > localhost.localdomain:  icmp: echo request
                                 4500 0020 3372 0000 fe01 0610 c0a8 0105
                                 c0a8 0105 0826 675a 7402 0e20 0186 0cd7
        10:06:02.329639   lo > localhost.localdomain > localhost.localdomain: icmp: echo reply
                                 4500 0020 096d 0000 ff01 2f15 c0a8 0105
                                 c0a8 0105 0026 6f5a 7402 0e20 0186 0cd7

    As you can see from the tcpdump trace, the reply does not change
    the code to 0 but leaves it the way it was.  If we examine what
    RFC 972 requires, LINUX does exactly what it says.

    The sending side initializes the identifier (used to identify ECHO
    requests aimed at different destination hosts) and sequence number
    (if multiple ECHO requests are sent to the same destination host),
    adds some data  (arbitrary) to the  data field and  sends the ICMP
    ECHO Request to the destination host.  In the ICMP header the code
    equals zero.   The recipient should  only change the  type to ECHO
    Reply and return the datagram to the sender.

    This also means that we trust another machine to behave correctly.
    LINUX changes the type field value to 0 and sends the reply.

    Ofir then checked the behavior of his Microsoft Windows 2000
    Professional box.  He sent the same ICMP ECHO Request message to
    the Microsoft Windows box:

        10:03:33.860212 eth0 > localhost.localdomain > 192.168.1.1: icmp: echo request
                                 4500 0020 3372 0000 fe01 0614 c0a8 0105
                                 c0a8 0101 0826 d618 6102 f658 0183 c8e2
        10:03:33.860689 eth0 < 192.168.1.1 > localhost.localdomain: icmp: echo reply
                                 4500 0020 2010 0000 8001 9776 c0a8 0101
                                 c0a8 0105 0000 de3e 6102 f658 0183 c8e2
                                 0000 0000 0000 0000 0000 0000 0000

    The Microsoft Windows 2000 Professional operating system changed
    the code value on the ICMP ECHO Reply to 0.  Ofir tested this
    method with IBM AIX, SUN Solaris 2.6 & 2.7, OpenBSD, NetBSD and
    FreeBSD, and they all produced the same results as the LINUX box.

    Microsoft Windows NT 4.0 Server SP 6a and Microsoft Windows 98 SE
    produced the same behavior as Microsoft Windows 2000 Professional.
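    The four traces above, decoded by a small parser.  This is an added
    example, not part of Ofir's advisory: it pulls the ICMP type and code
    out of each hex dump, verifies the IP and ICMP checksums, and shows
    the check a network monitor could run to flag Echo Requests that
    carry a non-zero code.  Function names and the handling of the
    Ethernet padding tail are the editor's own assumptions.

```python
import struct

# Hex dumps copied from the tcpdump traces above (IP header + ICMP)
LINUX_REQ = "4500 0020 3372 0000 fe01 0610 c0a8 0105 c0a8 0105 0826 675a 7402 0e20 0186 0cd7"
LINUX_REP = "4500 0020 096d 0000 ff01 2f15 c0a8 0105 c0a8 0105 0026 6f5a 7402 0e20 0186 0cd7"
WIN_REQ = "4500 0020 3372 0000 fe01 0614 c0a8 0105 c0a8 0101 0826 d618 6102 f658 0183 c8e2"
WIN_REP = ("4500 0020 2010 0000 8001 9776 c0a8 0101 c0a8 0105 0000 de3e 6102 f658 0183 c8e2 "
           "0000 0000 0000 0000 0000 0000 0000")

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(hexdump: str) -> dict:
    """Decode an IPv4/ICMP packet given as tcpdump hex words."""
    raw = bytes.fromhex("".join(hexdump.split()))
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 1:
        raise ValueError("not an ICMP packet")
    # Bytes past the IP total length (the 0000 tail of the Windows reply) are
    # Ethernet frame padding, not ICMP payload, and must not enter the checksum.
    icmp = raw[ihl:total_len]
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"ttl": raw[8], "ip_csum_ok": inet_checksum(raw[:ihl]) == 0,
            "type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": icmp[8:], "icmp_csum_ok": inet_checksum(icmp) == 0}

def is_fingerprint_probe(hexdump: str) -> bool:
    """Detection rule: an Echo Request with a non-zero code is the probe this advisory describes."""
    p = parse_icmp(hexdump)
    return p["type"] == 8 and p["code"] != 0

def classify_reply(request_hex: str, reply_hex: str) -> str:
    """Compare the reply's code field with the request's, as the advisory does."""
    req, rep = parse_icmp(request_hex), parse_icmp(reply_hex)
    if rep["type"] != 0 or (rep["id"], rep["seq"]) != (req["id"], req["seq"]):
        return "not a matching echo reply"
    if rep["code"] == req["code"]:
        return "code preserved (LINUX/BSD/Solaris/AIX behaviour in the advisory)"
    if rep["code"] == 0:
        return "code zeroed (Microsoft Windows behaviour in the advisory)"
    return "code rewritten to %d" % rep["code"]
```

    All four dumps on this page carry valid IP and ICMP checksums, so
    the reply difference is purely in the code byte, not in a damaged
    packet.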

SOLUTION

    This gives a new method to differentiate between a Microsoft Windows
    box and the rest of the world.