COMMAND
kernel
SYSTEMS AFFECTED
Win systems
PROBLEM
Ofir Arkin found the following. He decided to map which
operating systems would answer an ICMP Timestamp Request whose
Code field is not set to zero. Interesting results were produced.
Microsoft Windows 98/98 SE/ME and Microsoft Windows 2000
Professional/Server, which had answered ICMP Timestamp requests
with the Code field set to zero, now did not produce any reply.
Using this information it is quite easy to group together certain
Microsoft Windows operating systems using two ICMP Timestamp
request datagrams. The first one is a regular one; the Microsoft
Windows machines that do not answer are Microsoft Windows 95 and
Microsoft Windows NT 4.0 Workstation with SP 6a (and below). All
other operating systems (that the author checked) answered the ICMP
Timestamp request (UNIX and UNIX-like). The second stage is
sending another datagram, this time with the Code field set to a
value which is not equal to zero. The operating systems that
would not answer include Windows 98/98 SE/ME/2000
Professional/2000 Server, which are the newer versions of the
Microsoft Windows operating systems. Other operating systems
would still respond with a correct answer to the query.
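As an added defender-side example (not part of the advisory), a small Python parser that flags ICMP Timestamp Requests (type 13) carrying a non-zero Code, and sources that send both the Code-0 and non-zero variants, i.e. the two-datagram pattern described above. The sample packets are constructed inline and carry no valid checksums.

```python
import struct
from collections import defaultdict

ICMP_TIMESTAMP_REQUEST = 13  # ICMP type 13, RFC 792


def parse_ipv4_icmp(packet: bytes):
    """Return (src_ip, icmp_type, icmp_code) for a raw IPv4/ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 1 or len(packet) < ihl + 4:  # protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in packet[12:16])
    return src, packet[ihl], packet[ihl + 1]


def detect_timestamp_probes(packets):
    """Alert on non-zero Code Timestamp Requests and on the two-stage pattern per source."""
    alerts = []
    codes_by_src = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, icmp_type, icmp_code = parsed
        if icmp_type != ICMP_TIMESTAMP_REQUEST:
            continue
        codes_by_src[src].add(icmp_code)
        if icmp_code != 0:
            alerts.append(f"{src}: ICMP Timestamp Request with Code={icmp_code} (non-zero)")
    for src, codes in codes_by_src.items():
        if 0 in codes and any(c != 0 for c in codes):
            alerts.append(f"{src}: Code-0 and non-zero-Code Timestamp Requests (two-stage OS fingerprint pattern)")
    return alerts


def build_sample(src: str, icmp_type: int, icmp_code: int) -> bytes:
    """Constructed sample: minimal IPv4 header + 20-byte ICMP Timestamp message (checksums left zero)."""
    src_bytes = bytes(int(x) for x in src.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 1, 0, src_bytes, bytes((192, 0, 2, 10)))
    icmp = struct.pack("!BBHHHIII", icmp_type, icmp_code, 0, 1, 1, 0, 0, 0)
    return ip + icmp


# Constructed traffic: a regular Timestamp Request, the non-zero-Code follow-up, and an unrelated Echo Request.
SAMPLE_PACKETS = [
    build_sample("198.51.100.7", ICMP_TIMESTAMP_REQUEST, 0),
    build_sample("198.51.100.7", ICMP_TIMESTAMP_REQUEST, 1),
    build_sample("198.51.100.9", 8, 0),
]

if __name__ == "__main__":
    for line in detect_timestamp_probes(SAMPLE_PACKETS):
        print(line)
```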
It is quite obvious that Microsoft has tried to change the
fingerprint of some of its newer operating systems in later TCP/IP
implementations. For example, the default for answering an ICMP
Timestamp request was changed from "no answer" to "answer", like
UNIX and UNIX-like operating systems. But the Microsoft
programmers / designers / architects / security engineers
apparently did not think about everything.
Operating Systems checked:
LINUX Kernel 2.4t2; LINUX Kernel 2.2.14; FreeBSD 4.0, 3.4;
OpenBSD 2.7 & 2.6; Solaris 2.5.1, 2.6, 2.7 & 2.8; HP-UX 10.20;
AIX 4.1; ULTRIX; Microsoft Windows 95 / 98 / 98SE / ME / NT 4
SP3, SP4, SP6a WRST & SERVER / 2000 Professional & Server.
SOLUTION
Nothing yet.