COMMAND

    kernel

SYSTEMS AFFECTED

    Win2000

PROBLEM

    Ofir Arkin found the following.  The IP TTL field value used  with
    ICMP can differ between ICMP query messages and ICMP query replies.
    The TTL field value helps us identify certain  operating systems and
    groups of operating systems.  It also provides the simplest means of
    adding another check criterion when we are querying other host(s) or
    listening to traffic (sniffing).

    A. IP TTL Field Value with ICMP Echo Replies
    ============================================
    If we look at the IP TTL field value of ICMP Query Replies,  we see
    some patterns:

        - UNIX and UNIX-like operating systems use 255 as their IP TTL
          field  value  with  ICMP  query  replies, however some Linux
          boxes do not follow that behaviour
        - RedHat  5.0 (kernel  2.0.32) :  the IP  TTL field  with ICMP
          Echo_reply message is : 64
        - RedHat  5.2 (kernel  2.0.36) :  the IP  TTL field  with ICMP
          Echo_reply message is : 64
        - RedHat 6.1 (kernel 2.2.12-20)  : the IP TTL field  with ICMP
          Echo_reply message is : 255
        - Mandrake 7.0 (kernel 2.2.14-15) : the IP TTL field with ICMP
          Echo_reply message is : 255
        - Compaq Tru64 5.0  is the exception, using  64 as its IP  TTL
          field value with ICMP query replies.
        - Microsoft  Windows operating  system machines  are using the
          value of 128.
        - Microsoft Windows 95 is the only Microsoft operating  system
          to use 32 as its IP TTL field value with ICMP query messages

    In the case of Win95, this can be changed in the Registry:

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
        "DefaultTTL"=dword:000000ff

    With the ICMP query replies we have two operating systems  that are
    clearly distinguished from the others: Windows 95 and  Compaq Tru64
    5.0.  The other operating systems fall into the 255 group (UNIX and
    UNIX-like) and the 128 group (Microsoft operating systems).

    Operating Systems  tested:   LINUX Kernel  2.2.x, Kernel  2.4t1-6;
    FreeBSD 4.1,4.0,3.4;  OpenBSD 2.7,2.6;  NetBSD 1.4.2;  Sun Solaris
    2.5.1,2.6,2.7,2.8; HP-UX 10.20, 11.0;  AIX 4.1, 3.2; Compaq  Tru64
    5.0;  Irix  6.5.3,6.5.8;  BSDI  BSD/OS  4.0,3.1;  Ultrix  4.2-4.5;
    OpenVMS  7.1-2;  Windows  95/98/98SE/ME;  Windows NT 4 Workstation
    SP3, SP4, SP6a; Windows NT 4 Server SP4; Windows 2000 Pro, Server,
    Advanced Server.

    B. IP TTL Field Value with ICMP Echo Requests
    =============================================
    One would expect that both IP TTL field values would be the  same.
    This is not true in the case of some operating systems.

        - LINUX  Kernel 2.2.x  & 2.4.x  use 64  as their  IP TTL Field
          Value with ICMP Echo Requests.
        - FreeBSD  4.1, 4.0,  3.4; Sun  Solaris 2.5.1,  2.6, 2.7, 2.8;
          OpenBSD 2.6, 2.7,  NetBSD and HP-UX  10.20 are using  255 as
          their IP TTL field value with ICMP Echo requests.  The  OSs
          listed above use the same IP TTL field value  for any  ICMP
          message.
        - Windows 95/98/98SE/ME/NT4  WRKS SP3,SP4,SP6a/NT4 Server  SP4
          are all using 32 as their IP TTL field value with ICMP  Echo
          requests.
        - Microsoft  windows 2000  is using  128 as  its IP  TTL Field
          Value with ICMP Echo requests.

    We can distinguish between LINUX, Microsoft Windows 2000, the other
    Microsoft OSs (the 32 group), and the 255 group.

    What if we do not get a match?  Then we know that someone  changed
    the default TTL field value on the machine.  Please note that  some
    networking devices might have values similar to those presented here.

    Some might say that the default TTL value used with ICMP could  be
    altered.  True.  Just do it!

SOLUTION

    Windows NT uses 128 as the default.  This can (and should) be changed
    with the following Registry key entry:

        HKEY_LOCAL_MACHINE\System
          \CurrentControlSet
            \Services
              \Tcpip
                \Parameters

        DefaultTTL     REG_DWORD     1–255 seconds

    Default:   Windows NT 4.0               128
               Windows NT 3.51 and earlier   32

    Specifies the default Time To  Live (TTL) value set in  the header
    of outgoing IP packets.  The TTL determines the maximum amount  of
    time an  IP packet  can live  on the  network without reaching its
    destination.   It limits  the number  of routers  an IP packet can
    pass through before being discarded.  Windows NT does not add this
    value to the Registry.  You can add it by editing the Registry  or
    by using a program that edits the Registry.

    There are  many more  important and  interesting IP  settings. For
    more information,  consult the  file REGENTRY.HLP  that comes with
    the Windows NT Resource Kit.