COMMAND
kernel
SYSTEMS AFFECTED
Sun Solaris & HP-UX 11.0
PROBLEM
Ofir Arkin found the following. RFC 791 defines a three-bit field
used for various control flags in the IP header. Bit 0 of this
field is the reserved flag, and must be zero according to
the RFC.
What happens if we break this definition and send our ICMP Query
requests with this bit set (having the value of one)?
Sun Solaris & HPUX 11.0 will echo back the reserved bit.
This is a tcpdump trace showing an ICMP Echo request sent with
the reserved bit set, and the ICMP Echo reply we received echoing
the reserved bit. This trace was produced against an HPUX 11.0
machine.
21:31:21.033366 if 4 > 195.72.167.186 > x.x.x.x: icmp: echo request (ttl 255, id 13170)
4500 0024 3372 8000 ff01 fc8c c348 a7ba
xxxx xxxx 0800 8b1b 8603 0000 f924 bd39
3082 0000
21:31:21.317916 if 4 < x.x.x.x > 195.72.167.186: icmp: echo reply (ttl 236, id 25606)
4500 0024 6406 8000 ec01 def8 xxxx xxxx
c348 a7ba 0000 931b 8603 0000 f924 bd39
3082 0000
The next trace was produced against a Sun Solaris 2.8 machine:
16:51:37.470995 if 4 > 195.72.167.220 > x.x.x.x: icmp: echo request (ttl 255, id 13170)
4500 0024 3372 8000 ff01 e0e1 c348 a7dc
xxxx xxxx 0800 edae 3004 0000 69e3 bc39
ad2f 0700
16:51:37.745254 if 4 < x.x.x.x > 195.72.167.220: icmp: echo reply (DF) (ttl 243, id 5485)
4500 0024 156d c000 f301 cae6 xxxx xxxx
c348 a7dc 0000 f5ae 3004 0000 69e3 bc39
ad2f 0700
If we examine this trace closely we can identify a distinction
between Sun Solaris machines and HPUX machines. The DF bit will
be set in the Sun Solaris ICMP Query replies and not in the
HPUX 11.0 machines' replies. We can then distinguish between Sun
Solaris and HPUX 11.0 machines.
All ICMP Query replies on the same operating system use the same
pattern (either the bit is echoed in all replies or in none). This
enables us to use another ICMP Query message type for this
fingerprinting method. If we send an ICMP Address Mask request with
the reserved bit set, this is the result a Sun Solaris 2.8 machine
produces:
18:39:32.262869 if 4 > 195.72.167.147 > x.x.x.x : icmp: address mask request (ttl 255, id 13170)
4500 0020 3372 8000 ff01 e12e c348 a793
xxxx xxxx 1100 a0fb 4e04 0000 0000 0000
18:39:32.561373 if 4 < x.x.x.x > 195.72.167.147: icmp: address mask is 0xffffff00 (DF) (ttl 243, id 51792)
4500 0020 ca50 c000 f301 1650 xxxx xxxx
c348 a793 1200 a0fa 4e04 0000 ffff ff00
We will have both the reserved and the DF bit set on the ICMP
Address Mask reply, a unique pattern Sun Solaris machines have
with ICMP Address Mask replies.
This operating system fingerprinting method enables us to identify
and distinguish between Sun Solaris and HPUX 11.0.
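As an added illustration that is not part of the original advisory, the following Python decodes the tcpdump hex dumps quoted above: it splits the IP flags word into the reserved, DF and MF bits, pulls out the IP identification, TTL, addresses and ICMP type, flags inbound ICMP query requests that carry the reserved bit (the RFC 791 violation a sensor would want to log), and applies the advisory's two reply patterns (reserved bit echoed with DF for Solaris, without DF for HP-UX 11.0). The dumps are the advisory's own; the "xxxx" words are the addresses the author masked and are kept as masked. Function and dictionary names are the example's own.

```python
"""Decode IP flags and ICMP type from tcpdump-style hex dumps (added example)."""
import ipaddress

# Hex dumps quoted from the advisory; "xxxx" words are the masked addresses.
CAPTURES = {
    "hpux_echo_request": "4500 0024 3372 8000 ff01 fc8c c348 a7ba "
                         "xxxx xxxx 0800 8b1b 8603 0000 f924 bd39 3082 0000",
    "hpux_echo_reply":   "4500 0024 6406 8000 ec01 def8 xxxx xxxx "
                         "c348 a7ba 0000 931b 8603 0000 f924 bd39 3082 0000",
    "solaris_echo_reply": "4500 0024 156d c000 f301 cae6 xxxx xxxx "
                          "c348 a7dc 0000 f5ae 3004 0000 69e3 bc39 ad2f 0700",
    "solaris_mask_reply": "4500 0020 ca50 c000 f301 1650 xxxx xxxx "
                          "c348 a793 1200 a0fa 4e04 0000 ffff ff00",
}

# Bit positions inside the 16-bit flags/fragment-offset word (RFC 791).
IP_FLAG_RESERVED = 0x8000   # "bit 0" of the three-bit flags field; must be zero
IP_FLAG_DF = 0x4000
IP_FLAG_MF = 0x2000

ICMP_NAMES = {0: "echo reply", 8: "echo request",
              17: "address mask request", 18: "address mask reply"}
ICMP_QUERY_REQUESTS = (8, 13, 15, 17)   # echo, timestamp, info, address mask


def parse_words(dump):
    """Split a dump into 16-bit words; masked 'xxxx' words become None."""
    return [None if set(w) == {"x"} else int(w, 16) for w in dump.split()]


def fmt_addr(hi, lo):
    """Render two 16-bit words as dotted quad, or x.x.x.x if masked."""
    if hi is None or lo is None:
        return "x.x.x.x"
    return str(ipaddress.IPv4Address((hi << 16) | lo))


def decode(dump):
    """Decode the IPv4 header and the ICMP type/code that follows it."""
    w = parse_words(dump)
    ihl = (w[0] >> 8) & 0xF           # header length in 32-bit words
    flags = w[3]
    icmp = w[ihl * 2]                  # first ICMP word: type and code
    pkt = {
        "version": w[0] >> 12,
        "total_length": w[1],
        "id": w[2],
        "reserved": bool(flags & IP_FLAG_RESERVED),
        "df": bool(flags & IP_FLAG_DF),
        "mf": bool(flags & IP_FLAG_MF),
        "frag_offset": flags & 0x1FFF,
        "ttl": w[4] >> 8,
        "protocol": w[4] & 0xFF,
        "src": fmt_addr(w[6], w[7]),
        "dst": fmt_addr(w[8], w[9]),
        "icmp_type": icmp >> 8,
        "icmp_code": icmp & 0xFF,
        "icmp_name": ICMP_NAMES.get(icmp >> 8, "other"),
    }
    if pkt["icmp_type"] == 18:         # address mask reply carries the mask
        pkt["address_mask"] = fmt_addr(w[ihl * 2 + 4], w[ihl * 2 + 5])
    return pkt


def is_reserved_bit_probe(pkt):
    """True for an ICMP query request that sets the RFC 791 reserved bit."""
    return (pkt["protocol"] == 1
            and pkt["icmp_type"] in ICMP_QUERY_REQUESTS
            and pkt["reserved"])


def classify_reply(pkt):
    """Apply the advisory's reply patterns to a decoded ICMP query reply."""
    if pkt["protocol"] != 1 or pkt["icmp_type"] not in (0, 18):
        return "not an ICMP query reply"
    if not pkt["reserved"]:
        return "reserved bit cleared: no match for the Solaris/HP-UX 11.0 pattern"
    if pkt["df"]:
        return "reserved bit echoed with DF set: Sun Solaris pattern"
    return "reserved bit echoed without DF: HP-UX 11.0 pattern"


if __name__ == "__main__":
    for name, dump in CAPTURES.items():
        p = decode(dump)
        print(f"{name:20s} id={p['id']:5d} ttl={p['ttl']:3d} "
              f"RF={int(p['reserved'])} DF={int(p['df'])} {p['icmp_name']}")
        if is_reserved_bit_probe(p):
            print("    -> query request with reserved bit set (probe)")
        else:
            print("    ->", classify_reply(p))
```

Running the block prints one line per capture; the HP-UX reply decodes with the reserved bit set and DF clear, while both Solaris replies carry reserved and DF together, matching the text, and the address mask reply decodes to 255.255.255.0, the same value SING reports below.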
The latest SING CVS (12 September 2000), which is available from
http://sourceforge.net/projects/sing, introduced the -U option,
which reports whether this bit is set on the reply (if any)
we get:
[root@godfather bin]# ./sing -mask -U IP_Address
SINGing to IP_Address (IP_Address): 12 data bytes
12 bytes from IP_Address: icmp_seq=0 RF! DF! ttl=243 TOS=0
mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=1 RF! DF! ttl=243 TOS=0
mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=2 RF! DF! ttl=243 TOS=0
mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=3 RF! DF! ttl=243 TOS=0
mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=4 RF! DF! ttl=243 TOS=0
mask=255.255.255.0
--- IP_Address sing statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
[root@godfather bin]#
This method was tested against: Linux Kernel 2.4 test 2,4,5,6; Linux
Kernel 2.2.x; FreeBSD 4.0, 3.4; OpenBSD 2.7,2.6; NetBSD 1.4.1,
1.4.2; BSDI BSD/OS 4.0,3.1; Solaris 2.6,2.7,2.8; HP-UX 10.20,
11.0; Compaq Tru64 5.0; AIX 4.1,3.2; Irix 6.5.3, 6.5.8; Ultrix 4.2,
4.5; OpenVMS v7.1-2; Novell NetWare 5.1 SP1, 5.0, 3.12; Microsoft
Windows 98/98SE, Microsoft Windows NT WRKS SP6a, Microsoft Windows
NT Server SP4, Microsoft Windows 2000 Family.
SOLUTION
Nothing yet.