Bugtraq mailing list archives
A few more fingerprinting techniques - time and netmask
From: danderse () CS UTAH EDU (David G. Andersen)
Date: Mon, 28 Dec 1998 16:16:40 -0700
The release of nmap reminded me about some work I did a while ago for yet-more-information-gathering-programs, and I thought it might be interesting from the perspective of fingerprinting.

Various systems handle ICMP queries in improper ways for time and netmask requests. I discussed some of these in a bulletin I didn't bother publicly announcing (http://www.angio.net/consult/secadv/AA-1997-09-02.address-mask) and they're somewhat relevant here. (They're also kind of fun for figuring out if places are firewalled, if links are point to point, if they run time synchronization, etc.)

    System            ICMP Time   ICMP Mask
    Windows           no          yes
    FreeBSD           yes         no
    Linux 1.x         yes         yes
    Linux 2.x         yes         no
    SunOS             yes         yes
    Solaris           yes         yes
    HPUX              yes         yes
    Older IRIX        yes         yes
    Newer IRIX        yes         no
    MacOS - MacTCP    ?           no
    MacOS - TCP/IP    ?           yes?
    Apple Internet Server yes

On some operating systems, these aren't the best ways for fingerprinting, because they are configurable - FreeBSD and Solaris allow you to control the behavior, for instance, and I'm sure other systems may as well.

I asked CERT to send some of the information on to vendors last year (since responding to ICMP Mask requests when you're not a router is a violation of the host requirements RFC), but it's not really a high priority issue. ;-)

Demonstration programs for these (I've only tested them on FreeBSD) can be found at:

    http://www.angio.net/security/icmptime.c
    http://www.angio.net/security/icmpmask.c

Sample output:

    torrey# ./icmptime www.yahoo.com www.freebsd.org www.netbsd.org www.openbsd.org
    www.yahoo.com: Mon Dec 28 16:13:06 1998
    www.freebsd.org: Mon Dec 28 16:13:14 1998
    www.netbsd.org: Mon Dec 28 16:13:05 1998
    www.openbsd.org: Mon Dec 28 16:13:10 1998
    (real time was 16:13:06)

    torrey# ./icmpmask www.cisco.com www.bay.com www.nytimes.com
    www.cisco.com: 0xFFFFFFE0
    www.bay.com: 0xFFFFFFE0
    www.nytimes.com: 0xFFFFFF00

-Dave

--
work: danderse () cs utah edu      me: angio () pobox com
      University of Utah               http://www.angio.net/
      Computer Science - Flux Research Group
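Added example, not part of the original post and not the author's icmptime.c or icmpmask.c: a small offline decoder that a sensor or capture review could use to spot ICMP timestamp and address mask traffic (types 13/14 from RFC 792, 17/18 from RFC 950) and see what a reply discloses. The function names and the two sample messages are constructed for illustration.

```python
import struct

# ICMP query types: timestamp (RFC 792) and address mask (RFC 950).
QUERY_TYPES = {13: "timestamp-request", 14: "timestamp-reply",
               17: "mask-request", 18: "mask-reply"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid ICMP message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ms_to_clock(ms: int) -> str:
    """Render milliseconds since midnight UT as HH:MM:SS."""
    if ms & 0x80000000:  # high bit set: sender marks the value non-standard
        return "non-standard"
    s = ms // 1000
    return "%02d:%02d:%02d" % (s // 3600 % 24, s // 60 % 60, s % 60)

def classify(icmp: bytes):
    """Describe an ICMP time/mask message; None for any other ICMP type."""
    if len(icmp) < 8:
        return None
    mtype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    kind = QUERY_TYPES.get(mtype)
    if kind is None:
        return None
    info = {"kind": kind, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(icmp) == 0}
    if mtype in (13, 14) and len(icmp) >= 20:
        orig, _recv, xmit = struct.unpack("!III", icmp[8:20])
        info["remote_clock"] = ms_to_clock(xmit if mtype == 14 else orig)
    elif mtype in (17, 18) and len(icmp) >= 12:
        info["mask"] = "0x%08X" % struct.unpack("!I", icmp[8:12])[0]
    return info

def build(mtype: int, body: bytes, ident=0x1234, seq=1) -> bytes:
    """Construct a sample message with a correct checksum (test data only)."""
    hdr = struct.pack("!BBHHH", mtype, 0, 0, ident, seq)
    csum = inet_checksum(hdr + body)
    return struct.pack("!BBHHH", mtype, 0, csum, ident, seq) + body

# Constructed samples: a mask reply carrying a /27 mask and a timestamp reply
# whose transmit field reads 16:13:06.
MASK_REPLY = build(18, struct.pack("!I", 0xFFFFFFE0))
TIME_REPLY = build(14, struct.pack("!III", 0, 58386000, 58386000))
```

A reply of type 14 or 18 leaving a host that is not meant to answer these queries is the event worth alerting on; the decoded fields show exactly what was disclosed.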