Bugtraq mailing list archives

A few more fingerprinting techniques - time and netmask

From: danderse () CS UTAH EDU (David G. Andersen)
Date: Mon, 28 Dec 1998 16:16:40 -0700


The release of nmap reminded me about some work I did a while ago for
yet-more-information-gathering-programs, and I thought it might be
interesting from the perspective of fingerprinting.  Various systems
handle ICMP queries in improper ways for time and netmask requests.
I discussed some of these in a bulletin I didn't bother publically
announcing (http://www.angio.net/consult/secadv/AA-1997-09-02.address-mask)
and they're somewhat relevant here.

(They're also kind of fun for figuring out if places are firewalled,
if links are point to point, if they run time synchronization, etc.)

System          ICMP Time       ICMP Mask

Windows         no              yes
FreeBSD         yes             no
Linux 1.x       yes             yes
Linux 2.x       yes             no
SunOS           yes             yes
Solaris         yes             yes
HPUX            yes             yes
Older IRIX      yes             yes
Newer IRIX      yes             no
MacOS - MacTCP  ?               no
MacOS - TCP/IP  ?               yes?
Apple Internet Server           yes

On some operating systems, these aren't the best ways for
fingerprinting, because they are configurable - FreeBSD and Solaris
allow you to control the behavior, for instance, and I'm sure other
systems may as well.

I asked CERT to send some of the information on to vendors last year
(since responding to ICMP Mask requests when you're not a router is a
violation of the host requirements RFC), but it's not really a high
priority issue. ;-)

Demonstration programs for these (I've only tested them on FreeBSD)
can be found at:

http://www.angio.net/security/icmptime.c
http://www.angio.net/security/icmpmask.c

Sample output:

torrey# ./icmptime www.yahoo.com www.freebsd.org www.netbsd.org www.openbsd.org
www.yahoo.com:  Mon Dec 28 16:13:06 1998
www.freebsd.org:  Mon Dec 28 16:13:14 1998
www.netbsd.org:  Mon Dec 28 16:13:05 1998
www.openbsd.org:  Mon Dec 28 16:13:10 1998

(real time was 16:13:06)

torrey# ./icmpmask www.cisco.com www.bay.com www.nytimes.com
www.cisco.com:  0xFFFFFFE0
www.bay.com:  0xFFFFFFE0
www.nytimes.com:  0xFFFFFF00

  -Dave

--
work: danderse () cs utah edu                     me:  angio () pobox com
      University of Utah                            http://www.angio.net/
      Computer Science - Flux Research Group

Current thread:

New perl module Net::RawIP, (continued)
- - - New perl module Net::RawIP Sergey V. Kolychev (Dec 22)
    - Update on Cisco IOS 12.0 security bug John Bashinski (Dec 22)
    - Re: New perl module Net::RawIP route () RESENTMENT INFONEXUS COM (Dec 22)
    - [SecureXpert Labs Advisory SX-98.12.23-01] Widespread DoS Richard Reiner (Dec 23)
    - Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Updated) Anonymous (Dec 23)
    - Re: Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Casper Dik (Dec 24)
    - Re: Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Dima Volodin (Dec 25)
    - Re: Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Lamont Granquist (Dec 28)
    - Re: Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Igor Schein (Dec 28)
    - Re: Merry Christmas to Sun! (Was: L0pht NFR N-Code Modules Casper Dik (Dec 28)
    - A few more fingerprinting techniques - time and netmask David G. Andersen (Dec 28)
    - Microsoft Security Bulletin (MS98-020) aleph1 () UNDERGROUND ORG (Dec 23)
    - Security Flaw in Cookies Implementation Oliver Lineham (Dec 23)
    - Re: Why you should avoid world-writable directories Gonzo Granzeau (Dec 22)
    - Re: Why you should avoid world-writable directories Kragen Sitaker (Dec 22)
  - CERT Advisory CA-98.13 - TCP/IP Denial of Service aleph1 () UNDERGROUND ORG (Dec 21)
- Re: Verifying file data integrity using L6 der Mouse (Dec 22)
- Re: Verifying file data integrity using L6 Jim Dennis (Dec 24)