Bugtraq mailing list archives

Using the Unused (Identifying OpenBSD, Sun Solaris & HPUX 11.0 OSs)


From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Tue, 12 Sep 2000 18:49:32 -0000

RFC 791 defines a three-bit field used for various control flags in the IP
header. Bit 0 of this field is the reserved flag, and it must be zero
according to the RFC.

What happens if we break this definition and send our ICMP query requests
with this bit set (i.e. with the value one)?

Sun Solaris, OpenBSD and HPUX 11.0 will echo back the reserved bit.

This is a tcpdump trace showing an ICMP Echo request sent with the reserved
bit set (flags/fragment word 0x8000), and the ICMP Echo reply we received
echoing the reserved bit. This trace was produced against an HPUX 11.0 machine.

21:31:21.033366 if 4  > 195.72.167.186 > x.x.x.x: icmp: echo request (ttl 255, id 13170)
                         4500 0024 3372 8000 ff01 fc8c c348 a7ba
                         xxxx xxxx 0800 8b1b 8603 0000 f924 bd39
                         3082 0000
21:31:21.317916 if 4  < x.x.x.x > 195.72.167.186: icmp: echo reply (ttl 236, id 25606)
                         4500 0024 6406 8000 ec01 def8 xxxx xxxx
                         c348 a7ba 0000 931b 8603 0000 f924 bd39
                         3082 0000

The next trace was produced against a Sun Solaris 2.8 machine:

16:51:37.470995 if 4  > 195.72.167.220 > x.x.x.x: icmp: echo request (ttl 255, id 13170)
                         4500 0024 3372 8000 ff01 e0e1 c348 a7dc
                         xxxx xxxx 0800 edae 3004 0000 69e3 bc39
                         ad2f 0700
16:51:37.745254 if 4  < x.x.x.x > 195.72.167.220: icmp: echo reply (DF) (ttl 243, id 5485)
                         4500 0024 156d c000 f301 cae6 xxxx xxxx
                         c348 a7dc 0000 f5ae 3004 0000 69e3 bc39
                         ad2f 0700

If we examine the two traces closely we can identify a distinction between Sun
Solaris and HPUX: the DF bit is set on the Sun Solaris ICMP Query reply
(flags/fragment word 0xc000 rather than 0x8000). Since OpenBSD does the same,
we can group the Sun Solaris and OpenBSD operating systems together and
isolate the HPUX 11.0 machines.

Since all ICMP Query replies from the same operating system follow the same
pattern (the reserved bit is either echoed on all replies or on none), we can
use another ICMP Query type for this kind of identification and separate the
Sun Solaris machines from the OpenBSD machines. If we send an ICMP Address
Mask request with the reserved bit set, this is the result a Sun Solaris 2.8
machine produces:

18:39:32.262869 if 4  > 195.72.167.147 > x.x.x.x: icmp: address mask request (ttl 255, id 13170)
                         4500 0020 3372 8000 ff01 e12e c348 a793
                         xxxx xxxx 1100 a0fb 4e04 0000 0000 0000
18:39:32.561373 if 4  < x.x.x.x > 195.72.167.147: icmp: address mask is 0xffffff00 (DF) (ttl 243, id 51792)
                         4500 0020 ca50 c000 f301 1650 xxxx xxxx
                         c348 a793 1200 a0fa 4e04 0000 ffff ff00

Both the reserved bit and the DF bit are set on the ICMP Address Mask reply,
a pattern unique to Sun Solaris machines among the systems tested.

This operating system fingerprinting method enables us to identify and
distinguish between Sun Solaris, OpenBSD, and HPUX 11.0.

I have asked Alfredo Andres Omella, author of SING, to incorporate the
ability to set the reserved bit into his tool. The latest SING CVS (12
September 2000), which is available from
http://sourceforge.net/projects/sing, introduced the -U option along with
the ability to identify if this bit is set on the reply (if any) we get:

[root@godfather bin]# ./sing -mask -U IP_Address
SINGing to IP_Address (IP_Address): 12 data bytes
12 bytes from IP_Address: icmp_seq=0 RF! DF! ttl=243 TOS=0 mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=1 RF! DF! ttl=243 TOS=0 mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=2 RF! DF! ttl=243 TOS=0 mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=3 RF! DF! ttl=243 TOS=0 mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=4 RF! DF! ttl=243 TOS=0 mask=255.255.255.0

--- IP_Address sing statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
[root@godfather bin]#


This method was tested against: Linux Kernel 2.4 test 2,4,5,6; Linux Kernel
2.2.x; FreeBSD 4.0, 3.4; OpenBSD 2.7, 2.6; NetBSD 1.4.1, 1.4.2; BSDI BSD/OS
4.0, 3.1; Solaris 2.6, 2.7, 2.8; HP-UX 10.20, 11.0; Compaq Tru64 5.0; AIX
4.1, 3.2; IRIX 6.5.3, 6.5.8; Ultrix 4.2-4.5; OpenVMS v7.1-2; Novell Netware
5.1 SP1, 5.0, 3.12; Microsoft Windows 98/98SE, Microsoft Windows NT WRKS
SP6a, Microsoft Windows NT Server SP4, Microsoft Windows 2000 Family.

Cheers

Ofir Arkin  [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."
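The probe-and-classify procedure described in the post, as an added example that is not part of Ofir Arkin's message and is not SING's code. It builds an ICMP query whose IPv4 flags/fragment word is 0x8000 (reserved bit set, DF clear), checks the checksum routine against the ICMP checksum 0x8b1b visible in the HPUX echo-request trace, and classifies a reply with the decision tree the post lays out: reserved bit echoed and DF clear means HPUX 11.0, reserved bit echoed with DF set means Solaris or OpenBSD, and an Address Mask reply carrying both reserved and DF separates Solaris. The sample replies are the three reply dumps quoted in the post with the masked x.x.x.x source replaced by a constructed 10.0.0.1 (so their IP checksums no longer verify and are not checked). send_probe needs raw-socket privileges and assumes the local stack passes the reserved flag through unchanged under IP_HDRINCL; that is an assumption, the post used SING -U instead.

```python
"""Added example: craft an ICMP query with the IP reserved flag set and classify
the reply by the flag behaviour described in the post. Not the post's own code."""
import socket
import struct

RESERVED = 0x8000   # IP flags bit 0, "must be zero" per RFC 791
DF = 0x4000         # Don't Fragment
ICMP_ECHO_REQ, ICMP_ECHO_REPLY = 8, 0
ICMP_MASK_REQ, ICMP_MASK_REPLY = 17, 18


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_probe(src, dst, icmp_type, ident, seq=0, payload=b"", ip_id=13170, ttl=255):
    """IPv4 + ICMP query with the flags/fragment word forced to 0x8000."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, RESERVED,
                     ttl, socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def parse_reply(pkt):
    """Pull the fields the fingerprint depends on out of a raw IPv4+ICMP datagram."""
    ver_ihl, _tos, _tlen, ip_id, flags_frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_ICMP:
        raise ValueError("not an IPv4 ICMP datagram")
    ihl = (ver_ihl & 0x0F) * 4
    icmp_type, icmp_code = struct.unpack("!BB", pkt[ihl:ihl + 2])
    info = {"reserved": bool(flags_frag & RESERVED), "df": bool(flags_frag & DF),
            "ttl": ttl, "ip_id": ip_id, "icmp_type": icmp_type, "icmp_code": icmp_code}
    if icmp_type == ICMP_MASK_REPLY:
        info["mask"] = socket.inet_ntoa(pkt[ihl + 8:ihl + 12])   # the 4-byte mask field
    return info


def classify(echo_reply, mask_reply=None):
    """Decision tree from the post. echo_reply/mask_reply are raw datagrams or None."""
    if echo_reply is None:
        return "no reply"
    e = parse_reply(echo_reply)
    if e["icmp_type"] != ICMP_ECHO_REPLY or not e["reserved"]:
        return "other (reserved bit not echoed)"
    if not e["df"]:
        return "HP-UX 11.0"                      # echoes RF, leaves DF clear
    if mask_reply is not None:
        m = parse_reply(mask_reply)
        if m["icmp_type"] == ICMP_MASK_REPLY and m["reserved"] and m["df"]:
            return "Sun Solaris"                 # RF + DF on the address mask reply
    return "OpenBSD"                             # RF + DF on echo, no such mask reply


def send_probe(pkt, dst, timeout=2.0):
    """Send the raw datagram, return the first ICMP datagram back from dst or None.
    Needs CAP_NET_RAW/root. Assumption: the local stack keeps the reserved flag
    as given under IP_HDRINCL (not verified here; the post used SING -U)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.settimeout(timeout)
        s.sendto(pkt, (dst, 0))
        try:
            while True:
                data, (peer, _) = s.recvfrom(65535)
                if peer == dst:
                    return data
        except socket.timeout:
            return None


# Constructed sample replies: the reply dumps quoted in the post, with the masked
# x.x.x.x source replaced by 10.0.0.1 (IP checksums therefore no longer verify).
HPUX_ECHO_REPLY = bytes.fromhex(
    "4500 0024 6406 8000 ec01 def8 0a00 0001 c348 a7ba "
    "0000 931b 8603 0000 f924 bd39 3082 0000")
SOLARIS_ECHO_REPLY = bytes.fromhex(
    "4500 0024 156d c000 f301 cae6 0a00 0001 c348 a7dc "
    "0000 f5ae 3004 0000 69e3 bc39 ad2f 0700")
SOLARIS_MASK_REPLY = bytes.fromhex(
    "4500 0020 ca50 c000 f301 1650 0a00 0001 c348 a793 "
    "1200 a0fa 4e04 0000 ffff ff00")

if __name__ == "__main__":
    print(classify(HPUX_ECHO_REPLY), "/", classify(SOLARIS_ECHO_REPLY, SOLARIS_MASK_REPLY))
```

To run it live, call build_probe with your own source address and the target, hand the result to send_probe, and feed the echo reply (and, when DF came back set, a second probe's address mask reply) to classify.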
