Nmap Announce mailing list archives

OS fingerprinting method to distinguish between Windows boxes and the rest of the world


From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Sat, 24 Jun 2000 02:13:49 +0200

During my research on ICMP I have encountered a new OS fingerprinting
method.

When a wrong code is sent along with the correct type of an ICMP ECHO Request message, Microsoft Windows boxes act differently than other operating systems do in the Reply.

I have queried my LINUX box (RH 6.2) with an ICMP ECHO Request changing the
ICMP Code from 0 to 38.

10:06:02.329509   lo < localhost.localdomain > localhost.localdomain: icmp:
echo request
                         4500 0020 3372 0000 fe01 0610 c0a8 0105
                         c0a8 0105 0826 675a 7402 0e20 0186 0cd7
10:06:02.329639   lo > localhost.localdomain > localhost.localdomain: icmp:
echo reply
                         4500 0020 096d 0000 ff01 2f15 c0a8 0105
                         c0a8 0105 0026 6f5a 7402 0e20 0186 0cd7

As you can see from the tcpdump trace, the reply does not change the code to 0 but leaves it the way it was.
If we examine what RFC 972 requires, then LINUX does exactly what it tells.

The sending side initializes the identifier (used to identify ECHO requests aimed at different destination hosts) and sequence number (if multiple ECHO requests are sent to the same destination host), adds some data (arbitrary) to the data field and sends the ICMP ECHO Request to the destination host. In the ICMP header the code equals zero.
The recipient should only change the type to ECHO Reply and return the datagram to the sender.

This also means that we trust another machine to behave correctly.
LINUX changes the type field value to 0 and sends the reply.

I have checked the behavior of my Microsoft Windows 2000 Professional box. I have sent the same ICMP ECHO Request message to the Microsoft Windows box:

10:03:33.860212 eth0 > localhost.localdomain > 192.168.1.1: icmp: echo
request
                         4500 0020 3372 0000 fe01 0614 c0a8 0105
                         c0a8 0101 0826 d618 6102 f658 0183 c8e2
10:03:33.860689 eth0 < 192.168.1.1 > localhost.localdomain: icmp: echo reply
                         4500 0020 2010 0000 8001 9776 c0a8 0101
                         c0a8 0105 0000 de3e 6102 f658 0183 c8e2
                         0000 0000 0000 0000 0000 0000 0000

The Microsoft Windows 2000 Professional operating system changed the code
value on the ICMP ECHO Reply to 0.

I have tested this method with IBM AIX, SUN Solaris 2.6 & 2.7, OpenBSD, NetBSD, FreeBSD, and they produced the same results as the LINUX box did.

Microsoft Windows NT 4.0 Server SP 6a and Microsoft Windows 98 SE produced the same behavior as the Microsoft Windows 2000 Professional.

We have a new method to differentiate between a Microsoft Windows box and the rest of the world.

Best Regards

--------------------------------------------------------------------------------------------------
Ofir Arkin
Senior Security Consultant
ITCon, Israel                           email  : ofir () itcon-ltd com
--------------------------------------------------------------------------------------------------
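Added example, not part of the post above: a small Python parser for the tcpdump hex dumps in the message that extracts the ICMP type and code from each request/reply pair, recomputes the ICMP checksum (which also explains why the reply checksums differ between the two traces), and reports whether the reply preserved or zeroed the code. The hex strings are transcribed from the traces in the post; the function names are my own.

```python
import struct

# Raw IP+ICMP bytes transcribed from the post's tcpdump traces (constructed test input).
LINUX_REQUEST = "4500 0020 3372 0000 fe01 0610 c0a8 0105 c0a8 0105 0826 675a 7402 0e20 0186 0cd7"
LINUX_REPLY   = "4500 0020 096d 0000 ff01 2f15 c0a8 0105 c0a8 0105 0026 6f5a 7402 0e20 0186 0cd7"
WIN_REQUEST   = "4500 0020 3372 0000 fe01 0614 c0a8 0105 c0a8 0101 0826 d618 6102 f658 0183 c8e2"
WIN_REPLY     = ("4500 0020 2010 0000 8001 9776 c0a8 0101 c0a8 0105 0000 de3e 6102 f658 0183 c8e2 "
                 "0000 0000 0000 0000 0000 0000 0000")   # trailing zeros are Ethernet frame padding


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(hexdump: str) -> dict:
    """Return ICMP type, code, id/seq and checksum validity from a raw IP hex dump."""
    pkt = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]   # drop anything beyond IP total length
    icmp = pkt[ihl:total_len]
    icmp_type, icmp_code, stored = struct.unpack("!BBH", icmp[:4])
    # Recompute over the ICMP message with the checksum field zeroed.
    computed = inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    return {"type": icmp_type, "code": icmp_code, "id_seq": icmp[4:8],
            "checksum_ok": computed == stored}


def classify_reply(request_hex: str, reply_hex: str) -> str:
    """Describe how the replying host treated the non-zero code of an ECHO Request."""
    req, rep = parse_icmp(request_hex), parse_icmp(reply_hex)
    if rep["type"] != 0 or rep["id_seq"] != req["id_seq"] or not rep["checksum_ok"]:
        return "not a matching echo reply"
    if rep["code"] == req["code"]:
        return "code preserved"      # behaviour of the LINUX/BSD/Solaris/AIX hosts in the post
    if rep["code"] == 0:
        return "code zeroed"         # behaviour of the Windows hosts in the post
    return "code altered"


if __name__ == "__main__":
    print("Linux:  ", classify_reply(LINUX_REQUEST, LINUX_REPLY))
    print("Windows:", classify_reply(WIN_REQUEST, WIN_REPLY))
```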