Nmap Announce mailing list archives

FW: Identifying Windows 98/98SE/ME/2000 Using Wrong Codes with ICMP Timestamp Requests


From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Sat, 5 Aug 2000 15:07:10 +0200

-----Original Message-----
From: Ofir Arkin [mailto:ofir () itcon-ltd com]
Sent: Saturday, August 05, 2000 2:57 PM
To: bugtraq () securityfocus com
Subject: Identifying Windows 98/98SE/ME/2000 Using Wrong Codes with ICMP Timestamp Requests


Subject:
Identifying Microsoft Windows 98/98 SE/ME/2000 Using Wrong Codes with ICMP Timestamp Requests

Author:
Ofir Arkin [ofir () itcon-ltd com]

Description:
I have decided to map which operating systems would answer an ICMP Timestamp Request whose code field is not set to zero.

Interesting results were produced. Microsoft Windows 98/98 SE/ME and Microsoft Windows 2000 Professional/Server, which had answered ICMP Timestamp requests with the code field set to zero, now did not produce any reply.

Using this information it is quite easy to group together certain Microsoft Windows operating systems using two datagrams of ICMP Timestamp request. The first one is a regular one; the Microsoft Windows machines that do not answer are Microsoft Windows 95 and Microsoft Windows NT 4.0 Workstation with SP 6a (and below). All other operating systems (that I have checked) answered the ICMP Timestamp request (UNIX and UNIX-like). The second stage is sending another datagram, this time with the Code field set to a value which is not equal to zero. The operating systems that would not answer include Windows 98/98 SE/ME/2000 Professional/2000 Server, which are the newer versions of the Microsoft Windows operating systems. Other operating systems would still respond with a correct answer to the query.

It is quite obvious that Microsoft have tried to change some of their newer operating systems' fingerprinting in later TCP/IP implementations of their operating systems. For example, the default for answering an ICMP Timestamp request was changed from "no answer" to "answer", like UNIX and UNIX-like operating systems. But the Microsoft programmers / designers / architects / security engineers did not think about everything, apparently.

Operating Systems checked:
LINUX Kernel 2.4t2; LINUX Kernel 2.2.14; FreeBSD 4.0, 3.4; OpenBSD 2.7 & 2.6; Solaris 2.5.1, 2.6, 2.7 & 2.8; HP-UX 10.20; AIX 4.1; ULTRIX; Microsoft Windows 95 / 98 / 98SE / ME / NT 4 SP3, SP4, SP6a WRST & SERVER / 2000 Professional & Server.


Ofir Arkin
Senior Security Consultant
ITcon, Israel.

Personal Web page:
http://www.sys-security.com
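The two-probe behaviour described in the post, worked through as an added example that is not part of Ofir Arkin's message or any tool he describes: it builds the 20-byte ICMP Timestamp Request (RFC 792 type 13) with an arbitrary Code field and a correct RFC 1071 checksum, parses and checksum-verifies timestamp messages, groups a host from the reply/no-reply outcome of the two probes exactly as the post reports it, and, from the defender's side, flags timestamp requests whose Code is non-zero as a fingerprinting probe. Nothing is sent on the wire; the addresses, identifiers and millisecond timestamps are constructed sample values.

```python
"""ICMP Timestamp probe builder, parser and detector (added example, not from the post)."""
import struct

ICMP_TIMESTAMP_REQUEST = 13  # RFC 792 Timestamp message
ICMP_TIMESTAMP_REPLY = 14    # RFC 792 Timestamp Reply


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_timestamp_request(code: int, ident: int, seq: int, originate_ms: int) -> bytes:
    """Build a 20-byte ICMP Timestamp Request with the given Code field.

    Layout: Type(1) Code(1) Checksum(2) Identifier(2) Sequence(2)
            Originate(4) Receive(4) Transmit(4); timestamps are ms since midnight UTC.
    A conforming sender uses Code 0; the post's second probe uses a non-zero Code.
    """
    body = struct.pack("!III", originate_ms, 0, 0)
    header = struct.pack("!BBHHH", ICMP_TIMESTAMP_REQUEST, code, 0, ident, seq)
    csum = icmp_checksum(header + body)
    header = struct.pack("!BBHHH", ICMP_TIMESTAMP_REQUEST, code, csum, ident, seq)
    return header + body


def parse_icmp_timestamp(pkt: bytes) -> dict:
    """Decode a Timestamp Request/Reply and verify its checksum."""
    if len(pkt) < 20:
        raise ValueError("ICMP timestamp message is 20 bytes")
    msg_type, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if msg_type not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        raise ValueError(f"not a timestamp message: type {msg_type}")
    originate, receive, transmit = struct.unpack("!III", pkt[8:20])
    return {
        "type": msg_type, "code": code, "checksum": csum, "id": ident, "seq": seq,
        "originate": originate, "receive": receive, "transmit": transmit,
        # summing a valid message with its checksum field included yields zero
        "checksum_ok": icmp_checksum(pkt[:20]) == 0,
    }


def classify_from_replies(replied_to_code0: bool, replied_to_nonzero_code: bool) -> str:
    """Group a host by the outcome of the two probes, following the post's observations."""
    if not replied_to_code0:
        return "Windows 95 / NT 4.0 (SP6a and below): no timestamp reply at all"
    if not replied_to_nonzero_code:
        return "Windows 98/98 SE/ME/2000: replies only when Code == 0"
    return "UNIX / UNIX-like: replies regardless of Code"


def flag_fingerprint_probes(packets: list) -> list:
    """Defender's view: (source, reason) for timestamp requests that look like this probe."""
    findings = []
    for src, raw in packets:
        try:
            msg = parse_icmp_timestamp(raw)
        except ValueError:
            continue  # not a timestamp message (e.g. echo request)
        if msg["type"] != ICMP_TIMESTAMP_REQUEST:
            continue
        if not msg["checksum_ok"]:
            findings.append((src, "timestamp request with bad checksum"))
        elif msg["code"] != 0:
            findings.append((src, f"timestamp request with non-zero code {msg['code']}"))
    return findings


if __name__ == "__main__":
    # Constructed sample traffic: a normal probe, the non-zero-code probe, and an echo request.
    sample = [
        ("192.0.2.10", build_timestamp_request(0, 0x1234, 1, 45_000_000)),
        ("192.0.2.10", build_timestamp_request(7, 0x1234, 2, 45_000_100)),
        ("192.0.2.11", bytes([8, 0, 0, 0]) + b"\x00" * 16),  # echo request, ignored
    ]
    for finding in flag_fingerprint_probes(sample):
        print(*finding)
    print(classify_from_replies(True, False))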


--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


Current thread: