Nmap Announce mailing list archives

Re: IP TTL Field Value with ICMP (Oops - Identifying Windows 2000 again and more)


From: Nelson Brito <nelson () sekure org>
Date: Fri, 01 Sep 2000 15:23:07 -0300

Ofir Arkin wrote:

The IP TTL field value with ICMP has two separate values, one for ICMP query
messages and one for ICMP query replies.

The TTL field value helps us identify certain operating systems and groups of
operating systems. It also provides us with the simplest means to add another
check criterion when we are querying other host(s) or listening to traffic
(sniffing).

A. IP TTL Field Value with ICMP Echo Replies
If we look at the IP TTL field value of ICMP Query Replies, we see some
patterns:

- UNIX and UNIX-like operating systems use 255 as their IP TTL field value
  with ICMP query replies.
- Compaq Tru64 5.0 is the exception, using 64 as its IP TTL field value
  with ICMP query replies.
- Microsoft Windows operating system machines use the value of 128.
- Microsoft Windows 95 is the only Microsoft operating system to use 32 as its
  IP TTL field value with ICMP query messages.

This can be changed in the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DefaultTTL"=dword:000000ff

Note:
hex(ff) == dec(255)

It's just obscurity... I know... =)

Nothing more,
-- 
Nelson Brito
open(S, shift || $ENV{'HOME'} . "/.signature") || die "open: $!\n";
foreach(<S>){ chop; print reverse(split(//, $_)), "\n"; }
close(S);

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
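The TTL check described in the quoted table, and the registry trick that defeats it, as an added example that is not part of the thread or of nmap. The mapping from initial TTL to OS group is Ofir Arkin's 2000-era table taken at face value (most current Unix-likes actually use 64); the packets are constructed inline, and the hop count is inferred by assuming the sender started from the nearest common initial value (32, 64, 128 or 255) at or above the observed TTL, which is an assumption, not something the post states.

```python
import socket
import struct

# Initial TTL values a host stamps on its ICMP echo replies, per the table
# quoted in the post (2000-era systems). The labels are the post's, not a
# current fingerprint database: most modern Linux/BSD/macOS hosts use 64.
INITIAL_TTLS = (32, 64, 128, 255)
OS_GROUPS = {
    255: "UNIX / UNIX-like",
    128: "Microsoft Windows (NT/2000 family)",
    64: "Compaq Tru64 5.0",
    32: "Microsoft Windows 95",
}


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_reply(src: str, dst: str, ttl: int, ident: int = 0x1234) -> bytes:
    """Constructed sample: IPv4 header + ICMP echo reply (type 0) carrying the given TTL."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, ident, 1) + b"nmap-hackers"  # arbitrary payload
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0,
                      ttl, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def ipv4_ttl(packet: bytes) -> int:
    """Pull the TTL byte (offset 8) out of an IPv4 header after sanity checks."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return packet[8]


def infer_initial_ttl(observed: int) -> tuple:
    """Smallest common initial TTL at or above the observed value, plus implied hops.

    The hop count is only a guess: a Windows 95 box 2 hops away (32-2) and a
    Tru64 box 34 hops away (64-34) both arrive with TTL 30; the smallest
    bucket wins here, which is the usual sniffing heuristic (an assumption)."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL out of range")
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise AssertionError("unreachable: 255 is the largest bucket")


def guess_os_group(packet: bytes) -> dict:
    """Classify the sender of an ICMP echo reply by its IP TTL, per the post's table."""
    ttl = ipv4_ttl(packet)
    initial, hops = infer_initial_ttl(ttl)
    return {"observed_ttl": ttl, "initial_ttl": initial,
            "hops": hops, "os_group": OS_GROUPS[initial]}


if __name__ == "__main__":
    # Constructed samples: a Windows 2000 box 9 hops away (128-9=119), the
    # same box after DefaultTTL=0xff in the registry (255-9=246), which the
    # heuristic now bins as UNIX, and two ambiguous low values.
    for ttl in (119, 246, 60, 30):
        print(guess_os_group(build_echo_reply("10.0.0.7", "10.0.0.1", ttl)))
```

The DefaultTTL registry change in the post shows the limit of this check: TTL is a single byte the sender controls, so it is one criterion to combine with others (as the quoted text itself says), not an identification on its own.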

