Nmap Announce mailing list archives
Fixed: ICMP Error Message Quoting Size with Different OSs
From: "Ofir Arkin" <ofir () sys-security com>
Date: Wed, 6 Dec 2000 17:08:47 +0100
This post is a fix to my previous post about ICMP Error Message Quoting Size with different operating systems.

----------------------------------------------------------------------------

Each ICMP error message includes the Internet Protocol (IP) header and at least the first 8 data bytes of the datagram that triggered the error (the offending datagram); more than 8 bytes may be sent according to RFC 1122.

Most operating systems will quote the offending packet's IP header and the first 8 data bytes of the datagram that triggered the error. Several operating systems and networking devices parse the RFC guidelines a bit differently and will echo more than 8 bytes.

Which operating systems will quote more? LINUX based on Kernel 2.0.x/2.2.x/2.4.t-x, Sun Solaris, HPUX 11.x, MacOS 7.55/8.x/9.04, Nokia boxes, Foundry Switches (and other OSs and several networking devices) are good examples. The fact is not new. Fyodor outlined this in his article "Remote OS Identification by TCP/IP Fingerprinting" (http://www.insecure.org/nmap/nmap-fingerprinting-article.html).

The idea is to differentiate between the operating systems that quote more than the usual. How can this be done? By looking, for example, at the amount of information quoted. Is there a limit to the quoted size? Will the quoted data be the entire offending packet or just part of it? Will the quoted data be echoed correctly? Will extra bytes be padded to the echoed data? And some other parameters.

The next example is with Sun Solaris 7.
I have sent a UDP datagram to a closed UDP port:

    00:13:35.559947 ppp0 > x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 64, id 44551)
    4500 001c ae07 0000 4011 7aa4 xxxx xxxx
    yyyy yyyy 043c 07d0 0008 a1ac

    00:13:35.923691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000 unreachable
    Offending pkt: x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 45, id 44551) (DF) (ttl 236, id 63417)
    4500 0038 f7b9 4000 ec01 44e5 yyyy yyyy
    xxxx xxxx 0303 4f3c 0000 0000 4500 001c
    ae07 0000 2d11 8da4 xxxx xxxx yyyy yyyy
    043c 07d0 0008 a1ac

Please note that to have more than 8 data bytes quoted, you need to have data in the offending datagram. If not, there is nothing to quote beyond the regular 8 bytes (usually, that is, if the OS does not pad other data bytes).

The next example is with Sun Solaris 8. I have sent a UDP datagram to a closed UDP port, adding 80 bytes of data to the datagram.

    [root@godfather]# hping2 -2 -d 80 -c 1 y.y.y.y
    eth0 default routing interface selected (according to /proc)
    HPING y.y.y.y (eth0 y.y.y.y): udp mode set, 28 headers + 80 data bytes
    ICMP Port Unreachable from y.y.y.y (y.y.y.y)

    --- y.y.y.y hping statistic ---
    1 packets tramitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms

The tcpdump trace:

    11:52:50.830383 eth0 > x.x.x.x.2198 > y.y.y.y.0: udp 80 (ttl 64, id 17240)
    4500 006c 4358 0000 4011 99ae xxxx xxxx
    yyyy yyyy 0896 0000 0058 8b5f 5858 5858
    5858 5858 5858 5858 5858 5858 5858 5858
    5858 5858 5858 5858 5858 5858 5858 5858
    5858 5858 5858 5858 5858 5858 5858 5858
    5858 5858 5858 5858 5858 5858 5858 5858
    5858 5858 5858 5858 5858 5858

    11:52:51.367331 eth0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0 unreachable
    Offending pkt: x.x.x.x.2198 > y.y.y.y.0: udp 80 (ttl 48, id 17240) (DF) (ttl 231, id 49576)
    4500 0070 c1a8 4000 e701 3469 yyyy yyyy
    xxxx xxxx 0303 bf05 0000 0000 4500 006c
    4358 0000 3011 a9ae xxxx xxxx yyyy yyyy
    0896 0000 0058 8b5f 5858 5858 5858 5858
    5858 5858 5858 5858 5858 5858 5858 5858
    5858 5858 5858 5858 5858 5858 5858 5858
    5858 5858 5858 5858 5858 5858 5858 5858

The result is an ICMP Port Unreachable error message that echoes only 64 bytes of the offending datagram's data portion.

The limit of 64 bytes quoted from the offending packet's data portion is not limited to Sun Solaris only. HPUX 11.x and MacOS 7.55/8.x/9.04 will do the same. Other operating systems / networking devices will have their own barriers. For example, LINUX based on Kernel 2.2.x/2.4.x-t will send an ICMP error message up to 576 bytes long. LINUX will quote 528 bytes from the data portion of the offending packet (576 minus 20 bytes of the usual IP header, minus 8 bytes of the ICMP header, minus the offending packet's IP header of 20 bytes, leaves you with 528 bytes of data portion; this is when no IP options are present).

I know an operating system, and a family of networking devices, that will pad extra data to the echoed offending packet. See my next posts.

This information was posted to bugtraq as well.

Ofir Arkin
ofir () sys-security com
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

Copyright 2000 Sys-Security.com & Ofir Arkin
All rights reserved

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
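As an added example (not part of Ofir's post, nor code from nmap or hping2), the following Python script takes a raw ICMP error packet and measures the quoting size the post is about: how many bytes follow the ICMP header, how many of those fall after the offending IP header (the post's "data portion"), whether the whole offending datagram was quoted, and whether anything was padded on. The two sample packets are the Solaris 7 and Solaris 8 responses rebuilt from the tcpdump hex above; because the post masks the addresses as x.x.x.x / y.y.y.y, the documentation addresses 192.0.2.1 and 198.51.100.1 are substituted, and checksums are therefore not verified. The 576-byte Linux-style packet is constructed locally from the figures the post gives, and the labels returned by quoting_class are the post's observations, not an authoritative fingerprint table.

```python
import struct

# The post masks the real addresses as x.x.x.x / y.y.y.y.  These two
# RFC 5737 documentation addresses are substituted (constructed values),
# which is why no IP/ICMP checksum is verified below.
SRC = bytes([192, 0, 2, 1])       # x.x.x.x, the host sending the probe
DST = bytes([198, 51, 100, 1])    # y.y.y.y, the host that answers

# ICMP Port Unreachable from Solaris 7, rebuilt from the hex in the post.
SOLARIS7_ICMP = (
    bytes.fromhex("4500 0038 f7b9 4000 ec01 44e5") + DST + SRC
    + bytes.fromhex("0303 4f3c 0000 0000")
    + bytes.fromhex("4500 001c ae07 0000 2d11 8da4") + SRC + DST
    + bytes.fromhex("043c 07d0 0008 a1ac")
)

# ICMP Port Unreachable from Solaris 8 (80 data bytes sent), from the post.
SOLARIS8_ICMP = (
    bytes.fromhex("4500 0070 c1a8 4000 e701 3469") + DST + SRC
    + bytes.fromhex("0303 bf05 0000 0000")
    + bytes.fromhex("4500 006c 4358 0000 3011 a9ae") + SRC + DST
    + bytes.fromhex("0896 0000 0058 8b5f") + b"X" * 56
)

IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def build_udp_datagram(payload, sport=2198, dport=0, ttl=64):
    """Constructed UDP/IP datagram (checksums zero) used as an offending packet."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0, SRC, DST)
    return ip + udp


def build_icmp_error(offending, quote_len, ttl=64):
    """Constructed ICMP type 3 code 3 packet quoting quote_len bytes of offending."""
    icmp = bytes([3, 3, 0, 0, 0, 0, 0, 0]) + offending[:quote_len]
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0, DST, SRC)
    return ip + icmp


# Constructed stand-in for the Linux behaviour the post describes: a 576-byte
# ICMP message, i.e. 548 quoted bytes = 20 (offending IP header) + 528 data.
LINUX_LIKE_ICMP = build_icmp_error(build_udp_datagram(b"X" * 600), quote_len=548)


def parse_icmp_error(pkt):
    """Measure how much of the offending datagram an ICMP error message quotes."""
    outer_ihl = (pkt[0] & 0x0F) * 4
    outer_total = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = pkt[outer_ihl:outer_total]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in (3, 4, 5, 11, 12):  # the ICMP error types that quote
        raise ValueError("ICMP type %d carries no quoted datagram" % icmp_type)
    quoted = icmp[8:]                        # everything after the ICMP header
    inner_ihl = (quoted[0] & 0x0F) * 4
    inner_total = struct.unpack("!H", quoted[2:4])[0]
    return {
        "icmp_type": icmp_type,
        "icmp_code": icmp_code,
        "packet_total_len": outer_total,
        "quoted_bytes": len(quoted),
        # the post's "data portion": bytes after the offending IP header
        "quoted_payload_bytes": len(quoted) - inner_ihl,
        "offending_total_len": inner_total,
        "offending_payload_len": inner_total - inner_ihl,
        "quoted_ttl": quoted[8],             # TTL as the responder saw it
        "whole_datagram_quoted": len(quoted) >= inner_total,
        "padded": len(quoted) > inner_total,
    }


def quoting_class(info):
    """Map the measurement onto the behaviours the post describes."""
    if info["padded"]:
        return "padded: more bytes quoted than the offending datagram held"
    if info["whole_datagram_quoted"]:
        return "entire offending datagram quoted (probe too small to reveal a cap)"
    if info["quoted_payload_bytes"] == 8:
        return "RFC 792 minimum: offending IP header + 8 bytes"
    if info["quoted_payload_bytes"] == 64:
        return "64-byte cap (Solaris 7/8, HPUX 11.x, MacOS 7.55/8.x/9.04 per the post)"
    if info["packet_total_len"] == 576:
        return "576-byte ICMP message, 528 data bytes (Linux 2.2.x/2.4.x per the post)"
    return "other cap: %d data bytes quoted" % info["quoted_payload_bytes"]


if __name__ == "__main__":
    for name, pkt in (("Solaris 7", SOLARIS7_ICMP), ("Solaris 8", SOLARIS8_ICMP),
                      ("Linux-like (constructed)", LINUX_LIKE_ICMP)):
        info = parse_icmp_error(pkt)
        print("%-26s quoted %3d bytes, %3d after offending IP header -> %s"
              % (name, info["quoted_bytes"], info["quoted_payload_bytes"],
                 quoting_class(info)))
```

Two things the numbers make visible: the Solaris 7 packet quotes 8 data bytes only because the probe carried none (the whole datagram fits, so nothing about a cap can be concluded), which is exactly the caveat the post raises; and the quoted header carries the TTL as the responder received it (48 in the Solaris 8 trace, 45 in the Solaris 7 trace, against the 64 the probe left with), so a fingerprinting tool, or a defender auditing what their own hosts echo back in unreachables, has to compare the quote against the packet as it arrived rather than as it was sent.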