Date: Sat, 25 Nov 2000 23:26:58 +0200
From: Ofir Arkin <ofir@ITCON-LTD.COM>
Subject: Updated: ICMP Error Message Quoting Size (Identifying Sun
To: BUGTRAQ@SECURITYFOCUS.COM

Every ICMP error message includes the Internet Protocol (IP) Header and at least the first 8 data bytes of the datagram that triggered the error (the offending datagram); more than 8 bytes may be sent according to RFC 1122.

Except for LINUX, Sun Solaris, and HP-UX 11.x based machines, all other operating systems closely follow the RFC 1122 guidelines: they quote the IP Header and the first 8 bytes of data of the offending packet.

This fact is not new. Fyodor outlined it in his article "Remote OS Identification by TCP/IP Fingerprinting". The differences between LINUX, Sun Solaris, and HP-UX 11.x regarding the extra quoting size had not been discussed/discovered (the HP-UX 11.x issue was not discussed at all; I would like to thank Darren Reed for this information).

We must understand that there are differences between the various ICMP Error messages, not only in their meaning but also in their implementation. I was expecting that several characteristics of the ICMP Error messages would be the same across all of the ICMP Error Messages, but I was wrong regarding a few operating systems.

If we examine the behavior of LINUX 2.2.x / 2.4t-x based kernels, Sun Solaris, and HP-UX 11.x with ICMP Port Unreachable, we will see the same pattern regarding the size of the quoted information: all quote the entire offending packet.

The next example is with Sun Solaris 7.
I have sent a UDP datagram to a closed UDP port:

00:13:35.559947 ppp0 > x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 64, id 44551)
                 4500 001c ae07 0000 4011 7aa4 xxxx xxxx
                 yyyy yyyy 043c 07d0 0008 a1ac

00:13:35.923691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000 unreachable
                 Offending pkt: x.x.x.x.1084 > y.y.y.y.2000: udp 0 (ttl 45, id 44551) (DF) (ttl 236, id 63417)
                 4500 0038 f7b9 4000 ec01 44e5 yyyy yyyy
                 xxxx xxxx 0303 4f3c 0000 0000 4500 001c
                 ae07 0000 2d11 8da4 xxxx xxxx yyyy yyyy
                 043c 07d0 0008 a1ac

The next example is with LINUX based on Kernel 2.2.16 as the targeted machine:

00:21:30.199408 ppp0 > x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 64, id 1732)
                 4500 001c 06c4 0000 4011 c895 xxxx xxxx
                 yyyy yyyy 0812 07d0 0008 4484

00:21:30.493691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000 unreachable
                 Offending pkt: x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 44, id 1732) [tos 0xc0] (ttl 238, id 53804)
                 45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy
                 xxxx xxxx 0303 a88e 0000 0000 4500 001c
                 06c4 0000 2c11 dc95 xxxx xxxx yyyy yyyy
                 0812 07d0 0008 4484

The next example is with HP-UX 11.x. I have added 24 bytes to the UDP datagram sent to closed UDP port 53. The HP-UX 11.x machine echoed the entire offending datagram:

[root@godfather /root]# hping2 -2 -p 53 -d 24 y.y.y.y
ppp0 default routing interface selected (according to /proc)
HPING y.y.y.y (ppp0 y.y.y.y): udp mode set, 28 headers + 24 data bytes
ICMP Port Unreachable from y.y.y.y (unknown host name)
...
--- y.y.y.y hping statistic ---
12 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather /root]#

The tcpdump trace:

18:35:17.545090 ppp0 > x.x.x.x.1762 > y.y.y.y.domain: 22616 updateDA [b2&3=0x5858] [22616a] [22616q] [22616n] [22616au] (24) (ttl 64, id 55748)
                 4500 0034 d9c4 0000 4011 6783 xxxx xxxx
                 yyyy yyyy 06e2 0035 0020 9b01 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858
                 5858 5858

18:35:17.857113 ppp0 < 216.169.200.44 > x.x.x.x: icmp: 216.169.200.44 udp port domain unreachable
                 Offending pkt: x.x.x.x.1762 > y.y.y.y.domain: 22616 updateDA [b2&3=0x5858] [22616a] [22616q] [22616n] [22616au] (24) (ttl 51, id 55748) (DF) (ttl 242, id 26777)
                 4500 0050 6899 4000 f201 e6a1 yyyy yyyy
                 xxxx xxxx 0303 36a0 0000 0000 4500 0034
                 d9c4 0000 3311 7483 xxxx xxxx yyyy yyyy
                 06e2 0035 0020 9b01 5858 5858 5858 5858
                 5858 5858 5858 5858 5858 5858 5858 5858

So where are the differences in the quoted size of the offending packet? (We have other parameters to differentiate between LINUX, Sun Solaris, and HP-UX 11.x, such as the Precedence Bits value LINUX uses with its ICMP Error Messages.) The differences show up with other ICMP Error Messages.

Let's look at the ICMP Protocol Unreachable error message that LINUX, HP-UX 11.x and Sun Solaris produce for a datagram (or a packet) sent with a protocol field value that does not represent a valid protocol on the targeted machines.

The next example is with Sun Solaris 7 (HP-UX 11.x behaves the same):

14:18:09.187737 ppp0 > x.x.x.x > y.y.y.y: ip-proto-74 0 (ttl 51, id 23541)
                 4500 0014 5bf5 0000 334a d5ab xxxx xxxx
                 yyyy yyyy

14:18:09.564828 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 74 unreachable
                 Offending pkt: x.x.x.x > y.y.y.y: ip-proto-74 0 (ttl 34, id 23541) (DF) (ttl 238, id 64107)
                 4500 0030 fa6b 4000 ee01 3c61 yyyy yyyy
                 xxxx xxxx 0302 fcfd 0000 0000 4500 0014
                 5bf5 0000 224a e6ab xxxx xxxx yyyy yyyy

Still, the entire offending packet is being quoted.
The next example is with LINUX:

13:14:56.942897 < 127.0.0.1 > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623)
                 4500 0014 92f7 0000 2726 02cb xxxx xxxx
                 yyyy yyyy

13:14:56.942964 > y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 38 unreachable
                 Offending pkt: x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623) [tos 0xc0] (ttl 255, id 1884)
                 45c0 0044 075c 0000 ff01 b59a yyyy yyyy
                 xxxx xxxx 0302 fb1a 0000 0000 4500 0014
                 92f7 0000 2726 02cb xxxx xxxx yyyy yyyy
                 0050 dc84 ae6f 6910 0000 0000 5004 0000
                 bd89 0000

LINUX quotes the entire offending packet and then adds another 20 bytes. This pattern applies to ICMP Time Exceeded error messages as well.

With this fingerprinting method, even if the Precedence Bits field value of the ICMP Error message LINUX produces is changed to zero, we will still be able to differentiate between LINUX based machines and Sun Solaris & HP-UX 11.x based machines.

How can we differentiate between Sun Solaris & HP-UX 11.x? If the PMTU discovery process based on ICMP Echo Requests is enabled (the default) on the targeted HP-UX 11.x machine, we will see it issuing ICMP Echo Requests with the DF bit set, targeting our probing host. We have other means to differentiate between the two operating systems.

This technique allows us to identify Sun Solaris, HP-UX 11.x & LINUX based machines even if there is no port open.

I would like to thank Darren Reed for providing the HP-UX 11.x information.

Ofir Arkin
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com
Founder
http://www.sys-security.com

"Opinions expressed do not necessarily represent the views of my employer."
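The quoting-size measurement this post relies on, as an added example written for this edit (it is not code from the original post, nor from ITcon or sys-security): a small parser that takes the tcpdump hex dumps above, walks the outer IP header, the 8-byte ICMP error header and the quoted datagram, and reports how many bytes were quoted relative to the offending datagram's own Total Length and to the RFC 1122 minimum (IP header + 8 bytes). The addresses x.x.x.x / y.y.y.y are masked in the post, so the constructed placeholders 10.0.0.1 / 10.0.0.2 are substituted for them; checksums are never validated. One extra sample, a reply that quotes only the RFC 1122 minimum, is constructed for contrast and is not from the post. The classification only restates the three behaviours the post observes, so the same function can run over captured ICMP errors from a monitoring point to inventory which stack families a network actually contains.

```python
import struct

# The post masks addresses as x.x.x.x / y.y.y.y; these constructed placeholders
# are substituted so that the dumps are valid hex (checksums are not verified).
SRC = "0a000001"   # stands in for xxxx xxxx (10.0.0.1, constructed)
DST = "0a000002"   # stands in for yyyy yyyy (10.0.0.2, constructed)

# Outer IP header + ICMP error + quoted datagram, copied from the traces in the post.
SAMPLES = {
    "solaris7_udp_port_unreachable":
        "4500 0038 f7b9 4000 ec01 44e5 DST SRC 0303 4f3c 0000 0000 "
        "4500 001c ae07 0000 2d11 8da4 SRC DST 043c 07d0 0008 a1ac",
    "linux2216_udp_port_unreachable":
        "45c0 0038 d22c 0000 ee01 4e60 DST SRC 0303 a88e 0000 0000 "
        "4500 001c 06c4 0000 2c11 dc95 SRC DST 0812 07d0 0008 4484",
    "hpux11_udp_port_unreachable_24_data_bytes":
        "4500 0050 6899 4000 f201 e6a1 DST SRC 0303 36a0 0000 0000 "
        "4500 0034 d9c4 0000 3311 7483 SRC DST 06e2 0035 0020 9b01 " + "5858 " * 12,
    "solaris7_protocol_unreachable":
        "4500 0030 fa6b 4000 ee01 3c61 DST SRC 0302 fcfd 0000 0000 "
        "4500 0014 5bf5 0000 224a e6ab SRC DST",
    "linux_protocol_unreachable":
        "45c0 0044 075c 0000 ff01 b59a DST SRC 0302 fb1a 0000 0000 "
        "4500 0014 92f7 0000 2726 02cb SRC DST "
        "0050 dc84 ae6f 6910 0000 0000 5004 0000 bd89 0000",
    # Constructed for contrast (not from the post): a stack that quotes only the
    # RFC 1122 minimum, 20-byte IP header + 8 bytes, of the 52-byte HP-UX probe.
    # Checksums are zeroed because the parser never validates them.
    "constructed_rfc1122_minimum":
        "4500 0038 0000 0000 4001 0000 DST SRC 0303 0000 0000 0000 "
        "4500 0034 d9c4 0000 3311 7483 SRC DST 06e2 0035 0020 9b01",
}

# ICMP types that carry a quoted copy of the offending datagram.
ICMP_ERROR_TYPES = {3: "destination unreachable", 4: "source quench",
                    5: "redirect", 11: "time exceeded", 12: "parameter problem"}


def _to_bytes(dump):
    return bytes.fromhex(dump.replace("SRC", SRC).replace("DST", DST).replace(" ", ""))


def parse_icmp_error(dump):
    """Measure how much of the offending datagram an ICMP error message quotes."""
    pkt = _to_bytes(dump)
    ihl = (pkt[0] & 0x0F) * 4                        # outer IP header length
    tos = pkt[1]                                     # Precedence bits live here
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = pkt[ihl:total_len]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError("ICMP type %d carries no quoted datagram" % icmp_type)
    quoted = icmp[8:]                                # after the 8-byte ICMP header
    q_ihl = (quoted[0] & 0x0F) * 4
    q_total_len = struct.unpack("!H", quoted[2:4])[0]
    rfc_min = min(q_ihl + 8, q_total_len)            # RFC 1122: IP header + 8 bytes
    extra = len(quoted) - q_total_len                # bytes beyond the datagram itself
    if extra > 0:
        verdict = "entire offending datagram plus %d extra bytes" % extra
    elif extra == 0:
        verdict = "entire offending datagram"
    elif len(quoted) == rfc_min:
        verdict = "RFC 1122 minimum (IP header + 8 bytes)"
    else:
        verdict = "partial quote (%d of %d bytes)" % (len(quoted), q_total_len)
    return {
        "tos": tos, "icmp_type": icmp_type, "icmp_code": icmp_code,
        "quoted_len": len(quoted), "offending_len": q_total_len,
        "rfc1122_min": rfc_min, "extra": max(extra, 0), "verdict": verdict,
    }


def quoting_pattern(report):
    """Map a report onto the three quoting behaviours the post describes."""
    if report["extra"] > 0:
        return "entire-plus-extra (the LINUX pattern in the post)"
    if report["quoted_len"] == report["offending_len"]:
        return "entire (LINUX / Sun Solaris / HP-UX 11.x pattern in the post)"
    return "rfc1122-minimum"


if __name__ == "__main__":
    for name, dump in SAMPLES.items():
        r = parse_icmp_error(dump)
        print("%-44s tos=0x%02x quoted=%2d of %2d -> %s" %
              (name, r["tos"], r["quoted_len"], r["offending_len"], r["verdict"]))
```

Note that for a UDP probe with no payload the "entire datagram" and the RFC 1122 minimum both come to 28 bytes, which is why the post's Port Unreachable traces alone cannot separate the three stacks from an RFC-conformant one; the Protocol Unreachable traces, where the offending datagram is only 20 bytes and LINUX still quotes 40, are what make the difference visible, and that is exactly what the `extra` field captures.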