Thursday, October 22, 2009

One Packet Fingerprint

Interesting concept from Packet Maestro Mike Poor (I'm doing a refresh on the audio from SANS Sec 503 Intrusion Detection In-Depth). Mike notes how an ICMP request packet could differentiate between a Unix/Linux box and Windows box, with one packet. Here's how. ICMP packets use a type and code. For some , like type 3, which is a Destination Unreachable error message, the code is relevant and tells you why it was unreachable (port unreachable, host unreachable, etc.) With echo request and reply packets, the code is irrelevant, and is set to 0. A Windows box will reply to a request by changing the type from 8, request, to 0, reply, but also sets the code to 0. Unix and Linux ignores the code field since it's not used and leaves it's value at what ever the request was set to. So by crafting an echo request packet with the code set to a non-zero value, you can look at the reply and determine the OS. Code reset to 0, Windows. Code set to the original value, Unix/Linux. This of course, assumes the box is one of the two operating systems and the stack hasn't been mucked with to respond differently. Ofir Arkin explains this technique and other ways to use ICMP for recon in the paper found here.

No comments:

Blog Archive