A fingerprinting threat has been reported in some versions of the 2.4 Linux kernel IP stack implementation. UDP packets are transmitted with a constant IP Identification field of 0.


An attacker may be able to exploit this weakness to discover the operating system and approximate kernel version of the vulnerable system. The ability to fingerprint operating systems based on minor differences in network implementations is well known, and not limited to Linux based systems.

Remote: Yes

Exploit: No

Source: http://www.xatrix.org/modules.php?op=modload&name=News&file=article&sid=1281&mode=thread&order=1

I have seen this someplace else, but I can't remember where.

Heres the thing though. Almost any system will be fingerprinted. There is always slight differences. So whats the big deal? If you take care of the security on your site, You should be able to give out the os, evey daemnon running, and every possible login, and not have anything to worry about. (If you maintain a good password policy that is).

I have been having real problems with xantix.org lately. I have seen them post hoaxes as fact. Now they make a fingerprint look like a vulnerablity. Its just kinda stupid if you ask me.

souleman is correct - if your box is secure, then you shouldn't need to worry if they know you have a linux box.

In addition to his post, I heard a very good explanation of why they _intentionally_ coded it this way. The simplest way to create a packet is to simply set aside a section of memory for the packet and start filling in the necessary fields. For something like a UDP packet, there are some spaces in the packet that just aren't normally used. So if the field is left alne, is simply contains some data from whatever was stored in that section of memory previously. So instead of leaving those sections alone, they intentionally zeroed out the unused fields (such as the IP identification field) so that when the packet gets sent out, it doesn't give out any information that may have been laying around in memory.

Heres the thing though. Almost any system will be fingerprinted. There is always slight differences. So whats the big deal? If you take care of the security on your site, You should be able to give out the os, evey daemnon running, and every possible login, and not have anything to worry about.

Very true but what about poor IIS users. Advertising the fact that you are running MS IIS is like waving a white flag and screaming "Please hack me, I don't care!" ;).

You're absolutely correct smirc. Sometimes I forget that there are still people out there using IIS. My instinct of course is to question their sanity, but then I have to remind myself that a lot of times upper management tells them they have to use M$ products and they just have to obey.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=222635#post480321) by s0nIc
A fingerprinting threat has been reported in some versions of the 2.4 Linux kernel IP stack implementation. UDP packets are transmitted with a constant IP Identification field of 0.


An attacker may be able to exploit this weakness to discover the operating system and approximate kernel version of the vulnerable system. The ability to fingerprint operating systems based on minor differences in network implementations is well known, and not limited to Linux based systems.

Remote: Yes

Exploit: No

Source: http://www.xatrix.org/modules.php?op=modload&name=News&file=article&sid=1281&mode=thread&order=1

Actually, this isn't really a 'vulnerability' per se, Fyodor (of NMAP fame) had some very interesting comments on the discussion via bugtraq:

On Tue, Mar 19, 2002, Ofir Arkin (ofir@stake.com) wrote:
>
> Linux Kernel 2.4.x has a bug with the UDP implementation which allows
> both active and passive fingerprinting of Linux machines based on the
> 2.4.x Kernel.

Actually, as Crist Clark noted, this is a feature with both security
and efficiency benefits. It also isn't specific to UDP -- you'll find
similar TCP behavior. Nor is it exclusive to Linux 2.4 kernels --
Some (all?) Cisco IOS 12.0 - 12.3 devices and various Linksys
broadband routers do this.

I agree that that this is useful for remote OS detection. In fact,
the Nmap Security Scanner has been using this OS detection technique
for more than a year (since 2.54BETA20). You can grab a copy at
http://www.insecure.org/nmap/ .

> 03/16-11:49:41.531642 192.168.1.200:1024 -> x.x.x.x:53 UDP TTL:64
> TOS:0x0 ID:0 IpLen:20 DgmLen:63 DF
> Len: 43
> BC 0D 01 00 00 01 00 00 00 00 00 00 03 77 77 77 .............www
> 03 63 6E 6E 03 63 6F 6D 05 6C 6F 63 61 6C 00 00 .cnn.com.local..
> 01 00 01 ...
>
> The IP Identification field value with the UDP datagram is zero (0). The
> value will be constant and will not be changed for future UDP datagrams
> I will be sending.

Last year I added a feature to Nmap which automates this IPID
classification. Give the Nmap arguments "-v -O" against the host
above and it should say "IPID Sequence Generation: All zeros". Other
IPID classes Nmap understands include "incremental" (most machines),
"duplicated IPID" (mostly stupid devices like printers), "Broken
little-endian incremental" (Windows), "Randomized" (OpenBSD), and
"Random positive increments". The XML output will provide the actual
ID numbers in case you want to do your own analysis.

A more recent IPID-related Nmap feature is the Idlescan (-sI). This
clever method (discovered by Antirez) allows for a truly blind TCP
port scan -- no packets are sent to the target from your real IP
address. Instead, a unique side-channel attack exploits predictable
IPID sequences on a chosen "zombie" host to glean information about
open ports on the target network. IDS systems will report the scan as
coming from the zombie. Besides being extraordinarily stealthy (due
to its blind nature), this scan type permits mapping out IP-based
trust relationships between machines.

Please excuse my blatant Nmap promoting, but IPID analysis is one of
my favorite reconnaissance techniques. The methods are subtle, but
can provide a wealth of information to potential attackers.
Fortunately, recent versions of Linux, Solaris, and OpenBSD (among
others) address most of the issues. Lets hope that other vendors
follow their lead.

Cheers,
Fyodor