TTL Packets

Thread: TTL Packets

  1. #1
    Member
    Join Date
    Mar 2004
    Posts
    41

    TTL Packets

    Hi,
    Anybody know how to read the TTL packets?
    We can send TTL packets via the tracert command, and I've read that the ICMP message that we receive contains the TTL packet. How can we read the contents of the TTL packet (via which we can trace, to medium accuracy, the target client's running operating system)?
    Is there any software used to view the contents of the TTL packets sent or received?
    - SCORPION

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    Just a quick question...you DO know what TTL is right?
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  3. #3
    Member
    Join Date
    Mar 2004
    Posts
    41
    Sorry
    Can anybody explain to me more about TTL packets?
    - SCORPION

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    TTL is the Time to Live.

    If you sent out a packet that got caught in a routing loop (one router is misconfigured to return packets sent to it from another router), then the packet would forever bounce backwards and forwards between the two routers. The TTL is a "counter". It is set by the OS for every outbound packet. Each router the packet passes through checks the TTL. If it is > 0 then the router decrements the counter by one and sends it off on its merry way. If it = 0 when received then the router will not forward the packet and will send an ICMP "expired in transit" to the source of the packet.

    You can "identify" OSes by the TTL because the differing implementations of the TCP stack set the TTL differently. The Windows stack sets the TTL to 64 while *nix stacks set it to 128 (IIRC). But that's about it. It is not a reliable way to determine OS. Better to use NMap with OS detection turned on if you want to be active about determining the remote OS, or P0f if you want to be passive about the determination.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    Exactly. TTL isn't A packet, but part of it.
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  6. #6
    ShagDevil (Some Assembly Required)
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    I agree with Tiger about TTLs not being a very good way to pinpoint a remote OS, or any OS for that matter. Mainly because default TTL values on Windows OSes can be easily changed through Regedit with hardly any effort. Although a little tougher on Linux, it's still possible to change the "hardcoded" TTL.
    I changed my default TTL and then pinged myself to see if indeed the value was changed, and it was showing whatever value I placed in it.
    So Mighty, I wouldn't even say you're achieving medium accuracy, as these TTL values you may be seeing are not even remotely indicative of the OS on the computer.

    Note: Tiger, I thought the default TTL varied on Windows from 32 (Windows 95, 98, NT 3.51) to 128 (Windows NT 4.0) and that Linux's default TTL was 64. Has it changed?
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    While the TTL isn't the greatest way to do remote OS detection, it is a quiet way to aggressively scan. p0f is fine if you want to wait for a connection back to you; however, if you want to push forward, then ICMP OS detection works just fine. TTL is actually the basis of the script I posted in another thread. I've given a brief description of it over there. Feel free to check it out and put it to use.


    http://www.antionline.com/showthread...hreadid=255887

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  8. #8
    Computernerd22 (AO's MMA Fanatic!)
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    ShagDevil you are right.

    Reply from 192.18.0.0: bytes=32 time<1ms TTL=128

    Windows TTL is at 128. Linux is based at half of that, which equals 64.
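    The two ideas in this thread (a router decrementing TTL and answering with ICMP "time exceeded", which is what tracert builds its hop list from, and reading the TTL out of a ping reply line like the one above to guess the sender's starting value) can be shown in a small script. This is an added example, not code from any poster in the thread. The ping reply lines and the router names are constructed sample data, and the table of "usual" starting TTLs (64, 128, 255) is a heuristic assumption; as ShagDevil notes above, a host can change its default, so the guess is only a hint.

```python
import re
from typing import List, Optional, Tuple

# Heuristic table of common initial TTLs (an assumption for this example, not
# an authoritative mapping; a host can set any value it likes).
DEFAULT_TTLS = {
    64: "64 (common default on Linux/BSD/macOS)",
    128: "128 (common default on Windows)",
    255: "255 (common on routers, Solaris and other network devices)",
}

TTL_RE = re.compile(r"\bTTL=(\d+)\b", re.IGNORECASE)


def parse_ttl(reply_line: str) -> Optional[int]:
    """Pull the TTL field out of a Windows-style 'Reply from ...' ping line."""
    m = TTL_RE.search(reply_line)
    return int(m.group(1)) if m else None


def guess_initial_ttl(observed: int) -> Tuple[int, int, str]:
    """Return (assumed_initial_ttl, hops_traversed, note).

    The sender's starting TTL is taken to be the smallest common default that is
    >= the observed value; the difference is the number of routers crossed.
    """
    if not 0 <= observed <= 255:
        raise ValueError("TTL is an 8-bit field")
    for initial in sorted(DEFAULT_TTLS):
        if observed <= initial:
            return initial, initial - observed, DEFAULT_TTLS[initial]
    raise AssertionError("unreachable: 255 covers every valid TTL")


def analyse_replies(lines: List[str]) -> List[Tuple[int, int, int, str]]:
    """For each reply line carrying a TTL, record (seen, guessed_initial, hops, note)."""
    out = []
    for line in lines:
        ttl = parse_ttl(line)
        if ttl is None:           # 'Request timed out.' and similar carry no TTL
            continue
        initial, hops, note = guess_initial_ttl(ttl)
        out.append((ttl, initial, hops, note))
    return out


def forward(initial_ttl: int, path: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Simulate RFC 791 forwarding along 'path' (routers..., destination host).

    Each router decrements TTL; if it reaches 0 the router drops the packet and
    answers with ICMP Time Exceeded. Returns (destination_reached, router_that_expired_it);
    exactly one of the two is None.
    """
    ttl = initial_ttl
    for router in path[:-1]:
        ttl -= 1
        if ttl <= 0:
            return None, router
    return path[-1], None


def traceroute(path: List[str], max_hops: int = 30) -> List[str]:
    """Rebuild the route the way tracert does: probe with TTL 1, 2, 3, ... and
    record whichever router sent Time Exceeded, stopping once the host answers."""
    discovered: List[str] = []
    for ttl in range(1, max_hops + 1):
        dest, expired_at = forward(ttl, path)
        if dest is not None:
            discovered.append(dest)
            break
        discovered.append(expired_at)
    return discovered


def forwards_before_expiry_in_loop(initial_ttl: int) -> int:
    """Two routers bouncing a packet between them: the TTL bounds the loop, so the
    packet is forwarded exactly initial_ttl times before one router discards it."""
    ttl, forwards = initial_ttl, 0
    while True:
        ttl -= 1
        if ttl <= 0:
            return forwards
        forwards += 1


# Constructed sample ping output (TEST-NET-1 addresses, not real hosts).
SAMPLE_REPLIES = [
    "Reply from 192.0.2.10: bytes=32 time<1ms TTL=128",
    "Reply from 192.0.2.20: bytes=32 time=12ms TTL=54",
    "Reply from 192.0.2.30: bytes=32 time=3ms TTL=250",
    "Request timed out.",
]

# Hypothetical path: three routers then the destination host.
SAMPLE_PATH = ["r1.example", "r2.example", "r3.example", "host.example"]

if __name__ == "__main__":
    for seen, initial, hops, note in analyse_replies(SAMPLE_REPLIES):
        print(f"TTL={seen}: probably started at {note}, {hops} hop(s) away")
    print("tracert would list:", " -> ".join(traceroute(SAMPLE_PATH)))
    print("forwards in a routing loop before expiry:", forwards_before_expiry_in_loop(64))
```

    Running it prints that TTL=128 is probably a Windows host zero hops away, TTL=54 a 64-default host ten hops away, and TTL=250 a 255-default device five hops away; the tracert simulation lists r1, r2, r3 and then the host, because each probe's TTL expires one router further along.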

  9. #9
    Banned
    Join Date
    Feb 2004
    Posts
    20
    Going by what TigerShark suggested with NMap, check this tutorial out.

    agent.idle

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    I agree with HT here. While nmap is the number one scanner, most of the time you don't need something like that. I have both Ethereal and PacketMon on my box. Most of the time I don't need all the info Ethereal gives me, like when I want to know if and to where the new software phones home. The TTL is fairly reliable; not that many fake it.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
