OS detection with ICMP.

  1. #1
    Senior Member
    Join Date
    Jun 2004
    Posts
    112

    OS detection with ICMP.

    One of the most important steps in attacking a target is finding out the OS that it is running. This can be done a few different ways, but in this post I am going to give a little bit of an overview of using the ICMP protocol in OS detection and point you to some resources if you wish to learn more.

    You may not know this, but in some cases finding out whether the machine is *nix based or Windows is as simple as pinging the target and looking at the TTL value that was returned. Most *nix based systems will return 255 in the TTL value in an ICMP echo reply, Windows will return 128 (with the exception of Win 95 which returns 32), and last but not least Linux which returns a TTL value of 64 (thanks chsh). I know that these values may not be true in all cases, but hey, what can I say, this method is just used for a rough idea. Another way that can be used is to send an ICMP echo request to the target with the code value set at anything other than 0. When the reply is received, if the code value is != 0 then the machine is *nix based and if the value is 0 then the machine is Windows based.

    To delve a little bit deeper we begin by sending some ICMP packets from our favorite packet crafter to the target, and then compare the results to known OS behaviors.

    An Example:

    Say that you received a TTL value of 255 when you pinged the target. We know that this is a pretty good indicator that the target is *nix based. Now if we were to send a fragmented ICMP address mask request and the reply was to come back with 0.0.0.0 as the mask then we would know that the machine is running either Solaris or HP-UX. Interesting? Yes. Simple? Very.

    Another Example:

    This example will give you an idea of how to pick out Windows 2000 and Ultrix. All you have to do is send an ICMP echo request with the precedence bits != 0. If you receive a reply with the precedence bits equal to 0 then the machine is either running Windows 2000 or Ultrix. Now to distinguish between the two we ping the target and look at the TTL value. 255 = Ultrix and 128 = Win 2k.

    To learn more on this read Ofir Arkin's paper here:
    http://www.sys-security.com/archive/...nning_v3.0.pdf

    ICMP error messages are also able to be used in the footprinting of an OS. Actually, in some cases the lack of ICMP error messages will be an indicator of a certain group of operating systems (AIX, DG-UX, HP-UX).

    To learn more about this read the paper by Fyodor here:
    http://www.insecure.org/nmap/nmap-fi...g-article.html

    If I am wrong please correct me, or if you have something to add please do. Cheers.

  2. #2
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Very good. I see that you have looked into this deeper since your original post asking about the technique.

    Have you attempted this on your own yet?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Senior Member
    Join Date
    Jun 2004
    Posts
    112
    Yes, I have, but only on a very limited number of systems. I have been at school and checked the TTL on all the different Windows systems and I signed up for a shell account so I could check *nix. I downloaded hping a few minutes ago and plan on toying with it after I get off of work tonight. Does anyone know if there are some test servers out there that would let me try the techniques (Solaris, OpenVMS, etc)? I am very curious, I just don't have any sort of access to these types of systems and I would like to look at the results. Thx.

  4. #4
    phishphreek (AO übergeek)
    Join Date
    Jan 2002
    Posts
    4,325
    I know this doesn't have to do with your method of footprinting... but here is some interesting stuff dealing with the data fields of an ICMP echo:

    http://www.antionline.com/showthread...hreadid=258160
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Although indirect, I am happy to run some commands for you against what I have here.

    AIX
    HPUX
    SunOS
    IRIX

    Happy to send you the output.
    Kind of lame but might fill some holes..

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I'm back.... I apologize to those of you that wanted me gone.

    Anyways, I've posted a script I started a few years back... it's actually in the similar threads listing below.. http://www.antionline.com/showthread...hreadid=255887. It used to be fairly handy, now other programs do it for you and much more accurately... I could continue development if people want to submit to me various ICMP results (TTL, Timestamp, Mask, etc) for different operating systems, and then post the script when it is finished. It requires ping and sing, but I'm sure I could modify it to use something more common (possibly hping2). Anyways I've attached the script again here just for simplicity..

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    You can also detect operating systems based on their responses to broadcast traffic. Windows hosts ignore broadcast pings, unixes do not.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #8
    Senior Member
    Join Date
    Jun 2004
    Posts
    112
    I read about that in Ofir Arkin's paper chsh. I was wondering though, how would you do that if you were not on the local network? This is probably a stupid question I know, but I am curious. Thanks for the help.

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Ping the broadcast address for the given network. Every network range has a network address, and a broadcast address (at opposite ends of the range). For 192.168.0.x/24, 192.168.0.0 is the network address, and 192.168.0.255 is the broadcast address. It works with remote networks, provided your ISP and intervening routers will forward broadcast packets (pings and such). You also have to know what a public network's range is, they're rarely entire /24 or /16, so it takes some math and looking at their hosts to figure it out, but if you look at a network with 6 real hosts starting at say 100.100.100.51, the lowest host number - 1 (.50) will be the network address, the highest + 1 (.57) will be the broadcast address (assuming they don't have unused hosts).
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
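    Seen from the other side of the wire, the probes described in post #1 (echo requests with a non-zero code or non-zero precedence bits, fragmented address mask requests, the rough initial-TTL guess) and the broadcast pings from posts #7 and #9 are all things a network monitor can flag. The following Python detector is an added example, not a script posted in this thread; it assumes packet fields have already been pulled out of a capture into dicts (the field names are hypothetical) and runs over constructed records.

```python
import ipaddress

ECHO_REQUEST, ADDR_MASK_REQUEST = 8, 17          # ICMP type values (RFC 792 / RFC 950)
INITIAL_TTLS = (32, 64, 128, 255)                # initial TTLs quoted in the thread

def guess_initial_ttl(ttl):
    """Smallest common initial TTL that is >= the observed TTL (rough OS family hint)."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init
    raise ValueError("TTL %d is not a valid IPv4 TTL" % ttl)

def probe_flags(pkt, local_net):
    """Reasons a single ICMP packet looks like one of the fingerprinting probes above."""
    reasons = []
    is_echo = pkt["type"] == ECHO_REQUEST
    if is_echo and pkt["code"] != 0:
        reasons.append("echo request with non-zero code")
    if is_echo and (pkt["tos"] >> 5) != 0:          # precedence = top three ToS bits
        reasons.append("echo request with non-zero precedence bits")
    if pkt["type"] == ADDR_MASK_REQUEST:
        frag = pkt["mf"] or pkt["frag_off"]
        reasons.append("fragmented address mask request" if frag else "address mask request")
    if is_echo and ipaddress.IPv4Address(pkt["dst"]) == local_net.broadcast_address:
        reasons.append("echo request to broadcast address")
    return reasons

def suspicious_sources(records, local_net, min_kinds=2):
    """Sources that sent at least min_kinds distinct probe kinds: likely fingerprinting."""
    kinds = {}
    for r in records:
        for reason in probe_flags(r, local_net):
            kinds.setdefault(r["src"], set()).add(reason)
    return {src: sorted(k) for src, k in kinds.items() if len(k) >= min_kinds}

LOCAL_NET = ipaddress.IPv4Network("192.168.0.0/24")   # hypothetical monitored subnet
def rec(dst, ttl, tos=0, mf=0, frag_off=0, typ=ECHO_REQUEST, code=0, src="10.0.0.5"):
    return {"src": src, "dst": dst, "ttl": ttl, "tos": tos, "mf": mf,
            "frag_off": frag_off, "type": typ, "code": code}

SAMPLE = [                                        # constructed records, not captured traffic
    rec("192.168.0.10", 57),                      # ordinary ping: initial TTL 64, 7 hops away
    rec("192.168.0.10", 57, code=3),              # echo request with code != 0
    rec("192.168.0.10", 57, tos=0xE0),            # precedence bits set (ToS 0b11100000)
    rec("192.168.0.10", 57, mf=1, typ=ADDR_MASK_REQUEST),   # fragmented mask request
    rec("192.168.0.255", 57),                     # echo request to the broadcast address
    rec("192.168.0.10", 120, src="10.0.0.9"),     # ordinary ping from another host
]
```

Running `suspicious_sources(SAMPLE, LOCAL_NET)` reports only 10.0.0.5, which tripped four distinct probe kinds, while the single plain ping from 10.0.0.9 is ignored.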

  10. #10
    Senior Member
    Join Date
    Jun 2004
    Posts
    112
    Thank you very much chsh. It feels good to be learning again.
