OS detection with ICMP.

**hobbdebub** · August 18th, 2004, 08:33 PM

One of the most important steps in attacking a target is finding out the OS that it is running. This can be done a few different ways, but in this post I am going to give a little bit of an overview of using the ICMP protocol in OS detection and point you to some resources if you wish to learn more.

You may not know this, but in some cases finding out wheter the machiine is *nix based or Windows is as simple as pinging the target and looking at the TTL value that was returned. Most *nix based systems will return 255 in the TTL value in an ICMP echo reply, Windows will return 128 (with the exception of Win 95 which returns 32), and last but not least Linux which returns a TTL value of 64 (thanks chsh). I know that these values may not be true in all cases, but hey, what can I say, this method is just used for a rough idea. Antother way that can be used is to send an ICMP echo request to the target with the code value set at anything other than 0. When the reply is recieved if the code value is != 0 then the machine is *nix based and if the value is 0 then the Machine is Windows based.

To delve a little bit deeper we begin by sending some ICMP packets from our favorite packet crafter to the target, and then compare the results to know OS behaviors.

An Example:

Say that you recieved a TTL value of 255 when you pinged the target. We know that this is a pretty good indicator that the target is *nix based. Now if we were to send a fragmented ICMP address mask request and the reply was to come back with 0.0.0.0 as the mask then we would know that the machine is running either Solaris or HP-UX. Interesting? Yes. Simple? Very.

Another Example:

This example will give you an idea of how to pick Windows 2000 and Ultrix. All you have to do is send an ICMP echo request with the precedence bits !=0. If you recieve a reply with the precedence bits equal to 0 then the machine is either running Windows 2000 or Ultrix. Now to distinguish between the two we ping the target and look at the TTL value. 255 = Ultrix and 128 = Win 2k.

To learn more on this read Ofir Arkin's paper here:
http://www.sys-security.com/archive/...nning_v3.0.pdf

ICMPerror messages are also able to be used in the foot printing of an OS. Actually, in some cases the lack of ICMP error messages will be an indicator of a certain group of operating systems (AIX, DG-UX, HP-UX).

To learn more about this read the paper by Fyodor here:
http://www.insecure.org/nmap/nmap-fi...g-article.html

If I am wrong please correct me, or if you have something to add please do. Cheers.

***thehorse13*** · August 18th, 2004, 09:31 PM

Very good. I see that you have looked into this deeper since your original post asking about the technique.

Have you attempted this on your own yet?

**hobbdebub** · August 18th, 2004, 09:49 PM

Yes, I have but only on a very limited amount of systems. I have been at school and checked the TTL on all the diifferent Windows systems and I signed up for a shell acounnt so I cout check *nix. I downloaded hping a few minutes ago and plan on toying with it after I get off of work tonight. Does anyone know if there are some test servers out there that would let me try the techniques (Solaris, OpenVMS, etc)? I am very curious I just don't have any sort of access to these types of sytems and I would like to look at the results. Thx.

***phishphreek*** · August 18th, 2004, 10:15 PM

I know this doesn't have to do with your method of foot printing... but here is some interesting stuff dealing with the data fields of an ICMP echo

http://www.antionline.com/showthread...hreadid=258160

**ss2chef** · August 18th, 2004, 10:17 PM

Although indirect, I am happy to run some commands for you against what I have here.

AIX
HPUX
SunOS
IRIX

Happy to send you the output.
Kind of lame but might fill some holes..

***HTRegz*** · August 18th, 2004, 10:36 PM

Hey Hey,

I'm back.... I apologize to those of you that wanted me gone.

Anyways, I've posted a script I started a few years back... it's actually in the similar threads listing below.. http://www.antionline.com/showthread...hreadid=255887. It used to be fairly handy, now other programs do it for you and much more accurately... I could continue development if people want to submit me Various ICMP results (TTL, Timestamp, Mask, etc) for different operating systems and then post the script when it is finished. It requires ping and sing, but I'm sure I could modify it to use something more common (possibly hping2). Anyways I've attached the script again here just for simplicity..

Peace,
HT

***chsh*** · August 19th, 2004, 04:56 AM

You can also detect operating systems based on their responses to broadcast traffic. Windows hosts ignore broadcast pings, unixes do not.

**hobbdebub** · August 19th, 2004, 08:16 PM

I read about that in Ofir Arkin's paper chsh. I was wondering though, how you would do that if you wre not on the local network? This is probably a stupid question I know, but I am curious. Thanks for the help.

***chsh*** · August 19th, 2004, 10:28 PM

Ping the broadcast address for the given network. Every network range has a network address, and a broadcast address (at opposite ends of the range). For 192.168.0.x/24, 192.168.0.0 is the network address, and 192.168.0.255 is the broadcast address. It works with remote networks, provided your ISP and intervening routers will forward broadcast packets (pings and such). You also have to know what a public network's range is, they're rarely entire /24 or /16, so it takes some math and looking at their hosts to figure it out, but if you look at a network with 6 real hosts starting at say 100.100.100.51, the lowest host number - 1 (.50) will be the network address, the highest + 1 (.57) will be the broadcast address (assuming they don't have unused hosts).

**hobbdebub** · August 20th, 2004, 03:20 AM

Thank you very much chsh. It feels good to be learning again.

Thread: OS detection with ICMP.

Thread Tools

Display

OS detection with ICMP.

Posting Permissions