-
TTL Packets
Hi,
Anybody know how to read the TTL packets?
We can send TTL packets via the tracert command, and I've read that the ICMP message that we receive contains the TTL packet. How can we read the contents of the TTL packet (via which we can trace, to medium accuracy, the target client's running operating system)?
Is there any software used to view the contents of the TTL packets sent or received?
-
Just a quick question...you DO know what TTL is right?
-
Sorry :confused:
Can anybody explain to me more about TTL packets?
-
TTL is the Time to Live.
If you sent out a packet that got caught in a routing loop (one router is misconfigured to return packets sent to it from another router), then the packet would forever bounce backwards and forwards between the two routers. The TTL is a "counter". It is set by the OS for every outbound packet. Each router the packet passes through checks the TTL. If it is > 0 then the router decrements the counter by one and sends it off on its merry way. If it is 0 when received then the router will not forward the packet and will send an ICMP "expired in transit" to the source of the packet.
You can "identify" OS's by the TTL because the differing implementations of the TCP stack set the TTL differently. The Windows stack sets the TTL to 64 while *nix stacks set it to 128 (IIRC). But that's about it. It is not a reliable way to determine OS. Better to use NMap with OS detection turned on if you want to be active about determining the remote OS, or p0f if you want to be passive about the determination.
-
Exactly. TTL isn't a packet, but part of one.
-
I agree with Tiger about TTL's not being a very good way to pinpoint a remote OS or any OS for that matter. Mainly because default TTL values on Windows OS's can be easily changed through Regedit with hardly any effort. Although a little tougher on Linux, it's still possible to change the "hardcoded" TTL.
I changed my default TTL and then pinged myself to see if indeed the value was changed and it was showing whatever value I placed in it.
So Mighty, I wouldn't even say you're achieving medium accuracy, as these TTL values you may be seeing are not even remotely indicative of the OS on the computer.
Note: Tiger, I thought the default TTL varied on Windows from 32 (Windows 95, 98, NT 3.51) to 128 (Windows NT 4.0) and that Linux's default TTL was 64. Has it changed?
-
Hey Hey,
While the TTL isn't the greatest way to do remote OS detection, it is a quiet way to aggressively scan. p0f is fine, if you want to wait for a connection back to you, however if you want to push forward, then ICMP OS Detection works just fine. TTL is actually the basis of the script I posted in another thread. I've given a brief description of it over there. Feel free to check it out, and put it to use.
http://www.antionline.com/showthread...hreadid=255887
Peace,
HT
-
ShagDevil you are right.
Reply from 192.18.0.0: bytes=32 time<1ms TTL=128
Windows TTL is at 128. Linux is based at half of that, which equals 64.
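An added example (my own code, not something posted in this thread) of the heuristic behind the last few posts: each router decrements the TTL by one, so you round an observed TTL up to the nearest common default to guess the initial value, the hop count and a weak OS hint. The default table and the ping reply lines are constructed for the example; as ShagDevil notes, the defaults can be changed, so the hint is only a hint.

```python
"""Passive TTL heuristic: observed TTL -> likely initial TTL, hop count, OS hint."""
import re

# Common initial TTL defaults (constructed table for this example). An admin can
# change these, so a match is a weak hint, not an identification.
DEFAULT_TTLS = {
    32: "older Windows (95/98/NT 3.51)",
    64: "Linux / *BSD / macOS",
    128: "Windows NT 4.0 and later",
    255: "network gear and Solaris-style stacks",
}

# Matches the Windows ping reply format seen in this thread.
PING_LINE = re.compile(r"Reply from (?P<ip>[\d.]+):.*?TTL=(?P<ttl>\d+)", re.I)


def guess_initial_ttl(observed):
    """Round the observed TTL up to the nearest default.

    Routers only ever decrement, so observed <= initial. A host with a
    128 default that sits more than 64 hops away would be misread as a 64
    default; in practice paths are far shorter than that.
    """
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be in 1..255 for a packet that arrived")
    for default in sorted(DEFAULT_TTLS):
        if observed <= default:
            return default
    return 255


def classify(observed):
    """Return the guessed initial TTL, hop count and OS hint for one reply."""
    initial = guess_initial_ttl(observed)
    return {
        "observed_ttl": observed,
        "likely_initial_ttl": initial,
        "hops": initial - observed,
        "os_hint": DEFAULT_TTLS[initial],
    }


def classify_ping_output(text):
    """Parse ping reply lines and classify each one; returns (ip, result) pairs."""
    results = []
    for line in text.splitlines():
        m = PING_LINE.search(line)
        if m:
            results.append((m.group("ip"), classify(int(m.group("ttl")))))
    return results


# Constructed sample output: a local host, a host nine hops away, a router.
SAMPLE_PING_OUTPUT = """\
Reply from 192.18.0.0: bytes=32 time<1ms TTL=128
Reply from 10.0.0.7: bytes=32 time=12ms TTL=55
Reply from 10.0.0.9: bytes=32 time=3ms TTL=241
"""
```

Running `classify_ping_output(SAMPLE_PING_OUTPUT)` gives a 128/0-hop Windows hint for the first line, a 64/9-hop Linux hint for the second and a 255/14-hop router hint for the third.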
-
Going by what TigerShark suggested with NMap, check this tutorial out.
agent.idle
-
I agree with HT here. While nmap is the number one scanner, most of the time you don't need something like that. I have both Ethereal and packetmon on my box. Most of the time I don't need all the info Ethereal gives me, like when I want to know if and to where the new software phones home. The TTL is fairly reliable; not that many fake it.