-
OS detection with ICMP.
One of the most important steps in attacking a target is finding out the OS that it is running. This can be done a few different ways, but in this post I am going to give a little bit of an overview of using the ICMP protocol in OS detection and point you to some resources if you wish to learn more.
You may not know this, but in some cases finding out whether the machine is *nix based or Windows is as simple as pinging the target and looking at the TTL value that was returned. Most *nix based systems will return 255 in the TTL value in an ICMP echo reply, Windows will return 128 (with the exception of Win 95 which returns 32), and last but not least Linux which returns a TTL value of 64 (thanks chsh). I know that these values may not be true in all cases, but hey, what can I say, this method is just used for a rough idea. Another way that can be used is to send an ICMP echo request to the target with the code value set at anything other than 0. When the reply is received, if the code value is != 0 then the machine is *nix based and if the value is 0 then the machine is Windows based.
To delve a little bit deeper we begin by sending some ICMP packets from our favorite packet crafter to the target, and then compare the results to known OS behaviors.
An Example:
Say that you received a TTL value of 255 when you pinged the target. We know that this is a pretty good indicator that the target is *nix based. Now if we were to send a fragmented ICMP address mask request and the reply was to come back with 0.0.0.0 as the mask then we would know that the machine is running either Solaris or HP-UX. Interesting? Yes. Simple? Very.
Another Example:
This example will give you an idea of how to pick Windows 2000 and Ultrix. All you have to do is send an ICMP echo request with the precedence bits != 0. If you receive a reply with the precedence bits equal to 0 then the machine is either running Windows 2000 or Ultrix. Now to distinguish between the two we ping the target and look at the TTL value. 255 = Ultrix and 128 = Win 2k.
To learn more on this read Ofir Arkin's paper here:
http://www.sys-security.com/archive/...nning_v3.0.pdf
ICMP error messages are also able to be used in the footprinting of an OS. Actually, in some cases the lack of ICMP error messages will be an indicator of a certain group of operating systems (AIX, DG-UX, HP-UX).
To learn more about this read the paper by Fyodor here:
http://www.insecure.org/nmap/nmap-fi...g-article.html
If I am wrong please correct me, or if you have something to add please do. Cheers.
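The two probes described in this post (an echo request with a non-zero code, and one with the IP precedence bits set) both come down to crafting the header yourself and checking which fields the reply preserved. The following is an added example for this thread, not code from the original post or from any of the referenced papers. It builds an ICMP echo request with an arbitrary code and a valid RFC 1071 checksum, pulls TTL and precedence out of a raw reply datagram, and reports whether the code and precedence you sent came back unchanged. Only the standard library is used; send_probe needs a raw socket (root or CAP_NET_RAW) and is not exercised offline, and sample_reply is a constructed datagram, not a real capture.

```python
"""Craft and parse ICMP echo packets with the header fields the probes above
rely on (code, IP precedence, TTL) set explicitly.  Added example for this
thread, not code from the original post.  Standard library only."""
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(code=0, ident=0x1234, seq=1, payload=b"icmp-probe"):
    """Echo request.  RFC 792 defines code 0; the probe in the thread sends a
    non-zero code and watches whether the reply echoes it back or zeroes it."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, code, csum, ident, seq) + payload


def parse_icmp(message: bytes) -> dict:
    """Decode an ICMP message (IP header already removed) and verify its checksum."""
    if len(message) < 8:
        raise ValueError("ICMP header is 8 bytes")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "payload": message[8:], "checksum_ok": icmp_checksum(message) == 0}


def split_ip_datagram(datagram: bytes):
    """A raw ICMP socket hands back the IP header too.  Return
    (ttl, precedence, icmp_message); precedence is the top 3 bits of TOS."""
    ihl = (datagram[0] & 0x0F) * 4
    precedence = datagram[1] >> 5
    ttl = datagram[8]
    return ttl, precedence, datagram[ihl:]


def interpret_reply(sent_code, sent_precedence, datagram):
    """Apply the two checks from the thread to one reply datagram."""
    ttl, prec, icmp = split_ip_datagram(datagram)
    reply = parse_icmp(icmp)
    return {"ttl": ttl,
            "code_echoed": reply["code"] == sent_code,
            "precedence_echoed": prec == sent_precedence,
            "checksum_ok": reply["checksum_ok"]}


def send_probe(host, code=0, precedence=0, timeout=2.0):
    """Send the probe over a raw socket (needs root / CAP_NET_RAW) and return
    the raw reply datagram, or None on timeout.  Not run offline."""
    tos = (precedence & 0x7) << 5
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
        s.settimeout(timeout)
        s.sendto(build_icmp_echo(code=code), (host, 0))
        try:
            datagram, _ = s.recvfrom(1500)
        except socket.timeout:
            return None
    return datagram


def sample_reply(code=5, precedence=7, ttl=125):
    """Constructed reply datagram for offline testing (not a real capture):
    IPv4 header with the given TOS precedence and TTL, then an echo reply
    that kept the given code."""
    icmp = build_icmp_echo(code=code)
    icmp = bytes([ICMP_ECHO_REPLY]) + icmp[1:2] + b"\x00\x00" + icmp[4:]
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, precedence << 5, 20 + len(icmp),
                     0, 0, ttl, socket.IPPROTO_ICMP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


if __name__ == "__main__":
    print(interpret_reply(5, 7, sample_reply()))
```

With a real target, call send_probe(host, code=5, precedence=7) and pass the returned datagram to interpret_reply with the same values; a reply with code_echoed False is the "code zeroed" behaviour the post attributes to Windows, and precedence_echoed False is the Windows 2000 / Ultrix behaviour from the second example.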
-
Very good. I see that you have looked into this deeper since your original post asking about the technique.
Have you attempted this on your own yet?
-
Yes, I have but only on a very limited amount of systems. I have been at school and checked the TTL on all the different Windows systems and I signed up for a shell account so I could check *nix. I downloaded hping a few minutes ago and plan on toying with it after I get off of work tonight. Does anyone know if there are some test servers out there that would let me try the techniques (Solaris, OpenVMS, etc)? I am very curious, I just don't have any sort of access to these types of systems and I would like to look at the results. Thx.
-
I know this doesn't have to do with your method of foot printing... but here is some interesting stuff dealing with the data fields of an ICMP echo
http://www.antionline.com/showthread...hreadid=258160
-
Although indirect, I am happy to run some commands for you against what I have here.
AIX
HPUX
SunOS
IRIX
Happy to send you the output.
Kind of lame but might fill some holes..:)
-
Hey Hey,
I'm back.... I apologize to those of you that wanted me gone.
Anyways, I've posted a script I started a few years back... it's actually in the similar threads listing below.. http://www.antionline.com/showthread...hreadid=255887. It used to be fairly handy, now other programs do it for you and much more accurately... I could continue development if people want to submit me various ICMP results (TTL, Timestamp, Mask, etc) for different operating systems and then post the script when it is finished. It requires ping and sing, but I'm sure I could modify it to use something more common (possibly hping2). Anyways I've attached the script again here just for simplicity..
Peace,
HT
-
You can also detect operating systems based on their responses to broadcast traffic. Windows hosts ignore broadcast pings, unixes do not.
-
I read about that in Ofir Arkin's paper chsh. I was wondering though, how you would do that if you were not on the local network? This is probably a stupid question I know, but I am curious. Thanks for the help.
-
Ping the broadcast address for the given network. Every network range has a network address, and a broadcast address (at opposite ends of the range). For 192.168.0.x/24, 192.168.0.0 is the network address, and 192.168.0.255 is the broadcast address. It works with remote networks, provided your ISP and intervening routers will forward broadcast packets (pings and such). You also have to know what a public network's range is, they're rarely entire /24 or /16, so it takes some math and looking at their hosts to figure it out, but if you look at a network with 6 real hosts starting at say 100.100.100.51, the lowest host number - 1 (.50) will be the network address, the highest + 1 (.57) will be the broadcast address (assuming they don't have unused hosts).
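The "some math" in the reply above can be done mechanically. This is an added example, not the poster's own code: it computes network and broadcast addresses from a known prefix, and, when the prefix is not known, from a list of observed host addresses. It goes one step beyond the text in that it relies on the fact that IP blocks are aligned on power-of-two boundaries, so the smallest aligned block covering every observed host is the first candidate for the broadcast address, with each enclosing block up to the /24 as a further candidate (the real allocation can be larger than what the observed hosts reveal). The host list is constructed from the reply's own figures.

```python
"""Network / broadcast address calculation for the broadcast-ping probe.
Added example, not from the original thread.  Standard library only."""
import ipaddress


def network_and_broadcast(cidr: str):
    """Known prefix: e.g. '192.168.0.77/24' -> ('192.168.0.0', '192.168.0.255')."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def smallest_aligned_block(hosts):
    """Unknown prefix: the smallest power-of-two aligned block that contains
    every observed host.  Works on the common leading bits of the lowest and
    highest address."""
    ints = sorted(int(ipaddress.IPv4Address(h)) for h in hosts)
    lo, hi = ints[0], ints[-1]
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(lo)}/{prefix}", strict=False)


def broadcast_candidates(hosts):
    """(cidr, broadcast) for the smallest block and each enclosing block up
    to /24; the target's real allocation is one of these or something bigger."""
    net = smallest_aligned_block(hosts)
    out = [(str(net), str(net.broadcast_address))]
    while net.prefixlen > 24:
        net = net.supernet()
        out.append((str(net), str(net.broadcast_address)))
    return out


if __name__ == "__main__":
    # Constructed from the reply's example: six hosts starting at .51.
    observed = ["100.100.100.%d" % n for n in range(51, 57)]
    for cidr, bcast in broadcast_candidates(observed):
        print(cidr, "broadcast", bcast)
```

For the six hosts .51 through .56 the smallest aligned block is 100.100.100.48/28 with broadcast 100.100.100.63; .50 and .57 cannot be network and broadcast addresses because no aligned block starts at .50.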
-
Thank you very much chsh. It feels good to be learning again. ;)
-
This may be a stupid question but what does it mean if the TTL is 125?
-
It means the packet could have gone 125 hops more to get to its destination. :D
Probably that it was set to 128 and the host replying was 3 hops away.
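The arithmetic in the reply above (125 observed, so 128 initial and 3 hops) is easy to automate over a whole ping session. This is an added example, not code from the thread: it reads ping output in both the Linux and the Windows reply format, picks the smallest common initial TTL that is at least the observed value, and reports the implied hop count together with the rough OS guess this thread uses. The OS labels are the thread's rule of thumb, not a guarantee, and low observed values are ambiguous (30 could be 32 minus 2 or 64 minus 34). The SAMPLE_OUTPUT is constructed, not a real capture.

```python
"""Turn the TTL in ping replies into an initial-TTL and hop-count estimate.
Added example for this thread, not code from the original post."""
import re

# Common initial TTLs; the OS labels are the thread's rough rule of thumb.
INITIAL_TTLS = {
    32: "old Windows (95)",
    64: "Linux / BSD",
    128: "Windows",
    255: "other *nix (Solaris, Ultrix, ...) or a router",
}

# Matches both "64 bytes from 10.0.0.1: icmp_seq=1 ttl=125 time=2.31 ms"
# and "Reply from 10.0.0.1: bytes=32 time=1ms TTL=128".
REPLY_RE = re.compile(r"from\s+(?P<ip>[\d.]+).*?\bttl[=\s]*(?P<ttl>\d+)", re.IGNORECASE)


def guess_initial_ttl(observed: int):
    """Return (initial_ttl, hops): the smallest common initial TTL >= observed.
    Ambiguous for small values; the nearest candidate is chosen."""
    if not 0 < observed <= 255:
        raise ValueError("TTL must be 1..255")
    for init in sorted(INITIAL_TTLS):
        if observed <= init:
            return init, init - observed
    raise AssertionError("unreachable: 255 covers every valid TTL")


def parse_ping_output(text: str):
    """One row per reply line: ip, observed ttl, guessed initial ttl, hops, OS guess."""
    rows = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue  # banners, statistics, blank lines
        ttl = int(m.group("ttl"))
        init, hops = guess_initial_ttl(ttl)
        rows.append({"ip": m.group("ip"), "ttl": ttl, "initial_ttl": init,
                     "hops": hops, "guess": INITIAL_TTLS[init]})
    return rows


# Constructed sample: a Linux ping session followed by a Windows one.
SAMPLE_OUTPUT = """PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=125 time=2.31 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=125 time=2.10 ms

Pinging 10.0.0.9 with 32 bytes of data:
Reply from 10.0.0.9: bytes=32 time=1ms TTL=250
Reply from 10.0.0.9: bytes=32 time=1ms TTL=250
"""

if __name__ == "__main__":
    for row in parse_ping_output(SAMPLE_OUTPUT):
        print("%(ip)s ttl=%(ttl)d -> initial %(initial_ttl)d, %(hops)d hops, %(guess)s" % row)
```

Running it against a target's ping output gives a hop count you can cross-check against traceroute; if the two disagree, the initial-TTL guess was probably wrong.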
-
TTL stands for Time To Live ... every packet that goes out has a life time or TTL value. If the packet doesn't reach the destination in a time less than its TTL value, it becomes invalid (Right ??). When a packet travels from one node to another it's called a hop (right ?).
-
That is right. Ex.) A TTL of 255 means that the packet should time out in something like 4.25 minutes but this is not true. The TTL is decremented every time it makes a hop, so the 4 minute thing is not necessarily true in all cases because sometimes it takes less than a second for the packet to be processed and sometimes it may take more time.
-
Most of the time it is under a second. Traceroute, for example, almost always takes less than a second. You have to be careful when pinging systems. There are ways to detect people pinging your system.
It's not a bad idea to go and pick up Ankit Fadia's Network Security: A Hacker's Perspective. It's a good book and it outlines the ICMP protocol in full very nicely. Detailed, too. But yeah.
I need help with un-XORing binary numbers (is it possible?), if anyone's interested.
-
You know, it's funny this thread comes up. I've been doing a lot of pinging at work all summer, making sure machines are up and such, and I noticed the difference in TTL fields between Windows and various *nix boxes. Never thought much of it until now.
But here's another thought, kind of along the same lines. Anyone else notice how ping packets sent from different OSes are different sizes?
alpha
-
Whatever you do, please don't pick up Ankit Fadia's book. If it's anything like the first one, it's just plagiarised material taken from freely available internet sources. If you want to learn about the ICMP protocol, here's a list of links that might be useful.
RFC 792 - The definitive guide to ICMP
http://www.networksorcery.com/enp/protocol/icmp.htm
http://cities.lk.net/trproto.html
Cheers,
cgkanchi
-
You're probably right cgkanchi, but it's a good source nonetheless. It has all those things in one place, which is a good reference.
-
A slowly incrementing TTL value is how traceroute works. It increments the TTL from 1 to the max (default 30 on most systems) until the target host and the destination host are the same. It captures the time it took for its initial packet to return the icmp-ttl-expired which is how it generates the list of intervening hosts and ping times it displays.
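The mechanism in the post above, as an added example rather than code from the thread: UDP probes go out with TTL 1, 2, 3 and so on, each router whose counter hits zero answers with ICMP Time Exceeded (type 11), and the destination itself answers the last probe with Port Unreachable (type 3, code 3), which ends the trace. The part a practitioner usually gets wrong is matching a reply to its probe: an ICMP error carries the IP header and first 8 bytes of the packet that caused it, so the UDP destination port inside the reply identifies the hop. parse_icmp_error does that and runs offline; traceroute itself needs a raw socket (root or CAP_NET_RAW). The sample datagrams are constructed, with ICMP checksums left at zero since the parser does not verify them; BASE_PORT follows the usual traceroute convention.

```python
"""Traceroute by incrementing TTL, with parsing of the ICMP errors it relies on.
Added example for this thread, not code from the original post."""
import socket
import struct
import time

ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
BASE_PORT = 33434  # conventional start of the traceroute UDP port range


def parse_icmp_error(datagram: bytes):
    """Decode an ICMP error datagram as read from a raw socket (IP header
    included).  Returns (kind, router_ip, probe_dst_port), or None when the
    datagram is not a reply to a UDP traceroute probe."""
    ihl = (datagram[0] & 0x0F) * 4
    router_ip = socket.inet_ntoa(datagram[12:16])
    icmp = datagram[ihl:]
    if len(icmp) < 8 + 20:          # ICMP header + embedded IP header
        return None
    typ, code = icmp[0], icmp[1]
    inner = icmp[8:]                 # the packet that triggered the error
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != socket.IPPROTO_UDP or len(inner) < inner_ihl + 4:
        return None
    _src_port, dst_port = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    if typ == ICMP_TIME_EXCEEDED and code == 0:
        return "ttl-exceeded", router_ip, dst_port
    if typ == ICMP_DEST_UNREACH and code == 3:
        return "port-unreachable", router_ip, dst_port
    return None


def traceroute(host, max_hops=30, timeout=2.0):
    """Returns [(ttl, router_ip or None, rtt_ms or None), ...].  Needs raw sockets."""
    dest = socket.gethostbyname(host)
    hops = []
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.settimeout(timeout)
        for ttl in range(1, max_hops + 1):
            tx.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
            port = BASE_PORT + ttl            # one port per hop, to match replies
            start = time.monotonic()
            tx.sendto(b"", (dest, port))
            kind = None
            while time.monotonic() - start < timeout:
                try:
                    datagram, _ = rx.recvfrom(1500)
                except socket.timeout:
                    break
                parsed = parse_icmp_error(datagram)
                if parsed and parsed[2] == port:   # ignore unrelated ICMP traffic
                    kind, router, _ = parsed
                    hops.append((ttl, router, round((time.monotonic() - start) * 1000, 2)))
                    break
            if kind is None:
                hops.append((ttl, None, None))      # silent hop, printed as * by traceroute
            elif kind == "port-unreachable":
                break                              # the destination answered
    return hops


def sample_icmp_error(router="10.0.0.254", probe_port=BASE_PORT + 1,
                      typ=ICMP_TIME_EXCEEDED, code=0):
    """Constructed datagram for offline testing: router -> us, quoting our UDP
    probe (10.0.0.2 -> 10.0.0.99).  Checksums left zero; not verified here."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, socket.IPPROTO_UDP,
                           0, socket.inet_aton("10.0.0.2"), socket.inet_aton("10.0.0.99"))
    udp = struct.pack("!HHHH", 40000, probe_port, 8, 0)
    icmp = struct.pack("!BBHI", typ, code, 0, 0) + inner_ip + udp
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                           socket.IPPROTO_ICMP, 0, socket.inet_aton(router),
                           socket.inet_aton("10.0.0.2"))
    return outer_ip + icmp


if __name__ == "__main__":
    print(parse_icmp_error(sample_icmp_error()))
```

Real traceroute implementations send three probes per TTL and vary the port per probe; the single-probe loop here keeps the mechanism visible.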