-
March 18th, 2004, 01:08 PM
#1
Member
TTL Packets
Hi,
Anybody know how to read the TTL packets ??...
We can send TTL packets via the tracert command, and I've read that the ICMP message that we receive contains the TTL packet. How can we read the contents of the TTL packet (via which we can trace, to medium accuracy, the target client's running operating system)?
Is there any software used to view the contents of the TTL packets sent or received ???
-
March 18th, 2004, 01:29 PM
#2
Just a quick question...you DO know what TTL is right?
Remember -
The ark was built by amateurs...
The Titanic was built by professionals.
-
March 18th, 2004, 01:45 PM
#3
Member
Sorry
Can anybody explain to me more about TTL packets?
-
March 18th, 2004, 01:58 PM
#4
TTL is the Time to Live.
If you sent out a packet that got caught in a routing loop (one router is misconfigured to return packets sent to it from another router), then the packet would forever bounce backwards and forwards between the two routers. The TTL is a "counter". It is set by the OS for every outbound packet. Each router the packet passes through checks the TTL. If it is > 0 then the router decrements the counter by one and sends it off on its merry way. If it = 0 when received then the router will not forward the packet and will send an ICMP "expired in transit" to the source of the packet.
You can "identify" OS's by the TTL because the differing implementations of the TCP stack set the TTL differently. The Windows stack sets the TTL to 64 while *nix stacks set it to 128 (IIRC). But that's about it. It is not a reliable way to determine OS. Better to use NMap with OS detection turned on if you want to be active about determining the remote OS, or P0f if you want to be passive about the determination.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 18th, 2004, 02:20 PM
#5
Exactly. TTL isn't A packet, but part of it.
Remember -
The ark was built by amateurs...
The Titanic was built by professionals.
-
March 19th, 2004, 02:46 AM
#6
I agree with Tiger about TTL's not being a very good way to pinpoint a remote OS or any OS for that matter. Mainly because default TTL values on Windows OS's can be easily changed through Regedit with hardly any effort. Although a little tougher on Linux, it's still possible to change the "hardcoded" TTL.
I changed my default TTL and then pinged myself to see if indeed the value was changed and it was showing whatever value I placed in it.
So Mighty, I wouldn't even say you're achieving medium accuracy, as these TTL values you may be seeing are not even remotely indicative of the OS on the computer.
Note: Tiger, I thought the default TTL varied on Windows from 32 (Windows 95, 98, NT 3.51) to 128 (Windows NT 4.0) and that Linux's default TTL was 64. Has it changed?
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
March 19th, 2004, 02:55 AM
#7
Hey Hey,
While the TTL isn't the greatest way to do remote OS detection, it is a quiet way to aggressively scan. p0f is fine, if you want to wait for a connection back to you, however if you want to push forward, then ICMP OS Detection works just fine. TTL is actually the basis of the script I posted in another thread. I've given a brief description of it over there. Feel free to check it out, and put it to use.
http://www.antionline.com/showthread...hreadid=255887
Peace,
HT
-
March 19th, 2004, 02:57 AM
#8
ShagDevil you are right.
Reply from 192.18.0.0: bytes=32 time<1ms TTL=128
Windows TTL is at 128. Linux is based at half of that, which equals 64.
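Two things in this thread lend themselves to a small worked example: post #4's description of routers decrementing the TTL and returning an ICMP "expired in transit" message when it runs out, and post #8's ping reply line with TTL=128. The script below is an added example, not code posted by anyone in the thread. It simulates the hop-by-hop decrement (including a routing loop) and parses ping reply lines to estimate the sender's initial TTL and the number of hops it crossed. The lookup table of default initial TTLs is a constructed, commonly cited heuristic; as the thread itself points out, hosts can change their default, so the "hint" column is at best a weak indicator and nothing more.

```python
import re

# Commonly cited default initial TTLs (constructed lookup for this example).
# Posts in the thread disagree on the exact values, and a host can change
# its default, so treat the hint as a rough heuristic only.
DEFAULT_TTLS = {
    32: "older Windows (9x / NT 3.51)",
    64: "Linux / BSD",
    128: "Windows NT 4.0 and later",
    255: "network devices (routers, some Unix variants)",
}

# Matches "TTL=128" (Windows ping) or "ttl=52" (Unix ping).
TTL_RE = re.compile(r"\bTTL=(\d+)\b", re.IGNORECASE)


def traverse(initial_ttl, routers_to_destination):
    """Simulate post #4: every router decrements the TTL; when it reaches 0
    the packet is dropped and an ICMP Time Exceeded goes back to the source.
    routers_to_destination=None models a routing loop (no destination).
    Returns ("delivered", remaining_ttl) or ("time exceeded", router_index)."""
    ttl = initial_ttl
    crossed = 0
    while routers_to_destination is None or crossed < routers_to_destination:
        ttl -= 1
        crossed += 1
        if ttl == 0:
            return ("time exceeded", crossed)
    return ("delivered", ttl)


def parse_ttl(reply_line):
    """Extract the TTL field from a ping reply line; None if absent/invalid."""
    m = TTL_RE.search(reply_line)
    if not m:
        return None
    ttl = int(m.group(1))
    if not 0 <= ttl <= 255:
        return None
    return ttl


def guess_initial_ttl(observed_ttl):
    """Routers only ever decrement, so the sender's initial TTL is the
    smallest known default that is >= the observed value."""
    for initial in sorted(DEFAULT_TTLS):
        if observed_ttl <= initial:
            return initial
    return None


def classify(reply_line):
    """Return observed TTL, guessed initial TTL, hop estimate and OS hint."""
    ttl = parse_ttl(reply_line)
    if ttl is None:
        return None
    initial = guess_initial_ttl(ttl)
    return {
        "ttl": ttl,
        "initial": initial,
        "hops": initial - ttl,
        "hint": DEFAULT_TTLS[initial],
    }


if __name__ == "__main__":
    # Constructed sample lines: the first is the format quoted in post #8,
    # the second is a Unix-style reply from a host 12 hops away.
    samples = [
        "Reply from 192.18.0.0: bytes=32 time<1ms TTL=128",
        "64 bytes from 10.0.0.1: icmp_seq=1 ttl=52 time=12.3 ms",
        "Request timed out.",
    ]
    for line in samples:
        print(line, "->", classify(line))
    print("10 routers, TTL 64:", traverse(64, 10))
    print("routing loop, TTL 64:", traverse(64, None))
```

The hop estimate is only as good as the guessed initial TTL: an observed value of 52 is read as 64 minus 12 hops, but a Windows host whose default was lowered to 60 would produce the same reading with 8 hops, which is exactly why the thread recommends tools such as NMap or p0f that look at many more stack characteristics than this one byte.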
-
March 19th, 2004, 03:13 AM
#9
Banned
Going by what TigerShark suggested with NMap, check this tutorial out.
agent.idle
-
March 19th, 2004, 04:54 AM
#10
I agree with HT here. While nmap is the number one scanner, most of the time you don't need something like that. I have both ethereal and packetmon on my box. Most of the time I don't need all the info ethereal gives me, like when I want to know if and to where the new software phones home. The TTL is fairly reliable. Not that many fake it.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”