From: Ofir Arkin
Date: Sun Apr 6, 2003 11:44:41 PM Asia/Jerusalem
To: bugtraq
Subject: Using ICMP queries to fingerprint some networking equipment

Networking equipment can be identified using a variety of methods. The following are two new, and simple, fingerprinting methods (or observations) tailored towards networking gear.

A. IP ID in ICMP query replies

When a Cisco router (as an example), running either IOS version 11.x or IOS version 12.x, answers an ICMP query of any sort (by default it answers ICMP echo requests, ICMP timestamp requests, and ICMP information requests), it reuses the IP ID of the ICMP query in its reply.

The following example is with a Cisco router running IOS version 12.0:

12:47:53.362082 x.x.x.x > y.y.y.y: icmp: echo request (ttl 255, id 13170, len 36)
4500 0024 3372 0000 ff01 46ee xxxx xxxx yyyy yyyy
0800 db09 bc0d 0000 792a 353e ad7f 0500

12:47:53.364015 y.y.y.y > x.x.x.x: icmp: echo reply (ttl 255, id 13170, len 36)
4500 0024 3372 0000 ff01 46ee yyyy yyyy xxxx xxxx
0000 e309 bc0d 0000 792a 353e ad7f 0500 0000 0000
0000 0000 0000

This behavior was observed with other networking equipment such as backbone ATM routers, Redback equipment, etc. Please note that other parameters might be reused as well; for example, with Cisco IOS 11.x and 12.x these are the TOS value (if no QoS is enforced), the DF bit, the MF bit, etc.

B. IP ID in ICMP error messages

When several kinds of networking equipment produce ICMP time-to-live exceeded in transit error messages (and other ICMP error messages), the error message reuses the IP ID of the packet that triggered it. For example:

04/05-12:39:11.699567 x.x.x.x:33900 -> y.y.y.y:33438
UDP TTL:2 TOS:0x0 ID:4310 IpLen:20 DgmLen:40
Len: 12
04 02 00 00 5F C0 8E 3E A5 AC 0A 00  ...._..>....

04/05-12:39:11.708903 y.y.y.y -> x.x.x.x
ICMP TTL:63 TOS:0x0 ID:4310 IpLen:20 DgmLen:56
Type:11 Code:0 TTL EXCEEDED IN TRANSIT
00 00 00 00 45 00 00 28 10 D6 00 00 00 11 49 2B  ....E..(......I+
C0 A8 00 05 D8 E6 C7 30 84 6C 82 9E 00 14 00 00  .......0.l......

Examples: Redback, ATM routers. Please note that other parameters might be reused as well.

The xprobe2 0.1 release has the ability to check for these fingerprinting issues with the "IP ID = SENT" parameter. You can download the xprobe2 0.1 release from [1].

Yours,
Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

[1] http://www.sys-security.com/archive/tools/xprobe2/xprobe2-0.1.tar.gz
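A passive check for both observations above, added here as an example (not code from this post or from xprobe2): it decodes the IPv4 and ICMP headers of captured packets and reports which of the fields the post lists (IP ID, TOS, DF, MF) the responder copied from the packet that triggered it, pairing an echo reply with its request for case A and comparing an ICMP error against the header it quotes for case B. The sample packets are the post's hex dumps with the masked x.x.x.x / y.y.y.y addresses replaced by RFC 5737 documentation addresses; the ICMP error's outer IP header, which the Snort output only shows decoded, is constructed to match it, and checksums are not verified.

```python
import struct

# Constructed samples: the post's tcpdump dumps with the masked addresses replaced
# by RFC 5737 documentation addresses (192.0.2.1 probes, 198.51.100.1 answers).
ECHO_REQUEST = bytes.fromhex(
    "4500 0024 3372 0000 ff01 46ee c000 0201 c633 6401"
    "0800 db09 bc0d 0000 792a 353e ad7f 0500")
ECHO_REPLY = bytes.fromhex(
    "4500 0024 3372 0000 ff01 46ee c633 6401 c000 0201"
    "0000 e309 bc0d 0000 792a 353e ad7f 0500 0000 0000 0000 0000 0000")
# Snort shows the error's outer IP header only decoded (ID 4310 = 0x10d6, TTL 63,
# DgmLen 56), so it is constructed here; the ICMP body follows the post's dump.
TTL_EXCEEDED = bytes.fromhex(
    "4500 0038 10d6 0000 3f01 0000 c633 6401 c000 0201"   # outer IPv4 header (checksum zeroed)
    "0b00 0000 0000 0000"                                  # ICMP type 11, code 0, unused word
    "4500 0028 10d6 0000 0011 492b c000 0201 cb00 7109"   # quoted inner IPv4 header of the UDP probe
    "846c 829e 0014 0000")                                 # quoted inner UDP header

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields the post says may be copied, plus what is needed to pair packets."""
    ver_ihl, tos, total_len, ip_id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    return {"tos": tos, "id": ip_id, "df": bool(flags_frag & 0x4000),
            "mf": bool(flags_frag & 0x2000), "ttl": ttl, "proto": proto,
            "src": pkt[12:16], "dst": pkt[16:20], "payload": pkt[ihl:total_len]}

def reused_fields(trigger: dict, response: dict) -> list:
    """Header fields the response carries unchanged from the packet that triggered it."""
    return [f for f in ("id", "tos", "df", "mf") if trigger[f] == response[f]]

def check_query_reply(request: bytes, reply: bytes) -> list:
    """Case A: compare only once the reply is verified to belong to this echo request."""
    req, rep = parse_ipv4(request), parse_ipv4(reply)
    if (req["proto"], rep["proto"]) != (1, 1) or (req["src"], req["dst"]) != (rep["dst"], rep["src"]):
        return []
    req_icmp, rep_icmp = req["payload"][:8], rep["payload"][:8]
    # Echo request (type 8) answered by echo reply (type 0) with the same identifier/sequence.
    if req_icmp[0] != 8 or rep_icmp[0] != 0 or req_icmp[4:8] != rep_icmp[4:8]:
        return []
    return reused_fields(req, rep)

def check_icmp_error(error: bytes) -> list:
    """Case B: an ICMP error quotes the offending IP header, so a single packet is enough."""
    err = parse_ipv4(error)
    if err["proto"] != 1 or err["payload"][0] not in (3, 4, 5, 11, 12):
        return []
    quoted = parse_ipv4(err["payload"][8:])   # inner header starts after the 8-byte ICMP header
    return reused_fields(quoted, err)
```

A stack that assigns a fresh IP ID to its replies drops "id" from the returned list, which is the distinction the post's fingerprint relies on.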