
Kernel 2.4.x fingerprinting issues
Vulnerability

    kernel

Affected

    Linux Kernel 2.4.x

Description

    Ofir Arkin found the following. While playing with Linux Kernel
    2.4.2, Ofir encountered a rather simple operating system
    fingerprinting method that uses the ICMP protocol to identify
    machines running Linux Kernel 2.4.

    In the following example 192.168.1.1 is a Linux machine running
    Kernel 2.2.14 and 192.168.1.10 is a Linux machine running Kernel
    2.4.2. We are using the 'ping' utility to generate the ICMP Echo
    requests:

        17:23:03.623486 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl 64, id 68)
                4500 0054 0044 0000 4001 f709 c0a8 0101
                c0a8 010a 0800 0600 9808 0000 c734 d93c
                c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
                1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
                2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
                3435 3637
        17:23:03.623779 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF) (ttl 255, id 0)
                4500 0054 0000 4000 ff01 f84c c0a8 010a
                c0a8 0101 0000 0e00 9808 0000 c734 d93c
                c582 0900 0809 0a0b 0c0d 0e0f 1011 1213
                1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
                2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
                3435 3637
        17:23:04.622911 eth0 > 192.168.1.1 > 192.168.1.10: icmp: echo request (ttl 64, id 69)
                4500 0054 0045 0000 4001 f708 c0a8 0101
                c0a8 010a 0800 ef01 9808 0100 c834 d93c
                da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
                1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
                2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
                3435 3637
        17:23:04.623200 eth0 < 192.168.1.10 > 192.168.1.1: icmp: echo reply (DF) (ttl 255, id 0)
                4500 0054 0000 4000 ff01 f84c c0a8 010a
                c0a8 0101 0000 f701 9808 0100 c834 d93c
                da80 0900 0809 0a0b 0c0d 0e0f 1011 1213
                1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
                2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
                3435 3637

    The IP ID of the ICMP Echo replies is 0 and does not change (the DF
    bit is set as well). In the hex dumps this is the "0000 4000" pair
    at offset 4 of the IP header: an identification field of 0 followed
    by a flags field with only DF set, whereas the Kernel 2.2.14
    requests carry an incrementing ID (0044, 0045) and no DF bit.

    Ofir tried this with the ICMP Timestamp mechanism as well. This time
    he used the 'sing' utility to generate the requests (which is why
    the IP ID of the requests equals 13170, 0x3372 in the dump):

        17:22:10.119231 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request (ttl 255, id 13170)
                4500 0028 3372 0000 ff01 0507 c0a8 0101
                c0a8 010a 0d00 041c 9508 0000 0315 56c6
                0000 0000 0000 0000
        17:22:10.119431 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply (DF) (ttl 255, id 0)
                4500 0028 0000 4000 ff01 f878 c0a8 010a
                c0a8 0101 0e00 42b5 9508 0000 0315 56c6
                03b1 5c82 03b1 5c82 0000 0000 0000
        17:22:11.112908 eth0 > 192.168.1.1 > 192.168.1.10: icmp: time stamp request (ttl 255, id 13170)
                4500 0028 3372 0000 ff01 0507 c0a8 0101
                c0a8 010a 0d00 ff39 9508 0100 0315 5aa8
                0000 0000 0000 0000
        17:22:11.113151 eth0 < 192.168.1.10 > 192.168.1.1: icmp: time stamp reply (DF) (ttl 255, id 0)
                4500 0028 0000 4000 ff01 f878 c0a8 010a
                c0a8 0101 0e00 35fb 9508 0100 0315 5aa8
                03b1 606e 03b1 606e d039 0100 d039

    Again the IP ID of the replies is 0 (and the DF bit is set).

    Even when the machine running Linux Kernel 2.4.2 is the one sending
    the ICMP Echo requests, the IP ID is fixed at 0 and the DF bit is
    set. In the Snort output below 172.18.2.201 is the Kernel 2.4.2
    machine; the replies from 172.18.2.200 carry an incrementing IP ID
    (12812, 12813) and no DF bit, so the zero ID is a property of the
    2.4.2 host rather than of the exchange:

        05/08/01-15:09:59.573546 172.18.2.201 -> 172.18.2.200
        ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
        Type:8  Code:0  ID:8741   Seq:0  ECHO
        17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:b...........
        10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
        20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
        30 31 32 33 34 35 36 37                          01234567
        
        =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
        
        05/08/01-15:09:59.573546 172.18.2.200 -> 172.18.2.201
        ICMP TTL:128 TOS:0x0 ID:12812 IpLen:20 DgmLen:84
        Type:0  Code:0  ID:8741  Seq:0  ECHO REPLY
        17 E2 F7 3A 62 D5 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:b...........
        10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
        20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
        30 31 32 33 34 35 36 37                          01234567
        
        =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
        
        05/08/01-15:10:00.573546 172.18.2.201 -> 172.18.2.200
        ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
        Type:8  Code:0  ID:8741   Seq:256  ECHO
        18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:............
        10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
        20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
        30 31 32 33 34 35 36 37                          01234567
        
        =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
        
        05/08/01-15:10:00.573546 172.18.2.200 -> 172.18.2.201
        ICMP TTL:128 TOS:0x0 ID:12813 IpLen:20 DgmLen:84
        Type:0  Code:0  ID:8741  Seq:256  ECHO REPLY
        18 E2 F7 3A 1F C3 08 00 08 09 0A 0B 0C 0D 0E 0F  ...:............
        10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
        20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
        30 31 32 33 34 35 36 37                          01234567
        
        =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    This operating system fingerprinting method can be applied to Linux
    Kernel 2.4 both passively (by observing ICMP replies on the wire)
    and actively (by sending the probes shown above).
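    As an added defensive example (not part of the advisory and not Ofir
    Arkin's tooling), the following Python decodes the IPv4 header of a
    captured packet, verifies its checksum, and reports whether an ICMP
    Echo or Timestamp reply carries the zero IP ID plus DF bit described
    above; the sample packets are copied from the hex dumps on this page,
    and hosts_with_signature sweeps a capture passively so an
    administrator can see which of their own hosts expose the signature.

```python
import struct
from collections import namedtuple

# Constructed samples copied from the advisory's hex dumps (IP header plus first ICMP words).
LINUX24_ECHO_REPLY = bytes.fromhex(      # Kernel 2.4.2 echo reply: id 0, DF set
    "4500 0054 0000 4000 ff01 f84c c0a8 010a c0a8 0101 0000 0e00 9808 0000")
LINUX24_TS_REPLY = bytes.fromhex(        # Kernel 2.4.2 timestamp reply: id 0, DF set
    "4500 0028 0000 4000 ff01 f878 c0a8 010a c0a8 0101 0e00 42b5 9508 0000")
LINUX22_ECHO_REQUEST = bytes.fromhex(    # Kernel 2.2.14 echo request: id 68, no DF
    "4500 0054 0044 0000 4001 f709 c0a8 0101 c0a8 010a 0800 0600 9808 0000")

ICMP_REPLY_TYPES = {0: "echo reply", 14: "timestamp reply"}
IPv4Header = namedtuple("IPv4Header", "ihl ident df ttl proto checksum_ok src dst")

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words with end-around carry."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fixed IPv4 header fields and verify the header checksum."""
    ver_ihl, _tos, _tlen, ident, frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    # An intact header (checksum field included) folds to 0xFFFF.
    return IPv4Header(ihl, ident, bool(frag & 0x4000), ttl, proto,
                      ones_complement_sum(pkt[:ihl]) == 0xFFFF,
                      ".".join(map(str, src)), ".".join(map(str, dst)))

def matches_linux24_signature(pkt: bytes) -> bool:
    """True for an ICMP Echo/Timestamp reply whose IP ID is 0 and DF bit is set."""
    hdr = parse_ipv4(pkt)
    if hdr.proto != 1 or not hdr.checksum_ok or len(pkt) <= hdr.ihl:
        return False
    return pkt[hdr.ihl] in ICMP_REPLY_TYPES and hdr.ident == 0 and hdr.df

def hosts_with_signature(packets) -> set:
    """Passive sweep: source hosts all of whose ICMP replies show the signature."""
    seen, hits = {}, {}
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if hdr.proto == 1 and pkt[hdr.ihl] in ICMP_REPLY_TYPES:
            seen[hdr.src] = seen.get(hdr.src, 0) + 1
            hits[hdr.src] = hits.get(hdr.src, 0) + matches_linux24_signature(pkt)
    return {h for h in seen if seen[h] == hits[h]}
```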

Solution

    Nothing yet.
