-=[OS Specification with optimum Packets : IP ID Testing.]=-
===========================================================================
Triosec, SecNiche Security

The IP ID field is a critical part of designing and crafting packets. In most cases the ID field behaves in a predictable, generic way whenever a response comes back from the destination. A few facts about the ID field can improve the way a penetration test is carried out.

======= Jolts =======

1. Analyzing the ID field can tell you whether the target is running Linux or Windows. This trick is 80% reliable. You have to craft a certain number of packets and extract the peripheral information from the replies; the change in the IP ID between replies is what provides the information about the target. A Windows operating system (in many cases) increments the ID field by one per packet. So if a target shows the ID increasing by exactly one from reply to reply, it is most probably a Windows machine.

2. Linux, in most versions, does not increment the ID field at all: the returned responses always show an increase of [0]. That leverages the same information the other way round, pointing to a Linux or related system on the target.

3. Most firewalls and intermediate devices such as IDS randomize the IP ID precisely to throw off the information that a packet-crafting technique would otherwise extract. The point is that by sending 3-4 packets one can analyze the target system reasonably effectively, up to a certain extent.

[~/oknock] % nbtscan 172.31.1.0/24
Doing NBT name scan for addresses from 172.31.1.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.31.1.10      IWS10                                       00-07-e9-32-6d-e2
172.31.1.11      IWS11                      IWS11            00-00-00-00-00-00

[Targets]

[~/oknock] 0 % hping2 -S -r 172.31.1.10 -p 80 -c 4 -M 4000 -J -T
HPING 172.31.1.10 (eth0 172.31.1.10): S set, 40 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=172.19.1.1 name=UNKNOWN
hop=1 hoprtt=5.0 ms
E..8...............f........E..( .@.........f.......P....
len=46 ip=172.31.1.10 ttl=127 DF id=50795 sport=80 flags=SA seq=1 win=16616 rtt=0.8 ms
E..,.k@............f.P..H....... `.@..r........
len=46 ip=172.31.1.10 ttl=127 DF id=+1 sport=80 flags=SA seq=2 win=16616 rtt=0.3 ms
E..,.l@............f.P.."....... `.@.9i........
len=46 ip=172.31.1.10 ttl=127 DF id=+2 sport=80 flags=SA seq=3 win=16616 rtt=1.9 ms
E..,.n@............f.P..]....... `.@...........

--- 172.31.1.10 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.3/2.0/5.0 ms

====================================================================================
One can see that the ID field is incremented by one. Packet count is 4. Probably it is a Windows system.
====================================================================================

[~/oknock] 0 % hping2 -S -r 172.31.1.11 -p 80 -c 4 -M 4000 -J -T
HPING 172.31.1.11 (eth0 172.31.1.11): S set, 40 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=172.19.1.1 name=UNKNOWN
hop=1 hoprtt=8.9 ms
E..8.......d.......f...J....E..( ^..........f.......P....
len=46 ip=172.31.1.11 ttl=63 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=0.2 ms
E..,..@.?..(.......f.P....*^.... `.............
len=46 ip=172.31.1.11 ttl=63 DF id=+0 sport=80 flags=SA seq=2 win=5840 rtt=0.3 ms
E..,..@.?..(.......f.P...4.k.... `....J........
len=46 ip=172.31.1.11 ttl=63 DF id=+0 sport=80 flags=SA seq=3 win=5840 rtt=0.2 ms
E..,..@.?..(.......f.P.....;.... `.............

--- 172.31.1.11 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.2/2.4/8.9 ms

======================================================================================
[ So no change occurs in the ID field [0]. Probably it is a Linux system. ]
======================================================================================

Let's try a simple scan from nmap to look into it:

[~/oknock] 0 % nmap -P0 172.31.1.10 -p 80 -A --max-retries 4

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-02 13:18 IST
Interesting ports on iws10.iiita.ac.in (172.31.1.10):
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft Windows Media Server 9.00.00.3372
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows 2000|2003|XP (96%)
Aggressive OS guesses: Microsoft Windows 2000 SP4 (96%), Microsoft Windows Server 2003 Enterprise Edition 64-Bit SP1 (96%), Microsoft Windows XP SP2 (96%), Microsoft Windows XP SP2 (firewall disabled) (96%), Microsoft Windows 2003 Server SP1 (94%), Microsoft Windows 2000 Server SP4 (93%), Microsoft Windows 2000 SP3 (93%), Microsoft Windows 2000, SP0, SP1, or SP2 (93%), Microsoft Windows 2000 Server SP4 (90%), Microsoft Windows 2000 AS SP4 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 15.013 seconds

==================================================================
172.31.1.10 : A Windows system
==================================================================

[~/oknock] 0 % nmap -P0 172.31.1.11 -p 80 -A --max-retries 4

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-02 13:18 IST
Warning: OS detection for 172.31.1.11 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on iws11.iiita.ac.in (172.31.1.11):
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.3 ((Debian) PHP/5.2.0-8+etch7)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.14 - 2.6.17
Uptime: 6.114 days (since Sat Oct 27 10:34:05 2007)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 7.412 seconds

====================================================================
172.31.1.11 : a Linux System
====================================================================

Hence, with one extra step, watching the IP ID across a handful of replies, it is easy to extract information about the target.

----- 0kn0ck
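The three ID behaviours listed under Jolts can be checked mechanically instead of by eye. The Python below is an added example, not code from the original note or from SecNiche. It parses reply lines in the layout hping2 prints (with -r the first id= is absolute and later ones are +delta relative to the previous reply; without -r all are absolute), computes the per-reply increment modulo 2^16 so a wrap from 65535 reads as a small step, and labels the sequence as zero, incremental or random. The sample lines, the 192.0.2.x addresses and the hosts A/B/C are constructed for the example, and the threshold of 16 for a "small" step is an assumption. The "random" label is what you should expect from a host or middlebox that randomizes IP IDs, which is the countermeasure the third jolt describes; seeing it tells a defender the fingerprint has been blunted.

```python
import re
from typing import List, Optional, Tuple

# Matches the id= token hping2 prints: "id=50795" (absolute) or "id=+1" (relative, -r mode).
ID_RE = re.compile(r"\bid=(\+?)(\d+)\b")

# Constructed sample replies in hping2's layout (not the page's own captures).
# 192.0.2.x is a documentation range; hosts A, B and C are hypothetical.
WINDOWS_LIKE = [  # host A: id grows by a small step per reply
    "len=46 ip=192.0.2.10 ttl=127 DF id=50795 sport=80 flags=SA seq=1 win=16616 rtt=0.8 ms",
    "len=46 ip=192.0.2.10 ttl=127 DF id=+1 sport=80 flags=SA seq=2 win=16616 rtt=0.3 ms",
    "len=46 ip=192.0.2.10 ttl=127 DF id=+1 sport=80 flags=SA seq=3 win=16616 rtt=0.4 ms",
    "len=46 ip=192.0.2.10 ttl=127 DF id=+2 sport=80 flags=SA seq=4 win=16616 rtt=1.9 ms",
]
LINUX_LIKE = [  # host B: DF set and id stays 0 (Linux 2.6-era stacks send id=0 on DF packets)
    "len=46 ip=192.0.2.11 ttl=63 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=0.2 ms",
    "len=46 ip=192.0.2.11 ttl=63 DF id=+0 sport=80 flags=SA seq=2 win=5840 rtt=0.3 ms",
    "len=46 ip=192.0.2.11 ttl=63 DF id=+0 sport=80 flags=SA seq=3 win=5840 rtt=0.2 ms",
    "len=46 ip=192.0.2.11 ttl=63 DF id=+0 sport=80 flags=SA seq=4 win=5840 rtt=0.2 ms",
]
RANDOMISED = [  # host C: ids randomised by the stack or a middlebox (captured without -r)
    "len=46 ip=192.0.2.12 ttl=64 DF id=23411 sport=80 flags=SA seq=1 win=65535 rtt=0.5 ms",
    "len=46 ip=192.0.2.12 ttl=64 DF id=8820 sport=80 flags=SA seq=2 win=65535 rtt=0.4 ms",
    "len=46 ip=192.0.2.12 ttl=64 DF id=60017 sport=80 flags=SA seq=3 win=65535 rtt=0.5 ms",
    "len=46 ip=192.0.2.12 ttl=64 DF id=1201 sport=80 flags=SA seq=4 win=65535 rtt=0.4 ms",
]

MEANING = {
    "zero": "id stays 0 on DF replies: consistent with a Linux 2.6-era stack",
    "incremental": "id grows by a small step per reply: consistent with a Windows stack",
    "random": "id unpredictable: randomised by the host or an intermediate device, test inconclusive",
    "insufficient": "fewer than three replies seen, send a few more probes before concluding",
}


def parse_ids(lines: List[str]) -> List[Tuple[bool, int]]:
    """Return (is_relative, value) for every line carrying an id= token; other lines are skipped."""
    found = []
    for line in lines:
        m = ID_RE.search(line)
        if m:
            found.append((m.group(1) == "+", int(m.group(2))))
    return found


def id_deltas(lines: List[str]) -> List[int]:
    """Turn a reply set into per-reply IP ID increments, taken modulo 2^16."""
    deltas: List[int] = []
    prev_abs: Optional[int] = None
    for is_relative, value in parse_ids(lines):
        if is_relative:
            # hping2 already printed the increment relative to the previous reply
            deltas.append(value)
            if prev_abs is not None:
                prev_abs = (prev_abs + value) % 65536
        else:
            if prev_abs is not None:
                # absolute ids: difference modulo 2^16 so a wrap (65535 -> 2) reads as +3
                deltas.append((value - prev_abs) % 65536)
            prev_abs = value
    return deltas


def classify(deltas: List[int], small_step: int = 16) -> str:
    """Label an increment sequence; small_step (16) is an assumed bound for a counter-like stack."""
    if len(deltas) < 2:
        return "insufficient"
    if all(d == 0 for d in deltas):
        return "zero"
    if all(1 <= d <= small_step for d in deltas):
        return "incremental"
    return "random"


def df_set(lines: List[str]) -> bool:
    """True when every reply line carries the DF flag, the combination the zero-id case keys on."""
    replies = [line for line in lines if ID_RE.search(line)]
    return bool(replies) and all(" DF " in line for line in replies)


def describe(lines: List[str]) -> Tuple[str, bool, str]:
    """Label a reply set, report whether DF was set throughout, and explain the label."""
    label = classify(id_deltas(lines))
    return label, df_set(lines), MEANING[label]


if __name__ == "__main__":
    for name, sample in (("host A", WINDOWS_LIKE), ("host B", LINUX_LIKE), ("host C", RANDOMISED)):
        label, df, meaning = describe(sample)
        print(f"{name}: deltas={id_deltas(sample)} DF={df} -> {label}: {meaning}")
```

Feed it the `len=... id=...` lines from a capture (the hex dump and hop lines are ignored because they carry no id= token). With only the replies the page shows for each host the function reports "incremental" for the first target and "zero" for the second, matching the conclusions drawn by hand above.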