Various ICMP packets
RFC 1812 limits the rate at which error messages are sent out from a host, and different vendors have interpreted this in various ways. By sending packets to random closed UDP ports and counting the number of unreachable messages returned in a time period, we may be able to recognize the host OS.
Utilizing ICMP message quoting also reveals information about the underlying OS. The standard dictates that only the header and 8 bytes should be returned; the quoted header itself is modified by some implementations.
Passive Operating System Identification
In his recent passive fingerprinting document referenced below, Lance Spitzner details techniques for identifying a remote OS by monitoring traffic from the host. This is particularly useful for a site under attack, as the remote OS can be identified without directly querying the remote system and drawing attention.
Essentially, four key characteristics of the network packets are examined and compared to a reference database of observed packets from known operating systems:
• TTL - Time To Live of the outbound packet.
• Window Size - Packet window size.
• DF - Don't Fragment bit.
• TOS - any Type of Service parameters.
The technique relies heavily upon sophisticated database
interrogations. This technique of OS identification presents many
interesting opportunities, particularly in the computer forensics field.
From an attack perspective, browsing a web site and analyzing the
response packets to identify the OS provides a powerful and stealthy
technique to a potential attacker.
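The four-field comparison described above, as an added example that is not part of the original post: it parses a raw IPv4/TCP packet, pulls out TTL, window size, DF and TOS, normalizes the observed TTL back to its likely initial value, and looks the tuple up in a small signature table. The signature table and the test packet are constructed for illustration and are not a real reference database.

```python
import struct

# Constructed signature table for illustration only, not a real reference
# database: (initial TTL, window size, DF set, TOS) -> label.
SIGNATURES = {
    (64, 5840, True, 0): "linux-like (constructed)",
    (128, 65535, True, 0): "windows-like (constructed)",
    (255, 8760, False, 0x10): "solaris-like (constructed)",
}

def initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value.
    Each router hop decrements TTL by one, so a packet seen with TTL 57
    most likely left its host with TTL 64."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return observed_ttl

def extract_features(packet):
    """Pull the four passive-fingerprinting fields from a raw IPv4+TCP packet (no link layer)."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, tos, _, _, flags_frag, ttl, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes (options included)
    tcp = packet[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    window = struct.unpack("!H", tcp[14:16])[0]   # window field: TCP header bytes 14-15
    return {"ttl": ttl, "window": window, "df": bool(flags_frag & 0x4000), "tos": tos}

def fingerprint(packet):
    """Return (label, features); label is 'unknown' when no signature matches."""
    f = extract_features(packet)
    key = (initial_ttl(f["ttl"]), f["window"], f["df"], f["tos"])
    return SIGNATURES.get(key, "unknown"), f

def build_syn(ttl, window, df, tos):
    """Construct a minimal IPv4/TCP SYN for offline testing (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    pkt = build_syn(ttl=57, window=5840, df=True, tos=0)   # as seen 7 hops from the sender
    print(fingerprint(pkt))
```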