[Snort-users] [Fwd: Several Misbehaviors with the ICMP implementation (and the 'ping' utility) with MS based operating systems]

Martin Roesch roesch at ...1935...
Sun May 6 16:10:25 EDT 2001


What exactly is it that you want to detect?

    -Marty

Edwin Chiu wrote:
> 
> Is there a snort signature for these packets? From what I remember, I don't
> think snort 1.7 can do it... what about 1.8?
> 
> Edwin
> 
> -------- Original Message --------
> Subject: Several Misbehaviors with the ICMP implementation (and the
> 'ping' utility) with MS based operating systems
> Date: Thu, 3 May 2001 06:51:26 -0700
> From: Ofir Arkin <ofir at ...1987...>
> Reply-To: Ofir Arkin <ofir at ...1987...>
> To: BUGTRAQ at ...220...
> 
> RFC 792 (Internet Control Message Protocol) suggests how the ICMP Identifier
> field and the ICMP Sequence Number field should be used:
> 
> "The identifier and sequence number may be used by the echo sender to aid in
> matching the replies with the echo requests.  For example, the identifier
> might be used like a port in TCP or UDP to identify a session, and the
> sequence number might be incremented on each echo request sent.  The echoer
> returns these same values in the echo reply".
> 
> It literally suggests that the ICMP Identifier field will be used to
> differentiate between ICMP Query messages sent to different hosts. It also
> suggests that the ICMP Sequence Number field will be used to differentiate
> between the ICMP query messages sent to the same host.
> 
> The 'ping' utility with UNIX and UNIX-like operating systems has adopted
> this suggestion.
> 
> When examining the behavior of the 'ping' utility with Microsoft Windows
> based operating systems I have encountered a different behavioral pattern.
> 
> The next example is a trace (using the windump program -
> http://netgroup-serv.polito.it/windump/install/Default.htm) of ICMP Echo
> requests initiated by launching two ping commands at the same time from a
> Microsoft Windows 2000 SP1 operating system based machine. One instance was
> aimed at the host 172.18.1.2, and the other at the host 172.18.1.134:
> 
> E:\>windump -xnvv -s 1600 icmp
> windump: listening on\Device\Packet_{79C233F1-6CD7-49EB-8FA2-FA825CB1C9C3}
> 11:31:21.848025 172.18.1.179 > 172.18.1.2: icmp: echo request (ttl 128, id
> 11071)
>                          4500 003c 2b3f 0000 8001 b4a8 ac12 01b3
>                          ac12 0102 0800 265c 0300 2400 6162 6364
>                          6566 6768 696a 6b6c 6d6e 6f70 7172 7374
>                          7576 7761 6263 6465 6667 6869
> 
> 11:31:22.221772 172.18.1.179 > 172.18.1.134: icmp: echo request (ttl 128, id
> 11075)
>                          4500 003c 2b43 0000 8001 b420 ac12 01b3
>                          ac12 0186 0800 255c 0300 2500 6162 6364
>                          6566 6768 696a 6b6c 6d6e 6f70 7172 7374
>                          7576 7761 6263 6465 6667 6869
> 
> 11:31:22.844726 172.18.1.179 > 172.18.1.2: icmp: echo request (ttl 128, id
> 11077)
>                          4500 003c 2b45 0000 8001 b4a2 ac12 01b3
>                          ac12 0102 0800 245c 0300 2600 6162 6364
>                          6566 6768 696a 6b6c 6d6e 6f70 7172 7374
>                          7576 7761 6263 6465 6667 6869
> 
> 11:31:23.215222 172.18.1.179 > 172.18.1.134: icmp: echo request (ttl 128, id
> 11078)
>                          4500 003c 2b46 0000 8001 b41d ac12 01b3
>                          ac12 0186 0800 235c 0300 2700 6162 6364
>                          6566 6768 696a 6b6c 6d6e 6f70 7172 7374
>                          7576 7761 6263 6465 6667 6869
> 
> 11:31:23.846116 172.18.1.179 > 172.18.1.2: icmp: echo request (ttl 128, id
> 11079)
>                          4500 003c 2b47 0000 8001 b4a0 ac12 01b3
>                          ac12 0102 0800 225c 0300 2800 6162 6364
>                          6566 6768 696a 6b6c 6d6e 6f70 7172 7374
>                          7576 7761 6263 6465 6667 6869
> 
> 11:31:24.216645 172.18.1.179 > 172.18.1.134: icmp: echo request (ttl 128, id
> 11080)
>                          4500 003c 2b48 0000 8001 b41b ac12 01b3
>                          ac12 0186 0800 215c 0300 2900 6162 6364
>                          6566 6768 696a 6b6c 6d6e 6f70 7172 7374
>                          7576 7761 6263 6465 6667 6869
> 
> As can be seen, the ICMP Identifier field value is the same with both
> instances. This is regardless of the fact that we are using the 'ping' utility to
> send ICMP Echo requests to two separate hosts. The number assigned to this
> field is 768 decimal.
> 
> So how does the 'ping' utility with Microsoft based operating systems
> differentiate between the different ICMP Queries?
> The 'ping' utility is using the Sequence Number field. For each ICMP Echo
> Request the ICMP Sequence Number is a unique number. The gap between one
> ICMP Sequence Number field value to another is 100 hex/256 decimal.
> 
> This raises another interesting question.
> 
> If the ICMP Identifier field has a constant value, can we identify the
> different Microsoft operating systems passively when someone is using the
> 'ping' utility to query our machines?
> 
> Yes.
> 
> Microsoft Windows NT - 256
> 
> Microsoft Windows 98/98SE - 512
> Microsoft Windows 2000 - 512
> 
> Microsoft Windows ME - 768
> Microsoft Windows 2000 Family with SP1 - 768
> 
> With the 'ping' utility with Microsoft based operating systems the values
> assigned for the different ICMP datagram fields are OS based (in contrast
> with the 'ping' utility on UNIX and UNIX-like operating systems, which uses
> the application's own values for the different ICMP datagram fields). When
> using other applications with Microsoft based operating systems to generate
> ICMP Query messages, the ICMP Identifier field values will still be the same
> as they were with the 'ping' utility, if these applications are using the
> Microsoft MFC.
> 
> Therefore whenever we see an ICMP Query datagram with an ICMP Identifier
> field value of 256/512/768 it will indicate that the underlying operating
> system in use is MS based.
> 
> We can also look at the ICMP Sequence Number field value for extra
> information. The 'ping' utility with MS based operating systems will issue
> its first ICMP Query message with the ICMP Sequence Number field set to a
> value of 256 (the 'ping' utility with UNIX and UNIX-like operating systems
> will have this field value set to 0 on its first query to a Host). This
> field value will increase with 256 decimal each time we send an ICMP Query
> message (with the UNIX and UNIX-like 'ping' utility the field value will
> increase only if we are sending sequential Queries. Each time we issue the
> 'ping' command this field value will be set to 0 on the first query to be
> sent).
> 
> We can even calculate the number of ICMP Query messages a Windows based OS
> has issued since the last boot time. All we need to do is divide the ICMP
> Sequence Number field value by 256.
> 
> Microsoft can argue that their ICMP implementation is not in contrast with
> RFC 792, since the term that was used in order to describe the usage of the
> ICMP Identifier field was "may be used". But if we use common sense, then
> what role does the ICMP Identifier field have in the Microsoft case?
> 
> Ofir Arkin [ofir at ...949...]
> Founder
> The Sys-Security Group
> http://www.sys-security.com
> PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
> 

--
Martin Roesch
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org
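The check the thread is asking about, as an added example that is not code from the thread or from Snort: it parses the first two Echo requests from the windump trace quoted above and applies the identifier table and the 256-step sequence rule from Ofir's post. The OS labels come from the post, the two hex packets are copied from the trace (truncated to the headers), and the big-endian reading of the Identifier/Sequence fields is the one the post uses.

```python
"""Passive check for the Microsoft 'ping' ICMP Identifier/Sequence pattern
described in the quoted post. Added example; not part of the original thread."""
import struct

# Constructed from the first two packets in the trace above (IP + ICMP headers only).
TRACE_HEX = [
    "4500 003c 2b3f 0000 8001 b4a8 ac12 01b3 ac12 0102 0800 265c 0300 2400",
    "4500 003c 2b43 0000 8001 b420 ac12 01b3 ac12 0186 0800 255c 0300 2500",
]

# ICMP Identifier values the post attributes to Microsoft ping implementations.
MS_PING_IDS = {
    256: "Windows NT",
    512: "Windows 98/98SE or Windows 2000",
    768: "Windows ME or Windows 2000 SP1",
}


def parse_echo(hex_words):
    """Return (src, dst, icmp_type, ident, seq) from a hex dump of an IPv4/ICMP packet."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4            # IPv4 header length in bytes (handles options)
    if raw[9] != 1:                       # IPv4 protocol field: 1 == ICMP
        raise ValueError("not an ICMP packet")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    # ICMP header: type, code, checksum, identifier, sequence (network byte order)
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[ihl:ihl + 8])
    return src, dst, icmp_type, ident, seq


def fingerprint(ident, seq):
    """Apply the post's heuristics: a known constant identifier plus a sequence
    number that is a multiple of 256 suggests an MS 'ping'; seq/256 is the
    number of queries sent since boot, as the post claims."""
    family = MS_PING_IDS.get(ident)
    if family is None or seq % 256 != 0:
        return None
    return {"os": family, "queries_since_boot": seq // 256}


def scan(trace):
    """Run the check over a list of hex-dumped packets; returns one tuple per hit."""
    hits = []
    for words in trace:
        src, dst, icmp_type, ident, seq = parse_echo(words)
        if icmp_type != 8:                # only Echo requests carry the sender's own id/seq
            continue
        fp = fingerprint(ident, seq)
        if fp:
            hits.append((src, dst, ident, seq, fp["os"], fp["queries_since_boot"]))
    return hits
```

The same match is expressible in a Snort rule with the `itype`, `icmp_id` and `icmp_seq` options, but the identifier alone is a weak signal, since any MFC-based application on those systems produces it.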