<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm Essentials Download</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX Network Programming (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif" border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">Back to start</a>][<a href="321.htm">Up one level</a>][<a href="469.htm">Next</a>]
<hr><p align="left"><small>From: scz (小四), Board: Security WWW-POST <br>
Subject: LINUX ICMP remote operating system identification <br>
Posted from: 武汉白云黄鹤站 (Mon Dec 11 13:34:57 2000), local post <br>
<br>
LINUX ICMP Error Message Quoting Size Differences (The 20 Bytes from No Where) <br>
<br>
Ofir Arkin <br>
<br>
We must understand that there are differences between the different ICMP <br>
Error messages, not only with their meaning, but also with their <br>
implementation. I was expecting that several characters with the ICMP Error <br>
messages will be the same along all of the ICMP Error Messages, but I was <br>
wrong regarding a few operating systems. <br>
<br>
The most interesting case is with the LINUX operating system based on Kernel <br>
2.2.x and 2.4.t-x. <br>
<br>
The next example is with LINUX based on Kernel 2.2.16 as the targeted <br>
machine, eliciting an ICMP Port Unreachable error message: <br>
<br>
00:21:30.199408 pop > x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 64, id 1732) <br>
4500 001c 06c4 0000 4011 c895 xxxx xxxx <br>
yyyy yyyy 0812 07d0 0008 4484 <br>
<br>
00:21:30.493691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000 <br>
unreachable Offending pkt: x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 44, id <br>
1732) [tos 0xc0] (ttl 238, id 53804) <br>
45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy <br>
xxxx xxxx 0303 a88e 0000 0000 4500 001c <br>
06c4 0000 2c11 dc95 xxxx xxxx yyyy yyyy <br>
0812 07d0 0008 4484 <br>
<br>
<br>
The quoted data is the entire offending datagram. LINUX ICMP Error messages <br>
will be up to 576 bytes long according to the LINUX source code. <br>
<br>
The next example is with LINUX as the targeted operating system. With this <br>
example I have sent a protocol scan with NMAP: <br>
<br>
13:14:56.942897 < x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623) <br>
4500 0014 92f7 0000 2726 02cb xxxx xxxx <br>
yyyy yyyy <br>
13:14:56.942964 > y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 38 unreachable <br>
Offending pkt: x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623) [tos <br>
0xc0] (ttl 255, id 1884) <br>
45c0 0044 075c 0000 ff01 b59a yyyy yyyy <br>
xxxx xxxx 0302 fb1a 0000 0000 4500 0014 <br>
92f7 0000 2726 02cb xxxx xxxx yyyy yyyy <br>
0050 dc84 ae6f 6910 0000 0000 5004 0000 <br>
bd89 0000 <br>
<br>
LINUX adds to the entire offending packet that was quoted, another 20 bytes. <br>
<br>
Since LINUX handles the ICMP Protocol Unreachable Error Messages like the <br>
ICMP Fragment Reassembly Time Exceeded Error Messages we will see the same <br>
pattern with ICMP Fragment Reassembly Time Exceeded: <br>
<br>
[root@godfather bin]# hping2 -c 1 -x -y y.y.y.y <br>
ppp0 default routing interface selected (according to /proc) <br>
HPING y.y.y.y ppp0 y.y.y.y): NO FLAGS are set, 40 headers + 0 data bytes <br>
<br>
--- y.y.y.y hping statistic --- <br>
1 packets tramitted, 0 packets received, 100% packet loss <br>
round-trip min/avg/max = 0.0/0.0/0.0 ms <br>
[root@godfather bin]# <br>
<br>
The tcpdump trace: <br>
<br>
19:49:22.999108 ppp0 > x.x.x.x.cvspserver > y.y.y.y.0: . <br>
1709055398:1709055398(0) win 512 (frag 35247:20@0+) (DF) (ttl 64) <br>
4500 0028 89af 6000 4006 e0ff xxxx xxxx <br>
yyyy yyyy 0961 0000 65de 1da6 6a01 476b <br>
5000 0200 bf71 0000 <br>
<br>
19:49:53.303196 ppp0 < y.y.y.y > x.x.x.x: icmp: ip reassembly time exceeded <br>
Offending pkt: x.x.x.x.cvspserver > y.y.y.y.0: . 1709055398:1709055398(0) <br>
win 512 (frag 35247:20@0+) (DF) (ttl 45) [tos 0xc0] (ttl 238, id 379) <br>
45c0 0058 017b 0000 ee01 1a49 yyyy yyyy <br>
xxxx xxxx 0b01 3caf 0000 0000 4500 0028 <br>
89af 6000 2d06 f3ff xxxx xxxx yyyy yyyy <br>
0961 0000 65de 1da6 6a01 476b 5000 0200 <br>
bf71 0000 601d 1f0d 7a04 5045 0100 0000 <br>
4146 4345 4a45 4f46 <br>
<br>
Since LINUX's ICMP Error messages will not be bigger than 576 bytes long, if <br>
the offending packet will be big enough (not likely in real world situation) <br>
we will not see the added 20 bytes in the ICMP Fragment Reassembly / ICMP <br>
Protocol Unreachable error messages. <br>
<br>
This unique pattern will allow us to identify LINUX based machines even if <br>
the Precedence Bits value with the LINUX ICMP Error messages will be changed <br>
to 0x000. <br>
<br>
<br>
Ofir Arkin <br>
ofir@sys-security.com <br>
http://www.sys-security.com <br>
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA <br>
<br>
Copyright (c) 2000 Sys-Security.com & Ofir Arkin All rights reserved <br>
-- <br>
</small><hr>
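An added example, not part of Ofir Arkin's post or any tool it mentions: a Python parser that takes the three ICMP replies quoted in the post and measures how far each quote runs past the offending datagram's own Total Length field, which is the 20-byte pattern the post describes. The masked hosts x.x.x.x / y.y.y.y are replaced with constructed addresses 10.0.0.1 / 10.0.0.2, and checksums are left as captured and not verified.

```python
# Added example, not part of the original post: parse an IPv4 datagram that
# carries an ICMP error and measure how much of the offending packet is quoted.
import struct

def parse_icmp_error_quote(pkt: bytes) -> dict:
    """Return header facts plus how many bytes the quote runs past the
    offending datagram's own Total Length (20 in the Linux cases above)."""
    ihl = (pkt[0] & 0x0F) * 4
    tos = pkt[1]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1:
        raise ValueError("outer datagram is not ICMP")
    icmp = pkt[ihl:total_len]
    quoted = icmp[8:]                      # bytes after the 8-byte ICMP header
    if len(quoted) < 20:
        raise ValueError("quote shorter than an IPv4 header")
    inner_len = struct.unpack("!H", quoted[2:4])[0]
    return {
        "tos": tos,
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "quoted_bytes": len(quoted),
        "offending_total_len": inner_len,
        "extra_bytes": len(quoted) - inner_len,
    }

def from_dump(dump: str, src: str = "0a000001", dst: str = "0a000002") -> bytes:
    """Turn a tcpdump -x word dump into bytes. The post masked the hosts as
    x.x.x.x / y.y.y.y; constructed 10.0.0.1 / 10.0.0.2 stand in for them."""
    words = " ".join(dump.split())
    words = words.replace("xxxx xxxx", src).replace("yyyy yyyy", dst)
    return bytes.fromhex(words.replace(" ", ""))

# The three replies from the post (hosts substituted, checksums untouched).
PORT_UNREACH = from_dump("""45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy
    xxxx xxxx 0303 a88e 0000 0000 4500 001c 06c4 0000 2c11 dc95 xxxx xxxx
    yyyy yyyy 0812 07d0 0008 4484""")
PROTO_UNREACH = from_dump("""45c0 0044 075c 0000 ff01 b59a yyyy yyyy
    xxxx xxxx 0302 fb1a 0000 0000 4500 0014 92f7 0000 2726 02cb xxxx xxxx
    yyyy yyyy 0050 dc84 ae6f 6910 0000 0000 5004 0000 bd89 0000""")
FRAG_TIMEOUT = from_dump("""45c0 0058 017b 0000 ee01 1a49 yyyy yyyy
    xxxx xxxx 0b01 3caf 0000 0000 4500 0028 89af 6000 2d06 f3ff xxxx xxxx
    yyyy yyyy 0961 0000 65de 1da6 6a01 476b 5000 0200 bf71 0000 601d 1f0d
    7a04 5045 0100 0000 4146 4345 4a45 4f46""")

if __name__ == "__main__":
    for name, pkt in [("port unreachable", PORT_UNREACH),
                      ("protocol unreachable", PROTO_UNREACH),
                      ("reassembly time exceeded", FRAG_TIMEOUT)]:
        print(name, parse_icmp_error_quote(pkt))
```

Run against the port-unreachable reply the extra count is 0 (the quote is exactly the offending datagram), while the protocol-unreachable and reassembly-timeout replies each report 20 extra bytes.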
<p align="center">[<a href="index.htm">Back to start</a>][<a href="321.htm">Up one level</a>][<a href="469.htm">Next</a>]
<p align="center"><a href="http://cterm.163.net">Welcome to the Cterm homepage</a></p>
</table>
</body>
</html>