
Operating System Identification through ICMP

Author:      Dutchie99
Submitted:      24-May-2003 10:28:28
Imported From:      zZine (original author: dutchie99)


This technique was documented by Ofir Arkin and Fyodor Yarochkin in Phrack 57 ("ICMP based remote OS TCP/IP stack fingerprinting techniques"). This article explains it in simpler terms.

ICMP - Internet Control Message Protocol

ICMP (RFC 792) carries error and diagnostic messages between hosts and routers. When a packet cannot be delivered or processed, the node that noticed the problem sends an ICMP error message back to the source address of the original packet. The error message quotes the original IP header plus at least the first 8 octets of its payload, so the sender can match the error to the packet that caused it. Here is an example of why ICMP is needed when the data is carried over UDP:

You send a UDP datagram to a host, but no process on that host is listening on the destination port. UDP carries no acknowledgement of its own, so without ICMP the sender would never learn that the datagram went nowhere. Instead the receiving host replies with an ICMP Destination Unreachable message (type 3) with code 3, Port Unreachable. That reply is exactly what this technique examines.

UDP - User Datagram Protocol

UDP (RFC 768) is a minimal transport protocol sitting between IP and the application layer. It is connectionless and offers no reliability: a datagram may be lost, duplicated or reordered and nothing in UDP tells the sender. Its header is 8 octets (64 bits): a 16-bit source port, a 16-bit destination port, a 16-bit length and a 16-bit checksum. The length field counts header plus data in octets, so its minimum value is 8. The checksum is computed over a pseudo-header (source and destination IP addresses, the protocol number 17 and the UDP length), the UDP header and the data; if the data has an odd number of octets, a single zero octet is appended for the computation only. The checksum lets the receiver detect a corrupted datagram, not a missing one. UDP matters here because a UDP datagram sent to a closed port is the simplest way to make a target emit an ICMP error.

How the OS is identified

A TCP/IP stack sends an ICMP error message when it cannot deliver or handle a packet. RFC 792 says what such a message must contain, but every operating system implements the stack in its own code, so the details differ between implementations: how many octets of the offending datagram are quoted (the RFC minimum is the IP header plus 8 octets, but some stacks quote far more), whether the quoted IP header comes back intact or has fields such as the total length, ID or checksum altered, and which TTL the stack puts on the ICMP packets it generates itself. If we can get the target to send an ICMP error message, we can compare these details against known stacks and identify the operating system. How do we do this?

We send a UDP datagram to a port on the target that nothing is listening on. The stack has no socket bound to that port, so it treats the datagram as undeliverable and replies with an ICMP Destination Unreachable, Port Unreachable message that quotes our datagram. We then inspect that reply field by field. This is the basic idea of ICMP fingerprinting; the Phrack paper and Xprobe extend it with other ICMP queries (Echo, Timestamp, Information and Address Mask requests), whose handling also varies between stacks.

Conclusion

There is no complete defence short of every stack implementing the RFCs identically in every detail, or disconnecting your servers from the Internet. What can be done in practice is to deny the fingerprinter its replies: filtering or rate-limiting outbound ICMP error messages at the border removes most of the signal, at the cost of breaking legitimate diagnostics such as traceroute and path MTU discovery that depend on those same messages.

References

Phrack 57: Ofir Arkin and Fyodor Yarochkin, "ICMP based remote OS TCP/IP stack fingerprinting techniques" (phrack.org)

RFC 792, Internet Control Message Protocol

RFC 768, User Datagram Protocol

Tools

Xprobe (Ofir Arkin and Fyodor Yarochkin), hosted on SourceForge

NOTLSD

This article was originally published by CyberArmy.net in the CyberArmy Library.
