Active & Passive Fingerprinting of Microsoft Based Operating Systems using the ICMP protocol, presented at Black Hat Windows 2001

by Ofir Arkin

Summary: The ICMP protocol may seem harmless at first glance. Its goals and features were outlined in RFC 792 (and later clarified in RFCs 1122, 1256, 1349 and 1812) as a means of sending error and query messages. In terms of security, ICMP is one of the most controversial protocols in the TCP/IP protocol suite. The risks involved in deploying ICMP in a network, and the ways ICMP can be used to fingerprint Microsoft based operating systems, are the subject of this lecture.
First we will outline the basics, going over the ICMP protocol's characteristics. We will briefly introduce host detection and advanced host detection methods using ICMP. We will outline several methods that can help determine the mapping of a targeted network and infer the ACL used by a filtering device protecting it.
After the basic know-how has been explained, we will introduce OS fingerprinting using ICMP. Methods that use crafted ICMP query messages and the replies they produce will be introduced, as will methods that use crafted packets to elicit ICMP error messages from the probed machines. An in-depth explanation will be given of the specific methods that allow us to identify Microsoft based operating systems. We will also introduce ways to detect those fingerprinting attempts.
The last topic of the talk will be passive fingerprinting with ICMP. With passive fingerprinting we are able to distinguish clearly between the various Microsoft operating systems.
At the end of the talk we will summarize the specific characteristics that lead to the identification of Microsoft based operating systems, and specifically Microsoft Windows 2000, which was supposed to be an unidentifiable OS hidden in the haze.
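The active and passive techniques outlined above all come down to the same thing: reading a handful of IP and ICMP header fields and comparing what a stack sent back with what was sent to it. The block below is an added example written for this page, not code from the talk or from Ofir Arkin's tools. It builds and parses raw IPv4/ICMP packets with checksum verification, records the fields a fingerprinter looks at (initial TTL, whether the code, TOS, DF bit and payload of a crafted query were echoed), and, for the detection side, flags inbound queries that look like crafted probes. The sample packets are constructed inline, and the probe heuristics and the initial-TTL guess are assumptions for illustration, not the signatures presented in the talk.

```python
"""Added example (not from the talk): parse raw IPv4/ICMP packets, extract the
fields an ICMP-based fingerprinter compares, and flag crafted-looking queries.
Sample packets are constructed inline; the probe heuristics are assumptions."""
import socket
import struct

# ICMP query types defined in RFC 792
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_TIMESTAMP_REQUEST, ICMP_INFO_REQUEST, ICMP_MASK_REQUEST = 13, 15, 17
QUERY_REQUESTS = {
    ICMP_ECHO_REQUEST: "echo",
    ICMP_TIMESTAMP_REQUEST: "timestamp",
    ICMP_INFO_REQUEST: "information",
    ICMP_MASK_REQUEST: "address mask",
}
IP_DF = 0x4000  # Don't Fragment flag in the IP flags/fragment-offset word


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(icmp_type, code, *, ttl=64, tos=0, ip_id=1, df=False,
                 ident=0x1234, seq=1, payload=b"", src="10.0.0.1", dst="10.0.0.2"):
    """Assemble an IPv4 (no options) + ICMP packet with correct checksums."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), ip_id,
                     IP_DF if df else 0, ttl, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_packet(pkt: bytes) -> dict:
    """Validate both checksums and return the fingerprint-relevant fields."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    (_, tos, total_len, ip_id, flags_frag, ttl, proto,
     _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if proto != 1:
        raise ValueError("not ICMP")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "tos": tos, "ip_id": ip_id, "df": bool(flags_frag & IP_DF),
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "payload": icmp[8:],
    }


def initial_ttl_guess(ttl: int) -> int:
    """Heuristic (assumption): smallest common initial TTL >= the observed one."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)


def reply_fingerprint(request: dict, reply: dict) -> dict:
    """Active side: what did the probed stack do with our crafted query's fields?"""
    return {
        "initial_ttl": initial_ttl_guess(reply["ttl"]),
        "code_echoed": reply["code"] == request["code"],
        "tos_echoed": reply["tos"] == request["tos"],
        "df_echoed": reply["df"] == request["df"],
        "payload_echoed": reply["payload"] == request["payload"],
    }


def probe_indicators(fields: dict) -> list:
    """Detection side: reasons an inbound query looks like a crafted probe."""
    reasons = []
    t = fields["type"]
    if t not in QUERY_REQUESTS:
        return reasons
    name = QUERY_REQUESTS[t]
    if fields["code"] != 0:
        reasons.append("%s request with non-zero code %d" % (name, fields["code"]))
    if t in (ICMP_TIMESTAMP_REQUEST, ICMP_INFO_REQUEST, ICMP_MASK_REQUEST):
        reasons.append("%s request, rarely sent by ordinary hosts" % name)
    if fields["tos"] != 0:
        reasons.append("non-zero TOS 0x%02x on an ICMP query" % fields["tos"])
    return reasons


if __name__ == "__main__":
    # Constructed sample: an echo request with non-zero code and TOS, and a
    # hypothetical reply whose stack zeroed both fields and started at TTL 128.
    req = parse_packet(build_packet(ICMP_ECHO_REQUEST, 3, tos=0x10, payload=b"abc"))
    rep = parse_packet(build_packet(ICMP_ECHO_REPLY, 0, ttl=126, payload=b"abc",
                                    src="10.0.0.2", dst="10.0.0.1"))
    print(probe_indicators(req))
    print(reply_fingerprint(req, rep))
```

To use this against live traffic, feed `parse_packet` the bytes read from a raw socket or a pcap; `probe_indicators` gives an IDS-style verdict per inbound query, while `reply_fingerprint` is applied to request/reply pairs and the resulting tuple is what one compares across stacks.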
Ofir Arkin is a researcher and explorer of the computer security field. His passion for "know how" has led him to many projects at the lowest levels of TCP/IP stack implementations. Ofir has published numerous papers about his work; the most recent are "Identifying ICMP Hackery Tools Used in the Wild Today", "ICMP Usage In Scanning", and "Unverified Fields - A Problem with Firewalls & Firewall Technology Today". All are available from Ofir Arkin's web site.
Currently Ofir is working at OFEK as the company's Security Technical Manager. OFEK is in the process of becoming a national operator and a leading provider of advanced telecommunication services in Israel, carrying voice, Internet, data and video through a convergence of services.
Presentation slides (PowerPoint, 433k)