1) Detecting the SUN operating system with ICMP address mask requests
Only a small number of operating systems answer an ICMP address mask request at all; these include ULTRIX, OpenVMS, Windows 95/98/98 SE/ME, NT below SP4, and SUN Solaris machines. SUN machines, however, answer fragmented ICMP Address Mask Requests differently from the others, which lets a remote user identify a SUN host's operating system.
Below is a normal address mask request sent to a SUN Solaris 2.7 machine with SING (http://sourceforge.net/projects/sing), written by Alfredo Andres Omella:
# ./sing -mask IP_Address
SINGing to IP_Address (IP_Address): 12 data bytes
12 bytes from IP_Address: icmp_seq=0 ttl=236 mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=1 ttl=236 mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=2 ttl=236 mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=3 ttl=236 mask=255.255.255.0
12 bytes from IP_Address: icmp_seq=4 ttl=236 mask=255.255.255.0

--- IP_Address sing statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
The operating system answers the ICMP address mask request with its network address mask.
Now let us send some fragmented requests. In the example below the request is sent to the same SUN Solaris 2.7 machine as 8-byte IP fragments (-F 8), and the reply differs from the one just seen (-c 2 tells SING to send two ICMP address mask requests):
# ./sing -mask -c 2 -F 8 IP_Address
SINGing to IP_Address (IP_Address): 12 data bytes
12 bytes from IP_Address: icmp_seq=0 ttl=241 mask=0.0.0.0
12 bytes from IP_Address: icmp_seq=1 ttl=241 mask=0.0.0.0

--- IP_Address sing statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
Listening with tcpdump shows the following:
20:02:48.441174 ppp0 > slip139-92-208-21.tel.il.prserv.net > Host_Address: icmp: address mask request (frag 13170:8@0+)
                         4500 001c 3372 2000 ff01 50ab 8b5c d015
                         xxxx xxxx 1100 aee3 401c 0000
20:02:48.442858 ppp0 > slip139-92-208-21.tel.il.prserv.net > Host_Address: (frag 13170:4@8)
                         4500 0018 3372 0001 ff01 70ae 8b5c d015
                         xxxx xxxx 0000 0000
20:02:49.111427 ppp0 < Host_Address > slip139-92-208-21.tel.il.prserv.net: icmp: address mask is 0x00000000 (DF)
                         4500 0020 3618 4000 f101 3c01 xxxx xxxx
                         8b5c d015 1200 ade3 401c 0000 0000 0000

20:02:49.441492 ppp0 > slip139-92-208-21.tel.il.prserv.net > Host_Address: icmp: address mask request (frag 13170:8@0+)
                         4500 001c 3372 2000 ff01 50ab 8b5c d015
                         xxxx xxxx 1100 ade3 401c 0100
20:02:49.442951 ppp0 > slip139-92-208-21.tel.il.prserv.net > Host_Address: (frag 13170:4@8)
                         4500 0018 3372 0001 ff01 70ae 8b5c d015
                         xxxx xxxx 0000 0000
20:02:50.011433 ppp0 < Host_Address > slip139-92-208-21.tel.il.prserv.net: icmp: address mask is 0x00000000 (DF)
                         4500 0020 3619 4000 f101 3c00 xxxx xxxx
                         8b5c d015 1200 ace3 401c 0100 0000 0000
As you can see, SUN Solaris answers with a network address mask of 0.0.0.0.
The following settings can be used to address this:
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
2) Detecting Windows 98/98 SE/ME/2000 with ICMP timestamp request messages
Microsoft Windows 98/98 SE/ME/2000 Professional/2000 Server do not produce any reply to an ICMP timestamp request whose code field is set to a non-zero value.
Based on this behaviour, two forms of ICMP timestamp request can be used to identify the Microsoft Windows variant. First a normal request is sent: Windows hosts that do not answer are running Microsoft Windows 95 or Microsoft Windows NT 4.0 Workstation with SP6a (and below), while the other operating systems (including the UNIX family) send the corresponding reply. Then a crafted timestamp request with a non-zero code field is sent: the newer Windows 98/98 SE/ME/2000 Professional/2000 Server do not answer it, while the other operating systems return a correct reply.
Operating systems involved (tested): LINUX Kernel 2.4t2; LINUX Kernel 2.2.14; FreeBSD 4.0, 3.4; OpenBSD 2.7 & 2.6; Solaris 2.5.1, 2.6, 2.7 & 2.8; HP-UX 10.20; AIX 4.1; ULTRIX; Microsoft Windows 95 / 98 / 98SE / ME / NT 4 SP3, SP4, SP6a WRST & SERVER / 2000 Professional & Server.