RE: Multiple IP on the same server howo to idenfity

From: Frank Knobbe (frank@knobbe.us)
Date: Tue Jun 15 2004 - 17:32:44 EDT


On Mon, 2004-06-14 at 10:52, Lovell, Edward (Contractor) wrote:
> Could you please post to the list any IP finger printing data or links
> you may have.

I'm confused as to what you consider "IP finger printing data". What I
said was that the OP should keep an eye on the IP ID's and TTL's when
communicating with the hosts while trying to figure out if they share
physical hosts.

Consider this portscan/tcpdump result:

x.x.x.2: tcp/25 open - IP ID between 1000 and 1100, TTL (of received
packets) is 105
x.x.x.3: tcp/110 open - IP ID between 1000 and 1100, TTL is 105
x.x.x.4: tcp/21 open - IP ID is between 2000 and 2500, TTL is 105
x.x.x.5: tcp/80 open - IP ID is between 2000 and 2600, TTL is 106
x.x.x.6: tcp/443 open - IP ID is completely random, TTL is 233
x.x.x.7: tcp/80 open - IP ID is completely random, TTL is 233
x.x.x.8: tcp/53 open - IP ID is completely random, TTL is 42

Your traceroute to .5 reveals that it is right on the Internet (between
router and a firewall). Traceroutes to .2 and .3 reply with the same IP
twice. From the Characteristic above, you can guess that .2 and .3 are
the same host, and are most likely Windows boxes (default TTL of 128),
and directly behind a firewall. However, .4, even though the IP ID is in
about the same range as .2 and .3, is one hop shorter, right between the
router and the firewall. Seemingly also a Windows box. .6's IP ID is
completely random, some Unix host with a default TTL of 255. The TTL of
a Windows host behind the firewall was 105, so 105-128+255 is 233, which
means that this Unix box is also directly one hop behind the firewall.
(one tick lower means one more hop away in a WAN).

Now, .7 also has the same distance, but since the IP ID is completely
random, you can not say for sure that this IP is assigned to the same
box that uses .6. Could be, maybe not. Examination of the banners is
needed. You'll find that using Netcat over OpenSSL, .6 is an AIX box
while .7 is a Linux box. But if the TTL were different, you could be
sure right away that these are two different physical hosts.

Now to .8. It sits right on the Internet like .5 (106-128+64=42). A
completely random IP ID hints on Unix. FreeBSD has a default TTL of 64,
so it could be a BSD, or something else. (Feel free to continue this
exercise yourself)

So, by just observing certain IP ID and TTL values, you are able to
create a good estimate of a network map. Complement that with banner
information, and you will get more precise.

Perhaps it becomes clear now that -- from a defensive perspective --
changing IP values such as default TTLs can be of use by making network
profiling harder. Perhaps you might want to use 230 as a default TTL for
your Windows box. I'm sure that will confuse nmap and human pentesters
alike :)

Hope this helps.

Regards,
Frank





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:56 EDT