RE: Multiple IP on the same server how to identify

From: Frank Knobbe (frank_at_knobbe.us)
Date: 06/15/04

To: "Lovell, Edward (Contractor)" <Edward.Lovell@ed.gov>
Date: Tue, 15 Jun 2004 16:32:44 -0500

    On Mon, 2004-06-14 at 10:52, Lovell, Edward (Contractor) wrote:
    > Could you please post to the list any IP finger printing data or links
    > you may have.

    I'm confused as to what you consider "IP finger printing data". What I
    said was that the OP should keep an eye on the IP IDs and TTLs when
    communicating with the hosts while trying to figure out if they share
    physical hosts.

    Consider this portscan/tcpdump result:

    x.x.x.2: tcp/25 open - IP ID between 1000 and 1100, TTL (of received
    packets) is 105
    x.x.x.3: tcp/110 open - IP ID between 1000 and 1100, TTL is 105
    x.x.x.4: tcp/21 open - IP ID is between 2000 and 2500, TTL is 105
    x.x.x.5: tcp/80 open - IP ID is between 2000 and 2600, TTL is 106
    x.x.x.6: tcp/443 open - IP ID is completely random, TTL is 233
    x.x.x.7: tcp/80 open - IP ID is completely random, TTL is 233
    x.x.x.8: tcp/53 open - IP ID is completely random, TTL is 42

    Your traceroute to .5 reveals that it is right on the Internet (between
    router and a firewall). Traceroutes to .2 and .3 reply with the same IP
    twice. From the characteristics above, you can guess that .2 and .3 are
    the same host, and are most likely Windows boxes (default TTL of 128),
    and directly behind a firewall. However, .4, even though the IP ID is in
    about the same range as .2 and .3, is one hop shorter, right between the
    router and the firewall. Seemingly also a Windows box. .6's IP ID is
    completely random, some Unix host with a default TTL of 255. The TTL of
    a Windows host behind the firewall was 105, so 105-128+255 is 233, which
    means that this Unix box is also directly one hop behind the firewall.
    (One tick lower means one more hop away in a WAN.)

    Now, .7 also has the same distance, but since the IP ID is completely
    random, you cannot say for sure that this IP is assigned to the same
    box that uses .6. Could be, maybe not. Examination of the banners is
    needed. You'll find that using Netcat over OpenSSL, .6 is an AIX box
    while .7 is a Linux box. But if the TTL were different, you could be
    sure right away that these are two different physical hosts.

    Now to .8. It sits right on the Internet like .5 (106-128+64=42). A
    completely random IP ID hints at Unix. FreeBSD has a default TTL of 64,
    so it could be a BSD, or something else. (Feel free to continue this
    exercise yourself.)

    So, by just observing certain IP ID and TTL values, you are able to
    create a good estimate of a network map. Complement that with banner
    information, and you will get more precise.

    Perhaps it becomes clear now that -- from a defensive perspective --
    changing IP values such as default TTLs can be of use by making network
    profiling harder. Perhaps you might want to use 230 as a default TTL for
    your Windows box. I'm sure that will confuse nmap and human pentesters
    alike :)

    Hope this helps.

    Regards,
    Frank
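
The TTL and IP ID exercise Frank walks through, carried out in code as an added example (my own, not part of the post or of any tool it mentions). The observations are constructed from the table in the post; the set of default TTLs (64/128/255), the "same TTL plus overlapping incremental IP ID range" grouping rule and all function names are my assumptions. It also shows the defensive point at the end of the post: a Windows box sending with an initial TTL of 230 is placed in the wrong OS family and at the wrong hop count.

```python
from collections import namedtuple

# Initial TTLs the post relies on: 64 (Linux/BSD), 128 (Windows), 255 (AIX/other Unix).
DEFAULT_TTLS = (64, 128, 255)

# ipid is (low, high) for an incremental counter, or None for "completely random".
Obs = namedtuple("Obs", "ip port ipid ttl")

# Constructed observations, copied from the table in the post.
OBSERVATIONS = [
    Obs("x.x.x.2", 25, (1000, 1100), 105),
    Obs("x.x.x.3", 110, (1000, 1100), 105),
    Obs("x.x.x.4", 21, (2000, 2500), 105),
    Obs("x.x.x.5", 80, (2000, 2600), 106),
    Obs("x.x.x.6", 443, None, 233),
    Obs("x.x.x.7", 80, None, 233),
    Obs("x.x.x.8", 53, None, 42),
]

def hop_distance(ttl):
    """Return (assumed initial TTL, hop count): the smallest default TTL at or
    above the observed value, as the post does (observed 105 -> 128, 23 hops).
    A host with a non-standard initial TTL (e.g. 230) is misjudged here."""
    start = min(d for d in DEFAULT_TTLS if d >= ttl)
    return start, start - ttl

def ipid_overlap(a, b):
    """Overlapping incremental IP ID ranges suggest one shared counter.
    Random IP IDs (None) are never evidence, as the post notes for .6/.7."""
    return a is not None and b is not None and a[0] <= b[1] and b[0] <= a[1]

def group_hosts(observations):
    """Cluster IPs that plausibly share a physical host: identical observed TTL
    (same hop distance and OS family) and overlapping incremental IP IDs."""
    groups = []
    for obs in observations:
        for g in groups:
            if g["ttl"] == obs.ttl and ipid_overlap(g["ipid"], obs.ipid):
                g["ips"].append(obs.ip)
                break
        else:
            groups.append({"ttl": obs.ttl, "ipid": obs.ipid, "ips": [obs.ip]})
    return groups

if __name__ == "__main__":
    for g in group_hosts(OBSERVATIONS):
        start, hops = hop_distance(g["ttl"])
        print(f"{', '.join(g['ips'])}: assumed initial TTL {start}, {hops} hops")
```

Only .2 and .3 end up in one group; the random-IP-ID hosts are never merged, which is exactly why banners are still needed for .6 and .7.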
