26th Jun 2001 [SBWID-145]
COMMAND
	    kernel
SYSTEMS AFFECTED
	    OpenBSD 2.6...2.9
PROBLEM
	    Ofir Arkin found the following.  When a host generates an ICMP Error
	    message it echoes some parts of the offending packet.  The ICMP Error
	    message includes the IP header and at least 8 bytes of data from the
	    offending packet.
	    Some fingerprinting methods rely on the fact that certain operating
	    systems do not correctly echo the offending packet's data.
	    It is known that some operating systems do not correctly echo the IP
	    Total Length field value: they echo a value which is 20 bytes bigger
	    than the original value carried in the offending packet.
	    During the research on X, Ofir has found a new fingerprinting method
	    that involves the same field value.  With this method the IP Total
	    Length field value being echoed (with an ICMP Port Unreachable Error
	    Message) is 20 bytes less than the original value.  In the next
	    example I have used hping2 to generate a UDP datagram with 80 bytes
	    of data querying UDP port 50 on an OpenBSD 2.9 i386-based machine:
	
	        [root@godfather /root]# hping2 -2 -y -p 50 -d 80 172.18.2.145
	        eth0 default routing interface selected (according to /proc)
	        HPING 172.18.2.145 (eth0 172.18.2.145): udp mode set, 28 headers + 80 data bytes
	        ICMP Port Unreachable from 172.18.2.145  (unknown host name)
	        ICMP Port Unreachable from 172.18.2.145  (unknown host name)
	        ICMP Port Unreachable from 172.18.2.145  (unknown host name)
	        ...
	
	    The tcpdump trace:
	
	        09:52:33.989622 eth0 > 172.18.2.201.2999 > 172.18.2.145.re-mail-ck: udp 80
	        (DF) (ttl 64, id 5207)
	                                 4500 006c 1457 4000 4011 c8ab ac12 02c9
	                                 ac12 0291 0bb7 0032 0058 c808 5858 5858
	                                 5858 5858 5858 5858 5858 5858 5858 5858
	                                 5858 5858 5858 5858 5858 5858 5858 5858
	                                 5858 5858 5858 5858 5858 5858 5858 5858
	                                 5858 5858 5858 5858 5858 5858 5858 5858
	                                 5858 5858 5858 5858 5858 5858
	        09:52:33.989622 eth0 < 172.18.2.145 > 172.18.2.201: icmp: 172.18.2.145 udp
	        port re-mail-ck unreachable Offending pkt: 172.18.2.201.2999 >
	        172.18.2.145.re-mail-ck: udp 80 (DF) (ttl 64, id 5207) (ttl 255, id 41822)
	                                 4500 0038 a35e 0000 ff01 bae7 ac12 0291
	                                 ac12 02c9 0303 28b3 0000 0000 4500 0058
	                                 1457 4000 4011 c8bf ac12 02c9 ac12 0291
	                                 0bb7 0032 0058 c808
	
	    The snort trace:
	
	        06/20-09:53:07.989622 172.18.2.201:3033 -> 172.18.2.145:50
	        UDP TTL:64 TOS:0x0 ID:10872 IpLen:20 DgmLen:108 DF
	        Len: 88
	        58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
	        58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
	        58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
	        58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
	        58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
	        06/20-09:53:07.989622 172.18.2.145 -> 172.18.2.201
	        ICMP TTL:255 TOS:0x0 ID:51307 IpLen:20 DgmLen:56
	        Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
	        ** ORIGINAL DATAGRAM DUMP:
	        172.18.2.201:3033 -> 172.18.2.145:50
	        UDP TTL:64 TOS:0x0 ID:10872 IpLen:20 DgmLen:88
	        Len: 88
	        ** END OF DUMP
	        00 00 00 00 45 00 00 58 2A 78 40 00 40 11 B2 9E  ....E..X*x@.@...
	        AC 12 02 C9 AC 12 02 91 0B D9 00 32 00 58 C7 E6  ...........2.X..
	
	    Looking  at  the  traces  you  can  see  that  the datagram length
	    reported by the ICMP Port  Unreachable error message is 88  bytes,
	    while the offending packet was 108 bytes long.
	    The  same  behavior  is  produced  with  OpenBSD  2.6-2.8  as well
	    (checked on the i386 platform).
	    But OpenBSD 2.6-2.9 is not the only operating system that acts like
	    this.  Cross-referencing this fingerprinting method with nmap's
	    fingerprinting database (www.insecure.org) reveals that Apollo
	    Domain/OS SR10.4, NFR IDS Appliance, Extreme Networks Black Diamond
	    Switch, Extreme Networks Gigabit Switch, Network Systems router
	    NS6614 (NSC 6600 series), and Cabletron Systems SSR 8000 System
	    Software version 3.1.B.16 do the same.
	    Since all the other operating systems and networking devices listed
	    above have additional echoing-integrity problems with their ICMP Port
	    Unreachable error messages, while OpenBSD 2.6-2.9 correctly echoes
	    every other data field carried in the ICMP Port Unreachable error
	    message, this lets us fingerprint OpenBSD 2.6-2.9 based systems by
	    sending a single crafted query and receiving a single ICMP Port
	    Unreachable error message.
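	    The following Python is added here as an illustration and is not part of
	    Ofir Arkin's advisory or of hping2/tcpdump.  It takes the two byte dumps
	    from the tcpdump trace above (the IP header of the offending UDP datagram
	    and the complete ICMP Port Unreachable reply), locates the echoed header
	    inside the ICMP message and reports every header field that differs from
	    what was sent; the function names are my own.

```python
import struct

# Bytes copied from the page's tcpdump trace.
# IP header of the offending UDP datagram sent by hping2 (ttl 64, id 5207 = 0x1457).
ORIGINAL_IP_HDR = bytes.fromhex(
    "4500006c14574000" "4011c8abac1202c9" "ac120291")
# Complete ICMP Port Unreachable reply from the OpenBSD 2.9 host: outer IP header,
# ICMP header, then the echoed IP header plus the first 8 bytes of UDP.
ICMP_REPLY = bytes.fromhex(
    "45000038a35e0000ff01bae7ac120291"
    "ac1202c9030328b30000000045000058"
    "145740004011c8bfac1202c9ac120291"
    "0bb700320058c808")

IP_FIELDS = ("ver_ihl", "tos", "total_length", "id", "flags_frag",
             "ttl", "proto", "checksum", "src", "dst")

def parse_ip_header(pkt: bytes) -> dict:
    """Unpack the fixed 20-byte IPv4 header into named fields."""
    return dict(zip(IP_FIELDS, struct.unpack("!BBHHHBBH4s4s", pkt[:20])))

def ip_checksum_ok(hdr: bytes) -> bool:
    """Verify the one's-complement header checksum over the IHL-sized header."""
    ihl = (hdr[0] & 0x0F) * 4
    total = sum(struct.unpack("!%dH" % (ihl // 2), hdr[:ihl]))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def echoed_ip_header(icmp_msg: bytes) -> bytes:
    """Return the quoted (inner) IP header from a Destination Unreachable message."""
    outer_ihl = (icmp_msg[0] & 0x0F) * 4
    icmp = icmp_msg[outer_ihl:]
    if icmp[0] != 3:                        # ICMP type 3 = Destination Unreachable
        raise ValueError("not an ICMP Destination Unreachable message")
    return icmp[8:]                         # skip type, code, checksum, unused word

def echo_mismatches(original_hdr: bytes, icmp_msg: bytes) -> dict:
    """Compare each field of the echoed header with the original datagram's header.
    Returns {field: (original, echoed)} for every field that differs."""
    orig = parse_ip_header(original_hdr)
    echo = parse_ip_header(echoed_ip_header(icmp_msg))
    return {f: (orig[f], echo[f]) for f in IP_FIELDS if orig[f] != echo[f]}

if __name__ == "__main__":
    for field, (sent, echoed) in echo_mismatches(ORIGINAL_IP_HDR, ICMP_REPLY).items():
        print(f"{field}: sent={sent} echoed={echoed} delta={echoed - sent:+d}")
```

	    Only total_length (108 sent, 88 echoed) and the header checksum differ, and
	    the checksum in the echoed header is valid for the 88-byte value, so the
	    quirk is only visible when the reply is compared against the datagram that
	    was actually sent.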
SOLUTION
	    Nothing Yet.
	
