Dark Mode

Settings

Capec-332 Detail

ICMP IP 'ID' Field Error Message Probe

Detailed Software Likelihood: Medium Typical Severity: Low

Parents: 312

Threats: T60 T80 T258 T288 T291 T302 T334 T392 T407

Description

An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.

Extended Description

The internet identification field (ID) is typically utilized for reassembling a fragmented packet. RFC791 and RFC815 discusses about IP datagrams, fragmentation and reassembly. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within the ICMP error message. There are three behaviors related to the IP ID field that can be used to distinguish remote operating systems or firmware: 1) it is echoed back identically to the bit order of the ID field in the original IP header, 2) it is echoed back, but the byte order has been reversed, or it contains an incorrect or unexpected value. Different operating systems will respond by setting the IP ID field differently within error messaging.
External ID Source Link Description
CAPEC-332 capec https://capec.mitre.org/data/definitions/332.html
CWE-204 cwe http://cwe.mitre.org/data/definitions/204.html
REF-33 reference_from_CAPEC Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill
REF-123 reference_from_CAPEC http://www.faqs.org/rfcs/rfc792.html J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)
REF-124 reference_from_CAPEC http://www.faqs.org/rfcs/rfc1122.html R. Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10
REF-262 reference_from_CAPEC http://ofirarkin.files.wordpress.com/2008/11/login.pdf Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group

Not present

  1. The ability to monitor and interact with network communications. Access to at least one host, and the privileges to interface with the network interface card.
  1. A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable."

Not present

Authorization Access Control Confidentiality
Bypass Protection Mechanism Bypass Protection Mechanism Read Data
Hide Activities Hide Activities Bypass Protection Mechanism
Hide Activities

Not present

We use cookies to ensure you get the best experience on our website.