Vol. 27, No. 2 ;login:
During the winter of 2000 I started researching the Internet Control Message Protocol (ICMP). The protocol goals and features were outlined in RFC 792 (and later in RFCs 1122, 1256, 1349, 1812) as a means to send error messages for nontransient error conditions, and to provide a way to probe the network in order to determine general characteristics about it. My goal was to go through the relevant RFCs quickly and then continue with other, more interesting protocols. Instead, I found that ICMP can be used to fingerprint operating systems.
Techniques for OS fingerprinting using TCP packets already exist and are well known: the nmap and queso tools are examples. As I continued to discover idiosyncrasies in the way different operating systems respond to small but legal tweaks to ICMP packets, I published information about how these packets could be used to determine the type of operating system running at a particular destination, provided that destination does not filter incoming (and in some cases outgoing) ICMP packets. The first fruit of this research was a paper that can be found at http://www.sys-security.com/html/.
A large portion of the research paper is dedicated to active operating system fingerprinting techniques that I discovered during the research project. Active OS fingerprinting with ICMP requires the prober's machine to send less traffic to determine the underlying operating system of a targeted host: with most of the fingerprinting methods, a single datagram can be enough.
For quite some time people have asked me for an automated tool that would correlate some of the active OS fingerprinting methods I have discovered using ICMP. But the final push for the tool came from J.D. Glaser, a good friend of mine, who asked me whether I could use these ICMP fingerprinting methods to differentiate between Microsoft-based operating systems. Less than three hours later I had a little logic drawn up, and tested, that could differentiate between the different Mi