Network Security Firewalls

Re: ICMP timestamps (Re: Wierd ICMP in logs)

Subject: Re: ICMP timestamps (Re: Wierd ICMP in logs)
Date: Wed, 15 Sep 2004 11:18:33 -0400
----- Original Message -----
From: "Martin Mačok" <martin.macok@underground.cz>
To: <firewalls@securityfocus.com>
Sent: Wednesday, September 15, 2004 5:29 AM
Subject: ICMP timestamps (Re: Wierd ICMP in logs)


http://www.networkmagazine.com/article/NMG20000829S0003

  "Getting a response to a Timestamp Request not only tells you that
   a system is up but also that it is not running a Microsoft
   operating system."

This is not true. I have several Windows systems around me within our
company and they all answer to ICMP Timestamp Request. Actually, you
can differentiate some stacks when you inspect the timestamp replies.

See ICMPinfo.c from http://aluigi.altervista.org/mytoolz.htm

Martin Mačok
IT Security Consultant

Hi Martin,

I can't comment on why the author wrote that. He cites a paper by Ofir
Arkin as a resource for his article. I had a closer look at it.
http://www.sys-security.com/html/projects/icmp.html

According to ICMP Usage in Scanning V.3, Mr. Arkin states on page 43:
"Most of the operating systems have implemented the ICMP Timestamp
request and reply mechanism. When I have sent an ICMP Timestamp
request to a Windows NT 4 SP6a based machine, I got no reply. Again,
this is not abnormal behavior from the Microsoft Windows NT machine,
just an implementation choice as RFC 1122 states."

In fact, he goes on to provide numerous charts comparing the response of
various OS to Time Stamp requests (as well as other ICMP types under
different conditions). Apparently NT4 and Win95 do not respond while
Win98/ME and Win2k do respond. There's no mention of Win2003 or XP.

So, good call ;) I just hope I am equally astute in my interpretation
of the OP's fw logs.

Cheers,
Gary
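As an added example (not code from this thread, and not the ICMPinfo tool Martin links), here is a decoder for the ICMP Timestamp Request/Reply messages discussed above. It checks the RFC 792 layout and checksum and renders the three timestamp fields (milliseconds since midnight UTC, with the high-order bit marking a non-standard value), which is what one needs to read such entries out of a packet capture and to see when a stack fills the field in a non-standard way. The sample messages are constructed inline; the helper and field names are this example's own.

```python
import struct

# ICMP message types from RFC 792
ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
MS_PER_DAY = 24 * 60 * 60 * 1000          # valid standard timestamps are 0 .. 86399999
NON_STANDARD_BIT = 0x80000000             # RFC 792: set when the value is not ms since midnight UTC


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over a whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def describe_timestamp(value: int) -> str:
    """Render one 32-bit timestamp field as HH:MM:SS.mmm UTC, or say why it is not standard."""
    if value & NON_STANDARD_BIT:
        return "non-standard (high bit set)"
    if value >= MS_PER_DAY:
        return "invalid (>= 86400000 ms)"
    s, ms = divmod(value, 1000)
    h, s = divmod(s, 3600)
    m, s = divmod(s, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{ms:03d}"


def parse_icmp_timestamp(packet: bytes) -> dict:
    """Decode a 20-byte ICMP Timestamp Request (13) or Reply (14)."""
    if len(packet) < 20:
        raise ValueError("ICMP timestamp messages are 20 bytes")
    typ, code, _csum, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", packet[:20])
    if typ not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        raise ValueError(f"not an ICMP timestamp message (type {typ})")
    return {
        "kind": "request" if typ == ICMP_TIMESTAMP_REQUEST else "reply",
        "code": code,
        "checksum_ok": icmp_checksum(packet[:20]) == 0,  # a correct message sums to zero
        "id": ident, "seq": seq,
        "originate": describe_timestamp(orig),
        "receive": describe_timestamp(recv),
        "transmit": describe_timestamp(xmit),
    }


def build_timestamp_message(typ: int, ident: int, seq: int, orig: int, recv: int = 0, xmit: int = 0) -> bytes:
    """Constructed helper so the example runs offline: a 20-byte message with a valid checksum."""
    body = struct.pack("!BBHHHIII", typ, 0, 0, ident, seq, orig, recv, xmit)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```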