From: Aaron Campbell [aaron@MONKEY.ORG]
Sent: Monday, May 07, 2001 4:01 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Fun with IP Identification Field Values (Identifying Older MS Based OSs)

On Sat, 5 May 2001, Ofir Arkin wrote:

> With the implementation in many operating systems, the Kernel is increasing
> the IP ID field value by 1, from one packet to the next.

There is something much more interesting about non-random incrementing IP ID
numbers: you can use such operating systems to execute spoofed TCP port scans.
I have explained this technique (originally described on Bugtraq over 2 years
ago, see the below URL) to security expert friends of mine who weren't aware
of it at all.

Imagine three hosts:

Host A - Attacker.
Host B - Idle machine, OS that increments IP IDs by fixed amount each pkt.
Host C - Victim.

Suppose Host A would like to know if port 22 is listening on Host C. Host A
communicates initially with Host B to determine Host B's current IP ID number
and takes note of it. Host A sends a TCP SYN packet to port 22 of Host C with
the src address field spoofed as Host B. If the port is open, Host C sends a
SYN/ACK packet to Host B in response. If the port is closed, an RST is sent
back instead. In the case of the open port, Host B would respond to the
SYN/ACK with an RST. In the case of the closed port, Host B would ignore the
RST and perform no action.

Once this is done, Host A communicates once again with Host B to determine
the current IP ID and compares it with the saved one from before. If port 22
was open on Host C, Host B responded with an RST, increasing its IP ID by one.
If it was closed, Host B responded with nothing and the IP ID did not change.
Therefore, in the case where "fixed amount" = 1, the IP ID has increased by 2
if the port was open or 1 if it was closed.

I actually wrote a port scanner a long time ago to implement this method,
which seemed to work on my home network (using a Win95 box as a rogue host)
but I have long since lost the sources.

References:

http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26mid%3D11581

---
Aaron Campbell (aaron@monkey.org || aaron@openbsd.org)
http://www.monkey.org/~aaron
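An added example, not code from the original post: the check a defender would run against their own hosts to find ones that behave like the idle "Host B" above. Given IP ID values observed from a host (for instance pulled from a packet capture), it decides whether the generator advances by a fixed step per packet, tolerating a few packets sent to other parties in between; the sample sequences and the `slack` parameter are constructed for the illustration.

```python
"""Audit a host's IP ID generation for the fixed-increment behaviour
that makes it usable as the idle third party in the scan described above."""
from typing import Optional, Sequence

IPID_MODULUS = 1 << 16  # the IP Identification field is 16 bits wide


def ipid_steps(ids: Sequence[int]) -> list:
    """Per-packet increments between consecutive observed IP IDs,
    taking the 16-bit wrap-around (65535 -> 0) into account."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def detect_fixed_increment(ids: Sequence[int], slack: int = 3) -> Optional[int]:
    """Return the base increment if every observed step is a small multiple
    of it (up to `slack` unobserved packets between samples), otherwise None.

    A result of 1 is the classic "+1 per packet" counter; other constant
    values (e.g. 256 from a byte-swapped counter) are just as predictable."""
    if len(ids) < 4:
        raise ValueError("need at least four IP ID samples")
    steps = ipid_steps(ids)
    base = min(steps)
    if base == 0:
        return None  # repeated IDs: not a simple counter
    for step in steps:
        if step % base != 0 or step // base > slack + 1:
            return None  # irregular spacing: looks random/unpredictable
    return base


def predictable_hosts(observations: dict) -> list:
    """Names of hosts whose IP ID sequence has a fixed increment."""
    return sorted(h for h, ids in observations.items()
                  if detect_fixed_increment(ids) is not None)


# Constructed samples: a +1 counter crossing the wrap-around (with one
# unobserved packet), a +256 counter, and a randomised generator.
SEQ_INCREMENT = [65533, 65534, 65535, 0, 1, 3, 4]
SEQ_STEP256 = [256, 512, 768, 1280, 1536]
SEQ_RANDOM = [23451, 1045, 60012, 9987, 41203]
SAMPLE_HOSTS = {"hostB": SEQ_INCREMENT, "winbox": SEQ_STEP256, "bsd": SEQ_RANDOM}

if __name__ == "__main__":
    for name, ids in SAMPLE_HOSTS.items():
        print(f"{name}: increment={detect_fixed_increment(ids)}")
    print("predictable:", predictable_hosts(SAMPLE_HOSTS))
```

Hosts that show up as predictable should have IP ID randomisation enabled (or be patched), which is the fix that removes them as candidates for this scan.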