TTL field???

solvman · October 3, 2001, 12:44am

Hi all,

I wonder, how I can change Time To Live field for icmp packet in Redhat 7.1, kernel 2.4.2-2? I looked up in /proc/sys/net/ipv4 and did find this field in there.
There should be a way to change TTL. If it's in header file, in which one?

Thank you all

eddies · October 10, 2001, 9:55am

You mean for use with ping or in common??

Why would you want this anyway??

for ping, use: ping -t 'ttl'

solvman · October 10, 2001, 11:54am

I'm talking about TTL field for system itself.

Let's say when someone pings my host, he/she sees different TTL field. I've heard that lots of netscan applications uses this field to determine the type of the system. And for security reasons if you change that field for ping replies comming from your host it eliminates this possibility.

Thank you.

Neo · October 10, 2001, 6:11pm

Offhand I can't think of any (none routing) reason to hack the TTL field or any tools that use the TTL field to scan with the exception of traceroute .

If you can post the exact "netscan application" that uses TTL and why it uses it, then we can give a more accurate reply.

It is certainly possible to return bogus values of processes, including TTL. I'm more interested in understanding why you think you need to do this... thanks.

solvman · October 10, 2001, 6:31pm

how can u define a type of system remotely? Conidering closed ports for telnet, ssh, ftp, http, etc. One way to determin the type of the system is to just ping it and and TTL of the returned packet is gonna define system coz it goes basically fixed for different systems. Here what i mean:

#ping foo1.com
64 bytes from 65.30.119.70: icmp_seq=0 ttl=255 time=209 usec
...

#ping foo2.com
64 bytes from 192.168.0.3: icmp_seq=0 ttl=128 time=1.011 msec
...

#ping foo3.com
64 bytes from ns.donnelly.cc.ks.us (208.129.6.92): icmp_seq=1 ttl=243 time=29.964 msec
...

In those three examples i can say that foo1.com runs RedHat Linux 7.1 (ttl=255), foo2.com - Windows(ME)(ttl=128), foo3.com - OpenBSD2.8 (maybe 2.9)(ttl=243).
So, if you hack and change TTL for your system some of the scanning software will be cofnfused. So my question still is in what file this field is defined???

Thank you all

Neo · October 10, 2001, 10:23pm

OK. Now I understand what you are saying. Some systems, for better or for worse, set the TTL differently and this can be exploited to guess the system kernel, as discussed here:

http://www.geocrawler.com/archives/3/91/2000/9/0/4279406/

Because, as the ping manpage says:

The maximum possible value of this field is 255, and most Unix systems
set the TTL field of ICMP ECHO_REQUEST packets to 255. This is why you
will find you can ``ping'' some hosts, but not reach them with telnet(1)
or ftp(1).

In normal operation ping prints the ttl value from the packet it re-
ceives. When a remote system receives a ping packet, it can do one of
three things with the TTL field in its response:

o Not change it; this is what Berkeley Unix systems did before the
4.3BSD-Tahoe release. In this case the TTL value in the received
packet will be 255 minus the number of routers in the round-trip
path.

o Set it to 255; this is what current Berkeley Unix systems do. In
this case the TTL value in the received packet will be 255 minus the
number of routers in the path from the remote system to the pinging
host.

o Set it to some other value. Some machines use the same value for
ICMP packets that they use for TCP packets, for example either 30 or
60. Others may use completely wild values.

You want to change the behavior of a host receiving an ICMP_ECHO_REQUEST by altering the TTL set by the host.

Nice idea!!! There is value to this idea, thanks for pointing this out.

In linux, this value is defined in the ip.h header file in the source distribution:

One way to change it is to modify the parameter in the ip.h include file and rebuild the kernel.

However, different systems allow you to configure MAXTTL from the command line or in a configuration file like /etc/rc.d.

BTW. This was an EXCELLENT question. I tested two modern linux kernels (TTL, 255) and one Win98 system (TTL, 64).

solvman · October 10, 2001, 10:46pm

Great thanks to all of you, esp. to Neo.

I got the answer I wanted.

Best regards

LivinFree · October 11, 2001, 2:32am

This can be used to help defeat OS guessing in tools like queso and nmap. It's one of the easiest changes you can make to mess with the results. I recall that there were a few such hints/hacks in Hacking Linux Exposed...

The best part, however, is that the 2.4.* series kernels are able to obfuscate the OS completely. Any nmap scan will report that you are whoever you choose to be - for example, you can make yourself appear to the casual scanner to be a MacOS 7.1 machine, or a HP LaserJet Printer!

Check out the netfilter man pages, and this link:

Happy obfuscating!

jyotipg · October 11, 2001, 5:32am

WoW!!! ,
that was a great idea.. I am wonderstuck at the idea of Solvman.. Great going man....
:)

Neo · October 11, 2001, 10:01am

BTW: If anyone changes MAXTTL in linux ip.h and rebuilds the kernel, please post and let everyone know that, indeed, this is one possible solution for linux. Thanks!!

Or, if you find that it can be changed another way, please post.

Or. if you find a clever way to do it for any other system, please post.

Thanks again!!

solvman · October 11, 2001, 9:46pm

U know, people, while reading all those replies, I came up with an idea. What if to create an application making TTL appear all the time randomly let's say in some range from 100 - 255. It would make lots of scanners confused. I wanna create a project on SourceForge. What do you think about the idea itself?

Later on

LivinFree · October 12, 2001, 12:54am

Check out this page:
http://project.honeynet.org/papers/finger/
Farther down, it'll tell you how to change the TTL for Solaris, Linux, and NT... An overall good read, as well.