ICMP timestamps
The Timestamp is an ICMP (RFC 792) message which is used for time synchronization. The Timestamp Reply message consists of the originate timestamp sent by the sender of the Timestamp, as well as a receive timestamp and a transmit timestamp.
If your machine answers ICMP Timestamp messages, an attacker can learn the date which is set on your machine. This may help him to defeat all your time-based authentication protocols.
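To make concrete what a Timestamp Reply discloses, the following added example (not part of the original post) decodes the RFC 792 layout described above and derives the remote clock reading and its offset from the requester. The function names and the sample values are constructed for illustration; RFC 792 defines the timestamps as milliseconds since midnight UT.

```python
import struct

ICMP_TIMESTAMP_REPLY = 14            # RFC 792: type 14, code 0
MS_PER_DAY = 24 * 60 * 60 * 1000
FMT = "!BBHHHIII"                    # type, code, checksum, id, seq, 3 timestamps

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by ICMP (even-length input)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_reply(ident, seq, originate, receive, transmit) -> bytes:
    """Construct a sample reply for the demo (not captured traffic)."""
    body = struct.pack(FMT, ICMP_TIMESTAMP_REPLY, 0, 0, ident, seq,
                       originate, receive, transmit)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def ms_to_clock(ms: int) -> str:
    sec, ms = divmod(ms, 1000)
    return f"{sec // 3600:02d}:{sec % 3600 // 60:02d}:{sec % 60:02d}.{ms:03d}"

def parse_timestamp_reply(msg: bytes) -> dict:
    """Decode the ICMP part of a Timestamp Reply (IP header already removed)."""
    if len(msg) != struct.calcsize(FMT):
        raise ValueError("Timestamp Reply must be 20 bytes")
    mtype, code, _, ident, seq, orig, recv, xmit = struct.unpack(FMT, msg)
    if (mtype, code) != (ICMP_TIMESTAMP_REPLY, 0):
        raise ValueError("not an ICMP Timestamp Reply")
    if inet_checksum(msg) != 0:      # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    # RFC 792: high-order bit set means "not milliseconds since midnight UT".
    standard = not ((recv | xmit) & 0x80000000)
    result = {"id": ident, "seq": seq, "standard": standard,
              "remote_clock_ut": None, "offset_ms": None}
    if standard:
        result["remote_clock_ut"] = ms_to_clock(xmit % MS_PER_DAY)
        # receive - originate = clock offset plus one-way latency; fold the
        # difference into +/- 12 h so a reply straddling midnight stays sane.
        half = MS_PER_DAY // 2
        result["offset_ms"] = (recv - orig + half) % MS_PER_DAY - half
    return result

if __name__ == "__main__":
    # Constructed sample: requester at 12:00:00.000 UT, responder 37.25 s ahead.
    sample = build_reply(0x1234, 1, 43_200_000, 43_237_250, 43_237_251)
    print(parse_timestamp_reply(sample))
```

The offset includes one-way network latency, so it is an approximation of the clock difference rather than an exact figure.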
Here is the code of a script that can be used to check whether a remote host answers Timestamp requests:
#!/bin/bash
# Check if the script is being run as root; exit if it is not.
if [ "$UID" -ne 0 ]
then
    echo "[ERROR] This script must be run as root"
    exit 1
fi
# Probe each host given on the command line.
for foo in "$@"; do
    echo -n "$foo "
    # Count the lines hping3 prints for received ICMP Timestamp Replies.
    output=$(hping3 -c 3 --icmp-ts "$foo" 2>/dev/null | grep -c "ICMP timestamp")
    if (( output > 0 ))
    then
        echo "reacts to ICMP timestamp."
    else
        echo "doesn't react."
    fi
done

First we need to check that root is the one running the script, because otherwise we won't be able to craft ICMP packets. For this task we will be using hping (the hping3 package in Debian GNU/Linux).
The script just sends three (-c 3) ICMP Timestamps (--icmp-ts) to each of the hosts given on the command line. We grep the output of hping3 looking for the magic string "ICMP timestamp", and if it is found, we print a success message.



