Post

ICMP Host Fingerprinting Through TTL Analysis

Posted Updated
By Caleb Finigan
2 min read

ICMP isn’t just for ping and traceroute; it’s also a valuable tool in security research.

  • TTL (Time to Live): A field in the IP header that indicates how many hops (routers) a packet can traverse before being discarded.
    • Each router decreases the TTL by 1.
    • If TTL hits zero, the packet is dropped, and an ICMP “Time Exceeded” message is returned.
  • How TTL Helps Identify Hosts
    • When pinging a device, the TTL value in the reply can provide insights into the host’s operating system or device type.
    • Different systems have unique default TTL values, helping you identify the device.

Common Default TTL Values

  • Linux: TTL = 64
  • Windows: TTL = 128
  • Cisco Devices: TTL = 255

Calculating the Original TTL

To identify the original TTL of the host, you need to consider the number of hops between your device and the target. Here’s a simple method to estimate the original TTL:

  1. Ping the Host: Send an ICMP echo request to the host and note the TTL value in the reply.
  2. Calculate the Number of Hops: Perform a traceroute to the host to determine the number of hops (routers) between you and the target.
  3. Estimate the Original TTL: Add the number of hops to the TTL value in the reply. This sum will give you the original TTL that the host likely used.

Step-by-Step Example of Device Fingerprinting:

1. Ping the Host

First, send an ICMP echo request to the host and note the TTL value in the reply.

1
2

Pinging 192.168.12.1 with 32 bytes of data:
Reply from 192.168.12.1: bytes=32 time=1ms TTL=63
  • Here, you received a TTL value of 63.

2. Determine the Number of Hops

Next, use traceroute to find the number of hops (routers) between your device and the target host.

1
2
3
4
5
6
7

> tracert -d 192.168.12.1
Tracing route to 192.168.12.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms    <1 ms    <1 ms  192.168.12.1

Trace complete.
  • The traceroute shows that the host is 1 hop away.

3. Estimate the Original TTL

Now, add the number of hops to the TTL value from the ping reply. This sum gives you an estimate of the original TTL value set by the host.

Calculation:

1
2
3

Original TTL = Received TTL + Hop Count
             = 63 + 1
             = 64
  • The original TTL is likely 64, letting us know this is most likely a Linux-based system.

Example 2: Multiple Hops

If you ping a device and receive a TTL of 118, and traceroute shows the host is 10 hops away:

Calculation:

1

Original TTL = 118 + 10 = 128
  • In this case, the original TTL is likely 128, indicating the host is probably running a Windows-based system.
Networking, Tutorial
icmp ttl networking
This post is licensed under Apache License 2.0 by the author.