Government Security
Network Security Resources

TTL in PHP?



#1 meathive

meathive

    Staff Sergeant

  • Sergeant Major
  • 254 posts

Posted 01 April 2009 - 07:10 PM

Anyone have an idea on how to obtain a packet's TTL value in PHP? I've got a PHP ping script where that's the only minor option I can't seem to work out.

Thanks.

% ping -c 3 kinqpinz.info
PING kinqpinz.info (24.9.255.173) 56(84) bytes of data.
64 bytes from c-24-9-255-173.hsd1.co.comcast.net (24.9.255.173): icmp_seq=1 ttl=64 time=2.82 ms
64 bytes from c-24-9-255-173.hsd1.co.comcast.net (24.9.255.173): icmp_seq=2 ttl=64 time=1.93 ms
64 bytes from c-24-9-255-173.hsd1.co.comcast.net (24.9.255.173): icmp_seq=3 ttl=64 time=2.43 ms

--- kinqpinz.info ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2010ms
rtt min/avg/max/mdev = 1.931/2.396/2.826/0.370 ms
% ./kinqping.php kinqpinz.info
PING kinqpinz.info (24.9.255.173) 39(47) bytes of data.
64 bytes from kinqpinz.info (24.9.255.173): icmp_seq=1 ttl=?? time=1 ms
64 bytes from kinqpinz.info (24.9.255.173): icmp_seq=2 ttl=?? time=1 ms
64 bytes from kinqpinz.info (24.9.255.173): icmp_seq=3 ttl=?? time=0 ms

--- kinqpinz.info ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2.01ms
rtt min/avg/max/mdev/sdev = 0.002/0.669/1.003/0.669/0.668 ms

...oO oO oO kinqpinz.info Oo Oo Oo...
---------------------------------------------------------
# angelheaded hipsters
## burning for the ancient heavenly connection
### to the starry dynamo
#### in the machinery of night.

#2 Faust

Faust

    Private

  • Members
  • 4 posts

Posted 01 April 2009 - 08:47 PM

> Anyone have an idea on how to obtain a packet's TTL value in PHP? I've got a PHP ping script where that's the only minor option I can't seem to work out.
>
> Thanks.


I recommend executing the command and exploding the " " from the output, then gathering all the pieces you want and don't want. The script below runs the ping command, or any command for that matter, and if uncommented will return all the elements. As I did comment out that bit, all it currently does is return the TTL value. Nothing exceedingly special here, but it's not a bad example.

<?php
$cmd = "ping -c 3 google.com";

// Haphazardly borrowed and slightly modified from the C99 shell:
// run $cmd with whichever command-execution function is available.
function _cmd($cmd)
{
 // Functions disabled in php.ini; this variable was undefined in the original.
 $disablefunc = array_map("trim", explode(",", (string) ini_get("disable_functions")));
 $result = "";
 if (!empty($cmd))
 {
  if (is_callable("exec")) {exec($cmd,$result); $result = join("\n",$result);}
  elseif (($result = `$cmd`) !== FALSE) {}
  elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_resource($fp = popen($cmd,"r")))
  {
   $result = "";
   while(!feof($fp)) {$result .= fread($fp,1024);}
   pclose($fp);
  }
 }
 return $result;
}

// Split the whole output on single spaces.
$output = explode(" ", _cmd($cmd));
// print_r($output); // show all elements of the array

// Element 12 is the "ttl=NN" token when the first reply line has the form
// "64 bytes from host (ip): icmp_seq=1 ttl=NN time=...".
echo $output[12];
?>


#3 meathive

meathive

    Staff Sergeant

  • Sergeant Major
  • 254 posts

Posted 01 April 2009 - 11:16 PM

Thanks for replying, man. My script is a full implementation of ping that doesn't use any shell functions to call ping externally. I'm building the raw ICMP packet and sending it across the wire, correct checksum and all. No fun if there's no challenge, aye!

Edit: I wonder if it's safe to assume a constant TTL for all ICMP packets? Since they're encapsulated in an IP packet and themselves don't hold a TTL value. Looking at packet captures reveals a TTL of 64, and the actual ping binary always seems to report 64.
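
For the raw-socket approach described in post #3, the TTL does not have to be assumed: an IPv4 raw socket hands back each reply with its IP header in front of the ICMP message, and the TTL is the ninth byte of that header. The following is an added example, not code from the thread; the function name `parse_echo_reply` and the sample datagram are constructed for illustration.

```php
<?php
// Added example: extract the TTL from a reply read off an IPv4 raw socket.
// Assumption: $datagram starts with the IPv4 header, as raw sockets deliver it.

function parse_echo_reply(string $datagram): ?array
{
    if (strlen($datagram) < 20) {
        return null;                          // shorter than a minimal IPv4 header
    }
    $ip = unpack('Cver_ihl/Ctos/ntotal/nid/nfrag/Cttl/Cproto/nsum/Nsrc/Ndst', $datagram);
    $version = $ip['ver_ihl'] >> 4;
    $hdrLen  = ($ip['ver_ihl'] & 0x0F) * 4;   // IHL counts 32-bit words
    if ($version !== 4 || $hdrLen < 20 || $ip['proto'] !== 1) {
        return null;                          // not IPv4, bad IHL, or not ICMP
    }
    if (strlen($datagram) < $hdrLen + 8) {
        return null;                          // truncated before the ICMP header ends
    }
    // The ICMP header starts after the IP header, which may carry options.
    $icmp = unpack('Ctype/Ccode/nsum/nid/nseq', substr($datagram, $hdrLen, 8));
    if ($icmp['type'] !== 0 || $icmp['code'] !== 0) {
        return null;                          // only echo replies (type 0, code 0)
    }
    return [
        'src' => long2ip($ip['src']),
        'ttl' => $ip['ttl'],                  // byte 8 of the IP header
        'id'  => $icmp['id'],
        'seq' => $icmp['seq'],
    ];
}

// Constructed sample: 20-byte IPv4 header (TTL 57, protocol 1, source 192.0.2.10)
// followed by an ICMP echo reply with id 0x1234 and sequence 1. Checksums are
// left at zero because the parser above does not verify them.
$sample = pack('CCnnnCCnNN', 0x45, 0, 28, 0, 0, 57, 1, 0,
               ip2long('192.0.2.10'), ip2long('198.51.100.7'))
        . pack('CCnnn', 0, 0, 0, 0x1234, 1);

$reply = parse_echo_reply($sample);
printf("from %s: icmp_seq=%d ttl=%d\n", $reply['src'], $reply['seq'], $reply['ttl']);
```

In a ping implementation the returned `id` and `seq` should also be compared with the values that were sent, since a raw ICMP socket receives replies meant for other processes too.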

#4 Hamboldt

Hamboldt

    Private

  • Members
  • 3 posts

Posted 01 October 2010 - 10:33 AM

I made a similar script some time ago in C#.NET to do a simple fingerprint based on common TTL configurations in operating systems.

using System;
using System.Collections.Generic;
using System.Net.NetworkInformation;
using System.Linq;
using System.Text;
using System.Net;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            // IP address
            Console.Write("Host(ex 127.0.0.1): ");
            IPAddress ip = IPAddress.Parse(Console.ReadLine());

            // Timeout
            int timeout = int.Parse("12000");

            // 32-byte buffer
            string data = "hamboldthamboldthamboldthamboldt";
            byte[] buffer = Encoding.ASCII.GetBytes(data);

            // Start the ping
            Ping pingSender = new Ping();
            PingOptions options = new PingOptions();

            options.DontFragment = true;
            options.Ttl = 255; // IPv4 TTL is an 8-bit field, so 255 is the largest valid value (was 666)

            PingReply reply = pingSender.Send(ip, timeout, buffer, options);
            if (reply.Status == IPStatus.Success)
            {
                Console.WriteLine("   Alvo ..........................: {0}", reply.Address.ToString());
                Console.WriteLine("   Tempo de Espera ...............: {0} Segundos.", reply.RoundtripTime);
                Console.WriteLine("   Time to live ..................: {0}", reply.Options.Ttl);
                Console.WriteLine("   Sem Fragmento  ................: {0}", reply.Options.DontFragment);
                Console.WriteLine("   Buffer Recebido ...............: {0} Bytes.", reply.Buffer.Length);

                // Windows 7
                if (reply.Options.Ttl == 57) 
                    Console.WriteLine("   OS ............................: Windows 7");

                // Free/Net/OpenBsd/Linux
                if (reply.Options.Ttl == 255)
                    Console.WriteLine("   OS ............................: Free/Net/OpenBsd/Linux");

                // Windows(95/98/Nt/2000/XP/2003/Vista)
                if (reply.Options.Ttl == 128)
                    Console.WriteLine("   OS ............................: Windows(95/98/Nt/2000/XP/2003/Vista)");

                // Routers (Bay/Cyclades)
                if (reply.Options.Ttl == 30)
                    Console.WriteLine("   OS ............................: Roteadores(Bay/Cyclades) / Switches (3 com)");

            }

            Console.ReadLine();

        }
    }
}


#5 NetJackal

NetJackal

    Private

  • Members
  • 1 posts

Posted 19 February 2012 - 02:16 PM

You shouldn't rely on TTL for OS fingerprinting... it can easily be changed in server and router configs.
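
Besides being configurable, the TTL that arrives has been decremented once per router on the path, so exact comparisons such as `== 128` only match a host with no routers in between. The following added example (not code from the thread) maps an observed TTL to the nearest common starting value and the hop count that implies; the list of initial values and the function names are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumption: senders start from one of the
// widely used initial TTLs below; any host or router can be configured otherwise.
const COMMON_INITIAL_TTLS = [32, 64, 128, 255];

// Map an observed TTL to the smallest common initial value that could have
// produced it, and the hop count that choice implies.
function estimate_initial_ttl(int $observed): ?array
{
    if ($observed < 1 || $observed > 255) {
        return null;                          // outside the 8-bit TTL range
    }
    foreach (COMMON_INITIAL_TTLS as $initial) {
        if ($observed <= $initial) {
            return ['initial' => $initial, 'hops' => $initial - $observed];
        }
    }
    return null;                              // not reached: 255 covers every valid TTL
}

// Summarise several replies from one address. A stable estimate is still only
// a hint; differing estimates mean the TTL says nothing reliable about the host.
function summarise_ttls(array $observedTtls): array
{
    $initials = [];
    foreach ($observedTtls as $ttl) {
        $guess = estimate_initial_ttl($ttl);
        if ($guess !== null) {
            $initials[$guess['initial']] = true;
        }
    }
    ksort($initials);
    return [
        'initial_candidates' => array_keys($initials),
        'consistent'         => count($initials) === 1,
    ];
}

// Constructed samples: 57 is what a TTL-64 sender looks like seven hops away.
foreach ([57, 64, 128, 113, 30, 255] as $ttl) {
    $g = estimate_initial_ttl($ttl);
    printf("observed=%3d  initial=%3d  hops=%d\n", $ttl, $g['initial'], $g['hops']);
}
var_export(summarise_ttls([57, 57, 121]));
```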



