Identify equal servers on different IPs using the IP header of packets

Another nice tool, I do penetration tests, sometimes I have to know if a service(for example http) over different IPs was served by different hosts or if it’s really served by the same host.

How can I know this?

That IPs could have another services, different between each IP, for example that hosts could be doing NAT.

So, doing a port scanning, for example with nmap or using any automated tool doesn’t work. If you rest in the results of that tools, you will get wrong results trying to know if are really the same host.

Then, how can I know if this services over different IPs are really served by the same host???

The answer is analyzing the IP header of packets received from this IPs.

(I don’t gonna write a tutorial about networking and the network layer here. You can read the RFCs and read a lot of books, papers and tutorials over this subjects.)

The key is the identification field(32 to 47 bits) in the IP header and the fact that this number is sequential.

Then, if you receive continuous packets from one host, they will have sequential identification numbers.

It’s easy to receive a continue flow of packets from any host and if that host isn’t sending a lot of packets to another IPs, you will have packets with almost sequential identification numbers.

Now, let’s play! A couple of years ago I did a tool to receive packets from different hosts, get and compare the identification numbers received. Now I put it online and you can use it! it’s in Tools section.

If you have any question, you can post it in a comment.

  1. No comments yet.

  1. No trackbacks yet.