Data Field of an ICMP ECHO REQUEST

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914

    Data Field of an ICMP ECHO REQUEST

    Hey Hey,

    This really won't spur much of a discussion... it's just more of an FYI for those that like interesting facts, and those who are bored.

    We were sitting in class the other day, doing a DHCP lab I believe, and we were sniffing ICMP ECHOs. I was bored and scrolling through the packet contents and found the data field rather amusing.

    abcdefghijklmnopqrstuvwabcdefghi
    These are the contents of the data field on both Windows XP and Windows 98.

    I decided to come home and compare this with the data field contents from an ICMP ECHO Request originating from my linux box (SuSE 9.1 w/ a 2.6.4 kernel). The contents were as follows.

    D^@b<
    

     !"#$%&'()*+,-./01234567
    Again a pattern is evident: there are 10 bytes of data, followed by an apparent pattern. The characters start counting at hex value 0a and continue on, counting up numerically.

    I decided to give my buddy a call and have him ping me with his Mac (Running Mac OS 10.3).

    @~ 

     !"#$%&'()*+,-./01234567
    The initial 10 bytes differ from the first 10 bytes of the Linux ICMP Echo Request data field, however the data that follows is the exact same.

    So MS systems start at a and move to w before starting the cycle over and repeating themselves. I'm actually kind of curious as to why they didn't go all the way to Z, so if anyone knows I'd love to hear about it. *nix based systems seem to follow their own pattern... 10 seemingly random bytes and then starting at 0a. I'm curious about this system. The count ends up dead on because the bytes preceding 0A would be 00,01,02,03,04,05,06,07,08,09 (10 bytes), yet seemingly random bytes are used instead. Another question that I would love to see the answer to.

    I thought I'd share this because little things like this tend to amuse me. I get bored easily and I'm amused by most things... hehe

    Anyways I'm going to play with a few more operating systems and since I've been trying to learn snort more in depth, I may attempt to write a series of rules that will identify ICMPs and the operating system they originated from (unless this already exists.. if so... let me know so I don't waste my time).

    Also if anyone wants to capture packets from their machines' operating systems and either paste the data field, or the packet... or post a capture file here, it'd be greatly appreciated... I'm going to attempt to compile a rather complete list if possible.

    Anyways that's my sharing for the evening.....

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Interesting how in common the results from the ICMP ECHO Request are between the Mac OS and the Linux box. Isn't it interesting how their results are quite similar and Windows is a little farther apart? Hrmm.. Also, if you're going to vary the different OSes, you should also vary the connections and speeds as well. See if new characters or even more characters come up (for instance, in the Windows set maybe it'll go all the way? who knows..).
    Space For Rent.. =]

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by Spyder32
    Interesting how in common the results from the ICMP ECHO Request are between the Mac OS and the Linux box. Isn't it interesting how their results are quite similar and Windows is a little farther apart? Hrmm.. Also, if you're going to vary the different OSes, you should also vary the connections and speeds as well. See if new characters or even more characters come up (for instance, in the Windows set maybe it'll go all the way? who knows..).
    Hey Hey,

    Mac is similar because it's based on Darwin.... however I'd love to see a packet capture from an older Mac <= 9.... technically the connections and speeds shouldn't affect the generation of the packet, due to the level at which it's actually created, but you never know... I may look into it...

    Peace,
    HT

    [Edit]

    Here's the data from a Cisco Router running IOS 12.3.7T, which has been provided for us by phishphreek.

    d@ͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫͫ
    The pattern contains 8 bytes of seemingly random data followed by "ab cd"... someone testing their typing abilities while programming?

    [/Edit]
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    Senior Member
    Join Date
    Jun 2003
    Posts
    723
    code:
    a..@..
    ........ .........
    ........ .. !"#$%
    &'()*+,- ./012345
    67

    freebsd 5.2.1
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Look through the Snort ICMP signatures and you will see that it is these differences that allow Snort to report "ICMP: Ping Type BSD" etc.

    Just thought I'd throw that in....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    The data in an echo_request is not actually important - the server just returns it without modification (unless it's broken).

    The data exist, because icmp echo_request (aka ping) can be used to test that larger packets (perhaps requiring fragmentation) get through a network successfully. They have to pad it out with something.

    On another slightly worse note, that means that icmp echo_request (and indeed reply) can be used to send data, as a "covert" channel, because any data can be inside the packets.

    Slarty

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Thanks for the data lumpy

    Originally posted here by Tiger Shark
    Look through the Snort ICMP signatures and you will see that it is these differences that allow Snort to report "ICMP: Ping Type BSD" etc.

    Just thought I'd throw that in....
    That's what I was looking for. Well, that'll save me a lot of work... Thanks..


    The data in an echo_request is not actually important - the server just returns it without modification (unless it's broken).

    The data exist, because icmp echo_request (aka ping) can be used to test that larger packets (perhaps requiring fragmentation) get through a network successfully. They have to pad it out with something.

    On another slightly worse note, that means that icmp echo_request (and indeed reply) can be used to send data, as a "covert" channel, because any data can be inside the packets.

    Slarty
    I know it's not important.. it's just to pad it... I just found it interesting how different OSes choose to pad it.

    I find it amusing that in a world where security and stealth are now so important, they haven't changed the default data so that you couldn't pick out the OS based on the data in a ping.

    However, sending data... I know you could send it through ICMP, however I guess I'd never realized how overly simple that was.... thanks for adding the info

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  8. #8
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Slarty nice info about using echo packets for covert channel.
    Do you know any implementation of that?
    Is someone able to do a bidirectional conversation using that? I mean, can I send different information through echo responses?
    Never thought about that
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Experiments I've done show that you can just use echo_response rather than echo, applications (running as root / admin) can receive all ICMP packets, and just look for the ones they want. Sending packets is pretty easy too.

    On Windows, it seems difficult for an app to receive echo packets, as the kernel gets them and intercepts them first. Most other ICMP types can be seen by apps though.

    Slarty

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    It's odd that MS just chose a through w, which is a range of 23 bytes. Hex-wise it's 0x61 through 0x77. Seems pretty arbitrary to me, although maybe the number 23 has some special meaning to whoever originally decided on it. It resets the loop and begins again for the 9 remaining bytes needed to fill out the packet.

    As for the unix boxes, it would seem to me that it is simply starting at ASCII 0x00 and incrementing up through 0x37 (which is "7"). This constitutes 55 bytes of data with a null appended, meaning 56 octets of data (which is what my linux box defaults to using ping). Unless you are seeing that the first 10 bytes are *NOT* 0x00, 0x01, 0x02, et al., I don't get why you think it's at all random. Sometimes the host OS will replace certain NPCs with PCs for the sake of displaying them instead of the grey NPC boxes, which is what it looks like here.

    My bet would be that it simply goes through all 128 ASCII standard characters before beginning the loop again. Likely the first few codes are being interpreted using extended ascii, which is why MacOS and Linux would show different values.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
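A small payload classifier in the spirit of the Snort ICMP signatures Tiger Shark mentions, written as an added example that is not the thread's own code nor Snort's rules. It assumes the padding patterns the posts describe (Windows a..w repeating, Linux/BSD/Mac OS X counting up after an 8-byte timestamp, Cisco IOS 0xABCD repeating) and uses constructed sample payloads rather than captured traffic; parse_echo also verifies the ICMP checksum so a sensor does not fingerprint corrupt packets.

```python
import struct

# Payload patterns as described in the thread (assumed from the posts, not captured here):
#   Windows: "abcdefghijklmnopqrstuvw" repeating (0x61..0x77, period 23)
#   Linux / FreeBSD / Mac OS X: 8-byte timestamp, then byte i holds the value i
#   Cisco IOS: 8 leading bytes, then 0xAB 0xCD repeating

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_echo(packet: bytes) -> dict:
    """Split a raw ICMP echo request/reply into header fields and payload, checking the checksum."""
    if len(packet) < 8:
        raise ValueError("too short for an ICMP echo header")
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if typ not in (0, 8) or code != 0:
        raise ValueError("not an ICMP echo request/reply")
    ok = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == csum  # recompute with field zeroed
    return {"type": typ, "id": ident, "seq": seq, "checksum_ok": ok, "payload": packet[8:]}

def classify_payload(data: bytes) -> str:
    """Guess the originating ping implementation from its padding pattern."""
    n = len(data)
    if n < 16:
        return "unknown"          # too little data to tell the patterns apart
    if all(data[i] == 0x61 + (i % 23) for i in range(n)):
        return "windows"
    if all(data[i] == (i & 0xFF) for i in range(8, n)):
        return "bsd-like"         # Linux iputils, FreeBSD, Mac OS X
    if data[8:] == (b"\xab\xcd" * n)[: n - 8]:
        return "cisco-ios"
    return "unknown"

# Constructed sample payloads (not real captures); the 8-byte timestamp values are made up.
WINDOWS_PAYLOAD = (b"abcdefghijklmnopqrstuvw" * 2)[:32]
LINUX_PAYLOAD = struct.pack("!II", 0x4123ABCD, 0x000A1B2C) + bytes(range(8, 56))
CISCO_PAYLOAD = b"\x00" * 8 + b"\xab\xcd" * 14
```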
