PREFACE:
=================================================
I'd like to start by saying that I will be covering many of the basic functions along with examples and explanations of why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but not to the point where advanced knowledge of the application is grasped. I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in such ways that I cannot improve upon. By no means is this a cut & paste tutorial, but I would like to make everyone aware that I will be borrowing info where it makes sense. For those who have been around here for a while, you know that I preface my tutorials with this advance warning in the event that someone finds a sentence or two from the original man pages for the app.


ICMP Techniques: OS/Router Guessing
=================================================

ICMP packets, used for troubleshooting networks or even for gathering basic information, are a common and crucial part of networking. Ping is the most common ICMP type used, but most, if not all, firewalls block ICMP Type 8 (ECHO REQUEST) and ICMP Type 0 (ECHO REPLY). Using other ICMP packets that the firewalls might not be blocking, we can detect whether a host is alive. For reference purposes, here are the available ICMP types:

http://www.iana.org/assignments/icmp-parameters

** ICMP Timestamp Request, Type 13: Who cares what time it is? **

As noted above, ICMP may not be blocked altogether. Knowing this, we can send different types of ICMP traffic to see if we can reach a host on the inside of the firewall.

[root@HorseyLand-Labs]#hping -c 1 --icmp-ts 10.10.10.10

HPING 10.10.10.10 (eth0 10.10.10.10): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.10.10.10 ttl=128 id=37589 icmp_seq=0 rtt=0.3 ms
ICMP timestamp: Originate=31125922 Receive=3116299522 Transmit=3116299522
ICMP timestamp RTT tsrtt=0


NOTE: This can be expressed another way with the -C switch followed by the ICMP type 13, but because I have the count switch (-c) defined, I used the HPING alias for ICMP type 13 (--icmp-ts) for the sake of ease of reading.

HOLY CRAP BATMAN!! What kind of timestamps are these? The timestamps seen above are 32-bit values given in milliseconds since midnight UTC, per the RFC. The Originate Timestamp is the time the sender last touched the message before sending it, the Receive Timestamp is the time the echoer first touched it on receipt, and the Transmit Timestamp is the time the echoer last touched the message on sending it. These timestamps can be converted to make sense in a number of ways, but that's another tutorial altogether.

Seeing our result, the ICMP packet was allowed through the firewall. This technique is used primarily against *nix machines, as you'll see below when we go into OS guessing. I just want you to be familiar with the format of the timestamps before we move on.

** OS Guessing with ICMP: **

OS guessing implies exactly what it says: it's a guess. That means that even if we see what we expect using the ICMP techniques, it does not guarantee that your guess is accurate. OS guessing, in my experience, needs to happen via a number of avenues; otherwise, you'll find that you're wrong half the time. By my standards, those are not good odds. Also, very basic router/switch/firewall ACLs will defeat all of these techniques. They work on networks/hosts where the admin has not done his/her job.

Just for fun, look at the output from a Windows 2003 Server host vs. a Fedora Core 1 host:

[root@HorseyLand-Labs]#hping -c 1 --icmp-ts 10.10.10.10

HPING 10.10.10.10 (eth0 10.10.10.10): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.10.10.10 ttl=128 id=37864 icmp_seq=0 rtt=0.3 ms
ICMP timestamp: Originate=36890269 Receive=1622428931 Transmit=1622428931
ICMP timestamp RTT tsrtt=1

[root@HorseyLand-Labs]#hping -c 1 --icmp-ts 10.10.10.5

HPING 10.10.10.5 (eth0 10.10.10.5): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.10.10.5 ttl=64 id=18260 icmp_seq=0 rtt=0.2 ms
ICMP timestamp: Originate=36894269 Receive=55429872 Transmit=55429872
ICMP timestamp RTT tsrtt=1


Take notice of the ttl values and the timestamp values. See anything that may give you a hint as to the differences in OS?
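To make the timestamp question above concrete, here is an added example (my own code, not part of the original tutorial and not hping's code) that decodes the three fields of the hping output lines shown above. It applies the check a practitioner would use: a field at or above 86,400,000 cannot be milliseconds since midnight, and Windows hosts are known to send the reply fields in little-endian byte order, so the decoder also tries the byte-swapped reading. The sample lines are the ones from the tutorial; everything else (function names, the dict layout) is my own choice.

```python
import re
import struct

# Added example for this lesson, not part of the original tutorial or of hping.
# RFC 792 timestamps are 32-bit milliseconds since midnight UTC; a value at or
# above one day's worth of milliseconds cannot be a standard timestamp.
MS_PER_DAY = 24 * 60 * 60 * 1000  # 86,400,000

TS_LINE = re.compile(
    r"ICMP timestamp: Originate=(\d+) Receive=(\d+) Transmit=(\d+)"
)


def ms_to_hms(ms):
    """Render milliseconds-since-midnight as HH:MM:SS.mmm (UTC per the RFC)."""
    total_s, millis = divmod(ms, 1000)
    hours, rem = divmod(total_s, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}.{millis:03d}"


def byteswap32(value):
    """Reverse the byte order of a 32-bit unsigned integer."""
    return struct.unpack("<I", struct.pack(">I", value))[0]


def decode_icmp_timestamp(value):
    """Interpret one 32-bit timestamp field from an ICMP Timestamp Reply.

    Returns the byte order that made the value plausible ('big-endian' is the
    RFC encoding; 'little-endian' is what Windows hosts are known to send),
    the milliseconds since midnight, and a clock reading. Values that fit
    neither way are reported as 'non-standard'.
    """
    if value < MS_PER_DAY:
        return {"encoding": "big-endian", "ms": value, "tod": ms_to_hms(value)}
    swapped = byteswap32(value)
    if swapped < MS_PER_DAY:
        return {"encoding": "little-endian", "ms": swapped, "tod": ms_to_hms(swapped)}
    return {"encoding": "non-standard", "ms": None, "tod": None}


def parse_hping_timestamp_line(line):
    """Decode the three fields of an hping 'ICMP timestamp:' output line."""
    m = TS_LINE.search(line)
    if not m:
        return None
    names = ("originate", "receive", "transmit")
    return {n: decode_icmp_timestamp(int(v)) for n, v in zip(names, m.groups())}


def reply_skew_ms(line_a, line_b):
    """Difference between the decoded Receive fields of two hping lines.

    Two hosts with synchronised clocks probed a few seconds apart should
    differ by roughly the gap between the probes; a large difference means
    a clock offset or a misread byte order.
    """
    a = parse_hping_timestamp_line(line_a)["receive"]["ms"]
    b = parse_hping_timestamp_line(line_b)["receive"]["ms"]
    return b - a


if __name__ == "__main__":
    # Output lines copied from the tutorial: Windows 2003 (10.10.10.10) and
    # Fedora Core 1 (10.10.10.5), probed a few seconds apart.
    windows = "ICMP timestamp: Originate=36890269 Receive=1622428931 Transmit=1622428931"
    fedora = "ICMP timestamp: Originate=36894269 Receive=55429872 Transmit=55429872"
    for label, line in (("windows", windows), ("fedora", fedora)):
        for field, r in parse_hping_timestamp_line(line).items():
            print(f"{label:8} {field:9} {r['encoding']:13} {r['tod']}")
    print("receive skew (ms):", reply_skew_ms(windows, fedora))
```

Run as-is, the Fedora Receive field decodes directly (15:23:49.872 UTC), the Windows field only decodes after a byte swap (15:23:44.096), and the two land about 5.8 seconds apart, which matches the gap between the two probes and is the real tell behind the question above. The sender's own Originate field decodes about five hours away from both replies; that says something about the probing box's clock, not about the targets, and is a reminder that one timestamp on its own is weak evidence.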

** Address Mask Request/Reply: **

This isn't very much help in determining the OS, but for the sake of completeness I'm mentioning it here. Send an Address Mask Request message to the broadcast address of the network in which the host resides. You'll receive an Address Mask Reply message giving the subnet mask of the remote host.

[root@HorseyLand-Labs]#hping --icmp-addr -c 1 10.10.10.255
HPING 10.10.10.255 (eth0 10.10.10.255): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.10.10.12 ttl=64 id=3518 icmp_seq=-1 rtt=-279878272.0 ms
ICMP address mask: icmpam=255.255.255.0


** ICMP Message Quoting **

Different OSes fill in different amounts of information in the error message they generate. Let's take a look.

[root@HorseyLand-Labs]#hping --udp -c 1 -p 1 10.10.10.10
HPING (eth0 10.10.10.10): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=10.10.10.10 name=UNKNOWN

[root@HorseyLand-Labs]#hping --udp -c 1 -p 1 10.10.10.5
HPING 10.10.10.5 (eth0 10.10.10.5): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=10.10.10.5 name=HorseyLand-Labs.insecure.net


Notice that our Windows box did not resolve the source hostname; however, the Fedora box does. This isn't the be-all and end-all of quoting (and not exactly the best example), but you at least get the idea. You will see subtle differences in the error message reported.

** ICMP Error Message Quenching **

Send a UDP packet to a random unused port so that the remote host may generate and send back an ICMP unreachable error message. Operating systems limit the rate at which error messages are sent, thus by counting the number of messages received you can guess the remote OS. The TOS (Type of Service) field in the error message sent by the remote host will be very helpful in determining the OS. This value will sometimes vary between OSes. You can easily google TOS values and use them during your analysis. In the example below, I set the count to one; however, you would, of course, have to set this to something higher to determine the error message rate. Again, the statistics are easily gotten from the web to compare against your findings.

[root@HorseyLand-Labs]#hping -V -c 1 10.10.10.10
using eth0, addr: 10.10.10.10, MTU: 1500
HPING 10.10.10.10 (eth0 10.10.10.10): NO FLAGS are set, 40 headers + 0 data bytes
len=50 ip=172.27.0.27 ttl=254 id=20412 tos=0 iplen=40
sport=0 flags=RA seq=0 win=0 rtt=2.8 ms
seq=1070065601 ack=399338208 sum=33a4 urp=0


** Routers **

Using ICMP techniques, we can also detect routers. Detecting a router is quite simple, and useful. Using ICMP Type 10, Router Solicitation, we send a request to what we believe to be a router and then check whether an ICMP Type 9, Router Advertisement, packet comes back. Because of limitations in available equipment, I cannot show you a successful hit; however, here is the syntax:

[root@HorseyLand-Labs]#hping -V -c 1 --icmptype 10 10.10.10.254

If all goes well, you’ll receive an ICMP type 9 response, Router Advertisement. Otherwise, the packet will either be dropped or an error message will be returned.

We have now discovered a router on the network, which might be the one filtering packets to the rest of the network. This technique is very helpful, and simple when looking for gateways.
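The OS guessing section above points out that basic ACLs defeat every technique in this lesson, and the admin who does his/her job will also want to see these probes in the logs. As an added example (my own code, not part of the original tutorial and not hping's), here is a small scanner that reads iptables/netfilter LOG lines and counts, per source address, the non-echo ICMP types this lesson uses: timestamp request (13), address mask request (17) and router solicitation (10), plus their replies. The log lines are constructed by me to follow the kernel LOG target's field format; the addresses and the "ICMP-IN" log prefix are made up.

```python
import re
from collections import defaultdict

# Added example, not part of the original tutorial: scans iptables/netfilter
# LOG lines for the ICMP probe types this lesson uses. The sample lines below
# are constructed to match the kernel LOG target format; addresses are made up.
PROBE_TYPES = {
    13: "timestamp-request",     # RFC 792
    14: "timestamp-reply",
    17: "address-mask-request",  # RFC 950
    18: "address-mask-reply",
    10: "router-solicitation",   # RFC 1256
    9: "router-advertisement",
}

# SRC/DST come first in a LOG line; PROTO follows the IP header fields, and
# for ICMP the kernel appends TYPE= and CODE= (absent for TCP/UDP).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: TYPE=(?P<type>\d+) CODE=(?P<code>\d+))?"
)

# Constructed sample: one host sends the three probe types from this lesson,
# another host only pings and sends a UDP packet to port 1.
SAMPLE_LOG = """\
Jan  5 13:47:39 gw kernel: ICMP-IN IN=eth0 OUT= SRC=10.10.10.20 DST=10.10.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=37589 PROTO=ICMP TYPE=13 CODE=0 ID=1234 SEQ=0
Jan  5 13:47:41 gw kernel: ICMP-IN IN=eth0 OUT= SRC=10.10.10.20 DST=10.10.10.255 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3518 PROTO=ICMP TYPE=17 CODE=0 ID=1234 SEQ=0
Jan  5 13:47:43 gw kernel: ICMP-IN IN=eth0 OUT= SRC=10.10.10.20 DST=10.10.10.254 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=20412 PROTO=ICMP TYPE=10 CODE=0
Jan  5 13:48:00 gw kernel: ICMP-IN IN=eth0 OUT= SRC=10.10.10.30 DST=10.10.10.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=100 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1
Jan  5 13:48:02 gw kernel: ICMP-IN IN=eth0 OUT= SRC=10.10.10.30 DST=10.10.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=101 PROTO=UDP SPT=40000 DPT=1 LEN=40
"""


def parse_log_line(line):
    """Pull SRC, DST, PROTO and (for ICMP) TYPE/CODE out of one LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["type"] = int(rec["type"]) if rec["type"] is not None else None
    rec["code"] = int(rec["code"]) if rec["code"] is not None else None
    return rec


def find_icmp_probes(lines):
    """Count, per source address, the non-echo ICMP probe types seen.

    Plain echo (type 8/0) is deliberately not counted: it is noisy and
    normal; the types in PROBE_TYPES are rare on a healthy LAN.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "ICMP":
            continue
        name = PROBE_TYPES.get(rec["type"])
        if name:
            hits[rec["src"]][name] += 1
    return {src: dict(counts) for src, counts in hits.items()}


def report(hits):
    """One line per source, suitable for feeding an alerting pipeline."""
    return [
        f"{src}: " + ", ".join(f"{n}={c}" for n, c in sorted(counts.items()))
        for src, counts in sorted(hits.items())
    ]


if __name__ == "__main__":
    for line in report(find_icmp_probes(SAMPLE_LOG.splitlines())):
        print(line)
```

Feed it `grep ICMP-IN /var/log/messages` (or whatever prefix your LOG rules use) and a source that shows timestamp-request, address-mask-request and router-solicitation within a few seconds is worth a look. On the blocking side, iptables can match these by name (`-p icmp --icmp-type timestamp-request`, `address-mask-request`, `router-solicitation`), and on Linux the rate at which the kernel answers with ICMP errors, the behaviour the "quenching" section above measures, is governed by the `net.ipv4.icmp_ratelimit` and `net.ipv4.icmp_ratemask` sysctls.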

At this point, you have learned enough techniques to reliably identify OSes, discover routing equipment and determine port state.

In lesson 4, we're going to begin techniques that *ARE* destructive if misused. Techniques will include using HPING as a DoS tool, as a data tunneling app and finally as a Trojan (used in conjunction with netcat).

The final lesson will go over advanced techniques of the aforementioned and also countermeasure techniques. You may also get the sense that using manual techniques to discover remote OSes is a time-consuming task. Yes, it is; however, once you fully understand the mechanics, you'll be able to build on the knowledge and perhaps even write your own tools.