June 17th, 2004, 09:01 PM
ICMP Scanning Pt. 1
This is my second tutorial so please be kind. It is meant to help cover the basics of using ICMP to scan networks. I hope you find it useful and informative.
ICMP Scanning Pt. 1
Because the IP protocol is not made to be 100% reliable ICMP plays a large part in help to give some feedback when there are problems in communication. ICMP packets are sent in some of the following situations for example: whenever the gateway is able to send traffic on a shorter route, when a datagram does not reach its destination, orwhen the gateway is not able to forward the datagram because it does not have the buffering capacity.
From RFC792 it gives a good explanation of the message formats:
Many times after footprinting an organization malicious attackers move on to the next step of determining whether a host is "alive" or not. This simplifies means that they are checking to see if the computers scanned are able to e reached from the internet or not. If you keep track of your logs on yor firewall and border router this may give some signs of an impending attack.
ICMP messages are sent using the basic IP header. The first octet of the data portion of the datagram is a ICMP type field. Any field labled as "unused" is reserved for later extensions and must be zero when sent, but recievers should not use these fields (except to include them the checksum).
During most scans using ICMP an ICMP_ECHO datagram is sent to the remote computer to determine whether it has an active IP or not. If all is well the computer that sent the ICMP_ECHO packet will recieve and ICMP_ECHO_REPLY packet which means that the host computer is p and alive. If no response is recieved it usually means that the host computer is down or an administrator is filtering the reply from the host. The simplest of tools to do this is to use the ping command which comes with most *nix systems and Windows systems alike. It looks like this:
PING 192.168.0.101 (192.168.0.101) 56(84) bytes of data.
64 bytes from 192.168.0.101: icmp_seq=1 ttl=128 time=7140 ms
64 bytes from 192.168.0.101: icmp_seq=2 ttl=128 time=8982 ms
64 bytes from 192.168.0.101: icmp_seq=9 ttl=128 time=3963 ms
64 bytes from 192.168.0.101: icmp_seq=11 ttl=128 time=3979 ms
64 bytes from 192.168.0.101: icmp_seq=13 ttl=128 time=4472 ms
--- 192.168.0.101 ping statistics ---
54 packets transmitted, 5 received, 90% packet loss, time 53043ms
rtt min/avg/max/mdev = 3963.892/5707.964/8982.328/2016.363 ms, pipe 9
Ping is great to use if you aren't planning on scanning a large amount of host but if you do plan on scanning a large subnet there are a few tools out there that wll help you speed up your scanning proccess. One of the most well known *nix ping sweep tools is fping. It can take info in from interactive mode or it can even be used like the regular ping utility, but what really sets it apart is the fact that it can be used with gping (gping generates large lists of IP addys to scan). Nmap is also a great tool to use for network ping sweeps because it also does it's sweep in a parallel fasion and it helps to resolve the host names of the target computers. For Windows one of the best ping sweep tools is probably Pinger form the Rhino9 group. It is able to do act in the same way as fping and nmap do.
To stop people from pinging your network in this fasion it is a good idea to block ICMP_ECHO requests from the internet at your border router.
Another way to scan large networks at once is to send an ICMP_ECHO request to the broadcast adress on the target network. This will usually result in all the machines answering that are up (this really only applies to a few operating systems because not all will reply to this type of request, believe it or not windows will not respond to an ICMP_ECHO request from the broadcast address). You might also want to remember that issuing this type of request on a large network may also result in a DoS condition
To stop this type of scan from working all you usually have to do is block an IP directed broadcast at your border router.
To find the tools that I discussed above goto these following sites: