June 17th, 2004, 09:01 PM
ICMP Scanning Pt. 1
This is my second tutorial so please be kind. It is meant to help cover the basics of using ICMP to scan networks. I hope you find it useful and informative.
ICMP Scanning Pt. 1
Because the IP protocol is not made to be 100% reliable ICMP plays a large part in help to give some feedback when there are problems in communication. ICMP packets are sent in some of the following situations for example: whenever the gateway is able to send traffic on a shorter route, when a datagram does not reach its destination, orwhen the gateway is not able to forward the datagram because it does not have the buffering capacity.
From RFC792 it gives a good explanation of the message formats:
Many times after footprinting an organization malicious attackers move on to the next step of determining whether a host is "alive" or not. This simplifies means that they are checking to see if the computers scanned are able to e reached from the internet or not. If you keep track of your logs on yor firewall and border router this may give some signs of an impending attack.
ICMP messages are sent using the basic IP header. The first octet of the data portion of the datagram is a ICMP type field. Any field labled as "unused" is reserved for later extensions and must be zero when sent, but recievers should not use these fields (except to include them the checksum).
During most scans using ICMP an ICMP_ECHO datagram is sent to the remote computer to determine whether it has an active IP or not. If all is well the computer that sent the ICMP_ECHO packet will recieve and ICMP_ECHO_REPLY packet which means that the host computer is p and alive. If no response is recieved it usually means that the host computer is down or an administrator is filtering the reply from the host. The simplest of tools to do this is to use the ping command which comes with most *nix systems and Windows systems alike. It looks like this:
PING 192.168.0.101 (192.168.0.101) 56(84) bytes of data.
64 bytes from 192.168.0.101: icmp_seq=1 ttl=128 time=7140 ms
64 bytes from 192.168.0.101: icmp_seq=2 ttl=128 time=8982 ms
64 bytes from 192.168.0.101: icmp_seq=9 ttl=128 time=3963 ms
64 bytes from 192.168.0.101: icmp_seq=11 ttl=128 time=3979 ms
64 bytes from 192.168.0.101: icmp_seq=13 ttl=128 time=4472 ms
--- 192.168.0.101 ping statistics ---
54 packets transmitted, 5 received, 90% packet loss, time 53043ms
rtt min/avg/max/mdev = 3963.892/5707.964/8982.328/2016.363 ms, pipe 9
Ping is great to use if you aren't planning on scanning a large amount of host but if you do plan on scanning a large subnet there are a few tools out there that wll help you speed up your scanning proccess. One of the most well known *nix ping sweep tools is fping. It can take info in from interactive mode or it can even be used like the regular ping utility, but what really sets it apart is the fact that it can be used with gping (gping generates large lists of IP addys to scan). Nmap is also a great tool to use for network ping sweeps because it also does it's sweep in a parallel fasion and it helps to resolve the host names of the target computers. For Windows one of the best ping sweep tools is probably Pinger form the Rhino9 group. It is able to do act in the same way as fping and nmap do.
To stop people from pinging your network in this fasion it is a good idea to block ICMP_ECHO requests from the internet at your border router.
Another way to scan large networks at once is to send an ICMP_ECHO request to the broadcast adress on the target network. This will usually result in all the machines answering that are up (this really only applies to a few operating systems because not all will reply to this type of request, believe it or not windows will not respond to an ICMP_ECHO request from the broadcast address). You might also want to remember that issuing this type of request on a large network may also result in a DoS condition
To stop this type of scan from working all you usually have to do is block an IP directed broadcast at your border router.
To find the tools that I discussed above goto these following sites:
June 18th, 2004, 02:21 AM
So what's with the mass negging? It's not a google, so if you have a problem with the tut, why we go ahead and post why it's worthy of negs?
Nobody is going to take over the world with this tut, but I think this person deserves some discussion about their tutorial. This person got it for their last one, I don't see why they shouldn't receive it for this one.
June 18th, 2004, 02:39 AM
While the writing quality of the post could be a bit better, the information seems fine to me. I think someone is getting a little too aggressive here.
He briefly explains icmp, gives an rfc, discusses security related topics with ping and how to stop them, and provides tools and links. Not a bad start.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
June 18th, 2004, 03:51 AM
Don't worry about the neg's. They don't really matter anyway. For those that didn't think it covered enough I am sorry, I plan on adding more in this post as soon as I get done writing it. To Juridian, yeah I just re-read it and my spelling is horrible. I'm not to good with words . I take this all in good spirits and mark it up as a learning experience, no more, no less. We all have to start somewhere.
June 18th, 2004, 04:25 AM
Now there is something you don't see here at AO alot. Very nice to see.
Don't worry about the neg's. They don't really matter anyway.
Also, good tutorial. It described the basics of what we needed to know. You could have waited and added more to this one. But it's a good start! :-)
June 18th, 2004, 05:39 AM
Alright, I know I messed up by not posting information that wasn't very informative so I am trying to fix it so that you feel like you have either learned something new or feel like the information has been refreshed in your mind. At any rate I am learning as I go so it's good for me either way. On to the business end...
The ICMP protocol doesn't just send ICMP_ECHO and ICMP_ECHO_REPLY messages, there are actually quite a few different types that it sends. The other are able to be used to probe and find not only live hosts but also things such as the router. Here are some of the other types of ICMP query messages:
ECHO (type 8) ECHO_REPLY (type 0)
ADDRESS_MASK_REQUEST (type 17) ADDRESS_MASK_REQUEST (type 18)
TIME_STAMP_REQUEST (type 13) TIME_STAMP_REQUEST_REPLY (type 14)
INFORMATION_REQUEST (type 15) INFORMATION_REQUEST_REPLY (type 16)
As I have already explained how ICMP_ECHO and ICMP_ECHO_REPLY works in regards to finding out whether a host is alive or not I will now describe how each of the other types of ICMP querys work and why they can give away ALOT of information that can be used in later attacks.
An ADDRESS_MASK_REQUEST query is mainly used for routers and the like to obtain a subnet mask that is being used in the local network. Whenever the reply is recieved it contains the subnet mask of the interface that was sent the request packet. Usually when this happens a host will send out an
ADDRESS_MASK_REQUEST to the broadcast address for the network and it is answered back by another host that is autorized to issue the address masks. Most of the time when a reply is recieved it usually comes from the networks gateway.
Why this can be a bad thing is because it allows someone who is up to no good to gain some insightful and useful information about your network like the routing scheme and also the internel structure of your network. Most of the time and with most operating systems these types of request will not be answered (neither Linux nor Windows answer) but Solaris does so this actually will help you identify the operating system of the target if it replies. The best way to stop this from happening is to block all ICMP_ADDRESS_MASK requests at your firewall and/or router.
Another type of request that can be made is a TIME_STAMP_REQUEST. This is meant for one node on the network to ask another node the current time. Why this can be useful is that it allows the sender to find out the sequence number and also the latency the target network is experiencing at the time. Yet again this can be used to help identify operating systems. (Windows NT does not answer this type of request).
A countermeasure for this method is to blck ICMP_TIMESTAMP_REQUESTs at the firewall/border router.
The next type of request came about because it was intended for routers and other systems that configured themselves at boot time so that they could get their network address. This is used to sometimes "trick" a host into revealing its network address. Once again this can be countered by simply block ICMP_INFORMATION_REQUEST queries at your border router or firewall.
Some tools that you will find mighty handy in performing the different requests up above are SING and icmpush which can be found at the following sites:
June 18th, 2004, 04:35 PM
This is great stuff, excellent tutorial best I can tell.
Personally, this is info I need to learn, and I'm having trouble swallowing this tut because there's still a lot of prerequisite info I don't know well yet. As you can guess, this handicaps me quite a bit as a net admin, so I'm trying to learn as quickly as possible, and these tuts are helping tremendously.
Suggestion: Has anyone considered organizing the tuts threads a little more so that related tuts are grouped together? This would go great combined with TheHorse13's tutorials on Nmap and Tiger Shark's tutorials on TCP/IP. A walk through these similar tutorials is a great starting point for any eager newbie, I'd say.
Another suggestion: Obviously some of us are better at writing than others, and I don't think you should get negged for bad grammar/spelling unless it's severe. For those negging about that, the criticism should be backed up with some assistance. Perhaps we can start helping each other out by offering to play "editor" with each other's tutorials to help weed out the English problems? Just a thought...I know I usually find myself editing every post I write at least once (blast my perfectionism!!!).
/edit -- See what I mean?