
Thread: HPING - Common ICMP Techniques. Tut 3 in Series of 5

  1. #1
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date: Dec 2002
    Washington D.C. area

    HPING - Common ICMP Techniques. Tut 3 in Series of 5

    I'd like to start by saying that I will be covering many of the basic functions along with examples and explanations of why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but not to the point where advanced knowledge of the application is grasped. I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in such ways that I cannot improve upon. By no means is this a cut & paste tutorial, but I would like to make everyone aware that I will be borrowing info where it makes sense. For those who have been around here for a while, you know that I preface my tutorials with this advance warning in the event that someone finds a sentence or two from the original man pages for the app.

    ICMP Techniques: OS/Router Guessing

    ICMP packets, used for troubleshooting networks or even for gathering basic information, are a common and crucial part of networking. Ping is the most common ICMP type used, but most, if not all, firewalls block ICMP Type 8, ECHO REQUEST, and ICMP Type 0, ECHO REPLY. Using other ICMP packets that the firewalls might not be blocking, we can detect if a host is alive. For reference purposes, here are the available ICMP types:

    ** ICMP Timestamp Request, Type 13: Who cares what time it is? **

    As noted above, ICMP may not be blocked altogether. Knowing this, we can send different types of ICMP traffic to see if we can hit a host on the inside of the firewall.

    [root@HorseyLand-Labs]#hping -c 1 --icmp-ts

    HPING (eth0 icmp mode set, 28 headers + 0 data bytes
    len=46 ip= ttl=128 id=37589 icmp_seq=0 rtt=0.3 ms
    ICMP timestamp: Originate=31125922 Receive=3116299522 Transmit=3116299522
    ICMP timestamp RTT tsrtt=0

    NOTE: This can be expressed another way with the -C switch followed by the ICMP type 13, but because I have the count switch defined, I used the HPING alias for ICMP type 13 (timestamp) for the sake of ease of reading.

    HOLY CRAP BATMAN!! What kind of timestamps are these? The timestamps seen above are given in (32 bit) milliseconds since midnight UTC per the RFC. The Originate Timestamp is the time the sender last touched the message before sending it, the Receive Timestamp is the time the echoer first touched it on receipt, and the Transmit Timestamp is the time the echoer last touched the message on sending it. These timestamps can be converted to make sense in a number of ways, but that’s another tutorial altogether.

    Seeing our result, the ICMP packet was allowed through the firewall. This technique is used primarily against *nix machines, as you’ll see below when we go into OS guessing. I just want you to be familiar with the format of timestamps before we move on.

    ** OS Guessing with ICMP: **

    OS guessing implies exactly what it says – it’s a guess. That means that even if we see what we expect using the ICMP techniques, it does not guarantee that your guess is accurate. OS guessing, in my experience, needs to happen via a number of avenues; otherwise, you’ll find that you’re wrong half the time. According to my standards, those are not good odds. Also, very basic router/switch/firewall ACLs will defeat all of these techniques. They work on networks/hosts where the admin has not done his/her job.

    Just for fun, look at the output from a Windows 2003 Server host vs. a Fedora Core 1 host:

    [root@HorseyLand-Labs]#hping -c 1 --icmp-ts

    HPING (eth0 icmp mode set, 28 headers + 0 data bytes
    len=46 ip= ttl=128 id=37864 icmp_seq=0 rtt=0.3 ms
    ICMP timestamp: Originate=36890269 Receive=1622428931 Transmit=1622428931
    ICMP timestamp RTT tsrtt=1

    [root@HorseyLand-Labs]#hping -c 1 --icmp-ts

    HPING (eth0 icmp mode set, 28 headers + 0 data bytes
    len=46 ip= ttl=64 id=18260 icmp_seq=0 rtt=0.2 ms
    ICMP timestamp: Originate=36894269 Receive=55429872 Transmit=55429872
    ICMP timestamp RTT tsrtt=1

    Take notice of the ttl values and the timestamp values. See anything that may give you a hint as to the differences in OS?

    ** Address Mask Request/Reply: **

    This isn’t very much help in determining the OS, but for purposes of completeness, I’m mentioning it here. Send an Address Mask Request message to the broadcast address of the network in which the host resides. You’ll receive an Address Mask Reply message giving you the subnet mask of the remote host.

    [root@HorseyLand-Labs]#hping --icmp-addr -c 1
    HPING (eth0 icmp mode set, 28 headers + 0 data bytes
    len=46 ip= ttl=64 id=3518 icmp_seq=-1 rtt=-279878272.0 ms
    ICMP address mask: icmpam=

    ** ICMP Message Quoting **

    Different OSes fill in different amounts of information in the error message generated. Let’s take a look.

    [root@HorseyLand-Labs]#hping --udp -c 1 -p 1
    HPING (eth0 udp mode set, 28 headers + 0 data bytes
    ICMP Port Unreachable from ip= name=UNKNOWN

    [root@HorseyLand-Labs]#hping --udp -c 1 -p 1
    HPING (eth0 udp mode set, 28 headers + 0 data bytes
    ICMP Port Unreachable from ip=

    Notice that our Windows box did not resolve the source hostname; however, the Fedora box does. This isn’t the end-all-be-all of quoting (and not exactly the best example), but you at least get the idea. You will see subtle differences in the error message reported.

    ** ICMP Error Message Quenching **

    Send a UDP packet to a random unused port so that the remote host may generate and send back an ICMP unreachable error message. Operating systems limit the rate at which error messages are sent, thus by counting the number of messages received you can guess the remote OS. The TOS (Type Of Service) field in the error message sent by the remote host will be very helpful in determining the OS. This value will sometimes vary between OSes. You can easily google TOS values and use them during your analysis. In the example below, I set the count to one; however, you would, of course, have to set this to something higher to determine the error message rate. Again, the statistics are easily gotten from the web to compare against your findings.

    [root@HorseyLand-Labs]#hping -V -c 1
    using eth0, addr:, MTU: 1500
    HPING (eth0 NO FLAGS are set, 40 headers + 0 data bytes
    len=50 ip= ttl=254 id=20412 tos=0 iplen=40
    sport=0 flags=RA seq=0 win=0 rtt=2.8 ms
    seq=1070065601 ack=399338208 sum=33a4 urp=0

    ** Routers **

    Using ICMP techniques, we can also detect routers. Detecting a router is quite simple, and useful. Using ICMP Type 10, Router Solicitation, we send a request to what we believe to be a router, and we can then check to see if an ICMP Type 9, Router Advertisement, packet was sent in response. Because of limitations in available equipment, I cannot show you a successful hit; however, here is the syntax:

    [root@HorseyLand-Labs]#hping -V -c 1 --icmptype 10

    If all goes well, you’ll receive an ICMP type 9 response, Router Advertisement. Otherwise, the packet will either be dropped or an error message will be returned.

    We have now discovered a router on the network, which might be the one filtering packets to the rest of the network. This technique is very helpful, and simple when looking for gateways.

    At this point, you have learned enough techniques to reliably identify OSes, discover routing equipment and determine port state.

    In lesson 4, we’re going to begin techniques that *ARE* destructive if misused. Techniques will include using HPING as a DoS tool, as a data tunneling app and finally, as a Trojan (used in conjunction with netcat).

    The final lesson will go over advanced techniques of the aforementioned and also countermeasure techniques. You also may get the sense that using manual techniques to discover remote OSes is a time consuming task. Yes, however, once you fully understand the mechanics, you’ll be able to build on the knowledge and perhaps even write your own tools.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
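    As an added example (not part of the original post), here is a small Python decoder for the "ICMP timestamp:" lines shown in the Timestamp Request and OS Guessing sections above. It applies the RFC 792 rule that a standard value is milliseconds since midnight UT (so it must be below 86,400,000), and for values that fail it tries a byte-swapped reading, since Windows hosts are known to put the timestamp on the wire in little-endian order; the two sample lines are copied from the hping outputs above.

```python
import re

# RFC 792: a standard ICMP timestamp is milliseconds since midnight UT,
# so any well-formed value is below one day's worth of milliseconds.
MS_PER_DAY = 24 * 60 * 60 * 1000
FIELD_RE = re.compile(r"(Originate|Receive|Transmit)=(\d+)")

# Constructed sample input: the "ICMP timestamp:" lines from the hping
# output in the post (Windows 2003 first, Fedora Core 1 second).
WINDOWS_LINE = "ICMP timestamp: Originate=36890269 Receive=1622428931 Transmit=1622428931"
FEDORA_LINE = "ICMP timestamp: Originate=36894269 Receive=55429872 Transmit=55429872"


def decode_field(value):
    """Classify one 32-bit timestamp field and recover its ms-since-midnight."""
    if value < MS_PER_DAY:
        return {"raw": value, "ms": value, "form": "standard"}
    # Re-read the field with its four bytes reversed: Windows is known to
    # send the timestamp in little-endian order rather than network order.
    swapped = int.from_bytes(value.to_bytes(4, "big")[::-1], "big")
    if swapped < MS_PER_DAY:
        return {"raw": value, "ms": swapped, "form": "byte-swapped"}
    # Neither reading fits; RFC 792 lets a host flag this by setting the
    # high-order bit, so report the field as non-standard.
    return {"raw": value, "ms": None, "form": "non-standard"}


def to_clock(ms):
    """Render ms since midnight UT as HH:MM:SS.mmm ('n/a' if undecodable)."""
    if ms is None:
        return "n/a"
    hours, rest = divmod(ms, 3_600_000)
    minutes, rest = divmod(rest, 60_000)
    seconds, millis = divmod(rest, 1000)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}.{millis:03d}"


def parse_timestamp_line(line):
    """Map each field of an hping 'ICMP timestamp:' line to its decoding."""
    return {name: decode_field(int(val)) for name, val in FIELD_RE.findall(line)}


if __name__ == "__main__":
    for label, line in (("Windows 2003", WINDOWS_LINE), ("Fedora Core 1", FEDORA_LINE)):
        print(label)
        for name, info in parse_timestamp_line(line).items():
            print(f"  {name:<9} raw={info['raw']:<11} {info['form']:<13} {to_clock(info['ms'])}")
```

    Run against the two lines, the Windows Receive/Transmit fields only make sense byte-swapped (15:23:44), while the Fedora fields decode as standard (15:23:49, a few seconds later, matching the gap between the two Originate values); together with TTL 128 versus 64 that is the hint the post asks you to spot.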

  2. #2
    Senior Member
    Join Date: Jan 2003
    Hey Hey,

    They just keep getting better and better, so far nothing new for me, but very interested and I can't wait to see the next two in the series.

    I just have one comment. This may be because we're using different versions. I'm using hping 2.0.0-rc3 and when I issue the command

    [root@HorseyLand-Labs]#hping -V -c 1 -icmptype 10

    I get an error.... the actual command should be

    [root@HorseyLand-Labs]#hping -V -c 1 --icmptype 10

    I get the same thing for -icmp-ts instead of --icmp-ts, but other than that it looks great. Keep up the good work.


  3. #3
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date: Dec 2002
    Washington D.C. area

    Yeah, I think it's more to do with me not paying close enough attention

    Seriously though, the text conversion got FUBARed...

    Here is a little taste of tut 4...


    HPING: The DoS King

    The point of this section is to give you a tool to test out IDS/Firewall appliances as well as router/switch ACLs. Any numb nut can launch a DoS. Only a professional can solve the issue when discovered.

    ** The SYN Attack **


    In the next example, we will use the -a switch to spoof the source address of the attacking host. This is to avoid sending a RST packet from the attacking host.

    [root@HorseyLand-Labs]#hping -a -S -p 80 -i u10000

    You can set the packets per second rate using the -i (interval) switch. You can take a shortcut and use --fast, and it will use 10000 microseconds, which equates to 10 packets a second. You will not see *any* response on your host because the return traffic is going to the spoofed host. Keep in mind, this can either piss off the person whose address you spoofed or cause your net admin to have a stroke.

    On our W2K3 host, we see a blizzard of SYN Received messages.

    C:\>netstat -an -p tcp

    Active Connections

    Proto Local Address Foreign Address State

    Notice that the Foreign Address is the spoofed address you specified with the -a switch.

