ICMP Usage in Scanning – The Complete Know How Version 3.0 ICMP Usage in Scanning The Complete Know-How Ofir Arkin Founder The Sys-Security Group http :// www .sys-security .com ofir@sys-security .com Version 3.0 June 2001 1 Copyright © Ofir Arkin 2000-2001 http://www.sys-security.com ICMP Usage in Scanning – The Complete Know How Version 3.0 Trust No One 2 Copyright © Ofir Arkin 2000-2001 http://www.sys-security.com ICMP Usage in Scanning – The Complete Know How Version 3.0 Table of Contents 1.0 INTRODUCTION......................................................................................................11 1.1 Introduction to Version 1.0 .......................................................................................11 1.2 Introduction to Version 2.0 ...................................................................................11 1.3 Introduction to Version 2.5 .......................................................................................12 1.4 Introduction to Version 3.0 .......................................................................................12 2.0 THE ICMP PROTOCOL...........................................................................................13 2.1 The ICMP Specifications..........................................................................................13 2.1.1 Special Conditions with ICMP messages..........................................................13 2.2 ICMP Messages.......................................................................................................14 2.2.1 ICMP Error Messages.......................................................................................17 2.2.1.1 Destination Unreachable (Type 3)..............................................................18 2.2.1.1.1 Destination Unreachable – Fragmentation Needed but the Don’t Fragment Bit was set...........................................................................................19 2.2.1.1.2 Destination Unreachable - Communication with Destination Network is Administratively Prohibited ................................................................20 2.2.1.2 Source Quench (Type 4)............................................................................20 2.2.1.3 Redirect (Type 5) .......................................................................................21 2.2.1.4 Time Exceeded (Type 11)..........................................................................23 2.2.1.5 Parameter Problem (Type 12)....................................................................24 2.2.2 ICMP Query Messages.....................................................................................25 2.2.2.1 Echo Request (Type 8) and Echo Reply (Type 0)......................................27 2.2.2.2 Timestamp Request (Type 13) and Timestamp Reply (Type 14) ..............28 2.2.2.3 Information Request (Type 15) and Reply (Type 16).................................29 2.2.2.4 I CMP Address Mask Request (Type 17) and Reply (Type 18) ..................30 2.3 Special Cases - The Path MTU Discovery Process.................................................32 2.3.1 The PATH MTU Discovery Process..................................................................33 2.3.2 Host specification..............................................................................................33 2.3.3 Router Specification..........................................................................................34 2.3.4 The TCP MSS (Maximum Segment Size) Option and PATH MTU Discovery Process .......................................................................................................................35 3.0 HOST DETECTION USING THE ICMP PROTOCOL..............................................36 3.1 ICMP Echo (Type 8) and Echo Reply (Type 0)....................................................36 3.2 ICMP Sweep (Ping Sweep)......................................................................................37 3.3 Broadcast ICMP.......................................................................................................39 3 Copyright © Ofir Arkin 2000-2001 http://www.sys-security.com ICMP Usage in Scanning – The Complete Know How Version 3.0 3.4 Non-ECHO ICMP.....................................................................................................41 3.4.1 ICMP Time Stamp Request (Type 13) and Reply (Type 14) ............................42 3.4.2 ICMP Information Request (Type 15) and Reply (Type 16)..............................43 3.4.3 ICMP Address Mask Request (Type 17) and Reply (Type 18) .........................46 3.5 Non-ECHO ICMP Sweeps .......................................................................................49 3.6 Non-ECHO ICMP Broadcasts..................................................................................50 3.7 Host Detection Using ICMP Error Messages...........................................................52 4.0 ADVANCED HOST DETECTION USING THE ICMP PROTOCOL.........................54 4.1 Triggering ICMP Parameter Problem error messages.............................................54 4.1.1 ACL Detection ...................................................................................................57 4.1.1.1 ACL Detection - An example with ICMP as the underlying Protocol.........58 4.1.1.2 ACL Detection – An example with TCP/UDP as the underlying protocol.58 4.2 IP Datagrams with not used field values..................................................................59 4.2.1 The Protocol Field example ..............................................................................59 4.2.1.1 Using non-Used IP protocol values........................................................59 4.2.1.1.1 Detecting if a Filtering Device is present.............................................60 ` 4.2.1.2 Protocol Scan` ..........................................................................................60 4.3 Abusing IP fragmentation.........................................................................................63 4.3.1 ACL Detection ...................................................................................................64 4.4 Using UDP Scans (or why we wait for the ICMP Port Unreachable) .......................66 4.4.1 A Better Host Detection Using UDP Scan.........................................................66 4.5 Using Packets bigger than the PMTU of internal routers to elicit an ICMP Fragmentation Needed and Don’t Fragment Bit was Set (configuration problem)..........68 5.0 INVERSE MAPPING................................................................................................69 5.1 Inverse Mapping Using ICMP Query Request(s), and ICMP Query Reply(s)..........69 5.2 Inverse Mapping Using Other Protocols ..................................................................71 5.3 Patterns we might see..............................................................................................71 6.0 USING TRACEROUTE TO MAP A NETWORK TOPOLOGY .................................74 6.1 When A Firewall Protects a Network........................................................................75 7.0 THE USAGE OF ICMP IN ACTIVE OPERATING SYSTEM FINGERPRINTING PROCESS.......................................................................................................................78 7.1 Using Regular ICMP Query Messages ....................................................................78 4 Copyright © Ofir Arkin 2000-2001 http://www.sys-security.com ICMP Usage in Scanning – The Complete Know How Version 3.0 7.1.1 The “Who answer what?” approach ..................................................................78 7.1.1.1 Identifying Operating Systems according to their replies for non-ECHO ICMP query requests aimed at the broadcast address ...............................................79 Examining the IP ID field value(s)...................................................................................80 7.1.2 Identifying Kernel 2.4.x Linux based machines using the IP ID field with ICMP datagrams .........................................................................................................81 7.1.3 Fun with IP Identification Field Values ..............................................................83 7.1.4 The DF Bit Playground......................................................................................85 7.1.4.1 HP-UX 10.30 / 11.x & AIX 4.3.x Path MTU Discovery Proccess Using ICMP Echo Requests..............................................................................................86 7.1.4.2 Detection Avoidance ..................................................................................92 7.1.4.2.1 HPUX ..................................................................................................92 7.2.4.2.2 Sun Solaris..........................................................................................92 7.2.4.2.3 Linux Kernel 2.4.x................................................................................93 7.1.5 The IP Time-to-Live Field Value with ICMP ......................................................93 7.1.5.1 IP TTL Field Value with ICMP Query Replies ............................................94 7.1.5.2 IP TTL Field Value with ICMP ECHO Requests.........................................97 7.1.5.3 Correlating the Information.........................................................................99 7.1.6 Using Fragmented ICMP Address Mask Requests...............................................99
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages218 Page
-
File Size-