ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
3.0 Host Detection using ICMP Error Messages generated from the probed machines
We can use various methods in order to elicit an ICMP Error Message back from a probed
machine and discover its existence. Some of the methods described here are:
·  Mangling IP headers
·  Using non-valid field values in the IP header
   o  Using valid field values in the IP header
·  Abusing Fragmentation
·  The UDP Scan Host Detection method
With the first method we use bad IP header fields in the IP packet, which cause the probed
machine to send an ICMP Parameter Problem error message back to the source IP address of the
probing packet. The second method uses non-valid field values in the IP header in order to force
the probed machine to generate an ICMP Destination Unreachable error message back to the
prober. The third method uses fragmentation to trigger an ICMP Fragment Reassembly Time
Exceeded error message from the probed machine. The last method uses the UDP Scan method
to elicit an ICMP Port Unreachable error message from closed UDP port(s) on the probed
host(s).
With some of these methods we can determine whether a filtering device is present, and some
can also reveal the Access Control List a filtering device enforces on the protected network.
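The first method depends on the receiver parsing the IP header (the layout of Figure 5) and rejecting fields it cannot accept, which is also what a sensor must do to recognise such probes. The following Python is an added example, not code from the paper: it validates a raw IPv4 header the way a receiving host would before answering with ICMP Parameter Problem code 0 (whose pointer names the offending octet) and returns the offset and reason for each defect. The header builder, the mutate helper, the 192.0.2.x addresses and the option bytes are constructed test vectors of my own.

```python
import socket
import struct

def ip_checksum(hdr: bytes) -> int:
    # RFC 791 one's-complement sum of 16-bit words; returns 0 for a valid header
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, options=b"", payload_len=8):
    # Constructed, well-formed header (protocol 1 = ICMP) to exercise the checker
    options += b"\x00" * (-len(options) % 4)          # pad options to 32 bits
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s",                 # Figure 5 fields, network order
                      (4 << 4) | ihl, 0, ihl * 4 + payload_len, 0x1234, 0x4000,
                      64, 1, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def mutate(hdr, offset, value):
    # Overwrite bytes and refresh the checksum so only that field is defective
    hdr = hdr[:offset] + value + hdr[offset + len(value):]
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def check_ip_header(pkt: bytes) -> list:
    # (offset, reason) per defect a host would reject; offset = Parameter Problem pointer octet
    if len(pkt) < 20:
        return [(0, "truncated header")]
    vihl, _tos, tot_len = struct.unpack("!BBH", pkt[:4])
    version, ihl, hdr_len = vihl >> 4, vihl & 0x0F, (vihl & 0x0F) * 4
    problems = []
    if version != 4:
        problems.append((0, "version != 4"))
    if ihl < 5:
        problems.append((0, "header length < 20 bytes"))
    elif len(pkt) >= hdr_len and ip_checksum(pkt[:hdr_len]) != 0:
        problems.append((10, "bad header checksum"))
    if tot_len < hdr_len:
        problems.append((2, "total length smaller than header length"))
    off, end = 20, min(hdr_len, len(pkt))              # walk the option TLVs
    while off < end and pkt[off] != 0:                 # 0 = End of Option List
        if pkt[off] == 1:                              # 1 = No Operation
            off += 1
        elif off + 1 < end and 2 <= pkt[off + 1] <= hdr_len - off:
            off += pkt[off + 1]
        else:
            problems.append((off, "malformed option length"))
            break
    return problems
```

Feeding captured headers through check_ip_header and logging non-empty results gives a simple indicator that someone is probing with mangled headers, since legitimate stacks do not emit them.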
Figure 5: The IP Header (20 bytes without options). Fields in order: 4-bit version, 4-bit header
length, 8-bit type of service (TOS)=0, 16-bit total length (in bytes), 16-bit identification, 3-bit
flags, 13-bit fragment offset, 8-bit time to live (TTL), 8-bit protocol=1 (ICMP), 16-bit header
checksum, 32-bit source IP address, 32-bit destination IP address, options (if any).
3.1 IP Packets with bad IP header fields generating ICMP Parameter Problem error message back from probed machines
An ICMP Parameter Problem error message is sent when a router (which must generate this message)
or a host (which should generate this message) processes a datagram and finds a problem with the IP
header parameters. It is only sent if the error caused the datagram to be discarded.
The Parameter Problem message is usually generated for any error not specifically covered by
another ICMP message.
We have some variants of this type of Host Detection. We send forged packet(s) with bad IP
header field(s) for which no specific ICMP error message is defined. This forces a host to send
back an ICMP Parameter Problem error message Code 0 (When code 0 is used,