ICMP Usage in Scanning                                                          14
Copyright © Ofir Arkin, 2000                            http://www.sys-security.com

3.0 Host Detection using ICMP Error Messages generated from the probed machines

We can use various methods in order to elicit an ICMP Error Message back from a probed machine and so discover its existence. Some of the methods described here are:

· Mangling IP headers
· Using non-valid field values in the IP header
    o Using valid field values in the IP header
· Abusing Fragmentation
· The UDP Scan Host Detection method

With the first method we use bad IP headers in the IP packet, which generate an ICMP Parameter Problem error message back from the probed machine to the source IP address of the probing packet. The second method uses non-valid field values in the IP header in order to force the probed machine to generate an ICMP Destination Unreachable error message back to the prober. The third method uses fragmentation to trigger an ICMP Fragment Reassembly Time Exceeded error message from the probed machine. The last method uses the UDP Scan method to elicit an ICMP Port Unreachable error message back from closed UDP port(s) on the probed host(s).

Some of these methods also let us determine whether a filtering device is present, and some can reveal the Access Control List that a filtering device enforces on the protected network.
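As an added example (not code from Arkin's paper), the following Python decodes the IPv4 header fields this section relies on and reports each field a receiving host would reject, together with the byte offset the host would place in the pointer of an ICMP Parameter Problem reply; the sample packet builder, the 10.0.0.x addresses and the option bytes are constructed here for the demonstration.

```python
import struct

# Added example, not code from Arkin's paper: decode the IPv4 header of Figure 5
# and report each malformed field with the byte offset a host would place in the
# pointer field of an ICMP Parameter Problem (type 12, code 0) reply.

def ip_checksum(hdr: bytes) -> int:
    """One's-complement 16-bit sum of an even-length header, checksum field zeroed."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_header(options: bytes = b"", version: int = 4) -> bytes:
    """Constructed sample header (10.0.0.1 -> 10.0.0.2, protocol 1 = ICMP, 8-byte payload)."""
    options += b"\x00" * (-len(options) % 4)        # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    fields = [version << 4 | ihl, 0, ihl * 4 + 8, 0x1234, 0x4000, 64, 1, 0,
              bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def header_problems(pkt: bytes) -> list:
    """Return (byte_offset, reason) pairs for every malformed field in the IP header."""
    if len(pkt) < 20:
        return [(0, "truncated header")]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, _proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    problems = []
    if version != 4:
        problems.append((0, "version %d is not 4" % version))
    if ihl < 5 or ihl * 4 > len(pkt):
        return problems + [(0, "header length %d words is invalid" % ihl)]
    if total_len < ihl * 4:
        problems.append((2, "total length shorter than the header"))
    hdr = pkt[:ihl * 4]
    # A checksum failure is a silent discard (RFC 1122 3.2.1.2), not a Parameter Problem.
    if ip_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) != csum:
        problems.append((10, "bad header checksum"))
    # Options: type 0 ends the list, type 1 is a one-byte NOP, any other type
    # carries a length byte that must be at least 2 and must not run past the header.
    i = 20
    while i < len(hdr) and hdr[i] != 0:
        length = 1 if hdr[i] == 1 else hdr[i + 1] if i + 1 < len(hdr) else 0
        if (hdr[i] != 1 and length < 2) or i + length > len(hdr):
            problems.append((i, "option type %d has an invalid length" % hdr[i]))
            break
        i += length
    return problems
```

The checksum finding is reported for logging completeness only: a host drops a datagram with a bad header checksum without answering, so it is not one of the fields that yields a reply.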
Figure 5: The IP Header (20 bytes without options)

    0          4              8                   16                              31
    Version  | Header Length | Type of Service (TOS) = 0 | Total Length (in bytes)
    Identification                               | Flags (3 bits) | Fragment Offset (13 bits)
    Time to Live (TTL)       | Protocol = 1 (ICMP)       | Header Checksum
    Source IP Address (32 bits)
    Destination IP Address (32 bits)
    Options (if any)

3.1 IP Packets with bad IP header fields – generating an ICMP Parameter Problem error message back from probed machines

An ICMP Parameter Problem error message is sent when a router (which must generate this message) or a host (which should generate this message) processes a datagram and finds a problem with the IP header parameters. It is only sent if the error caused the datagram to be discarded.

The Parameter Problem message is usually generated for any error not specifically covered by another ICMP message.

We have some variants of this type of Host Detection. We send illegal forged packet(s) with bad IP header field(s) for which no specific ICMP error message is defined. This forces a host to send back an ICMP Parameter Problem error message with Code 0 (When code 0 is used,