ICMP Usage in Scanning (page 16)
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
In my opinion, firewalls and filtering devices should check the validity of the fields used to elicit the ICMP Parameter Problem error message and disallow this kind of traffic.
An example is given here using the ISIC tool written by Mike Frantzen [16]. ISIC sends randomly generated packets to a target computer. Its primary uses are to stress-test an IP stack, to find leaks in a firewall, and to test the implementation of intrusion detection systems and firewalls. The user can specify how often the packets will be fragmented, carry IP options or TCP options, set the urgent pointer, and so on.
In the next example I sent 20 IP packets from a Linux machine to a Microsoft Windows NT WRKS 4 SP4 machine. The packets were not fragmented and no bad IP version numbers were sent. The only anomaly inside the IP headers was a random IP header length, which produced ICMP Parameter Problem error messages as I anticipated.
[root@stan packetshaping]# ./isic -s 192.168.5.5 -d 192.168.5.15 -p 20 -F 0 -V 0 -I 100
Compiled against Libnet 1.0
Installing Signal Handlers.
Seeding with 2015
No Maximum traffic limiter
Bad IP Version = 0%
Odd IP Header Length = 100%
Frag'd Pcnt = 0%
Wrote 20 packets in 0.03s @ 637.94 pkts/s
tcpdump trace:
12:11:05.843480 eth0 > kenny.sys-security.com > cartman.sys-security.com: ip-proto-110 226 [tos 0xe6,ECT] (ttl 110, id 119, optlen=24[|ip])
12:11:05.843961 eth0 P cartman.sys-security.com > kenny.sys-security.com: icmp: parameter problem - octet 21 Offending pkt: kenny.sys-security.com > cartman.sys-security.com: ip-proto-110 226 [tos 0xe6,ECT] (ttl 110, id 119, optlen=24[|ip]) (ttl 128, id 37776)
3.1.1 ACL Detection using IP Packets with bad IP header fields
Probing the entire IP range of the targeted network with all combinations of protocols and ports would map the targeted network topology and allow us to determine the ACL of the filtering device (if one is present and it does not block outgoing ICMP Parameter Problem error messages). This holds only if the filtering device does not check the validity of the mangled IP header fields.
3.1.1.1 How do we determine the ACL (ICMP protocol embedded inside)?
When the embedded protocol is ICMP, we send various ICMP message types encapsulated inside IP packets with bad IP headers. If we receive a reply from a destination IP address, we have found a host that is alive and an ACL that allows this type of ICMP message to reach the host that generated the error message (and that allows the ICMP Parameter Problem error message from the destination host out to the Internet).
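As an added example (not code from the paper or from ISIC), the following Python shows the three defensive pieces the text above motivates: the IPv4 header validity checks a filtering device could apply before forwarding a packet, a decoder for the ICMP Parameter Problem message (type 12) that such packets elicit, and a simple counter that flags a quoted source address which draws Parameter Problem replies from many distinct hosts, the footprint of the sweep described in 3.1.1. All packets, addresses and option bytes are constructed for illustration; the sample malformed packet carries a bogus option length at octet 21 so that the computed pointer matches the trace by design, and the pointer semantics assumed are those of RFC 792.

```python
"""Added example (not from Arkin's paper or the ISIC tool): the IPv4 header checks
a filtering device could apply, a decoder for the ICMP Parameter Problem message
(type 12) that malformed headers elicit, and a counter that spots a Parameter
Problem sweep.  Every packet is constructed by hand; addresses mirror the trace."""
import struct

IPV4_HDR_MIN = 20
ICMP_PARAM_PROBLEM = 12  # RFC 792 type; code 0 = pointer indicates the error


def ipv4_header_problem(pkt: bytes):
    """Return None if the IPv4 header is well formed, else (pointer, reason).
    The pointer is the octet offset a Parameter Problem message would carry."""
    if len(pkt) < IPV4_HDR_MIN:
        return (0, "truncated header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if version != 4:
        return (0, "bad IP version %d" % version)
    if ihl < IPV4_HDR_MIN:
        return (0, "header length %d < 20" % ihl)
    if len(pkt) < ihl:
        return (0, "header length %d exceeds packet of %d bytes" % (ihl, len(pkt)))
    if total_len < ihl:
        return (2, "total length %d < header length %d" % (total_len, ihl))
    i = IPV4_HDR_MIN  # walk the options area (octets 20 .. ihl-1) like a strict receiver
    while i < ihl:
        kind = pkt[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # No Operation, single octet
            i += 1
            continue
        if i + 1 >= ihl:
            return (i, "option %d has no length octet" % kind)
        olen = pkt[i + 1]
        if olen < 2 or i + olen > ihl:  # the length octet sits at offset i+1
            return (i + 1, "option %d bad length %d" % (kind, olen))
        i += olen
    return None


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_param_problem(pointer: int, offending: bytes) -> bytes:
    """ICMP Parameter Problem (type 12, code 0) quoting the offending IP header
    plus the first 8 octets of its payload, as RFC 792 requires."""
    ihl = (offending[0] & 0x0F) * 4
    msg = struct.pack("!BBHB3x", ICMP_PARAM_PROBLEM, 0, 0, pointer) + offending[:ihl + 8]
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_param_problem(msg: bytes):
    """Decode a type-12 message into its fields; None if it is not one."""
    if len(msg) < 8 + IPV4_HDR_MIN or msg[0] != ICMP_PARAM_PROBLEM:
        return None
    quoted = msg[8:]  # the offending IP header starts here
    return {
        "code": msg[1],
        "pointer": msg[4],
        "checksum_ok": icmp_checksum(msg) == 0,
        "orig_src": ".".join(str(b) for b in quoted[12:16]),
        "orig_dst": ".".join(str(b) for b in quoted[16:20]),
        "orig_proto": quoted[9],
    }


def suspected_probers(reports, min_responders=3):
    """reports: (address that sent the Parameter Problem, decoded message).
    Returns quoted original sources that drew errors from at least min_responders
    distinct hosts: the footprint of the sweep described in section 3.1.1."""
    responders = {}
    for reporter, info in reports:
        responders.setdefault(info["orig_src"], set()).add(reporter)
    return sorted(s for s, hosts in responders.items() if len(hosts) >= min_responders)


def make_ipv4(ihl_words, total_len, proto, src, dst, options=b"", ttl=64, ident=1, tos=0):
    """Constructed IPv4 header; the IP checksum is left zero (not needed here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, tos, total_len, ident, 0, ttl,
                      proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + options


# Constructed packets modelled on the trace: ip-proto-110, optlen=24, ttl 110, id 119, tos 0xe6.
VALID_PKT = make_ipv4(5, 28, 1, "192.168.5.5", "192.168.5.15") + b"\0" * 8
BAD_OPT_PKT = make_ipv4(11, 226, 110, "192.168.5.5", "192.168.5.15", ttl=110, ident=119,
                        tos=0xE6, options=bytes([0x89, 0x00]) + bytes(22)) + b"\0" * 8

if __name__ == "__main__":
    problem = ipv4_header_problem(BAD_OPT_PKT)  # (21, 'option 137 bad length 0')
    print(problem, parse_param_problem(build_param_problem(problem[0], BAD_OPT_PKT)))
```

A filtering device that runs `ipv4_header_problem` on ingress and drops anything that returns a pointer never lets the malformed packet reach an inside host, so no Parameter Problem leaves the network and the ACL cannot be inferred from it; `suspected_probers` is the complementary monitoring view for sites that still forward such packets.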
[16] http://expert.cc.purdue.edu/~frantzen/