
ICMP_Scanning_17
ICMP Usage in Scanning 17
Copyright © Ofir Arkin, 2000
http://www.sys-security.com

If we are not getting any reply then one of three possibilities applies:
· The Filtering Device disallows packets with the kind of bad field we are using.
· The Filtering Device is filtering the Type of ICMP message we are using.
· The Filtering Device blocks ICMP Parameter Problem error messages initiated from the protected network destined to the Internet.

3.1.1.2 How do we determine the ACL (TCP or UDP Protocol embedded inside)?

We can probe for every combination of protocol and port values inside an IP packet with bad IP header(s). If we receive an answer, it indicates that the protocol and port we used are allowed to the probed host from the Internet, and that the ICMP Parameter Problem error message is allowed from the destination host in the protected network out to the Internet. It also indicates that the filtering device used on the targeted network is not validating the correctness of the fields we have used in order to elicit the ICMP Parameter Problem error message.

If the embedded protocol were either TCP or UDP, a reply would not be generated if:
· The Filtering Device disallows packets with the kind of bad field we are using.
· The Filtering Device filters the Protocol used.
· The Filtering Device is filtering the specific port we are using for the probe.
· The Filtering Device blocks ICMP Parameter Problem error messages initiated from the protected network destined to the Internet. In our case, the filtering device may be blocking outgoing ICMP Parameter Problem datagrams from the specific host we are probing.

Countermeasure: Block outgoing ICMP Parameter Problem messages from the protected network to the Internet on the Firewall and on the border Router. Check with the manufacturer of your filtering device which fields it validates on the IP header.
3.2 IP Packets with non-valid field values

This Host Detection method is based on crafted IP packets in which different IP header fields carry non-valid field values, which would trigger an ICMP Destination Unreachable error message back from the probed machines. Note that some hosts (AIX, HP-UX, Digital UNIX) may not send ICMP Protocol Unreachable messages.

3.2.1 The Protocol Field example

3.2.1.1 Using non-Valid (not used) IP protocol values

One such field within the IP header is the protocol field. If we put in a value that does not represent a valid protocol number, the probed machine would send an ICMP Destination Unreachable – Protocol Unreachable error message back to us. By sending this kind of crafted packet to all IP addresses within the IP address range of the probed network, we can map the hosts that are directly connected to the Internet (assuming that no filtering device is present or filtering this specific traffic).
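
A border-sensor check for the traffic both methods above depend on, as an added example that is not part of the original paper: it flags inbound packets whose IP protocol value is outside site policy, and outbound ICMP Parameter Problem or Protocol Unreachable replies, reporting the protocol quoted inside the error. The protected range, the expected-protocol set and the function names are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct

# Assumptions for this example: protected range and the IP protocols site policy expects.
PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")
EXPECTED_PROTOCOLS = {1, 6, 17}          # ICMP, TCP, UDP
ICMP_DEST_UNREACH, CODE_PROTO_UNREACH, ICMP_PARAM_PROBLEM = 3, 2, 12

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet for the constructed samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def classify(packet):
    """Return findings for one raw IPv4 packet seen at the network border."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["malformed IPv4 header"]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return ["malformed IPv4 header"]
    proto = packet[9]
    src_in = ipaddress.ip_address(packet[12:16]) in PROTECTED_NET
    dst_in = ipaddress.ip_address(packet[16:20]) in PROTECTED_NET
    findings = []
    if dst_in and not src_in and proto not in EXPECTED_PROTOCOLS:
        findings.append(f"inbound unexpected IP protocol {proto}")
    if src_in and not dst_in and proto == 1 and len(packet) >= ihl + 2:
        icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
        if icmp_type == ICMP_PARAM_PROBLEM:
            name = "Parameter Problem"
        elif (icmp_type, icmp_code) == (ICMP_DEST_UNREACH, CODE_PROTO_UNREACH):
            name = "Protocol Unreachable"
        else:
            return findings
        # ICMP errors quote the offending datagram's IP header after 8 bytes of ICMP header.
        quoted = packet[ihl + 8:]
        detail = f", quoted protocol {quoted[9]}" if len(quoted) >= 20 else ""
        findings.append(f"outbound ICMP {name}{detail}")
    return findings

if __name__ == "__main__":
    probe = ipv4("198.51.100.7", "192.0.2.10", 200)               # constructed sample
    reply = ipv4("192.0.2.10", "198.51.100.7", 1, bytes([3, 2, 0, 0, 0, 0, 0, 0]) + probe)
    for pkt in (probe, reply, ipv4("198.51.100.7", "192.0.2.10", 6)):
        print(classify(pkt))
```

An outbound finding means the countermeasure above is not in effect on that path, since the error message reached the sensor on its way out of the protected network.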