HostedDB - Dedicated UNIX Servers
ICMP_Scanning_18
ICMP Usage in Scanning 18 Copyright Ó Ofir Arkin, 2000 http://www.sys-security.com 3.2.1.1.1 Detecting if a Filtering Device is present   A packet sent with a protocol value, which does not represent a valid protocol number, should elicit an ICMP Destination Unreachable – Protocol Unreachable from the probed machine. Since this value is not used (and not valid) all hosts probed, unless filtered or are AIX, HP-UX, Digital UNIX machines, should send this reply. If a reply is not received we can assume that a filtering device prevents our packet from reaching our destination or from the reply to reach us back. 3.2.1.2 Using all combination of the IP protocol filed values The difference with this variant is that we use all of the combinations available for the IP protocol field – since the IP protocol field has only 8 bits in length, there could be 256 combinations available.   NMAP 2.54 Beta 1 has integrated this variant and Fyodor have named it - IP Protocol scan. NMAP sends raw IP packets without any further protocol header to each specified protocol on the target machine. If an ICMP Protocol Unreachable error message is received, the protocol is not in use. Otherwise it is assumed it is opened (or a filtering device is dropping our packets).   If our goal was Host Detection only, than using the NMAP implementation would be just fine. But if we wish to use this scan type for other purposes, such as ACL detection, than we would need the protocol header as well. We can determine if a filtering device is present quite easily using this scan method. If a large number of protocols (non valid values could be among those) seems to be “opened”/used (not receiving any reply – ICMP Protocol Unreachable) than we can assume a filtering device is blocking our probes (if using a packet with the protocol headers as well). If the filtering device is blocking the ICMP Protocol Unreachable error messages initiated from the protected network towards the Internet than all of the 256 possible protocol values would be seemed “opened”/used.   With the current implementation with NMAP the 256 possible protocol values should be “opened” when a scan is performed against a machine inside a protected network, because a packet filter firewall (or other kind of firewall) should block the probe since it lacks information to validate the traffic against its rule base (information in the protocol headers such as ports for example). In the next example I have used NMAP 2.54 Beta 1 in order to scan a Microsoft Windows 2000 Professional machine:   [root@catman /root]# nmap -vv -sO 192.168.1.1 Starting nmap V. 2.54BETA1 by fyodor@insecure.org ( www.insecure.org/nmap/ ) Host   (192.168.1.1) appears to be up ... good. Initiating FIN,NULL, UDP, or Xmas stealth scan against   (192.168.1.1) The UDP or stealth FIN/NULL/XMAS scan took 4 seconds to scan 254 ports. Interesting protocols on   (192.168.1.1): (The 250 protocols scanned but not shown below are in state: closed) Protocol State Name 1 open icmp 2 open igmp 6 open tcp 17 open udp Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds