ICMP_Scanning_19
ICMP Usage in Scanning
19
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
A tcpdump trace of some of the communication exchanged:
17:44:45.651855 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-50 0 (ttl 38, id 29363)
17:44:45.652169 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 50 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-50 0 (ttl 38, id 29363) (ttl 128, id 578)
17:44:45.652431 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-133 0 (ttl 38, id 18)
17:44:45.652538 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-253 0 (ttl 38, id 36169)
17:44:45.652626 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-92 0 (ttl 38, id 26465)
17:44:45.652727 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 133 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-133 0 (ttl 38, id 18) (ttl 128, id 579)
17:44:45.652760 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-143 0 (ttl 38, id 14467)
17:44:45.652899 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-30 0 (ttl 38, id 30441)
17:44:45.652932 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 253 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-253 0 (ttl 38, id 36169) (ttl 128, id 580)
3.2.2 ACL Detection using the Protocol field
First we need to determine whether a filtering device is present, using a probe with a non-valid (unused) protocol number. If a filtering device exists, no answer (ICMP Protocol Unreachable) will be received from the probed machine, assuming it is not AIX, HP-UX or Digital UNIX (see footnote 17).
If a certain protocol is not allowed through the filtering device, we will not receive any ICMP error message from the probed machine. Probing for all combinations of protocols and ports against an IP range of a targeted network, using both non-valid and valid protocol values, can determine the ACL a filtering device is enforcing on the protected network, along with a topology map of the targeted network (hosts reachable from the Internet).
A reply would not be generated if:
· The filtering device filters the protocol we are using.
· The filtering device is filtering the specific port we are using for the probe.
· The filtering device blocks ICMP Destination Unreachable - Protocol Unreachable error messages initiated from the protected network destined to the Internet. In our case, the filtering device may be blocking outgoing ICMP Destination Unreachable - Protocol Unreachable error messages for the specific host we are probing.
Note: We can use this method for ACL detection, but if the protocol we are using is not used on the target machine, it should be blocked on the filtering device. Then only open TCP/UDP ports and allowed ICMP traffic could traverse the filtering device. If that kind of traffic is allowed, we can have better ACL detection solutions than the ones outlined here.
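As an added example (not from the paper), here is the correlation the trace above illustrates, applied from the capture side: a Python script that parses tcpdump lines in the format shown, matches each ip-proto probe to the ICMP Protocol Unreachable that quotes it, and flags a source that sweeps several protocol numbers. The sample trace is constructed from the lines on this page, and the alert threshold of three distinct protocols is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the tcpdump trace format on this page.
TRACE = """\
17:44:45.651855 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-50 0 (ttl 38, id 29363)
17:44:45.652169 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 50 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-50 0 (ttl 38, id 29363) (ttl 128, id 578)
17:44:45.652431 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-133 0 (ttl 38, id 18)
17:44:45.652538 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-253 0 (ttl 38, id 36169)
17:44:45.652626 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-92 0 (ttl 38, id 26465)
17:44:45.652727 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 133 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-133 0 (ttl 38, id 18) (ttl 128, id 579)
17:44:45.652760 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-143 0 (ttl 38, id 14467)
17:44:45.652899 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-30 0 (ttl 38, id 30441)
17:44:45.652932 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 253 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-253 0 (ttl 38, id 36169) (ttl 128, id 580)
"""

# Outgoing raw-IP probe: "src > dst: ip-proto-N 0 (ttl T, id I)"
PROBE = re.compile(r"^\S+ \S+ > (?P<src>\S+) > (?P<dst>\S+): ip-proto-(?P<proto>\d+) \d+ \(ttl \d+, id \d+\)")
# ICMP Protocol Unreachable; the quoted offending packet identifies the probe it answers
REPLY = re.compile(r"^\S+ \S+ < \S+ > \S+: icmp: \S+ protocol (?P<proto>\d+) unreachable "
                   r"Offending pkt: (?P<osrc>\S+) > (?P<odst>\S+): ip-proto-\d+ \d+ \(ttl \d+, id \d+\)")


def analyze(trace, min_protocols=3):
    """Correlate protocol probes with their ICMP Protocol Unreachable replies.

    Returns (results, alerts): results maps (src, dst) -> {proto: answered};
    alerts lists (src, dst) pairs that probed at least min_protocols distinct
    protocol numbers, the signature of a protocol sweep (threshold is assumed).
    """
    results = defaultdict(dict)
    for line in trace.splitlines():
        m = PROBE.match(line)
        if m:
            results[(m["src"], m["dst"])].setdefault(int(m["proto"]), False)
            continue
        m = REPLY.match(line)
        if m and int(m["proto"]) in results.get((m["osrc"], m["odst"]), {}):
            results[(m["osrc"], m["odst"])][int(m["proto"])] = True
    alerts = [pair for pair, protos in results.items() if len(protos) >= min_protocols]
    return dict(results), alerts


def unanswered(results, src, dst):
    """Protocol numbers probed with no reply: filtered, or the host stays silent."""
    return sorted(p for p, answered in results[(src, dst)].items() if not answered)


if __name__ == "__main__":
    res, alerts = analyze(TRACE)
    for src, dst in alerts:
        print(f"protocol sweep {src} -> {dst}: no reply for {unanswered(res, src, dst)}")
```

Run against a live capture, the unanswered list is the set of protocol numbers the filter or host silently dropped, which is exactly what the bullet list above says a probe cannot distinguish from one another.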
17 You can determine this using OS fingerprinting methods.