ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
Countermeasure: Block outgoing ICMP Protocol Unreachable error messages coming from the protected network to the Internet on your firewall and/or border router. If you are using a firewall, check that it blocks protocols which are not supported (a deny-all stance).
3.3 Host Detection using IP fragmentation to elicit Fragment Reassembly Time Exceeded ICMP error messages
When a host receives a fragmented datagram with some of its pieces missing, and does not get the missing parts within a certain amount of time, the host will discard the packet and generate an ICMP Fragment Reassembly Time Exceeded error message back to the sending host.
We can use this behavior as a Host Detection method by sending fragmented datagrams with missing fragments to a probed host and waiting for an ICMP Fragment Reassembly Time Exceeded error message to be received from any live host(s).
When we use this method against the entire IP range of a probed network, we discover the network topology of that targeted network.
3.3.1 ACL Detection using IP fragmentation
This method can be used not only to map the entire topology of the targeted network, but also to determine the ACL a firewall or a filtering device is enforcing on the protected network. Simply using all combinations of TCP and UDP with different ports, against the IP addresses from the IP range of the probed network, will do it. When we receive a reply it means that the host we queried is alive, that the port we used is open on that host, and that the ACL allows the protocol type and the port that was used to reach the probed machine (and allows the ICMP Fragment Reassembly Time Exceeded error message back from the probed machine to the Internet).
If we do not get any reply back from the probed machine, it can mean:
· The Filtering Device filters the protocol used.
· The Filtering Device is filtering the specific port we are using for the probe.
· The Filtering Device blocks ICMP Fragment Reassembly Time Exceeded error messages initiated from the protected network destined to the Internet. In our case, the filtering device may be blocking the specific host we are probing for outgoing ICMP Parameter Problem datagrams.
3.3.1.1 An Example with UDP (Filtering Device Detection)
Since UDP is a stateless protocol, it may be better suited for our needs here. The first datagram would be fragmented, with the first fragment carrying enough UDP information to be verified against a firewall's rule base. The second part of the datagram would not be sent. This forces any host that receives such a packet to send us back an ICMP Fragment Reassembly Time Exceeded error message when the reassembly timer expires.
If the port we were using were an open port, then the ICMP Fragment Reassembly Time Exceeded error message would be generated. If the port were closed, then an ICMP Port Unreachable error message would be produced.
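A defender-side view of the sweep described in 3.3 and 3.3.1, as an added example that is not from the paper: a small Python detector that parses raw IPv4 headers observed at the network border, tracks datagrams whose first fragment is never followed by a last fragment, and reports sources that leave such incomplete datagrams at several protected hosts. All addresses, IP IDs, timestamps and the reassembly timeout are constructed sample values.

```python
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa

MF_FLAG = 0x2000       # "More Fragments" bit of the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units

def ipv4_fragment(src, dst, ident, more_frags, offset_units, proto=17, payload=b""):
    """Build a minimal IPv4 header (no options, checksum left zero) for a constructed sample."""
    flags_frag = (MF_FLAG if more_frags else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                       64, proto, 0, inet_aton(src), inet_aton(dst)) + payload

def parse_fragment(packet):
    """Return (src, dst, id, more_frags, offset_bytes) from a raw IPv4 packet."""
    _, _, _, ident, flags_frag, _, _, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return inet_ntoa(src), inet_ntoa(dst), ident, bool(flags_frag & MF_FLAG), (flags_frag & OFFSET_MASK) * 8

def incomplete_fragment_sources(observations, now, reassembly_timeout=30.0, min_targets=3):
    """observations: iterable of (timestamp, raw_ipv4_packet) seen at the border.
    A datagram (src, dst, id) is incomplete when its first fragment (offset 0, MF set) was
    seen but no final fragment (MF clear, offset > 0) arrived within reassembly_timeout.
    Sources leaving incomplete datagrams at >= min_targets distinct hosts are reported:
    each lone fragment elicits a Fragment Reassembly Time Exceeded reply from a live host,
    which is the footprint of the fragment-based host/ACL sweep."""
    first_seen, completed = {}, set()
    for ts, pkt in observations:
        src, dst, ident, mf, offset = parse_fragment(pkt)
        key = (src, dst, ident)
        if offset == 0 and mf:
            first_seen.setdefault(key, ts)
        elif not mf and offset > 0:
            completed.add(key)
    targets = defaultdict(set)
    for key, ts in first_seen.items():
        if key not in completed and now - ts > reassembly_timeout:
            targets[key[0]].add(key[1])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

# Constructed sample: 203.0.113.9 sends a lone first fragment (8 bytes, enough for a UDP
# header) to four protected hosts; 198.51.100.7 sends a two-fragment datagram that completes.
SAMPLE = [(float(i), ipv4_fragment("203.0.113.9", f"192.0.2.{10 + i}", 0x100 + i, True, 0, payload=b"\0" * 8))
          for i in range(4)]
SAMPLE += [(1.0, ipv4_fragment("198.51.100.7", "192.0.2.20", 0x200, True, 0, payload=b"\0" * 8)),
           (1.1, ipv4_fragment("198.51.100.7", "192.0.2.20", 0x200, False, 1, payload=b"\0" * 8))]

if __name__ == "__main__":
    print(incomplete_fragment_sources(SAMPLE, now=60.0))
```

The same bookkeeping can be fed from a packet capture at the border; pairing it with the countermeasure of blocking outbound Fragment Reassembly Time Exceeded messages removes both the signal and the reply.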