ICMP Usage in Scanning
22
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
Fyodor has implemented a threshold in NMAP 2.3 BETA 13: when a UDP scan receives no answer from
a certain number of ports, it assumes a filtering device is monitoring the traffic rather than
reporting those ports as open.
3.4.1 A Better Host Detection Using UDP Scan
We will take the UDP scan method and tweak it a bit for our needs. We know that a closed UDP
port will generate an ICMP Port Unreachable error message, indicating that the port is closed.
We will choose a UDP port that should definitely be closed (according to the IANA list of
assigned ports, ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers). For example we can
use port 0 (but it would reveal our probe pretty easily).
Based on the fact that sending a UDP datagram to a closed port should elicit an ICMP Port
Unreachable, we would send one datagram to the port we have chosen, then:
· If no filtering device is present we will receive an ICMP Port Unreachable error message,
which will indicate that the host is alive.
· If no answer is given, a filtering device is covering that port.
In the next example I have used the HPING2 [19] tool to send one UDP datagram to host
192.168.5.5 port 50, which was closed:
[root@stan /root]# hping2 -2 192.168.5.5 -p 50 -c 1
default routing not present
HPING 192.168.5.5 (eth0 192.168.5.5): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from 192.168.5.5 (kenny.sys-security.com)
--- 192.168.5.5 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
-*> Snort! <*-
Version 1.5
By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)
Kernel filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth0
03/12-12:54:47.274096 192.168.5.1:2420 -> 192.168.5.5:50
UDP TTL:64 TOS:0x0 ID:57254
Len: 8
03/12-12:54:47.274360 192.168.5.5 -> 192.168.5.1
ICMP TTL:255 TOS:0xC0 ID:0
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 1C DF A6 00 00 40 11 0F D4 ....E.......@...
C0 A8 05 01 C0 A8 05 05 09 74 00 32 00 08 6A E1 .........t.2..j.
We can use the port we have chosen, or a list of UDP ports that are likely not in use, and
query the whole IP range of the attacked network. Getting a reply back reveals a live host. No
reply means a filtering device is covering those hosts' UDP traffic, and probably other
protocols as well.
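From the defender's side, the same UDP-probe / ICMP Port Unreachable pairing can be spotted in the sensor's own logs. The following Python is an added example (not part of the paper or of Snort) that parses records in the Snort 1.x dump format shown above, pairs each ICMP Port Unreachable with the UDP datagram that elicited it, and flags a source that probes the same closed UDP port on several hosts. The log lines are constructed sample data, not a real capture.

```python
import re
from collections import defaultdict
# Constructed sample: 192.168.5.1 sends UDP/50 to three hosts, two answer with ICMP Port
# Unreachable, the third is silent (filtered); 192.168.5.9 makes one ordinary DNS query.
SAMPLE_LOG = """\
03/12-12:54:47.274096 192.168.5.1:2420 -> 192.168.5.5:50
UDP TTL:64 TOS:0x0 ID:57254
03/12-12:54:47.274360 192.168.5.5 -> 192.168.5.1
ICMP TTL:255 TOS:0xC0 ID:0
DESTINATION UNREACHABLE: PORT UNREACHABLE
03/12-12:54:48.101000 192.168.5.1:2421 -> 192.168.5.6:50
UDP TTL:64 TOS:0x0 ID:57255
03/12-12:54:48.101300 192.168.5.6 -> 192.168.5.1
ICMP TTL:255 TOS:0xC0 ID:0
DESTINATION UNREACHABLE: PORT UNREACHABLE
03/12-12:54:49.000000 192.168.5.1:2422 -> 192.168.5.7:50
UDP TTL:64 TOS:0x0 ID:57256
03/12-12:54:50.000000 192.168.5.9:1034 -> 192.168.5.5:53
UDP TTL:64 TOS:0x0 ID:100
"""
# Snort header line: timestamp src[:sport] -> dst[:dport]; ICMP records carry no ports.
HDR = re.compile(r"^(\S+) ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$")

def parse_snort(text):
    """Return packet records {src, dst, dport, proto, detail} in log order."""
    records, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = dict(src=m.group(2), dst=m.group(4), dport=m.group(5), proto=None, detail="")
            records.append(cur)
        elif cur and cur["proto"] is None:
            cur["proto"] = line.split(" ", 1)[0]     # the "UDP ..." / "ICMP ..." line
        elif cur and "UNREACHABLE" in line:
            cur["detail"] = line                     # e.g. "DESTINATION UNREACHABLE: PORT UNREACHABLE"
    return records

def find_udp_sweeps(records, min_hosts=2):
    """(prober, dport) -> (hosts probed, hosts that answered Port Unreachable), if >= min_hosts probed."""
    last_probe = {}                                  # (prober, target) -> dport of latest UDP datagram
    probed, answered = defaultdict(set), defaultdict(set)
    for r in records:
        if r["proto"] == "UDP":
            last_probe[(r["src"], r["dst"])] = r["dport"]
            probed[(r["src"], r["dport"])].add(r["dst"])
        elif r["proto"] == "ICMP" and "PORT UNREACHABLE" in r["detail"]:
            key = (r["dst"], r["src"])               # the reply flows target -> prober
            if key in last_probe:                    # pair it with the preceding probe
                answered[(key[0], last_probe[key])].add(key[1])
    return {k: (sorted(t), sorted(answered[k])) for k, t in probed.items() if len(t) >= min_hosts}
```

The silent host (192.168.5.7) still shows up in the probed set, so the sweep is visible to the sensor even where a filter suppresses the reply.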
[19] HPING2 written by antirez, http://www.kyuzz.org/antirez/hping/ .