ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000 http://www.sys-security.com

Fyodor has implemented a threshold with NMAP 2.3 BETA 13, so when doing a UDP scan and not receiving an answer from a certain number of ports, it assumes a filtering device is monitoring the traffic rather than reporting those ports as open.

3.4.1 A Better Host Detection Using UDP Scan

We will take the UDP scan method and tweak it a bit for our needs. We know that a closed UDP port will generate an ICMP Port Unreachable error message indicating the state of the port: a closed UDP port. We will choose a UDP port that should definitely be closed (according to the IANA list of assigned ports, ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers). For example, we can use port 0 (but it would reveal our probe pretty easily).

Based on the fact that sending a UDP datagram to a closed port should elicit an ICMP Port Unreachable, we would send one datagram to the port we have chosen, then:

· If no filtering device is present we will receive an ICMP Port Unreachable error message, which will indicate that the host is alive.

· If no answer is given, a filtering device is covering that port.

In the next example I have used the HPING2 [19] tool to send one UDP datagram to host 192.168.5.5 port 50, which was closed:

[root@stan /root]# hping2 -2 192.168.5.5 -p 50 -c 1
default routing not present
HPING 192.168.5.5 (eth0 192.168.5.5): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from 192.168.5.5 (kenny.sys-security.com)

--- 192.168.5.5 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

-*> Snort! <*-
Version 1.5
By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)
Kernel filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth0

03/12-12:54:47.274096 192.168.5.1:2420 -> 192.168.5.5:50
UDP TTL:64 TOS:0x0 ID:57254
Len: 8

03/12-12:54:47.274360 192.168.5.5 -> 192.168.5.1
ICMP TTL:255 TOS:0xC0 ID:0
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 1C DF A6 00 00 40 11 0F D4   ....E.......@...
C0 A8 05 01 C0 A8 05 05 09 74 00 32 00 08 6A E1   .........t.2..j.

We can use the port we have chosen, or a list of UDP ports that are likely not in use, and query the whole IP range of an attacked network. Getting a reply back would reveal a live host. No reply would mean a filtering device is covering those hosts' UDP traffic, and probably other protocols as well.

[19] HPING2 written by antirez, http://www.kyuzz.org/antirez/hping/
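Seen from the monitoring side, the same probe-and-reply pattern is what a sensor can key on. The following Python is an added example, not code from the paper or from Snort: it parses Snort 1.x style records like those shown, pairs each UDP datagram sent to a port that should be closed with any later ICMP Port Unreachable from its target, and lists sources that hit several hosts that way. The log records and the watched-port list (port 0 and port 50) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Snort 1.x style records (not a real capture): one source probes
# three hosts on UDP port 50; two answer with ICMP Port Unreachable, one is silent.
SNORT_LOG = """\
03/12-12:54:47.274096 192.168.5.1:2420 -> 192.168.5.5:50
UDP TTL:64 TOS:0x0 ID:57254
Len: 8

03/12-12:54:47.274360 192.168.5.5 -> 192.168.5.1
ICMP TTL:255 TOS:0xC0 ID:0
DESTINATION UNREACHABLE: PORT UNREACHABLE

03/12-12:54:48.101000 192.168.5.1:2421 -> 192.168.5.6:50
UDP TTL:64 TOS:0x0 ID:57255
Len: 8

03/12-12:54:49.101000 192.168.5.1:2422 -> 192.168.5.7:50
UDP TTL:64 TOS:0x0 ID:57256
Len: 8

03/12-12:54:49.101500 192.168.5.7 -> 192.168.5.1
ICMP TTL:255 TOS:0xC0 ID:0
DESTINATION UNREACHABLE: PORT UNREACHABLE
"""

UDP_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+) UDP ")
ICMP_RE = re.compile(r"^\S+ (\S+) -> (\S+) ICMP .*PORT UNREACHABLE")

def classify_udp_probes(log_text, watched_ports=frozenset({0, 50})):
    """Pair UDP datagrams to watched (normally closed) ports with any later ICMP
    Port Unreachable from the target. Returns {src: {dst: "alive" | "no-reply"}};
    "no-reply" is also what a filtering device produces, so it is not proof of a down host."""
    probes = defaultdict(dict)
    # Each Snort record is a blank-line separated block; flatten it to one line.
    for rec in (" ".join(b.split()) for b in re.split(r"\n\s*\n", log_text.strip())):
        m = UDP_RE.match(rec)
        if m:
            if int(m.group(4)) in watched_ports:
                probes[m.group(1)].setdefault(m.group(3), "no-reply")
            continue
        m = ICMP_RE.match(rec)
        if m and m.group(2) in probes and m.group(1) in probes[m.group(2)]:
            probes[m.group(2)][m.group(1)] = "alive"  # target answered: host is up
    return dict(probes)

def sweep_sources(probes, min_hosts=3):
    """Sources that probed at least min_hosts distinct hosts on watched ports."""
    return sorted(src for src, hosts in probes.items() if len(hosts) >= min_hosts)
```

On the sample, 192.168.5.1 is reported as a sweep source; 192.168.5.6 stays "no-reply", which is exactly the ambiguity the text describes, since a silent host and a filtered one look the same to the prober.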