ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
6.0 The usage of ICMP in the OS Finger Printing Process
Finger Printing is the art of Operating System Detection.
A malicious computer attacker needs a few pieces of information before launching an attack. First, a
target: a host detected using a host detection method. The next piece of information would be the
services that are running on that host; this would be found with one of the Port Scanning
methods. The last piece of information would be the operating system used by the host.
The information would allow the malicious computer attacker to identify whether the targeted host is
vulnerable to a certain exploit aimed at a certain service version running on a certain operating
system.
I have outlined in this section the ICMP methods for this type of scan. One method is new:
using wrong codes within ICMP datagrams.
6.1 Using Wrong Codes within ICMP datagrams
An interesting detail I discovered during the lab experiments I did while researching ICMP
scanning is that when a wrong code is sent along with the correct type of ICMP message, different
operating systems send different codes back.
In the next example I sent an ICMP Timestamp Request with code 38 instead of code 0 to a
LINUX machine running Redhat LINUX 6.2 with kernel 2.2.14 (the experiment was repeated with kernel 2.2.12
as well). The LINUX machine processed the packet and sent the reply, with the code value set to
38. I had expected that a check for the validity of the code field would be done on the targeted
machine. Obviously I was wrong.
[root@stan /root]# icmpush -vv -tstamp -c 38 192.168.5.5
-> Outgoing interface = 192.168.5.1
-> ICMP total size = 20 bytes
-> Outgoing interface = 192.168.5.1
-> MTU = 1500 bytes
-> Total packet size (ICMP + IP) = 40 bytes
ICMP Timestamp Request packet sent to 192.168.5.5 (192.168.5.5)
Receiving ICMP replies ...
kenny.sys-security.com -> Timestamp Reply transmited at 18:06:40
icmpush: Program finished OK
02/14-18:10:31.951977 192.168.5.1 -> 192.168.5.5
ICMP TTL:254 TOS:0x0 ID:13170
TIMESTAMP REQUEST
1D 04 9D 20 03 78 8C 8B 00 00 00 00 00 00 00 00 ... .x..........
02/14-18:10:31.952233 192.168.5.5 -> 192.168.5.1
ICMP TTL:255 TOS:0x0 ID:220
TIMESTAMP REPLY
1D 04 9D 20 03 78 8C 8B 03 75 03 00 03 75 03 00 ... .x...u...u..
8C 21 01 00 8C 21 .!...!
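As an added example (not from the paper, and not code by its author), here is a small Python classifier that a network monitor could run over ICMP messages: it verifies the checksum, parses the Timestamp Request/Reply fields, flags a request carrying a non-zero code as a probe, and flags a reply that echoes a non-zero code as a host that did not validate the field. The sample packets and their field values are constructed for the example.

```python
import struct
TS_REQUEST, TS_REPLY = 13, 14   # ICMP Timestamp Request / Reply types

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_timestamp(icmp_type, code, ident, seq, orig=0, recv=0, xmit=0):
    """Build a Timestamp message: 8-byte header plus three 32-bit stamps."""
    body = struct.pack("!BBHHHIII", icmp_type, code, 0, ident, seq, orig, recv, xmit)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def inspect_icmp(pkt: bytes) -> dict:
    """Classify one ICMP message. RFC 792 defines only code 0 for types 13/14,
    so another code is a probe (request) or an unvalidated echo (reply)."""
    if len(pkt) < 8:
        return {"verdict": "malformed"}
    icmp_type, code = pkt[0], pkt[1]
    info = {"type": icmp_type, "code": code}
    if icmp_checksum(pkt) != 0:            # an intact message sums to zero
        info["verdict"] = "bad-checksum"
    elif icmp_type not in (TS_REQUEST, TS_REPLY):
        info["verdict"] = "not-timestamp"
    elif len(pkt) < 20:
        info["verdict"] = "malformed"
    else:
        fields = struct.unpack("!HHIII", pkt[4:20])
        info.update(zip(("id", "seq", "orig", "recv", "xmit"), fields))
        if code == 0:
            info["verdict"] = "ok"
        elif icmp_type == TS_REQUEST:
            info["verdict"] = "invalid-code-probe"
        else:
            info["verdict"] = "echoed-invalid-code"  # host did not check code
    return info

# Constructed samples (not the paper's capture): normal request, code-38 probe, echoing reply.
SAMPLES = [
    build_timestamp(TS_REQUEST, 0, 0x1D04, 0x9D20, orig=0x03788C8B),
    build_timestamp(TS_REQUEST, 38, 0x1D04, 0x9D20, orig=0x03788C8B),
    build_timestamp(TS_REPLY, 38, 0x1D04, 0x9D20, orig=0x03788C8B,
                    recv=0x03750300, xmit=0x03750300),
]

def verdicts(packets=SAMPLES):
    return [inspect_icmp(p)["verdict"] for p in packets]
```

A monitor would alert on the last two verdicts; the first is ordinary traffic.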