ICMP Usage in Scanning, page 29. Copyright © Ofir Arkin, 2000, http://www.sys-security.com

6.0 The usage of ICMP in the OS Finger Printing Process

Finger Printing is the art of Operating System Detection.

A malicious computer attacker needs a few pieces of information before launching an attack. First, a target: a host detected using a host detection method. The next piece of information is the set of services running on that host; this is found with one of the port scanning methods. The last piece of information is the operating system used by the host.

This information allows the malicious computer attacker to identify whether the targeted host is vulnerable to a certain exploit aimed at a certain service version running on a certain operating system.

I have outlined in this section the ICMP methods for this type of scan. One method is new: "Using wrong codes within ICMP datagrams".

6.1 Using Wrong Codes within ICMP datagrams

An interesting detail I discovered during the lab experiments I ran while researching ICMP scanning is that when a wrong code is sent along with the correct type of ICMP message, different operating systems send different codes back.

In the next example I sent an ICMP Timestamp Request with code 38 instead of code 0 to a LINUX machine running Redhat LINUX 6.2 with kernel 2.2.14 (kernel 2.2.12 was tested as well). The LINUX machine processed the packet and sent the reply with the code value set to 38. I had assumed that the targeted machine would check the validity of the code field. Obviously I was wrong.

    [root@stan /root]# icmpush -vv -tstamp -c 38 192.168.5.5
    -> Outgoing interface = 192.168.5.1
    -> ICMP total size = 20 bytes
    -> Outgoing interface = 192.168.5.1
    -> MTU = 1500 bytes
    -> Total packet size (ICMP + IP) = 40 bytes
    ICMP Timestamp Request packet sent to 192.168.5.5 (192.168.5.5)
    Receiving ICMP replies ...
    kenny.sys-security.com -> Timestamp Reply transmited at 18:06:40
    icmpush: Program finished OK

    02/14-18:10:31.951977 192.168.5.1 -> 192.168.5.5
    ICMP TTL:254 TOS:0x0 ID:13170
    TIMESTAMP REQUEST
    1D 04 9D 20 03 78 8C 8B 00 00 00 00 00 00 00 00   ... .x..........

    02/14-18:10:31.952233 192.168.5.5 -> 192.168.5.1
    ICMP TTL:255 TOS:0x0 ID:220
    TIMESTAMP REPLY
    1D 04 9D 20 03 78 8C 8B 03 75 03 00 03 75 03 00   ... .x...u...u..
    8C 21 01 00 8C 21                                  .!...!
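As an added example that is not part of Arkin's paper, the following Python builds ICMP Timestamp messages from constructed bytes (the identifier and sequence values mirror the dump above) and triages them the way a network sensor would: a Timestamp Request carrying a non-zero code is the probe this section describes, and a reply that mirrors that code is the fingerprint the Linux host gave away. Function and verdict names are assumptions of the example, not from the paper or any tool it mentions.

```python
import struct

# ICMP header (RFC 792): type(1) code(1) checksum(2) identifier(2) sequence(2);
# Timestamp messages add originate/receive/transmit stamps (3 x 4 bytes) = 20 bytes total.
ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_timestamp(msg_type: int, code: int, ident: int, seq: int,
                    originate: int = 0, receive: int = 0, transmit: int = 0) -> bytes:
    """Constructed sample packet: a Timestamp message with an arbitrary (possibly wrong) code."""
    body = struct.pack("!BBHHHIII", msg_type, code, 0, ident, seq, originate, receive, transmit)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_icmp(pkt: bytes) -> dict:
    """Decode the 8-byte ICMP header; a well-formed message checksums to zero."""
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(pkt) == 0}

def classify(pkt: bytes) -> str:
    """Sensor-side verdict: Timestamp messages must carry code 0, anything else is suspect."""
    h = parse_icmp(pkt)
    if not h["checksum_ok"]:
        return "bad-checksum"
    if h["type"] == ICMP_TIMESTAMP_REQUEST and h["code"] != 0:
        return "timestamp-request-nonzero-code"   # the probe described in section 6.1
    if h["type"] == ICMP_TIMESTAMP_REPLY and h["code"] != 0:
        return "timestamp-reply-nonzero-code"     # a host that did not validate the code field
    return "normal"

def reply_echoes_code(request: bytes, reply: bytes) -> bool:
    """True when the reply matches the request (id/seq) and mirrors its non-zero code,
    the behaviour the page observed on Red Hat 6.2 with a 2.2.x kernel."""
    q, r = parse_icmp(request), parse_icmp(reply)
    return ((q["type"], r["type"]) == (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY)
            and (q["id"], q["seq"]) == (r["id"], r["seq"])
            and q["code"] == r["code"] != 0)
```

A host that validates the code field answers such a request with code 0 (or not at all), so `reply_echoes_code` returning True is itself an OS-specific signal worth logging alongside the request alert.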