ICMP Usage in Scanning, page 31
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
10:03:33.860689 eth0 < 192.168.1.1 > localhost.localdomain: icmp: echo reply
4500 0020 2010 0000 8001 9776 c0a8 0101
c0a8 0105 0000 de3e 6102 f658 0183 c8e2
0000 0000 0000 0000 0000 0000 0000
The Microsoft Windows 2000 Professional operating system changed the code value of the ICMP Echo Reply to 0 instead of echoing back the non-zero code that was sent in the request. In the dump above, the ICMP header starts right after the 20-byte IP header: type 00, code 00, checksum de3e, identifier 6102, sequence f658.
I have tested this method with IBM AIX 4.1, Sun Solaris 2.6 and 2.7, OpenBSD, NetBSD and FreeBSD, and they produced the same results as the Linux box did.
Microsoft Windows NT 4.0 Server SP6a and Microsoft Windows 98 SE produced the same behavior as Microsoft Windows 2000 Professional.
We therefore have a method to differentiate a Microsoft Windows box from the rest of the world.
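The check the text describes, as an added example (not code from the paper): build an Echo Request whose code field is non-zero, then classify the reply by whether that code came back unchanged or was reset to 0. The builder and classifier are this example's own; the only captured packet is the Windows 2000 reply from the tcpdump hex above, which the example also checksum-verifies. The probe code 0x07 is an assumption, since the request itself is not shown on this page.

```python
"""Echo Reply code check, as an added example (not code from the paper).

RFC 792 defines code 0 for Echo and Echo Reply, but the field is transmitted
either way, so a stack that copies the request's code into the reply can be
told apart from one that zeroes it.  The builder and classifier are this
example's own; the only real packet is the 192.168.1.1 Echo Reply from the
tcpdump hex on the page.  The probe code 0x07 is an assumption (the request
is not shown on the page).
"""
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, code: int, payload: bytes) -> bytes:
    """ICMP type 8 with a caller-chosen code; a non-zero code is what makes the probe informative."""
    if code == 0:
        raise ValueError("use a non-zero code, otherwise both behaviours look identical")
    header = struct.pack("!BBHHH", 8, code, 0, ident, seq)
    return struct.pack("!BBHHH", 8, code, icmp_checksum(header + payload), ident, seq) + payload


def strip_ip_header(packet: bytes) -> bytes:
    """Return the ICMP part of a raw IPv4 packet, honouring IHL and dropping link-layer padding."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[ihl:total_len]


def parse_icmp(icmp: bytes) -> dict:
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(icmp) == 0, "data": icmp[8:]}


def classify_reply(request_code: int, reply_icmp: bytes) -> str:
    """Map one Echo Reply onto the two behaviours the text describes."""
    r = parse_icmp(reply_icmp)
    if r["type"] != 0 or not r["checksum_ok"]:
        return "not-a-valid-echo-reply"
    if r["code"] == request_code:
        return "code-preserved"      # Linux, AIX, Solaris, the BSDs per the text
    if r["code"] == 0:
        return "code-zeroed"         # Windows 2000 / NT 4.0 SP6a / 98 SE per the text
    return "unexpected-code"


def constructed_reply(request: bytes, preserve_code: bool) -> bytes:
    """Synthesise the reply a host would send to `request` (constructed data, not a capture)."""
    code = request[1] if preserve_code else 0
    ident, seq = struct.unpack("!HH", request[4:8])
    body = request[8:]
    header = struct.pack("!BBHHH", 0, code, 0, ident, seq)
    return struct.pack("!BBHHH", 0, code, icmp_checksum(header + body), ident, seq) + body


# The Windows 2000 Echo Reply from the page (tcpdump hex, IP header included; the
# trailing zeros are Ethernet padding that the IP total length of 0x20 excludes).
WIN2K_REPLY = bytes.fromhex(
    "4500 0020 2010 0000 8001 9776 c0a8 0101"
    "c0a8 0105 0000 de3e 6102 f658 0183 c8e2"
    "0000 0000 0000 0000 0000 0000 0000")


def demo(probe_code: int = 0x07) -> dict:
    """Classify the page's capture plus two constructed replies to one probe.
    Identifier, sequence and payload are taken from the captured reply so that the
    constructed Windows-like reply reproduces the captured ICMP bytes exactly."""
    probe = build_echo_request(0x6102, 0xF658, probe_code, b"\x01\x83\xc8\xe2")
    return {
        "win2k_capture": classify_reply(probe_code, strip_ip_header(WIN2K_REPLY)),
        "constructed_linux_like": classify_reply(probe_code, constructed_reply(probe, True)),
        "constructed_windows_like": classify_reply(probe_code, constructed_reply(probe, False)),
    }


if __name__ == "__main__":
    print(parse_icmp(strip_ip_header(WIN2K_REPLY)))
    print(demo())
```

For a live check, send the bytes from build_echo_request over a raw ICMP socket (root required), pass each received packet through strip_ip_header before classify_reply, and match the identifier and sequence against the probe so that an unrelated Echo Reply is not misclassified.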
6.2 ICMP Error Message Quenching
RFC 1812 suggests limiting the rate at which various ICMP error messages are sent. Only a few operating systems are known to follow this recommendation.
An attacker can use this to fingerprint a host: send a burst of UDP packets to a random, high (and therefore most likely closed) UDP port and count the number of ICMP Destination Unreachable (Port Unreachable) messages received within a given amount of time. A stack that rate-limits its error messages answers only part of the burst, while one that does not answers every probe. Because the count depends on the probe rate and on the limiter's burst allowance, hosts should be compared using the same burst.
6.3 ICMP Message Quoting
Every ICMP error message includes the Internet Protocol (IP) header and at least the first 8 data bytes of the datagram that triggered the error; more than 8 octets (bytes) may be sent (RFC 1812 allows quoting as much of the original datagram as fits without the ICMP datagram exceeding 576 bytes).
Except for Linux and Solaris, almost all implementations quote exactly 8 bytes of the datagram that triggered the error message. Solaris sends more information than is needed, and Linux even more. The number of quoted bytes is therefore another fingerprinting signal: subtract the quoted IP header length (IHL × 4) from the length of the ICMP payload that follows the 8-byte ICMP header.
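A measurement helper for the two signals above, section 6.2 (how many Port Unreachables come back for a burst of probes) and section 6.3 (how much of the triggering datagram is quoted), as an added example that is not code from the paper. It parses ICMP Destination Unreachable messages, reports the number of quoted bytes beyond the original IP header, and counts the Port Unreachables that quote one of our own UDP probes inside a time window. All packets are constructed inside the block (checksum fields left at zero, since they play no part in the measurement); the 192.168.5.x addresses, the ports and the timestamps are assumptions.

```python
"""ICMP error-message measurements, as an added example (not code from the paper):
quoted_data_bytes() for section 6.3 and count_port_unreachables() for 6.2.
All packets are constructed here (checksums left zero); addresses, ports and
timestamps are assumptions.
"""
import struct
from typing import Dict, Iterable, Set, Tuple

ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3
IPPROTO_UDP = 17
Flow = Tuple[str, int, int]        # (dst_ip, src_port, dst_port) of a UDP probe


def quoted_datagram(icmp: bytes) -> bytes:
    """The quoted original datagram: everything after the 8-byte ICMP error header."""
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    return icmp[8:]


def quoted_data_bytes(icmp: bytes) -> int:
    """Bytes of the original datagram quoted beyond its IP header (RFC 1122 minimum: 8)."""
    orig = quoted_datagram(icmp)
    ihl = (orig[0] & 0x0F) * 4
    return len(orig) - ihl


def quoting_class(icmp: bytes) -> str:
    n = quoted_data_bytes(icmp)
    if n < 8:
        return "below-minimum"
    if n == 8:
        return "exactly-8"          # what the text says most stacks do
    return "more-than-8"            # Solaris and Linux per the text; the raw count separates them


def quoted_udp_flow(icmp: bytes) -> Flow:
    """Identify which UDP probe a Port Unreachable is answering, from its quoted headers."""
    orig = quoted_datagram(icmp)
    ihl = (orig[0] & 0x0F) * 4
    if orig[9] != IPPROTO_UDP or len(orig) < ihl + 4:
        raise ValueError("quoted datagram is not UDP or too short to carry the ports")
    dst_ip = ".".join(str(b) for b in orig[16:20])
    sport, dport = struct.unpack("!HH", orig[ihl:ihl + 4])
    return dst_ip, sport, dport


def count_port_unreachables(replies: Iterable[Tuple[float, bytes]], probes: Set[Flow],
                            t_start: float, window_s: float) -> int:
    """Port Unreachables that quote one of our probes and arrived inside the window.
    Each probe counts once; stray, late or non-UDP-quoting messages are ignored."""
    seen: Set[Flow] = set()
    for t, icmp in replies:
        if not (t_start <= t <= t_start + window_s):
            continue
        if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != CODE_PORT_UNREACH:
            continue
        try:
            flow = quoted_udp_flow(icmp)
        except ValueError:
            continue
        if flow in probes:
            seen.add(flow)
    return len(seen)


# --- constructed packets (test data, not captures) ---------------------------

def build_udp_probe(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 + UDP datagram as we would send it (IP id fixed, checksum fields zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, 0, 64, IPPROTO_UDP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_port_unreachable(original: bytes, quote_data: int) -> bytes:
    """ICMP 3/3 quoting the original IP header plus quote_data bytes of what followed it."""
    ihl = (original[0] & 0x0F) * 4
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, 0) + original[:ihl + quote_data]


def demo() -> Dict[str, int]:
    """Ten probes to closed high ports.  The constructed target answers only the
    first four within the one-second window (the quenching pattern from 6.2); a
    stray reply for an unprobed port, a duplicate and a late reply are all ignored."""
    me, target = "192.168.5.1", "192.168.5.5"                         # assumed addresses
    probes = [build_udp_probe(me, target, 50000 + i, 40000 + i, b"probe") for i in range(10)]
    flows = {(target, 50000 + i, 40000 + i) for i in range(10)}
    t0 = 1000.0
    replies = [(t0 + 0.1 * i, build_port_unreachable(probes[i], 8)) for i in range(4)]
    replies.append((t0 + 0.5, build_port_unreachable(build_udp_probe(me, target, 1, 2, b"x"), 8)))
    replies.append((t0 + 0.6, build_port_unreachable(probes[0], 8)))  # duplicate
    replies.append((t0 + 3.0, build_port_unreachable(probes[5], 8)))  # after the window
    minimal = build_port_unreachable(probes[0], 8)                     # most stacks: IP header + 8
    whole = build_port_unreachable(probes[0], len(probes[0]) - 20)     # Linux-style: whole datagram
    return {"sent": len(probes),
            "answered_in_window": count_port_unreachables(replies, flows, t0, 1.0),
            "quoted_minimal": quoted_data_bytes(minimal),
            "quoted_whole": quoted_data_bytes(whole)}


if __name__ == "__main__":
    print(demo())
```

Live use: send the probes from an ordinary UDP socket, read the answers from a raw ICMP socket (root required) while recording arrival times, and compare answered_in_window with the number sent; a stack that quenches its errors stays well below it. For the quoting measurement note that a Snort log such as the one below prints the ICMP message from the unused field onward (four zero bytes, then the quoted IP header starting with 45), so the quoted data runs from offset 4 + IHL × 4 to the end of the dump.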
The following example is a Snort log of a Linux machine (Linux 6.1, kernel 2.2.12) that generated a Destination Unreachable ICMP error message (a Protocol Unreachable, as the decoded header shows; the quoted IP header carries protocol number 0x70). Note how much of the triggering datagram follows the quoted IP header:
03/01-12:29:39.259510 192.168.5.5 -> 192.168.5.1
ICMP TTL:255 TOS:0xDE ID:149
DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
00 00 00 00 45 7E 04 32 00 0D 00 00 89 70 A1 7A ....E~.2.....p.z
C0 A8 05 01 C0 A8 05 05 FE 94 6C 95 59 F2 D9 3C ..........l.Y..<
8D AA B6 0B 2B 80 CB 8B 89 4D C9 59 19 D6 0F A0 ....+....M.Y....
D3 67 D1 0F CB ED 84 8C 91 7E 24 00 70 B9 D7 E4 .g.......~$.p...
6E AA 91 8F CF 5C ED 86 1B A2 40 1D 93 10 73 4B n....\....@...sK
49 5B A8 D5 91 99 47 F0 15 6B EB 8B 21 2D A2 15 I[....G..k..!-..
A1 97 4C AD 6D A1 2B E5 15 07 86 77 3A 85 E9 6E ..L.m.+....w:..n
58 87 05 73 6D FB E9 05 29 73 DD B4 C0 EA 98 1D X..sm...)s......
6E 44 8F 47 85 A4 89 E6 CF 64 18 B5 FD 31 19 C0 nD.G.....d...1..
C0 8A 8E CB 60 B0 D5 F5 79 57 81 DD 78 0B 1B EF ....`...yW..x...
CE 8A E5 AC 46 D4 E3 91 6C 24 80 59 CC 00 C4 AB ....F...l$.Y....
86 CC 39 FC AD B1 AF 3F 16 B1 6D 9C 47 5D 85 F5 ..9....?..m.G]..
FC E3 CC 01 0E DC CC 48 E4 B6 0B 0E E5 08 A5 41 .......H.......A
9A D9 45 B9 7A 37 13 31 C7 96 F2 42 2E 20 95 21 ..E.z7.1...B. .!