ICMP Usage in Scanning    31    Copyright © Ofir Arkin, 2000    http://www.sys-security.com

    10:03:33.860689 eth0 < 192.168.1.1 > localhost.localdomain: icmp: echo reply
                     4500 0020 2010 0000 8001 9776 c0a8 0101
                     c0a8 0105 0000 de3e 6102 f658 0183 c8e2
                     0000 0000 0000 0000 0000 0000 0000

The Microsoft Windows 2000 Professional operating system changed the code value of the ICMP Echo Reply to 0. I have tested this method with IBM AIX 4.1, SUN Solaris 2.6 & 2.7, OpenBSD, NetBSD and FreeBSD, and they produced the same results as the LINUX box did. Microsoft Windows NT 4.0 Server SP 6a and Microsoft Windows 98 SE produced the same behavior as Microsoft Windows 2000 Professional.

We therefore have a method to differentiate a Microsoft Windows box from the rest of the world.

6.2 ICMP Error Message Quenching

RFC 1812 suggests limiting the rate at which various error messages are sent. Only a few operating systems are known to follow this RFC. An attacker can use this by sending UDP packets to a random high UDP port and counting the number of ICMP Destination Unreachable messages received within a given amount of time.

6.3 ICMP Message Quoting

Every ICMP error message includes the Internet Protocol (IP) header and at least the first 8 data bytes of the datagram that triggered the error; more than 8 octets (bytes) may be sent. Except for LINUX and Solaris, almost all implementations quote exactly 8 bytes of the datagram that triggered the error message. Solaris sends more information than is needed, and LINUX even more. The following example is a Snort log of a LINUX machine (LINUX 6.1, kernel 2.2.12) that has generated a Port Unreachable ICMP error message:

    03/01-12:29:39.259510 192.168.5.5 -> 192.168.5.1
    ICMP TTL:255 TOS:0xDE ID:149
    DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
    00 00 00 00 45 7E 04 32 00 0D 00 00 89 70 A1 7A   ....E~.2.....p.z
    C0 A8 05 01 C0 A8 05 05 FE 94 6C 95 59 F2 D9 3C   ..........l.Y..<
    8D AA B6 0B 2B 80 CB 8B 89 4D C9 59 19 D6 0F A0   ....+....M.Y....
    D3 67 D1 0F CB ED 84 8C 91 7E 24 00 70 B9 D7 E4   .g.......~$.p...
    6E AA 91 8F CF 5C ED 86 1B A2 40 1D 93 10 73 4B   n....\....@...sK
    49 5B A8 D5 91 99 47 F0 15 6B EB 8B 21 2D A2 15   I[....G..k..!-..
    A1 97 4C AD 6D A1 2B E5 15 07 86 77 3A 85 E9 6E   ..L.m.+....w:..n
    58 87 05 73 6D FB E9 05 29 73 DD B4 C0 EA 98 1D   X..sm...)s......
    6E 44 8F 47 85 A4 89 E6 CF 64 18 B5 FD 31 19 C0   nD.G.....d...1..
    C0 8A 8E CB 60 B0 D5 F5 79 57 81 DD 78 0B 1B EF   ....`...yW..x...
    CE 8A E5 AC 46 D4 E3 91 6C 24 80 59 CC 00 C4 AB   ....F...l$.Y....
    86 CC 39 FC AD B1 AF 3F 16 B1 6D 9C 47 5D 85 F5   ..9....?..m.G]..
    FC E3 CC 01 0E DC CC 48 E4 B6 0B 0E E5 08 A5 41   .......H.......A
    9A D9 45 B9 7A 37 13 31 C7 96 F2 42 2E 20 95 21   ..E.z7.1...B. .!
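To make both observations measurable from a capture, the following added example (not part of the paper) parses the page's tcpdump echo-reply line to read the ICMP code field, and parses a Snort-style hex/ASCII dump of a Destination Unreachable body to count how many bytes of the triggering datagram were quoted beyond the inner IP header. The function names and the Snort-style sample dump are constructed for this example; the tcpdump hex is the page's own.

```python
import re
import struct
# The page's tcpdump -x echo reply (46 bytes: 32-byte IP datagram plus Ethernet padding).
TCPDUMP_ECHO_REPLY = (
    "4500 0020 2010 0000 8001 9776 c0a8 0101 c0a8 0105 0000 de3e 6102 f658"
    " 0183 c8e2 0000 0000 0000 0000 0000 0000 0000"
)
# Constructed Snort-style dump (hex + ASCII columns) of a Destination Unreachable body,
# i.e. the bytes after the 4-byte ICMP type/code/checksum: 4 unused bytes, a 20-byte
# inner IP header, then just the 8 bytes of the offending UDP header (the RFC minimum).
SNORT_DEST_UNREACH_MIN = """\
00 00 00 00 45 00 00 24 00 01 00 00 40 11 B6 E7   ....E..$....@...
C0 A8 05 01 C0 A8 05 05 04 D2 04 D3 00 10 00 00   ................
"""

def tcpdump_hex_to_bytes(text: str) -> bytes:
    """tcpdump -x prints 16-bit words; strip all whitespace and decode."""
    return bytes.fromhex(re.sub(r"\s+", "", text))

def snort_dump_to_bytes(text: str) -> bytes:
    """Snort prints 16 bytes per line as 'XX XX ... XX   ascii'; take only the
    47-character hex column so ASCII characters are never misread as hex."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line[:47].split():
            if re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                out.append(int(tok, 16))
    return bytes(out)

def parse_echo(ip_packet: bytes) -> dict:
    """Return the ICMP type, code, identifier and sequence number of an echo packet."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    icmp = ip_packet[ihl:total_len]          # ignore link-layer padding after the datagram
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": itype, "code": code, "id": ident, "seq": seq}

def quoted_length(icmp_error_body: bytes) -> dict:
    """For an ICMP error body (bytes after type/code/checksum), report the quoted
    inner IP header length and how many data bytes beyond it were included."""
    inner = icmp_error_body[4:]              # skip the 4-byte unused field
    inner_ihl = (inner[0] & 0x0F) * 4
    data = len(inner) - inner_ihl
    return {"ip_header": inner_ihl, "data": data, "beyond_rfc_minimum": data > 8}

if __name__ == "__main__":
    print(parse_echo(tcpdump_hex_to_bytes(TCPDUMP_ECHO_REPLY)))     # code 0 in the reply
    body = snort_dump_to_bytes(SNORT_DEST_UNREACH_MIN)
    print(quoted_length(body))                      # minimal quote: 8 data bytes
    print(quoted_length(body + b"\x00" * 56))       # longer quote, as LINUX/Solaris send
```

Run against a capture, the first function shows whether a reply preserved the code of the request it answers, and the second flags error messages whose quoted data exceeds the 8-byte minimum, the two properties the text above uses to tell implementations apart.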