ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
ID:5721   Seq:1  ECHO
89 D7 8E 38 27 63 0B 00 08 09 0A 0B 0C 0D 0E 0F  ...8'c..........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

01/26-13:16:25.746638 192.168.5.5 -> 192.168.5.1
ICMP TTL:255 TOS:0x0 ID:6072
ID:5721   Seq:1  ECHO REPLY
89 D7 8E 38 27 63 0B 00 08 09 0A 0B 0C 0D 0E 0F  ...8'c..........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567
 0        4        8                 16                 31
 +--------+--------+------------------+------------------+
 |      Type       |     Code = 0     |     Checksum     |
 +-----------------+------------------+------------------+
 |           Identifier               |  Sequence Number |
 +------------------------------------+------------------+
 |  Data...
 +--------------------------------------------------------

Figure 2: ICMP ECHO Request & Reply message format (Type = 8 for the ECHO request, Type = 0 for the ECHO reply; Code is 0 in both)
Countermeasure: Block ICMP ECHO requests coming from the Internet towards your network at
your border router and/or firewall [5].
2.2 ICMP Sweep
Querying multiple hosts using ICMP ECHO is referred to as an ICMP Sweep (or Ping Sweep).
For a small to midsize network, ping is an acceptable solution to this kind of host detection, but
with large networks (such as a Class A, or a full Class B) this kind of scan is fairly slow, mainly
because ping waits for a reply (or for its time-out to be reached) from the probed host before
proceeding to the next one.
fping [6] is a UNIX utility which sends ECHO requests to many hosts in parallel, in a round-robin fashion,
making it significantly faster than the usual ping utility. It can also be fed IP addresses by its
companion tool gping. gping is used to generate a list of IP addresses which is then fed into fping,
directly or from a file, to perform the ICMP sweep. fping is also able to resolve the hostnames of the
probed machines when the -d option is used.
Another UNIX tool that is able to do an ICMP sweep in parallel, resolve the hostnames of the
probed machines, save the results to a file, and a lot more, is NMAP [7], written by Fyodor.
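The following is an added example, not code from Arkin's paper nor from fping or NMAP. It builds an ICMP ECHO request laid out exactly as in Figure 2 (Type 8, Code 0, Checksum, Identifier, Sequence Number, Data), reusing the 56-byte payload from the Snort dump above, parses and checksum-verifies the ECHO reply, and then runs a sweep the way the text describes fping working: every target gets its request first, and replies are collected afterwards up to one shared deadline, instead of waiting one time-out per host as ping does. The sweep is written against a small send/recv transport so it can be exercised offline with a constructed fake network; the raw-socket transport at the end is the real thing and needs root (or CAP_NET_RAW). The names (build_echo_request, parse_echo_reply, sweep, fake_transport, raw_transport) and the sample host list are this example's own assumptions.

```python
"""Added example: craft/parse ICMP ECHO per Figure 2 and sweep hosts fping-style."""
import os
import socket
import struct
import time

ICMP_ECHO_REQUEST = 8   # Type 8, Code 0
ICMP_ECHO_REPLY = 0     # Type 0, Code 0

# Payload copied from the Snort dump above: an 8-byte timestamp followed by
# the 0x08..0x37 fill pattern, 56 bytes in total.
SAMPLE_PAYLOAD = bytes.fromhex(
    "89D78E3827630B00" "08090A0B0C0D0E0F"
    "101112131415161718191A1B1C1D1E1F"
    "202122232425262728292A2B2C2D2E2F"
    "3031323334353637"
)

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes = SAMPLE_PAYLOAD) -> bytes:
    """Type | Code | Checksum | Identifier | Sequence Number | Data, as in Figure 2."""
    ident, seq = ident & 0xFFFF, seq & 0xFFFF
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)           # computed with the checksum field zeroed
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def parse_echo_reply(pkt: bytes):
    """Return (ident, seq, payload) for a checksum-valid ECHO REPLY, else None.
    Accepts a bare ICMP message or one still wrapped in its IPv4 header,
    which is how a raw socket hands it to you."""
    if len(pkt) >= 20 and pkt[0] >> 4 == 4:          # IPv4 version nibble: strip the IP header
        pkt = pkt[(pkt[0] & 0x0F) * 4:]
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:       # a correct message re-sums to zero
        return None
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if typ != ICMP_ECHO_REPLY or code != 0:
        return None
    return ident, seq, pkt[8:]

def sweep(targets, send, recv, timeout=1.0, ident=None):
    """Round-robin sweep: send one request to every target first, then collect
    replies until the single shared deadline. Replies are matched on
    Identifier+Sequence, not on source address alone. Returns the live hosts."""
    ident = (os.getpid() & 0xFFFF) if ident is None else ident
    expected = {}
    for seq, addr in enumerate(targets, start=1):
        send(addr, build_echo_request(ident, seq))
        expected[(ident, seq)] = addr
    alive = set()
    deadline = time.monotonic() + timeout
    while expected and (remaining := deadline - time.monotonic()) > 0:
        got = recv(remaining)
        if got is None:                               # transport timed out: deadline reached
            break
        parsed = parse_echo_reply(got[1])
        if parsed and (parsed[0], parsed[1]) in expected:
            alive.add(expected.pop((parsed[0], parsed[1])))
    return sorted(alive)

def fake_transport(alive_hosts):
    """Constructed stand-in for the network: hosts in alive_hosts echo the
    request back as a reply, everything else stays silent."""
    queue = []
    def send(addr, pkt):
        if addr in alive_hosts:
            _, _, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
            hdr = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq)
            csum = icmp_checksum(hdr + pkt[8:])
            queue.append((addr, struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, ident, seq) + pkt[8:]))
    def recv(remaining):
        return queue.pop(0) if queue else None
    return send, recv

def raw_transport():
    """Real transport (needs root / CAP_NET_RAW): the kernel prepends the IP
    header on send and hands it back on receive."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    def send(addr, pkt):
        sock.sendto(pkt, (addr, 0))
    def recv(remaining):
        sock.settimeout(remaining)
        try:
            pkt, (src, _) = sock.recvfrom(65535)
        except socket.timeout:
            return None
        return src, pkt
    return send, recv

if __name__ == "__main__":
    # Constructed demo network: .1 and .7 answer, .2 does not.
    send, recv = fake_transport({"192.168.5.1", "192.168.5.7"})
    print(sweep(["192.168.5.1", "192.168.5.2", "192.168.5.7"], send, recv))
```

Two details matter in practice: the sweep's single deadline is what makes it fast (N hosts cost one time-out, not N), and matching replies on Identifier and Sequence Number rather than source address keeps stray or spoofed ECHO replies from being counted as live hosts. Swap fake_transport for raw_transport to run it against a real network.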
[5] It is better to filter unwanted traffic at your border router, reducing traffic rates for your firewall.
[6] http://ftp.tamu.edu/pub/Unix/src/
[7] http://www.insecure.org