ICMP Usage in Scanning
7
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
For Windows a notable ICMP sweep tool is Pinger from Rhino9[8], capable of doing what fping and
NMAP do regarding this kind of scan.
Trying to resolve the names of the probed machines may reveal the attacker's IP address used
for the probing, since the lookups appear in the log of the authoritative DNS server.
The next example demonstrates the usage of NMAP to perform an ICMP sweep[9] against 20 IP
addresses. Our test lab contains two LINUX machines running Redhat Linux v6.1, Kernel 2.2.12
(Stan & Kenny) and one Windows NT WRKS SP4 (Cartman). As can be seen, all of the
machines answered the probe:
[root@stan /root]# nmap -sP -PI 192.168.5.1-20
Starting nmap V. 2.3BETA13 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host stan.sys-security.com (192.168.5.1) appears to be up.
Host kenny.sys-security.com (192.168.5.5) appears to be up.
Host cartman.sys-security.com (192.168.5.15) appears to be up.
Nmap run completed -- 20 IP addresses (3 hosts up) scanned in 3 seconds
If we wish to avoid the automatic name resolving done by NMAP we should use the -n option to
eliminate it.
ICMP sweeps are easily detected by IDS (Intrusion Detection Systems), whether the probes are
sent one after another or in parallel.
Countermeasure: Block ICMP ECHO requests coming from the Internet towards your network at
your border router and/or Firewall.
2.3 Broadcast ICMP
A simpler way to map the targeted network for alive hosts is by sending an ICMP ECHO request
to the broadcast or the network address of the targeted network.
The request is broadcast to all hosts on the targeted network. The alive hosts will send
an ICMP ECHO Reply to the attacker's source IP address.
The malicious computer attacker has to send only one IP datagram to produce this behavior.
This technique of host detection is applicable only to the UNIX hosts of the targeted network.
Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request
aimed at the broadcast address or at the network address. They are configured not to answer
those queries out of the box (Microsoft Windows NT 4.0 SP4 and above, Microsoft Windows
2000). This is not an abnormal behavior, as RFC 1122[10] states that if we send an ICMP ECHO
request to an IP Broadcast or IP Multicast address it may be silently discarded by a host.
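The IDS detection mentioned for ICMP sweeps, and the broadcast/network-address pings described in this section, can both be recognized from a record of ICMP ECHO requests seen at the border. The following is an added example, not code from the paper: it takes a constructed list of (timestamp, source, destination) records such as a sensor in front of 192.168.5.0/24 might log, flags any source that pings many distinct hosts within a short window (a sweep, whether sent sequentially or in parallel), and flags ECHO requests aimed at the network's broadcast or network address. The record format, the thresholds and the sample addresses are assumptions made for the example.

```python
"""Detect ICMP ECHO sweeps and broadcast/network-address pings.

Added example, not the paper's own code. The input format (timestamp in
seconds, source IP, destination IP), the thresholds and the sample records
are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of ICMP ECHO requests seen by a sensor protecting
# 192.168.5.0/24. One source probes 20 hosts in under 3 seconds (a sweep),
# another pings the broadcast and network address, a third sends one ping.
SAMPLE_REQUESTS = (
    [(0.15 * i, "10.0.0.99", f"192.168.5.{i}") for i in range(1, 21)]
    + [
        (5.0, "10.0.0.7", "192.168.5.255"),  # ECHO request to broadcast address
        (6.0, "10.0.0.7", "192.168.5.0"),    # ECHO request to network address
        (7.0, "10.0.0.42", "192.168.5.15"),  # a single, ordinary ping
    ]
)


def detect_sweeps(requests, min_hosts=10, window=10.0):
    """Return {src: max_distinct_hosts} for every source that sent ECHO
    requests to at least `min_hosts` distinct destinations inside some
    `window`-second interval. Uses a sliding window over each source's
    requests sorted by time, so parallel and sequential sweeps look alike."""
    by_src = defaultdict(list)
    for ts, src, dst in requests:
        by_src[src].append((ts, dst))

    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> number of requests still in window
        start = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop requests that fell out of the window ending at `ts`.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            best = max(best, len(in_window))
        if best >= min_hosts:
            sweeps[src] = best
    return sweeps


def detect_broadcast_pings(requests, network):
    """Return (src, dst) pairs for ECHO requests whose destination is the
    broadcast or the network address of `network` (e.g. "192.168.5.0/24")."""
    net = ipaddress.ip_network(network)
    special = {str(net.broadcast_address), str(net.network_address)}
    return [(src, dst) for _, src, dst in requests if dst in special]


if __name__ == "__main__":
    for src, hosts in detect_sweeps(SAMPLE_REQUESTS).items():
        print(f"ICMP sweep from {src}: {hosts} distinct hosts probed")
    for src, dst in detect_broadcast_pings(SAMPLE_REQUESTS, "192.168.5.0/24"):
        print(f"broadcast/network-address ECHO request from {src} to {dst}")
```

The sweep threshold is deliberately a count of distinct destinations rather than a packet count, so a host that re-pings one server repeatedly is not flagged, while the 20-address sweep from the NMAP example above is. The broadcast check is only meaningful for networks where such requests should never arrive from outside; the countermeasure of dropping inbound ICMP ECHO at the border router or firewall removes both cases at once.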
[8] The Rhino9 group no longer exists. Their tools are available from a number of sites on the Internet.
[9] The -sP -PI options enable NMAP to perform only an ICMP sweep. The default behavior when using the -sP option is
different and includes the usage of the TCP ACK host detection technique as well.
[10] RFC 1122: Requirements for Internet Hosts - Communication Layers, http://www.ietf.org/rfc/rfc1122.txt.