ICMP Usage in Scanning 7 Copyright © Ofir Arkin, 2000 http://www.sys-security.com

For Windows a notable ICMP sweep tool is Pinger from Rhino9 [8], which is able to do what fping and NMAP do regarding this kind of scan.

Resolving the names of the probed machines can give the attacker away: the reverse lookups appear in the log of the authoritative DNS server for the targeted network, which may reveal the IP address used for the probing.

The next example demonstrates the usage of NMAP to perform an ICMP sweep [9] against 20 IP addresses. Our test lab contains two Linux machines running Red Hat Linux 6.1, kernel 2.2.12 (Stan and Kenny), and one Windows NT Workstation SP4 machine (Cartman). As can be seen, all of the machines answered the probe:

[root@stan /root]# nmap -sP -PI 192.168.5.1-20

Starting nmap V. 2.3BETA13 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host stan.sys-security.com (192.168.5.1) appears to be up.
Host kenny.sys-security.com (192.168.5.5) appears to be up.
Host cartman.sys-security.com (192.168.5.15) appears to be up.
Nmap run completed -- 20 IP addresses (3 hosts up) scanned in 3 seconds

If we wish to avoid the automatic name resolution done by NMAP, we should use the -n option to disable it.

ICMP sweeps are easily detected by IDS (Intrusion Detection Systems), whether launched in the regular (sequential) way or in a parallel way.

Countermeasure: Block ICMP ECHO requests coming from the Internet towards your network at your border router and/or firewall.

2.3 Broadcast ICMP

A simpler way to map the targeted network for alive hosts is to send an ICMP ECHO request to the broadcast address or the network address of the targeted network. The request is broadcast to all hosts on the targeted network, and the alive hosts send an ICMP ECHO Reply to the attacker's source IP address. The malicious computer attacker has to send only one IP datagram to produce this behavior. This technique of host detection is applicable only to the UNIX hosts of the targeted network.
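The two techniques above (the per-address sweep and the single datagram to the broadcast or network address) are exactly what an IDS looks for. The following Python is an added example, not code from the paper, from nmap or from Pinger. It builds an ICMP ECHO request the way a sweep tool does (the RFC 792 header with the RFC 1071 one's-complement checksum) and then runs a small detector over constructed flow records of the form (timestamp, source, destination, ICMP type): a source that probes many distinct addresses within a short window is flagged as a sweep, and any ECHO request aimed at the network or broadcast address of 192.168.5.0/24 (the lab network of the paper) is flagged as broadcast ICMP. The records, the window of 5 seconds and the threshold of 5 targets are assumptions chosen for the example.

```python
import ipaddress
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8  # RFC 792 type for an Echo request; Echo reply is type 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"  # odd length is padded with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the end-around carries into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build one ICMP Echo request: type, code, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def verify_checksum(packet: bytes) -> bool:
    """A packet whose checksum field is correct sums to zero under the same routine."""
    return icmp_checksum(packet) == 0


def detect_icmp_sweeps(records, window_seconds=5.0, threshold=5):
    """Return {source: max distinct destinations probed with Echo requests
    inside any window_seconds-long window}, only for sources reaching threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type in records:
        if icmp_type == ICMP_ECHO_REQUEST:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(len(targets), alerts.get(src, 0))
    return alerts


def detect_broadcast_echo(records, network):
    """Return (timestamp, source, destination) for every Echo request sent to the
    network address or the directed broadcast address of the given network."""
    net = ipaddress.ip_network(network)
    special = {net.network_address, net.broadcast_address}
    return [
        (ts, src, dst)
        for ts, src, dst, icmp_type in records
        if icmp_type == ICMP_ECHO_REQUEST and ipaddress.ip_address(dst) in special
    ]


# Constructed flow records (assumed, not captured): an nmap-style sweep of
# 192.168.5.1-20 from 10.0.0.9 taking about 3 seconds, a legitimate ping from
# 10.0.0.7, the three Echo replies from the hosts that are up, and finally one
# Echo request each to the broadcast and the network address from 10.0.0.9.
SAMPLE_RECORDS = (
    [(i * 0.15, "10.0.0.9", "192.168.5.%d" % (i + 1), ICMP_ECHO_REQUEST) for i in range(20)]
    + [(1.0, "10.0.0.7", "192.168.5.5", ICMP_ECHO_REQUEST),
       (2.0, "10.0.0.7", "192.168.5.5", ICMP_ECHO_REQUEST),
       (3.0, "10.0.0.7", "192.168.5.5", ICMP_ECHO_REQUEST)]
    + [(0.01, "192.168.5.1", "10.0.0.9", 0),
       (0.61, "192.168.5.5", "10.0.0.9", 0),
       (2.11, "192.168.5.15", "10.0.0.9", 0)]
    + [(10.0, "10.0.0.9", "192.168.5.255", ICMP_ECHO_REQUEST),
       (10.1, "10.0.0.9", "192.168.5.0", ICMP_ECHO_REQUEST)]
)

if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1, b"sweep")
    print("echo request:", pkt.hex(), "checksum ok:", verify_checksum(pkt))
    print("sweeps:", detect_icmp_sweeps(SAMPLE_RECORDS))
    print("broadcast ICMP:", detect_broadcast_echo(SAMPLE_RECORDS, "192.168.5.0/24"))
```

The sweep detector keys on distinct destinations per source rather than on packet counts, so a host pinging one server repeatedly is not flagged while a sequential or parallel sweep is; the legitimate pinger 10.0.0.7 stays below the threshold. The broadcast check needs the defender's own prefix, because a directed broadcast is an ordinary unicast-looking destination to anyone who does not know the subnet mask.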
Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address. They are configured not to answer those queries out of the box (Microsoft Windows NT 4.0 SP4 and above, Microsoft Windows 2000). This is not abnormal behavior: RFC 1122 [10] states that an ICMP ECHO request sent to an IP broadcast or IP multicast address may be silently discarded by a host.

[8] The Rhino9 group no longer exists. Their tools are available from a number of sites on the Internet.
[9] The -sP -PI options make NMAP perform only an ICMP sweep. The default behavior of the -sP option alone is different and also includes the TCP ACK host detection technique.
[10] RFC 1122: Requirements for Internet Hosts - Communication Layers, http://www.ietf.org/rfc/rfc1122.txt