
2.0 PING Sweeps

2.1 ICMP sweeps (ICMP ECHO requests)

We can use ICMP packets to determine whether a target IP address is alive or not, by simply sending ICMP ECHO request (ICMP type 8) packets to the targeted system and waiting to see if an ICMP ECHO reply (ICMP type 0) is received. If an ICMP ECHO reply is received, it means that the target is alive; no response means the target is down. Querying multiple hosts using this method is referred to as a Ping Sweep.

Ping sweeps are the most basic step in mapping out a network. This is an older approach to mapping, and the scan is fairly slow.

Some of the tools used for this kind of scan include:

UNIX:
· fping & gping [2]
· nmap [3]

Windows:
· Pinger from Rhino9 [4]

Pinger is one of the fastest ICMP sweep scanners. Its advantage lies in its ability to send multiple ICMP ECHO packets concurrently and wait for the responses. It also allows you to resolve host names and save the output to a file.

Blocking ICMP sweeps is rather easy, simply by not allowing ICMP ECHO requests into your network from the void.

If you are still not convinced that you should block ICMP ECHO requests, bear in mind that you can also perform Broadcast ICMPs.

2.2 Broadcast ICMP

Sending an ICMP ECHO request to the network and/or broadcast addresses will produce all the information you need for mapping a targeted network in an even simpler way. The request will be broadcast to all alive hosts on the target network, and they will send ICMP ECHO replies to the attacker's source IP after the attacker has sent only one or two packets.

Here we can first distinguish between Unix and Windows machines. While Unix machines often still answer requests directed to the network address (the answer will be the fully qualified network address), Windows machines will ignore them.

[2] ftp.tamu.edu/pub/Unix/src/
[3] http://www.insecure.org
[4] http://207.98.195.250/software
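
To check whether the sweeps of 2.1 and the broadcast probes of 2.2 are reaching a network, the detection logic below is an added example, not part of the original paper: it flags outside sources that send ICMP ECHO requests to many distinct hosts within a short window, or to the network or broadcast address. The function name, the threshold and window values, and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST = 8  # ICMP type 8; the matching ECHO reply is type 0


def detect_icmp_mapping(events, network, threshold=5, window=10.0):
    """Return (sweepers, broadcast_probers) from inbound ICMP events.

    events: iterable of (timestamp_seconds, src_ip, dst_ip, icmp_type).
    """
    net = ipaddress.ip_network(network)
    special = {net.network_address, net.broadcast_address}
    recent = defaultdict(list)          # src -> [(ts, dst)] inside the window
    sweepers, broadcast_probers = set(), set()

    for ts, src, dst, icmp_type in sorted(events):
        dst_ip = ipaddress.ip_address(dst)
        if icmp_type != ECHO_REQUEST or dst_ip not in net:
            continue
        if ipaddress.ip_address(src) in net:
            continue                    # only traffic arriving from outside
        if dst_ip in special:           # section 2.2: network/broadcast probe
            broadcast_probers.add(src)
            continue
        # Slide the window, then count distinct targets still inside it.
        recent[src] = [(t, d) for t, d in recent[src] if ts - t <= window]
        recent[src].append((ts, dst_ip))
        if len({d for _, d in recent[src]}) >= threshold:
            sweepers.add(src)           # section 2.1: many hosts, one source
    return sweepers, broadcast_probers


# Constructed sample events (documentation address ranges, not real captures).
SAMPLE_EVENTS = (
    # 198.51.100.7 walks six hosts in three seconds: a sweep.
    [(i * 0.5, "198.51.100.7", f"192.0.2.{10 + i}", 8) for i in range(6)]
    # 203.0.113.5 pings one host repeatedly: ordinary monitoring.
    + [(float(i), "203.0.113.5", "192.0.2.10", 8) for i in range(6)]
    # 203.0.113.9 probes the network and broadcast addresses.
    + [(1.0, "203.0.113.9", "192.0.2.0", 8), (1.2, "203.0.113.9", "192.0.2.255", 8)]
    # An ECHO reply (type 0) is not a request and is ignored.
    + [(2.0, "198.51.100.20", "192.0.2.30", 0)]
)

if __name__ == "__main__":
    print(detect_icmp_mapping(SAMPLE_EVENTS, "192.0.2.0/24"))
```

A sweep slow enough to stay under the threshold within each window is not flagged, so both values need tuning against the site's normal monitoring traffic.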