
2.3 Non-ECHO ICMP

Blocking incoming ICMP ECHO requests is not enough. We can use non-ECHO ICMP message types to gather various information about a system. Good examples are ICMP type 13 messages (TIMESTAMP) and ICMP type 17 messages (ADDRESS MASK REQUEST). An ICMP timestamp request and reply allow one system to query another for the current time. The ICMP address mask request (and reply) is intended for diskless systems to obtain their subnet mask at bootstrap time; we can use it to request the netmask of a particular device. The icmpush and icmpquery tools perform this kind of scanning. Many firewalls are configured to block only ICMP ECHO traffic, which makes the non-ECHO requests a valid form of host identification.

Even if ICMP traffic is blocked on the border router or firewall, there are additional techniques that can be used to determine which systems are actually alive, although these techniques are not as accurate as a normal ICMP sweep.

2.4 TCP Sweeps

The TCP connection establishment process is called “the three-way handshake” and consists of three segments:

1. A client sends a SYN segment specifying the port number of the server that the client wants to connect to, and the client’s initial sequence number (ISN).
2. If the server’s service (or port) is active, the server responds with its own SYN segment containing the server’s initial sequence number. The server also acknowledges the client’s SYN by ACKing the client’s ISN+1. If the port is not active, the server sends a RESET segment, which resets the connection.
3. The client acknowledges the server’s SYN by ACKing the server’s ISN+1.

When will a RESET be sent? Whenever an arriving segment does not appear correct for the referenced connection. The referenced connection is the connection specified by the destination IP address and port number together with the source IP address and port number [5].
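The filter-policy gap described in section 2.3, as an added example that is not code from the original paper: a small Python decoder for raw ICMP datagrams (type, code, RFC 1071 checksum) run over constructed sample packets, with an ECHO-only inbound policy placed beside one that also drops type 13 and type 17 requests, and an audit that reports which request types each policy still lets through. The sample datagrams, the filter function names and the type-name table are assumptions made for this example.

```python
import struct

# ICMP message types named in the text (numeric values per RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
ICMP_ADDRESS_MASK_REQUEST = 17
ICMP_ADDRESS_MASK_REPLY = 18

# Every inbound request type a host will answer; a filter that covers only
# ICMP_ECHO_REQUEST leaves the other two open, which is the gap the text describes.
INBOUND_REQUEST_TYPES = {ICMP_ECHO_REQUEST, ICMP_TIMESTAMP_REQUEST, ICMP_ADDRESS_MASK_REQUEST}

TYPE_NAMES = {
    ICMP_ECHO_REPLY: "ECHO REPLY",
    ICMP_ECHO_REQUEST: "ECHO REQUEST",
    ICMP_TIMESTAMP_REQUEST: "TIMESTAMP REQUEST",
    ICMP_TIMESTAMP_REPLY: "TIMESTAMP REPLY",
    ICMP_ADDRESS_MASK_REQUEST: "ADDRESS MASK REQUEST",
    ICMP_ADDRESS_MASK_REPLY: "ADDRESS MASK REPLY",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP datagram."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, body: bytes) -> bytes:
    """Assemble an ICMP datagram with a correct checksum; used here only to
    construct the sample input below."""
    csum = icmp_checksum(struct.pack("!BBH", msg_type, code, 0) + body)
    return struct.pack("!BBH", msg_type, code, csum) + body


def parse_icmp(datagram: bytes) -> dict:
    """Decode type and code from a raw ICMP datagram and verify its checksum.
    Summing a correct datagram, checksum field included, folds to zero."""
    if len(datagram) < 8:
        raise ValueError("ICMP datagram shorter than the 8-byte minimum")
    msg_type, code, _ = struct.unpack("!BBH", datagram[:4])
    return {
        "type": msg_type,
        "name": TYPE_NAMES.get(msg_type, "type %d" % msg_type),
        "code": code,
        "checksum_ok": icmp_checksum(datagram) == 0,
    }


def echo_only_filter(datagram: bytes) -> str:
    """The weak inbound policy the text warns about: drop ECHO requests only."""
    return "drop" if parse_icmp(datagram)["type"] == ICMP_ECHO_REQUEST else "accept"


def request_aware_filter(datagram: bytes) -> str:
    """Corrected inbound policy: drop every ICMP request type a host would answer."""
    return "drop" if parse_icmp(datagram)["type"] in INBOUND_REQUEST_TYPES else "accept"


# Constructed sample datagrams (not captured traffic). Bodies follow the RFC 792
# layouts: echo = id, seq, data; timestamp = id, seq, three 32-bit timestamps;
# address mask = id, seq, 32-bit mask (zero in a request).
SAMPLE_ECHO_REQUEST = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1) + b"probe")
SAMPLE_TIMESTAMP_REQUEST = build_icmp(ICMP_TIMESTAMP_REQUEST, 0, struct.pack("!HHIII", 0x1234, 1, 0, 0, 0))
SAMPLE_MASK_REQUEST = build_icmp(ICMP_ADDRESS_MASK_REQUEST, 0, struct.pack("!HHI", 0x1234, 1, 0))
SAMPLE_ECHO_REPLY = build_icmp(ICMP_ECHO_REPLY, 0, struct.pack("!HH", 0x1234, 1) + b"probe")
# One datagram with a flipped payload byte, to show the checksum check rejecting it.
SAMPLE_CORRUPTED = SAMPLE_ECHO_REQUEST[:-1] + bytes([SAMPLE_ECHO_REQUEST[-1] ^ 0xFF])

SAMPLE_INBOUND = [SAMPLE_ECHO_REQUEST, SAMPLE_TIMESTAMP_REQUEST, SAMPLE_MASK_REQUEST, SAMPLE_ECHO_REPLY]


def filter_gaps(filter_fn, datagrams=SAMPLE_INBOUND) -> list:
    """Audit a filter: return the ICMP request types it still lets through.
    Request types are the ones whose replies give away a live host."""
    return sorted(
        parse_icmp(d)["type"]
        for d in datagrams
        if parse_icmp(d)["type"] in INBOUND_REQUEST_TYPES and filter_fn(d) == "accept"
    )


def non_echo_requests(datagrams) -> list:
    """Detection view: names of well-formed inbound request types other than ECHO,
    i.e. the probes an ECHO-only policy silently passes."""
    return [
        parse_icmp(d)["name"]
        for d in datagrams
        if parse_icmp(d)["checksum_ok"]
        and parse_icmp(d)["type"] in INBOUND_REQUEST_TYPES - {ICMP_ECHO_REQUEST}
    ]


if __name__ == "__main__":
    for name, fn in (("echo-only", echo_only_filter), ("request-aware", request_aware_filter)):
        print("%-13s lets through request types: %s" % (name, filter_gaps(fn)))
    print("non-ECHO requests seen:", non_echo_requests(SAMPLE_INBOUND))
    print("corrupted datagram checksum ok?", parse_icmp(SAMPLE_CORRUPTED)["checksum_ok"])
```

Run as a script it prints the audit for both policies; the point to take from it is that the ECHO-only policy passes types 13 and 17 unchanged, while the request-aware policy leaves only replies (type 0 here) through, which is what outbound pings need.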
With the TCP Sweep technique, instead of sending ICMP ECHO request packets we send TCP ACK or TCP SYN packets (depending on whether we have root access) to the target network. The port number can be selected to meet our needs. Usually a good pick is one of the following ports: 21 / 22 / 23 / 25 / 80 (especially if a firewall is protecting the targeted network). Receiving a response is a good indication that something is up there. The response depends on the target’s operating system, the nature of the packet sent, and any firewalls, routers or packet-filtering devices in the path. Bear in mind that firewalls can spoof a RESET packet for an IP address, so TCP Sweeps may not be reliable.

[5] RFC 793, http://www.ietf.org/rfc/rfc0793.txt
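As an added example, not code from the original paper, the following Python first models the handshake rules from the numbered list in section 2.4 (SYN+ACK or RESET in answer to a SYN, RESET for a segment with no referenced connection behind it) and then runs a sweep detector over constructed traffic: it flags a source that sends SYN or bare ACK to the listed ports on many distinct hosts within a short window. The thresholds, the Segment record, the function names and the sample addresses are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ports the text names as the usual picks for a TCP sweep
SWEEP_PORTS = {21, 22, 23, 25, 80}
# Alerting thresholds chosen for this example (assumptions; tune per network)
SWEEP_DISTINCT_HOSTS = 5
SWEEP_WINDOW_SECONDS = 10.0


@dataclass(frozen=True)
class Segment:
    ts: float      # seconds
    src: str       # client / probing host
    dst: str       # server being contacted
    dport: int
    flags: str     # "S" = SYN, "A" = bare ACK, "SA" = SYN+ACK, "R" = RESET


def server_response(listening_ports, known_connections, seg):
    """Model of the handshake rules in the text for one arriving segment.
    known_connections holds (client_ip, server_port) pairs the server has state for.
    Returns the flags the server sends back, or None when nothing is sent."""
    if seg.flags == "S":
        # Step 2: SYN to an active port gets SYN+ACK, SYN to a closed port gets RESET
        return "SA" if seg.dport in listening_ports else "R"
    if (seg.src, seg.dport) in known_connections:
        return None   # segment belongs to a referenced connection; handled normally
    # Anything else (a bare ACK with no connection behind it) does not appear
    # correct for the referenced connection, so a RESET goes back.
    return "R"


def detect_tcp_sweeps(segments, min_hosts=SWEEP_DISTINCT_HOSTS, window=SWEEP_WINDOW_SECONDS):
    """Return {source: sorted targets} for every source that sends SYN or bare ACK
    to sweep ports on at least min_hosts distinct hosts inside one sliding window.
    Alerting on the probes rather than on the replies sidesteps the caveat that a
    firewall may spoof RESETs: the probe volume is visible either way."""
    probes = defaultdict(list)
    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.dport in SWEEP_PORTS and seg.flags in ("S", "A"):
            probes[seg.src].append((seg.ts, seg.dst))

    alerts = {}
    for src, events in probes.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({dst for _, dst in events[start:end + 1]}) >= min_hosts:
                # Threshold crossed once: report every host this source touched
                alerts[src] = sorted({dst for _, dst in events})
                break
    return alerts


# Constructed sample traffic (not a real capture; documentation-range addresses).
SAMPLE_SEGMENTS = [
    # one source sending SYN to port 80 on eight hosts within four seconds
    *[Segment(0.5 * i, "198.51.100.7", "192.0.2.%d" % (i + 1), 80, "S") for i in range(8)],
    # a normal client completing a handshake with a single server
    Segment(1.0, "203.0.113.5", "192.0.2.10", 80, "S"),
    Segment(1.1, "203.0.113.5", "192.0.2.10", 80, "A"),
    # a slow source touching two hosts minutes apart; stays below the threshold
    Segment(100.0, "203.0.113.9", "192.0.2.3", 22, "S"),
    Segment(400.0, "203.0.113.9", "192.0.2.4", 22, "S"),
]


if __name__ == "__main__":
    open_ports = {22, 80}
    print("SYN to open port   ->", server_response(open_ports, set(), SAMPLE_SEGMENTS[0]))
    print("SYN to closed port ->", server_response(open_ports, set(), Segment(0, "198.51.100.7", "192.0.2.1", 23, "S")))
    print("unsolicited ACK    ->", server_response(open_ports, set(), Segment(0, "198.51.100.7", "192.0.2.1", 80, "A")))
    for src, targets in detect_tcp_sweeps(SAMPLE_SEGMENTS).items():
        print("possible TCP sweep from %s against %d hosts: %s" % (src, len(targets), targets))
```

The detector keys on what a source emits, not on whether targets answered, precisely because of the RESET-spoofing caveat above: a spoofed RESET changes what the prober learns, but not the fact that one address touched many hosts on the same handful of ports within seconds. Widening the window or lowering the host threshold trades false positives for catching slower sweeps.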