ICMP Usage in Scanning – The Complete Know How
Version 3.0

ICMP Usage in Scanning
The Complete Know-How

Ofir Arkin
Founder
The Sys-Security Group
http://www.sys-security.com
ofir@sys-security.com

Version 3.0
June 2001
Copyright © Ofir Arkin 2000-2001
http://www.sys-security.com
Trust No One
Table of Contents

1.0 INTRODUCTION ........................................................................ 11
  1.1 Introduction to Version 1.0 ................................................. 11
  1.2 Introduction to Version 2.0 ................................................. 11
  1.3 Introduction to Version 2.5 ................................................. 12
  1.4 Introduction to Version 3.0 ................................................. 12
2.0 THE ICMP PROTOCOL .................................................................. 13
  2.1 The ICMP Specifications ..................................................... 13
    2.1.1 Special Conditions with ICMP messages ................................... 13
  2.2 ICMP Messages ............................................................... 14
    2.2.1 ICMP Error Messages ..................................................... 17
      2.2.1.1 Destination Unreachable (Type 3) .................................... 18
        2.2.1.1.1 Destination Unreachable – Fragmentation Needed but the Don’t Fragment Bit was set ... 19
        2.2.1.1.2 Destination Unreachable - Communication with Destination Network is Administratively Prohibited ... 20
      2.2.1.2 Source Quench (Type 4) .............................................. 20
      2.2.1.3 Redirect (Type 5) ................................................... 21
      2.2.1.4 Time Exceeded (Type 11) ............................................. 23
      2.2.1.5 Parameter Problem (Type 12) ......................................... 24
    2.2.2 ICMP Query Messages ..................................................... 25
      2.2.2.1 Echo Request (Type 8) and Echo Reply (Type 0) ....................... 27
      2.2.2.2 Timestamp Request (Type 13) and Timestamp Reply (Type 14) ........... 28
      2.2.2.3 Information Request (Type 15) and Reply (Type 16) ................... 29
      2.2.2.4 ICMP Address Mask Request (Type 17) and Reply (Type 18) ............. 30
  2.3 Special Cases - The Path MTU Discovery Process .............................. 32
    2.3.1 The PATH MTU Discovery Process .......................................... 33
    2.3.2 Host specification ...................................................... 33
    2.3.3 Router Specification .................................................... 34
    2.3.4 The TCP MSS (Maximum Segment Size) Option and PATH MTU Discovery Process ... 35
3.0 HOST DETECTION USING THE ICMP PROTOCOL ............................................. 36
  3.1 ICMP Echo (Type 8) and Echo Reply (Type 0) .................................. 36
  3.2 ICMP Sweep (Ping Sweep) ..................................................... 37
  3.3 Broadcast ICMP .............................................................. 39
  3.4 Non-ECHO ICMP ............................................................... 41
    3.4.1 ICMP Time Stamp Request (Type 13) and Reply (Type 14) ................... 42
    3.4.2 ICMP Information Request (Type 15) and Reply (Type 16) .................. 43
    3.4.3 ICMP Address Mask Request (Type 17) and Reply (Type 18) ................. 46
  3.5 Non-ECHO ICMP Sweeps ........................................................ 49
  3.6 Non-ECHO ICMP Broadcasts .................................................... 50
  3.7 Host Detection Using ICMP Error Messages .................................... 52
4.0 ADVANCED HOST DETECTION USING THE ICMP PROTOCOL .................................... 54
  4.1 Triggering ICMP Parameter Problem error messages ............................ 54
    4.1.1 ACL Detection ........................................................... 57
      4.1.1.1 ACL Detection – An example with TCP/UDP as the underlying protocol .. 58
      4.1.1.2 ACL Detection - An example with ICMP as the underlying Protocol ..... 58
  4.2 IP Datagrams with not used field values ..................................... 59
    4.2.1 The Protocol Field example .............................................. 59
      4.2.1.1 Using non-Used IP protocol values ................................... 59
        4.2.1.1.1 Detecting if a Filtering Device is present ...................... 60
      4.2.1.2 `Protocol Scan` ..................................................... 60
  4.3 Abusing IP fragmentation .................................................... 63
    4.3.1 ACL Detection ........................................................... 64
  4.4 Using UDP Scans (or why we wait for the ICMP Port Unreachable) .............. 66
    4.4.1 A Better Host Detection Using UDP Scan .................................. 66
  4.5 Using Packets bigger than the PMTU of internal routers to elicit an ICMP Fragmentation Needed and Don’t Fragment Bit was Set (configuration problem) ... 68
5.0 INVERSE MAPPING ..................................................................... 69
  5.1 Inverse Mapping Using ICMP Query Request(s), and ICMP Query Reply(s) ........ 69
  5.2 Inverse Mapping Using Other Protocols ....................................... 71
  5.3 Patterns we might see ....................................................... 71
6.0 USING TRACEROUTE TO MAP A NETWORK TOPOLOGY ......................................... 74
  6.1 When A Firewall Protects a Network .......................................... 75
7.0 THE USAGE OF ICMP IN ACTIVE OPERATING SYSTEM FINGERPRINTING PROCESS ................ 78
  7.1 Using Regular ICMP Query Messages ........................................... 78
    7.1.1 The “Who answer what?” approach ......................................... 78
      7.1.1.1 Identifying Operating Systems according to their replies for non-ECHO ICMP query requests aimed at the broadcast address ... 79
    7.1.2 Examining the IP ID field value(s) ...................................... 80
      Identifying Kernel 2.4.x Linux based machines using the IP ID field with ICMP datagrams ... 81
    7.1.3 Fun with IP Identification Field Values ................................. 83
    7.1.4 The DF Bit Playground ................................................... 85
      7.1.4.1 HP-UX 10.30 / 11.x & AIX 4.3.x Path MTU Discovery Process Using ICMP Echo Requests ... 86
      7.1.4.2 Detection Avoidance ................................................. 92
        7.1.4.2.1 HPUX ............................................................ 92
        7.2.4.2.2 Sun Solaris ..................................................... 92
        7.2.4.2.3 Linux Kernel 2.4.x .............................................. 93
    7.1.5 The IP Time-to-Live Field Value with ICMP ............................... 93
      7.1.5.1 IP TTL Field Value with ICMP Query Replies .......................... 94
      7.1.5.2 IP TTL Field Value with ICMP ECHO Requests .......................... 97
      7.1.5.3 Correlating the Information ......................................... 99
    7.1.6 Using Fragmented ICMP Address Mask Requests ............................. 99
  7.2 Using Crafted ICMP Query Messages .......................................... 102
    Playing with the TOS Field ................................................... 102
    7.2.1 Precedence Bits Echoing ................................................ 104
      7.2.1.1 Changed Pattern with other ICMP Query Message Types ................ 111
    7.2.2 TOSing OSs out of the Window / “TOS Echoing” ........................... 113
      7.2.2.1 The use of the Type-of-Service field with the ICMP Protocol ........ 113
      7.2.2.2 Changed Pattern with Other ICMP Message Types ...................... 117
    7.2.3 Using the TOS Byte’s Unused Bit ........................................ 119
      7.2.3.1 Changed Pattern with Replies for Different ICMP Query Types ........ 121
    7.2.4 Using the Unused ....................................................... 122
    7.2.5 DF Bit Echoing ......................................................... 124
      7.2.5.1 DF Bit Echoing with the ICMP Echo request .......................... 125
      7.2.5.2 DF Bit Echoing with the ICMP Address Mask request .................. 126
      7.2.5.3 DF Bit Echoing with the ICMP Timestamp request ..................... 126
      7.2.5.4 Why this will work (for the skeptical) ............................. 126
      7.2.5.5 Combining all together ............................................. 128
    7.2.6 Using Code field values different than zero within ICMP ECHO requests . 129
    7.2.7 Using Code field values different than zero within ICMP Timestamp Request ... 131
      7.2.7.1 Operating Systems that Zero out the Code field value on Reply ...... 131
      7.2.7.2 The non-answering Operating Systems ................................ 131
      7.2.7.3 Changed Patterns ................................................... 132
  7.3 Using ICMP Error Messages .................................................. 133
    7.3.1 Operating systems which do not generate ICMP Protocol Unreachable Error Messages ... 133
    7.3.2 ICMP Error Message Quenching ........................................... 133