ICMP Usage in Scanning
Version 2.5
ICMP Usage in Scanning
Or
Understanding some of the ICMP Protocol’s Hazards
Ofir Arkin
Founder
The Sys-Security Group
Version 2.5
December 2000
Copyright
Ofir Arkin, 2000-2001
http://www.sys-security.com
Table of Contents
Introduction ..... 7
1.1 Introduction to Version 1.0 ..... 7
1.2 Introduction to Version 2.0 ..... 7
1.3 Introduction to Version 2.5 ..... 8
1.4 CHANGES ..... 8
1.4.1 Version 1.0 to Version 2.0 ..... 8
1.4.2 Version 2.0 to Version 2.01 ..... 9
1.4.3 Version 2.01 to Version 2.5 ..... 9
2.1 ICMP ECHO (Type 8) and ECHO Reply (Type 0) ..... 10
2.2 ICMP Sweep (Ping Sweep) ..... 11
2.3 Broadcast ICMP ..... 12
2.4 Non-ECHO ICMP ..... 14
2.4.1 ICMP Time Stamp Request (Type 13) and Reply (Type 14) ..... 15
2.4.2 ICMP Information Request (Type 15) and Reply (Type 16) ..... 16
2.4.3 ICMP Address Mask Request (Type 17) and Reply (Type 18) ..... 19
2.5 Non-ECHO ICMP Sweeps ..... 22
2.6 Non-ECHO ICMP Broadcasts ..... 23
3.0 Advanced Host Detection using the ICMP Protocol (using ICMP Error Messages generated from the probed machines) ..... 25
3.1 Sending IP Datagrams with bad IP header fields – generating ICMP Parameter Problem error messages back from probed machines ..... 25
3.1.1 ACL Detection using IP Datagrams with bad IP header fields ..... 27
3.2 IP Datagrams with non-valid field values ..... 29
3.2.1 The Protocol Field example ..... 29
3.2.1.2 Using all combinations of the IP protocol field values ..... 29
3.2.2 ACL Detection using the Protocol field ..... 30
3.3 Host Detection using IP fragmentation to elicit Fragment Reassembly Time Exceeded ICMP error messages ..... 31
3.3.1 ACL Detection using IP fragmentation ..... 32
3.4 Host Detection using UDP Scans, or why we wait for the ICMP Port Unreachable ..... 33
3.4.1 A Better Host Detection Using UDP Scan ..... 34
3.5 Using Packets bigger than the PMTU of internal routers to elicit an ICMP Fragmentation Needed and Don’t Fragment Bit was Set (configuration problem) ..... 35
4.0 Inverse Mapping ..... 36
4.1 Inverse Mapping Using ICMP (Echo & Echo Reply) ..... 36
4.2 Inverse Mapping Using Other Protocols ..... 37
4.3 Patterns we might see ..... 37
5.0 Using traceroute to Map a Network Topology ..... 40
6.0 The usage of ICMP in Active Operating System Fingerprinting Process ..... 43
Using Regular ICMP Query Messages ..... 43
6.1.2 Using ICMP Information Requests ..... 44
6.1.3 Identifying Operating Systems according to their replies for non-ECHO ICMP requests aimed at the broadcast address ..... 44
6.2 The DF Bit Playground (Identifying Sun Solaris, HP-UX 10.30, 11.0x, and AIX 4.3.x based machines) ..... 45
6.2.1 Avoidance ..... 52
6.3 The IP Time-to-Live Field Value with ICMP ..... 53
6.3.1 IP TTL Field Value with ICMP Query Replies ..... 53
6.3.2 IP TTL Field Value with ICMP ECHO Requests ..... 55
6.3.3 Correlating the Information ..... 56
6.4 Using Fragmented ICMP Address Mask Requests (Identifying Sun Solaris & HP-UX 11.0x machines) ..... 57
Using Crafted ICMP Query Messages ..... 59
Playing with the TOS Field ..... 59
6.5 Precedence Bits Echoing (Fingerprinting Microsoft Windows 2000, ULTRIX, HPUX 11.0 & 10.30, OpenVMS and more) ..... 61
6.5.1 Changed Pattern with other ICMP Query Message Types ..... 67
6.6 TOSing OSs out of the Window / “TOS Echoing” (Fingerprinting Microsoft Windows 2000) ..... 69
6.6.1 The use of the Type-of-Service field with the Internet Control Message Protocol ..... 69
6.7 Using the TOS Byte’s Unused Bit (Fingerprinting Microsoft Windows 2000, ULTRIX and more) ..... 75
6.7.1 Changed Pattern with Replies for Different ICMP Query Types ..... 77
6.8 Using the Unused (Identifying Sun Solaris & HP-UX 10.30 & 11.0x OS based machines) ..... 78
6.9 DF Bit Echoing ..... 80
6.9.1 DF Bit Echoing with the ICMP Echo request ..... 80
6.9.2 DF Bit Echoing with the ICMP Address Mask request ..... 81
6.9.3 DF Bit Echoing with the ICMP Timestamp request ..... 81
6.9.4 Using all of the Information in order to identify the maximum number of operating systems ..... 82
6.9.5 Why this would work (for the skeptical) ..... 82
6.9.6 Combining all together ..... 83
6.10 Using Code field values different than zero within ICMP ECHO requests ..... 85
6.11 Using Code field values different than zero within ICMP Timestamp Requests ..... 86
6.11.1 The non-answering Operating Systems ..... 86
6.11.2 Operating Systems that Zero out the Code field value on Reply ..... 87
Using the ICMP Error Messages ..... 89
6.12 Operating Systems which do not generate ICMP Protocol Unreachable Error Messages ..... 89
6.13 ICMP Error Message Quenching ..... 90
6.14 ICMP Error Message Quoting Size ..... 90
6.15 LINUX ICMP Error Message Quoting Size Differences / The 20 Bytes from Nowhere ..... 92
6.16 Foundry Networks Networking Devices Padded Bytes with ICMP Port Unreachable(s) / The 12 Bytes from Nowhere ..... 94
6.17 ICMP Error Message Echoing Integrity (Tested with ICMP Port Unreachable) ..... 95
6.18 Novell Netware Echoing Integrity Bug with ICMP Fragment Reassembly Time Exceeded ..... 100
6.19 The Precedence bits with ICMP Error Messages (Identifying LINUX) ..... 101
6.20 TOS Bits (=field) Echoing with ICMP Error ..... 104
6.21 DF Bit Echoing with ICMP Error Messages ..... 105
Not that useful fingerprinting method(s) ..... 112
6.22 Unusually Big ICMP Echo Request ..... 112
7.0 Filtering ICMP on your Filtering Device to Prevent Scanning Using ICMP ..... 114
7.1 Inbound ..... 114
7.2 Outbound ..... 114
7.3 Other Considerations ..... 116
7.4 Other Problems – Why it is important to filter ICMP traffic in the Internal segmentation ..... 117
7.5 The Firewall ..... 118
8.0 Conclusion ..... 120
9.0 Acknowledgment ..... 121
9.1 Acknowledgment for version 1.0 ..... 121
9.1 Acknowledgment for version 2.0 ..... 121
9.2 Acknowledgment for version 2.5 ..... 121
Appendix A: The ICMP Protocol ..... 122
A.1 ICMP Messages ..... 123
A.1 ICMP Error Messages ..... 125
A.1.1 ICMP Error Messages ..... 126
A.1.1.1 Destination Unreachable (Type 3) ..... 126
A.1.1.2 Source Quench (Type 4) ..... 128
A.1.1.3 Redirect (Type 5) ..... 129
A.1.1.4 Time Exceeded (Type 11) ..... 130
A.1.1.5 Parameter Problem (Type 12) ..... 130
Appendix B: ICMP “Fragmentation Needed but the Don’t Fragment Bit was set” and the Path MTU Discovery Process ..... 132
B.1 The PATH MTU Discovery Process ..... 132
B.2 Host Specification ..... 132
B.3 Router Specification ..... 133
B.4 The TCP MSS (Maximum Segment Size) Option and PATH MTU Discovery Process ..... 134
Appendix C: Mapping Operating Systems for answering/discarding ICMP query message types ..... 135
Appendix D: ICMP Query Message Types with Code field != 0 ..... 137
Appendix E: ICMP Query Message Types aimed at a Broadcast Address ..... 139
Appendix F: Precedence Bits Echoing with ICMP Query Request & Reply ..... 141
Appendix G: ICMP Query Message Types with TOS != 0 ..... 142
Appendix H: Echoing the TOS Byte Unused Bit ..... 143
Appendix I: Using the Unused Bit ..... 144
Appendix J: DF Bit Echoing ..... 145
Appendix K: ICMP Error Message Echoing Integrity with ICMP Port Unreachable Error Message ..... 146
Appendix L: Snort Basic Rule Base for ICMP Traffic ..... 148
Figures List
Figure 1: ICMP ECHO Mechanism ..... 10
Figure 2: ICMP ECHO Request & Reply message format ..... 11
Figure 3: Broadcast ICMP ..... 13
Figure 4: ICMP Time Stamp Request & Reply message format ..... 15
Figure 5: ICMP Information Request and Reply ..... 17
Figure 6: ICMP Address Mask Request & Reply message format ..... 19
Figure 7: The IP Header ..... 25
Figure 8: An Example: A TCP packet fragmented after only 8 bytes of TCP information ..... 33
Figure 9: Using Packets bigger than the PMTU of internal routers to elicit an ICMP Fragmentation Needed and Don’t Fragment Bit was Set ..... 35
Figure 10: ICMP Time Exceeded message format ..... 40
Figure 11: The Type of Service Byte ..... 59
Figure 12: ICMP ECHO Request & Reply message format ..... 86
Figure 13: The Type of Service Byte ..... 101
Figure 14: Firewall ICMP Filtering Rules ..... 117
Figure 15: Internal segmentation ICMP Filtering Example ..... 118
Figure 16: ICMP Message Format ..... 123
Figure 17: ICMP Error Message General Format ..... 126
Figure 18: ICMP Fragmentation Needed but the Don’t Fragment Bit was set Message Format ..... 128
Figure 19: ICMP Redirect Message Format ..... 129
Figure 20: ICMP Parameter Problem Message Format ..... 131
Figure 21: ICMP Fragmentation Required with Link MTU ..... 133
Table List
Table 1: Which Operating Systems would answer an ICMP ECHO Request aimed at the Broadcast Address of the Network they reside on? ..... 14
Table 2: Non-ECHO ICMP Query of different Operating Systems and Networking Devices ..... 22
Table 3: Operating Systems which would answer requests aimed at the Broadcast address ..... 24
Table 4: Networking Devices which would answer requests aimed at the Broadcast address ..... 24
Table 5: IP TTL Field Values in replies from Various Operating Systems ..... 53
Table 6: IP TTL Field Values in requests from Various Operating Systems ..... 55
Table 7: Further dividing the groups of operating systems according to the IP TTL field value in the ICMP ECHO Requests and in the ICMP ECHO Replies ..... 56
Table 8: Precedence Field Values ..... 60
Table 9: Type-of-Service Field Values ..... 60
Table 10: ICMP Query Message Types with Precedence Bits != 0 ..... 68
Table 11: ICMP Query Message Types with TOS != 0 ..... 75
Table 12: ICMP Query Message Types with the TOS Byte Unused Bit value != 0 ..... 78
Table 13: DF Bit Echoing ..... 83
Table 14: ICMP Error Message Echoing Integrity ..... 98
Table 15: Precedence Field Values ..... 102
Table 16: ICMP message types ..... 122
Table 17: ICMP Types & Codes ..... 124
Table 18: Destination Unreachable Codes (Router) ..... 127
Table 19: Redirect Codes ..... 129
Table 20: Parameter Problem Codes ..... 131
Diagram List
Diagram 1: The Inverse Mapping Idea ..... 37
Diagram 2: A Decoy Scan Example ..... 39
Diagram 3: Fingerprinting Using ICMP Information Request Combined with ICMP Address Mask Request ..... 44