4.1 ICMP Probing


Probing with the Internet Control Message Protocol (ICMP) can identify potentially weak and poorly protected networks. ICMP is a short messaging protocol used by systems administrators and end users for continuity testing of networks (e.g., with the ping or traceroute commands). From a network scanning and probing perspective, the following ICMP message types are useful:


Type 8 (echo request)

Echo request messages are also known as ping packets. You can use a scanning tool such as nmap to perform ping sweeping and easily identify hosts that are accessible.


Type 13 (timestamp request)

A timestamp request message requests system time information from the target host. The response is in decimal format and gives the number of milliseconds elapsed since midnight GMT.


Type 15 (information request)

The ICMP information request message was intended to support self-configuring systems such as diskless workstations at boot time, to allow them to discover their network address. Protocols such as RARP, BOOTP, or DHCP do so more robustly, so type 15 messages are rarely used.


Type 17 (subnet address mask request)

An address mask request message reveals the subnet mask used by the target host. This information is useful when mapping networks and identifying the size of subnets and network spaces used by organizations.
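As an added example (not code from the book), the following Python decodes the 32-bit value a timestamp reply carries into time of day, honours the non-standard flag bit that RFC 792 defines for hosts whose clock is not in milliseconds since midnight UT, and compares the value with the local clock. The offset helper is my own assumption of how an analyst would use such a reply, not the semantics of any particular tool's output.

```python
from datetime import datetime, timezone

MS_PER_DAY = 24 * 60 * 60 * 1000   # 86,400,000 ms; a standard value is below this
NONSTANDARD_BIT = 1 << 31          # RFC 792: set when the clock is not ms since midnight UT

def decode_icmp_timestamp(value):
    """Decode a 32-bit ICMP timestamp field (originate, receive, or transmit).

    Returns (standard, hh, mm, ss, ms). If the high-order bit is set or the
    value does not fit in a day, the host is signalling a non-standard clock
    and only the raw value is meaningful, so the fields come back as None.
    """
    if value & NONSTANDARD_BIT or value >= MS_PER_DAY:
        return (False, None, None, None, None)
    seconds, ms = divmod(value, 1000)
    hh, rem = divmod(seconds, 3600)
    mm, ss = divmod(rem, 60)
    return (True, hh, mm, ss, ms)

def ms_since_midnight_utc(now=None):
    """Our own clock expressed the same way, for comparison with a reply."""
    now = now or datetime.now(timezone.utc)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((now - midnight).total_seconds() * 1000)

def clock_offset_ms(remote_ts, local_ts):
    """Signed skew of the remote clock relative to ours, wrapped to +/- half a
    day so that replies just across midnight do not look a whole day out."""
    diff = (remote_ts - local_ts) % MS_PER_DAY
    if diff > MS_PER_DAY // 2:
        diff -= MS_PER_DAY
    return diff

if __name__ == "__main__":
    # Constructed reply value: 12:34:56.789 UTC expressed in ms since midnight.
    print(decode_icmp_timestamp(45296789))
    print(clock_offset_ms(45296789, ms_since_midnight_utc()))
```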

Firewalls of security-conscious organizations often blanket-filter inbound ICMP messages, so ICMP probing isn't effective against them; however, ICMP isn't filtered in most networks, because ICMP messages are often useful for network troubleshooting purposes.

There are a handful of other ICMP message types that have relevant security applications (such as ICMP type 5 redirect messages sent by routers), but they aren't related to network scanning.

Table 4-1 outlines popular operating systems and their responses to certain types of direct ICMP query messages.

Table 4-1. Operating system responses to direct ICMP query messages

Operating system          Direct ICMP message types (non-broadcast)
                          8     13    15    17
Linux                     Yes   Yes   No    No
*BSD                      Yes   Yes   No    No
Solaris                   Yes   Yes   No    Yes
HP-UX                     Yes   Yes   Yes   No
AIX                       Yes   Yes   Yes   No
Ultrix                    Yes   Yes   Yes   Yes
Windows 95, 98, and ME    Yes   Yes   No    Yes
Windows NT 4.0            Yes   No    No    No
Windows 2000              Yes   Yes   No    No
Cisco IOS                 Yes   Yes   Yes   No

Indirect ICMP query messages can be sent to the broadcast address of a given subnet (such as 192.168.0.255 in a 192.168.0.0/24 network). Operating systems respond in different ways to indirect queries issued to a broadcast address, as shown in Table 4-2.

Table 4-2. Operating system responses to broadcast ICMP query messages

Operating system          Indirect ICMP message types (broadcast)
                          8     13    15    17
Linux                     Yes   Yes   No    No
*BSD                      No    No    No    No
Solaris                   Yes   Yes   No    No
HP-UX                     Yes   Yes   Yes   No
AIX                       No    No    No    No
Ultrix                    No    No    No    No
Windows 95, 98, and ME    No    No    No    No
Windows NT 4.0            No    No    No    No
Windows 2000              No    No    No    No
Cisco IOS                 No    No    Yes   No

Ofir Arkin of the Sys-Security Group (http://www.sys-security.com) has undertaken a lot of research into ICMP over recent years, publishing white papers dedicated entirely to the use of ICMP probes for OS fingerprinting. For in-depth details of ICMP probing techniques, consult his research, available from his web site.

4.1.1 SING

Send ICMP Nasty Garbage (SING) is a command-line tool that sends fully customizable ICMP packets. The main purpose of the tool is to replace the ping command with certain enhancements: the ability to transmit and receive spoofed packets, to send MAC-spoofed packets, and to transmit many other message types, including ICMP address mask, timestamp, and information requests, and router solicitation and router advertisement messages.

SING is available from http://sourceforge.net/projects/sing/.[1] Examples using the sing utility to launch ICMP echo, timestamp, and address mask requests follow. In these examples, I direct probes at broadcast addresses and individual hosts.

[1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.

Using sing to send broadcast ICMP echo request messages:

# sing -echo 192.168.0.255
SINGing to 192.168.0.255 (192.168.0.255): 16 data bytes
16 bytes from 192.168.0.1: seq=0 ttl=64 TOS=0 time=0.230 ms
16 bytes from 192.168.0.155: seq=0 ttl=64 TOS=0 time=2.267 ms
16 bytes from 192.168.0.126: seq=0 ttl=64 TOS=0 time=2.491 ms
16 bytes from 192.168.0.50: seq=0 ttl=64 TOS=0 time=2.202 ms
16 bytes from 192.168.0.89: seq=0 ttl=64 TOS=0 time=1.572 ms

Using sing to send ICMP timestamp request messages:

# sing -tstamp 192.168.0.50
SINGing to 192.168.0.50 (192.168.0.50): 20 data bytes
20 bytes from 192.168.0.50: seq=0 ttl=128 TOS=0 diff=327372878
20 bytes from 192.168.0.50: seq=1 ttl=128 TOS=0 diff=1938181226*
20 bytes from 192.168.0.50: seq=2 ttl=128 TOS=0 diff=1552566402*
20 bytes from 192.168.0.50: seq=3 ttl=128 TOS=0 diff=1183728794*

Using sing to send ICMP address mask request messages:

# sing -mask 192.168.0.25
SINGing to 192.168.0.25 (192.168.0.25): 12 data bytes
12 bytes from 192.168.0.25: seq=0 ttl=236 mask=255.255.255.0
12 bytes from 192.168.0.25: seq=1 ttl=236 mask=255.255.255.0
12 bytes from 192.168.0.25: seq=2 ttl=236 mask=255.255.255.0
12 bytes from 192.168.0.25: seq=3 ttl=236 mask=255.255.255.0

4.1.2 nmap

nmap can perform ICMP ping-sweep scans of target address spaces easily and relatively quickly. Many hardened networks will blanket-filter inbound ICMP messages at border routers or firewalls, so sweeping in this fashion isn't effective in some cases. Example 4-1 demonstrates how nmap can be run from a Unix-based or Win32 command prompt to perform an ICMP ping sweep against 192.168.0.0/24. nmap is available from http://www.insecure.org/nmap/.

Example 4-1. Performing a ping sweep with nmap
# nmap -sP -PI 192.168.0.0/24
Starting nmap 3.45 ( www.insecure.org/nmap/ )
Host   (192.168.0.0) seems to be a subnet broadcast address (2 extra pings).
Host  (192.168.0.1) appears to be up.
Host  (192.168.0.25) appears to be up.
Host  (192.168.0.32) appears to be up.
Host  (192.168.0.50) appears to be up.
Host  (192.168.0.65) appears to be up.
Host  (192.168.0.102) appears to be up.
Host  (192.168.0.110) appears to be up.
Host  (192.168.0.155) appears to be up.
Host   (192.168.0.255) seems to be a subnet broadcast address (2 extra pings).
Nmap run completed -- 256 IP addresses (8 hosts up)

Using the -sP ping sweep flag within nmap doesn't just perform an ICMP echo request to each IP address; it also sends TCP ACK and SYN probe packets to port 80 of each host. In Example 4-1, nmap is run with the -PI flag, to specify that we're sending only ICMP echo requests. Overall, using the standard -sP flag is often more effective because it identifies web servers that may not respond to ICMP probes; however, in some environments it is beneficial to use more specific probe types.


4.1.3 Gleaning Internal IP Addresses

In some cases, it is possible to gather internal IP address information by analyzing all ICMP responses with a stateful inspection system, such as a personal firewall on your workstation or a Linux machine at the edge of your network performing stateful inspection of all IP traffic.

When an ICMP echo request is sent to a publicly accessible IP address, the target firewall often uses network address translation (NAT) to forward the packet to the correct internal IP address (within a DMZ or internal network space). If the firewall permits ICMP echo request messages through and forwards them intact (as opposed to rewriting the headers, as proxies do), unsolicited ICMP echo reply messages sometimes appear from private IP addresses.

Tools such as nmap and sing don't identify these responses from private addresses, because doing so requires low-level stateful analysis of the traffic flowing into and out of a network, such as that performed by a firewall. A quick and simple way to see this behavior is to watch the ISS BlackICE event log (Figure 4-1) while a simple ICMP ping sweep is undertaken with SuperScan or a similar tool.

Figure 4-1. ISS BlackICE statefully gleans internal IP addresses

Figure 4-1 shows that ISS BlackICE has identified four unsolicited ICMP echo replies from private addresses (within the 172.16.0.0/16 space in this case, but they are often within 192.168.0.0/16 or 10.0.0.0/8). By carefully monitoring such a stateful inspection mechanism when performing any kind of probing or network scanning, you can gain useful insight into areas of target network configuration.

A Linux system running tcpdump or ethereal can be used to great effect on our penetration testing launch network, simply by capturing ICMP echo reply messages and separating public from nonpublic source addresses with simple awk scripts.
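The stateful check described above, as an added example that is not from the book or from any of the tools it names: it replays constructed tcpdump-style lines, remembers each echo request sent by (id, seq), and reports replies arriving from RFC 1918 space that do not come from the public address actually probed. The launch host 203.0.113.10 and the target range 198.51.100.0/24 are assumed, constructed values.

```python
import ipaddress
import re

# Constructed tcpdump-style lines (not real captures). 203.0.113.10 is our
# launch host; 198.51.100.0/24 stands in for the target's public range.
SAMPLE_LOG = """\
12:00:01.000100 IP 203.0.113.10 > 198.51.100.7: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000900 IP 198.51.100.7 > 203.0.113.10: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.000100 IP 203.0.113.10 > 198.51.100.8: ICMP echo request, id 4242, seq 2, length 64
12:00:02.001200 IP 172.16.4.21 > 203.0.113.10: ICMP echo reply, id 4242, seq 2, length 64
12:00:03.000100 IP 10.0.0.5 > 203.0.113.10: ICMP echo reply, id 9999, seq 7, length 64
"""

# RFC 1918 space, used instead of ipaddress.is_private, which also flags
# documentation and other special-purpose ranges that are irrelevant here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def unsolicited_private_replies(log_text):
    """Stateful pass over the capture: remember each echo request we sent by
    (id, seq), then report replies from RFC 1918 space whose source is not the
    address we probed. Each finding is (private_src, public_addr_probed, id, seq);
    public_addr_probed is None when no matching request was seen at all."""
    requested = {}      # (id, seq) -> public destination of our request
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requested[key] = m["dst"]
        elif is_rfc1918(m["src"]) and requested.get(key) != m["src"]:
            findings.append((m["src"], requested.get(key), key[0], key[1]))
    return findings

if __name__ == "__main__":
    for src, probed, ident, seq in unsolicited_private_replies(SAMPLE_LOG):
        print(f"private reply from {src} (probed {probed}, id={ident} seq={seq})")
```

A reply paired with the public address it answers, as in the first finding, is the NAT mapping the text describes; a reply with no matching request is reported too, since it is unsolicited either way.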

4.1.4 Identifying Subnet Broadcast Addresses

Subnet broadcast addresses can be extracted easily using functionality within nmap that monitors the number of ICMP echo replies received during a ping sweep. Unless they are filtered, broadcast addresses respond with multiple replies, which reveals how the target network space is segmented. Example 4-2 shows nmap mapping out the broadcast addresses in use for a pool of ADSL routers and systems.

Example 4-2. Identifying subnet broadcast addresses with nmap
# nmap -sP 62.2.15.0/24
Starting nmap 3.45 ( www.insecure.org/nmap/ )
Host 62.2.15.8 seems to be a subnet broadcast address (returned 1 extra pings).
Host pipex-gw.abcconsulting.co.uk (62.2.15.9) appears to be up.
Host mail.abc.co.uk (62.2.15.10) appears to be up.
Host www-dev.abc.co.uk (62.2.15.13) appears to be up.
Host 62.2.15.15 seems to be a subnet broadcast address (returned 1 extra pings).
Host 62.2.15.16 seems to be a subnet broadcast address (returned 1 extra pings).
Host pipex-gw.smallco.net (62.2.15.17) appears to be up.
Host mail.smallco.net (62.2.15.18) appears to be up.
Host 62.2.15.19 seems to be a subnet broadcast address (returned 1 extra pings).
Host 62.2.15.20 seems to be a subnet broadcast address (returned 1 extra pings).
Host pipex-gw.example.org (62.2.15.21) appears to be up.
Host mail.example.org (62.2.15.22) appears to be up.
Host www.example.org (62.2.15.25) appears to be up.
Host ext-26.example.org (62.2.15.26) appears to be up.
Host ext-27.example.org (62.2.15.27) appears to be up.
Host staging.example.org (62.2.15.28) appears to be up.
Host 62.2.15.35 seems to be a subnet broadcast address (returned 1 extra pings).

This scan has identified three separate subnets within the 62.2.15.0 network:

  • The abc.co.uk subnet from 62.2.15.8 to 62.2.15.15 (8 addresses)

  • The smallco.net subnet from 62.2.15.16 to 62.2.15.19 (4 addresses)

  • The example.org subnet from 62.2.15.20 to 62.2.15.35 (16 addresses)
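The segmentation worked out above, automated as an added example (my code, not nmap's own logic): it pulls the addresses nmap flagged as broadcast from Example 4-2, pairs consecutive ones as (network, broadcast) on the assumption that both the all-zeros and all-ones addresses of a block answer directed pings, and checks whether each pair is really one CIDR block. The check is the caveat a practitioner wants: a pair that spans several prefixes is a boundary to confirm by other means (DNS, traceroute, whois), not a settled subnet.

```python
import ipaddress
import re

# Lines from Example 4-2 above, trimmed to the ones that matter; the
# "appears to be up" lines are kept only to show that they are ignored.
NMAP_OUTPUT = """\
Host 62.2.15.8 seems to be a subnet broadcast address (returned 1 extra pings).
Host pipex-gw.abcconsulting.co.uk (62.2.15.9) appears to be up.
Host 62.2.15.15 seems to be a subnet broadcast address (returned 1 extra pings).
Host 62.2.15.16 seems to be a subnet broadcast address (returned 1 extra pings).
Host 62.2.15.19 seems to be a subnet broadcast address (returned 1 extra pings).
Host 62.2.15.20 seems to be a subnet broadcast address (returned 1 extra pings).
Host www.example.org (62.2.15.25) appears to be up.
Host 62.2.15.35 seems to be a subnet broadcast address (returned 1 extra pings).
"""

# Matches both nmap 3.x forms seen on this page:
# "Host 62.2.15.8 seems ..." and "Host   (192.168.0.0) seems ...".
BCAST_RE = re.compile(
    r"Host\s+(?:\S+\s+)?\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+"
    r"seems to be a subnet broadcast address"
)

def broadcast_addresses(output):
    """Return the addresses nmap flagged as broadcast, sorted numerically."""
    found = {ipaddress.ip_address(m["ip"]) for m in BCAST_RE.finditer(output)}
    return sorted(found)

def infer_subnets(output):
    """Pair consecutive flagged addresses as (first, last) and size each block.

    Assumption: stacks that answer directed broadcasts reply for both the
    network address and the broadcast address, so flagged addresses come in
    pairs. 'prefixes' lists the CIDR blocks needed to cover the pair; more
    than one means the pair is not a single aligned subnet.
    """
    addrs = broadcast_addresses(output)
    blocks = []
    for first, last in zip(addrs[0::2], addrs[1::2]):
        prefixes = [str(n) for n in ipaddress.summarize_address_range(first, last)]
        blocks.append({
            "first": str(first), "last": str(last),
            "size": int(last) - int(first) + 1,
            "prefixes": prefixes, "single_cidr": len(prefixes) == 1,
        })
    return blocks

if __name__ == "__main__":
    for b in infer_subnets(NMAP_OUTPUT):
        print(f"{b['first']} - {b['last']}: {b['size']} addresses, {' + '.join(b['prefixes'])}")
```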



Network Security Assessment: Know Your Network
ISBN: 059600611X
Year: 2006
Pages: 166
Authors: Chris McNab
