PING

One of the most basic network diagnostic tools, Ping simply sends out Internet Control Message Protocol (ICMP) echo requests and waits for replies. Ping is used to test network connectivity, but it can also be used in a few other ways, as you'll see.

Implementation

First, let's talk about some of Ping's more important command-line options. Many different Ping implementations are available, but most of the Unix-based Ping utilities share similar options. The main differences lie between Unix and Windows Ping utilities, as shown in Table 14-2.

By default, Ping behaves differently in Windows than it does in Unix. Most Unix Pings will continue Pinging until you press CTRL-C. Windows Pings, on the other hand, by default send out four ICMP echo requests. You have to use ping -t if you want Windows to Ping forever until you kill it by pressing CTRL-BREAK or CTRL-C.

Table 14-2: Ping Command Comparison

Option
    Explanation

-c <count> (Unix)
-n <count> (Windows)
    Number of echo requests to send.

-f (Unix)
    Flood Ping, which sends out as many Pings as fast as it can. Prints a dot ( . ) for each request it sends out and a backspace ( ^H ) for every reply it receives. Provides a visual method of seeing how many packets you're dropping. Also a good way to eat up bandwidth! Only the superuser can use this option.

-f (Windows)
    Sets the Don't Fragment flag in the IP header of the echo request.

-i <wait> (Unix)
    Waits this number of seconds between Pings (default is 1).

-m <TTL> (Unix)
-i <TTL> (Windows)
    Specifies the TTL value, which indicates how many hops (or intermediate route points) the packet should travel before giving up.

-v <TOS> (Windows)
    Specifies the Type of Service (TOS) value. The TOS flags tell IP stacks how they should handle certain packets. TOS is specified as a 4-bit number where 1 = minimize monetary cost, 2 = maximize reliability, 4 = maximize throughput, and 8 = minimize delay.

-n (Unix)
-a (Windows)
    The -n option in Unix tells Ping not to look up names for IP addresses (i.e., numeric output only). The -a option in Windows tells Ping that it should look up names for IP addresses. Unix and Windows Ping utilities handle name resolution differently by default.

-p <pattern> (Unix)
    Lets you pad the header of the ICMP packet you're sending with a specific data pattern to see if you get that same data pattern back in return.

-q (Unix)
    Doesn't display the individual Pings, only the summary of Pings at program termination.

-R (Unix)
-r <count> (Windows)
    Specifies the "record route" option in the ICMP packet (for <count> hops in Windows). If routers pay attention to this option, they'll record the route the packet takes in the IP options, and Ping will display it when it receives the response packet. Just as most routers ignore source routing options, they ignore this option as well.

-j <hostlist> (Windows)
    Uses loose source routing to force the packet to pass through the specified hosts.

-k <hostlist> (Windows)
    Uses strict source routing to force the packet to pass through the exact route specified in the host list.

-s <size> (Unix)
-l <size> (Windows)
    Lets you specify the size of the ICMP packet. An ICMP header is 8 bytes long, so your actual packet will be <size> + 8 bytes. 56 bytes is the default size for Unix, 24 for Windows. This translates to 64 and 32 bytes, respectively, when you figure in the 8-byte ICMP header.

-w <wait> (Unix)
-w <timeout> (Windows)
    Unix: stops Pinging the host after <wait> seconds. Windows: waits <timeout> milliseconds before giving up on a Ping request.

-t (Windows)
    Pings the target host until the command is terminated.

Here's a typical Ping run from a Linux box:

[Paris:~] mike% ping 10.0.1.1
PING 10.0.1.1 (10.0.1.1): 56 data bytes
64 bytes from 10.0.1.1: icmp_seq=0 ttl=64 time=0.472 ms
64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=0.458 ms
64 bytes from 10.0.1.1: icmp_seq=2 ttl=64 time=0.463 ms
64 bytes from 10.0.1.1: icmp_seq=3 ttl=64 time=0.451 ms
64 bytes from 10.0.1.1: icmp_seq=4 ttl=64 time=0.459 ms
64 bytes from 10.0.1.1: icmp_seq=5 ttl=64 time=0.463 ms
--- 10.0.1.1 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.451/0.461/0.472/0.006 ms

The Windows ping command sends out four requests and stops unless you specify additional options.

C:\>ping 10.0.1.1

Pinging 10.0.1.1 with 32 bytes of data:

Reply from 10.0.1.1: bytes=32 time<1ms TTL=64
Reply from 10.0.1.1: bytes=32 time<1ms TTL=64
Reply from 10.0.1.1: bytes=32 time<1ms TTL=64
Reply from 10.0.1.1: bytes=32 time<1ms TTL=64

Ping statistics for 10.0.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Tip

Cygwin (Chapter 3) provides a Ping package that more closely resembles the Unix version's behavior and options.
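The Unix and Windows summary lines differ enough that a monitoring script has to handle both. The following parser is an added example, not code from the book: it extracts sent/received counts, loss percentage and RTT figures from either format, using the two runs shown above as constructed sample input, and it also covers the Linux iputils wording ("6 received", "rtt min/avg/max/mdev"), which the book does not show.

```python
import re

# Constructed sample outputs, copied from the two runs shown above.
UNIX_OUTPUT = """\
PING 10.0.1.1 (10.0.1.1): 56 data bytes
64 bytes from 10.0.1.1: icmp_seq=0 ttl=64 time=0.472 ms
64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=0.458 ms
--- 10.0.1.1 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.451/0.461/0.472/0.006 ms
"""
WINDOWS_OUTPUT = """\
Pinging 10.0.1.1 with 32 bytes of data:
Reply from 10.0.1.1: bytes=32 time<1ms TTL=64
Ping statistics for 10.0.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
"""

# BSD/macOS print "6 packets received", Linux iputils prints "6 received";
# the RTT label is "round-trip .../stddev" on BSD and "rtt .../mdev" on Linux.
UNIX_COUNTS = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")
UNIX_RTT = re.compile(r"min/avg/max(?:/\w+)? = ([\d.]+)/([\d.]+)/([\d.]+)(?:/[\d.]+)? ms")
WIN_COUNTS = re.compile(r"Sent = (\d+), Received = (\d+)")
WIN_RTT = re.compile(r"Minimum = (\d+)ms, Maximum = (\d+)ms, Average = (\d+)ms")


def parse_ping(output):
    """Return sent/received/loss and RTT stats from Unix or Windows ping output.

    Returns None when no summary line is present (e.g. ping was killed early).
    RTT fields are None when every request was lost and no timing line exists.
    """
    counts = UNIX_COUNTS.search(output) or WIN_COUNTS.search(output)
    if counts is None:
        return None
    sent, received = int(counts.group(1)), int(counts.group(2))
    rtt_min = rtt_avg = rtt_max = None
    if (m := UNIX_RTT.search(output)):
        rtt_min, rtt_avg, rtt_max = (float(m.group(i)) for i in (1, 2, 3))
    elif (m := WIN_RTT.search(output)):
        # Windows orders the fields Minimum, Maximum, Average
        rtt_min, rtt_max, rtt_avg = (float(m.group(i)) for i in (1, 2, 3))
    loss_pct = 100.0 * (sent - received) / sent if sent else 100.0
    return {"sent": sent, "received": received, "loss_pct": loss_pct,
            "rtt_min": rtt_min, "rtt_avg": rtt_avg, "rtt_max": rtt_max}
```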

Case Study: How Hackers Can Abuse Ping

Abusing Ping I: Ping of Death

No doubt you've heard of this technique. A Ping of Death is when you send a Ping packet that is larger than 65,536 bytes. Even though IP won't support datagrams larger than this size, fragmentation can allow someone to send a Ping larger than 65,536 bytes, and when it's reassembled on the receiving side, it can crash the receiving machine. It's not really a bug in Ping, per se, but rather a problem with the way IP deals with reassembling fragmented packets.

A lot of Ping utilities won't let you send packets this large, but Windows 95 and versions of NT will. Some operating systems will recognize a Ping of Death and simply ignore it (they won't process it). For other systems, the only protection against this is using port filters or firewalls on external gateways that block incoming ICMP altogether or at least ICMP packets of a certain size.

Abusing Ping II: Smurfing

A neat trick you can do on your own LAN is to try to Ping your broadcast address. For example, if your IP address is 192.168.1.100 and your netmask is 255.255.255.0, you're on a 192.168.1.0 network with a broadcast address of 192.168.1.255. If you attempt to Ping 192.168.1.255 (on some systems you have to use the -b flag and have root privileges), you might get ICMP echo replies from every host on your LAN. This is useful in quickly determining what other hosts are working around you.

Problem is, this can be used to do some very bad things; smurfing, in particular. This popular Denial-of-Service (DoS) attack surfaced when people started realizing how much network traffic could be generated by Pinging a network's broadcast address. Large class B networks (with more than 65,000 hosts) would all respond with ICMP echo replies back to the Pinging host. Now, obviously, you wouldn't want to do this to yourself; the flood of echo replies would kill your system. But what if you spoofed the IP address of the Pinging host? It's easy enough to do (see Chapter 1), and since you don't care about receiving any response from your Pings (heck, you don't want to receive a response!), you can direct all those echo replies at some other poor sap and crash his system.

What's the only defense? Systems shouldn't answer to broadcast Pings. Firewalls and routers can be configured not only to keep your machine from being the victim of a smurf but from participating in a smurf as well.
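Both case studies come down to two checks a filter or IDS can make on an inbound IPv4 packet: would this fragment push the reassembled datagram past the 65,535-byte limit (the Ping of Death condition), and is this an echo request addressed to one of our own directed-broadcast addresses (the smurf trigger)? The inspector below is an added example, not code from the book; the packet builder, LOCAL_NETS and the sample packets are constructed for illustration, and the header checksum is left at zero.

```python
import struct
import ipaddress

IPV4_MAX_LEN = 65535      # largest datagram the 16-bit IP total-length field can describe
ICMP_ECHO_REQUEST = 8

def parse_ipv4(pkt):
    """Parse the 20-byte IPv4 header; read the ICMP type only from a first fragment."""
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = (flags_frag & 0x1FFF) * 8          # offset field is in 8-byte units
    icmp_type = None
    if proto == 1 and frag_offset == 0 and len(pkt) > ihl:
        icmp_type = pkt[ihl]                          # later fragments carry no ICMP header
    return {"ihl": ihl, "total_len": total_len, "frag_offset": frag_offset,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "icmp_type": icmp_type}

def broadcast_address(ip, netmask):
    """192.168.1.100 with mask 255.255.255.0 -> 192.168.1.255, as in the text."""
    return str(ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False).broadcast_address)

def inspect_packet(pkt, local_nets):
    """Return findings for one IPv4 packet: Ping of Death fragments and smurf triggers."""
    h = parse_ipv4(pkt)
    findings = []
    # Ping of Death: where would this fragment end once reassembled?
    frag_end = h["frag_offset"] + (h["total_len"] - h["ihl"])
    if frag_end > IPV4_MAX_LEN:
        findings.append(f"oversized reassembly: fragment ends at byte {frag_end}")
    # Smurf: echo request aimed at one of our own directed-broadcast addresses
    broadcasts = {broadcast_address(ip, mask) for ip, mask in local_nets}
    if h["icmp_type"] == ICMP_ECHO_REQUEST and h["dst"] in broadcasts:
        findings.append(f"echo request to broadcast {h['dst']} from {h['src']}")
    return findings

def build_packet(src, dst, payload, frag_offset=0):
    """Constructed test packet: minimal IPv4 header (checksum zero, proto ICMP) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_offset // 8,
                      64, 1, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

LOCAL_NETS = [("192.168.1.100", "255.255.255.0")]           # constructed: our own subnet
ECHO = b"\x08\x00" + b"\x00" * 62                          # 8-byte ICMP header + 56 data bytes
NORMAL_PING = build_packet("192.168.1.100", "192.168.1.1", ECHO)
SMURF_TRIGGER = build_packet("192.168.1.100", "192.168.1.255", ECHO)
# Last fragment of an oversized Ping: maximum offset 65528 plus 100 more bytes
POD_FRAGMENT = build_packet("10.0.0.9", "192.168.1.1", b"\x00" * 100, frag_offset=65528)
```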

Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175
