Advanced ICMP Techniques - ICMP Scanning 11.15


Transcript of Advanced ICMP Techniques - ICMP Scanning 11.15

Page 1: Advanced ICMP Techniques - ICMP Scanning 11.15

ICMP Scanning

Johnny Long, [email protected]

http://johnny.ihackstuff.com

Page 2

What’s this Presentation About?

This presentation is a technical summation based on a document entitled “ICMP Usage in Scanning: The Complete Know-how” by Ofir Arkin (http://sys-security.com).

The techniques described in this document all surround the ICMP protocol and its varied uses in the realm of offensive scanning.

Page 3

Can’t we just read the book?

Sure! Go ahead!
“Buh-buy. See ya later.” – Shrek
“Have a samich.” – Johnny

Still with us? Good. Weighing in at over 200 pages, this document is pretty darn boring with lots of “fluff”... not a great read. Why bother? There’s some great info that applies to what we do. This presentation is the strikeforce digest version.

Page 4

What is ICMP?

ICMP is defined in RFC 792 and functionally expanded in RFCs 1122, 1812, 896, 950, 1191, 1256 and 1349 as the Internet Control Message Protocol.

This protocol handles error reporting and messages for IP, and is transported via IP.

ICMP for dummies: “ping.”

Page 5

ICMP for offensive what?

Our objective in using ICMP for scanning is to get our target(s) to generate ICMP messages. We then analyze these responses to profile our targets or to simply see if our target is “there”.

ICMP is an alternative to more “mainstream” methods of scanning and may prove useful when other methods have failed.

Page 6

When does it work?

It works when you want to keep a fairly low profile.

It works when outbound ICMP of any type is allowed through a firewall or filtering router.

It works when any off-the-shelf operating systems or firmware revisions are in use.

It works when you can get a trigger to the target.

It works when passively listening on the wire.

Page 7

ICMP “Triggers”

ICMP triggers generate ICMP responses from a target. There are two ways to do this:

1. Send an ICMP request to the target
2. Send a “bad” IP packet to the target.

Page 8

Triggering ICMP responses with ICMP requests

Page 9

Rules of the ICMP Road

Before blindly sending ICMP requests, it helps to first understand some basic rules of the ICMP road.

ICMP messages of an unknown type MUST be silently discarded. (We can’t muck with types or we get no response!)

An ICMP error message MUST contain the first 8 octets of the datagram that triggered the error. (We’ll always get back part of the offending packet.)

Page 10

Rules of the ICMP Road

“ICMP MUST NOT be sent as a result of:”

ICMP messages (this prevents infinite ICMP loops)

IP broadcast, multicasts or link broadcasts (some rules were made to be broken)

Non-initial fragments (are packets without heads really packets?)

A datagram from a source of more than one host (source broadcasts – WTF?)

A datagram with a failed IP header check (are packets with funny lookin’ heads really packets?)

Page 11

Polite ICMP

ICMP messages should be sent with a “0” in the TOS field.

More than 8 octets of the original datagram can be included.

Page 12

ICMP Requests and replies

00 Echo Reply [RFC792]
08 Echo [RFC792]
09 Router Advertisement [RFC1256]
10 Router Solicitation [RFC1256]
13 Timestamp [RFC792]
14 Timestamp Reply [RFC792]
15 Information Request [RFC792]
16 Information Reply [RFC792]
17 Address Mask Request [RFC950]
18 Address Mask Reply [RFC950]

(listed at http://www.iana.org/assignments/icmp-parameters)

Page 13

Echo Request/Reply: “PING”

C:\Documents and Settings\j0hnny>ping 10.1.1.252
Pinging 10.1.1.252 with 32 bytes of data:
Reply from 10.1.1.252: bytes=32 time=1ms TTL=255

----------------------------------------------------------------------------------------------------

[root@localhost tcpdump-3.7.1]# tcpdump proto ICMP
tcpdump: listening on eth0
11:17:44.408291 10.1.1.36 > 10.1.1.252: icmp: echo request
11:17:44.408630 10.1.1.252 > 10.1.1.36: icmp: echo reply

We are throwing out ICMP echo requests, and looking for ICMP echo replies in return. An echo reply means the host is up.

Page 14

Ping sweepPing sweep

nmap -sP -PI 10.1.1.1-10

This is ICMP echo/reply on a much larger scale.

Page 15

ECHO Broadcast

Taking ICMP echo/reply to the next level, we can ping a network/broadcast address like .255 or .0. This seems to work best against UNIX-like machines only. According to Ofir Arkin, the following Operating Systems reply to the ICMP Echo request aimed at network or broadcast:

Linux kernel 2.4.x
Linux Kernel 2.2.x
Solaris 2.5.1 – 2.8
HP/UX 10.20

Each vendor can make its own interpretation of the ICMP RFCs. This creates differences in responses. We’ll see this again.

Page 16

ECHO Broadcast: Example

ping -b 10.1.1.255

Page 17

Timestamp request/reply

ICMP types 13/14. This elicits a time reply from the target host. RFC 1122 states this MUST be answered. http://www.sourceforge.net/projects/sing is used for the examples.

Seems to work on:
Solaris 2.5.1-2.8
Linux 2.4.0 – 2.4.17 (x86)
HP-UX v10.20
AIX 4.x
ULTRIX 4.2-4.5
Windows 98, ME, 2000 Professional and Server, XP
CISCO OSS 4.5
CISCO IOS 11.2, 11.3
SonicWall Firewall

Page 18

Timestamp: Example

Success: sing -c 1 -tstamp firewall
Failure: sing -c 1 -tstamp cisco_router

Page 19

Timestamp Broadcast

This is an ICMP timestamp request sent to a broadcast address. Some hosts respond, some do not.

This seems to work against:
Linux 2.4.x, 2.2.x
Solaris 2.5.1-2.8
HP-UX 10.20
AIX v4.x

Example:
[root@localhost root]# sing -tstamp 10.1.1.255

Page 20

Information Request/Reply

Types 15/16. Originally intended for diskless workstations. RFC 1812 indicates this should not be answered, and it is obsoleted by protocols such as BOOTP, DHCP and RARP. However, this seems to work against:

HP-UX v10.20
AIX v4.x
ULTRIX 4.2-4.5
Cisco Catalyst 5505 w/ OSS v4.5
Cisco IOS 11.2
Cisco IOS 11.3

Example:
[root@localhost root]# sing -info 10.1.1.21
SINGing to 10.1.1.21 (10.1.1.21): 8 data bytes

Page 21

Information Request Broadcast

An Information Request fired off to a broadcast. Again, mixed results. Seems to work against:
HP/UX v10.20
CISCO OSS v4.5
CISCO IOS 11.2, 11.3

Example:
[root@localhost root]# sing -info 10.1.1.255

Page 22

Address Mask Request/Reply

Types 17/18. Designed to solicit network masks. RFC 1122 makes these optional, and only authoritative sources should answer. Seems to work on:
Solaris 2.5.1-2.8
ULTRIX 4.2 – 4.5
Windows 95-98
Windows NT 4 WRKS SP3
CISCO OSS 4.5

Page 23

Address Mask: Example

Success: sing -c 1 -mask solaris_box
Failure: sing -c 1 -mask linux_box

Page 24

Address Mask Broadcast

An Address Mask Request fired off to a broadcast address.

Seems to work against:
CISCO OSS 4.5

Page 25

What we’ve seen

Varieties of ICMP requests will trigger a matching response on many different operating systems.

Methods of determining whether or not a host is alive.

A hint that the possibility exists for some type of basic thumbprinting.

Absolutely no furry animals.

Page 26

Triggering ICMP responses with IP packets

The Basics

Page 27

ICMP Error Messages

03 Destination Unreachable [RFC792]
04 Source Quench [RFC792]
05 Redirect [RFC792]
06 Alternate Host Address [JBP]
11 Time Exceeded [RFC792]
12 Parameter Problem [RFC792]

(listed at http://www.iana.org/assignments/icmp-parameters)

• These ICMP messages are considered error messages.
• Our goal is to get our targets to generate these with IP packets.

Page 28

Typical UDP scan

nmap -sU 10.1.1.1 gives us this traffic:

nmap burps out a UDP packet (among many others)…

Then it monitors for the ICMP Port Unreachable, which indicates a closed port. No response indicates an open port. However, this could also mean an ICMP filter is in the way. Remember that even any ICMP response means a live host! This is very basic IP-based ICMP scanning!

Page 29

Traceroute

01:41:13.420006 10.1.1.252.1053 > mail.nexus.net.33435: udp 10 [ttl 1]

traceroute (a la UNIX) works by first sending UDP packets to the target machine with a TTL (time-to-live) incrementing from 1.

Packets are sent using incremental ports until they reach the target:

01:41:13.420006 10.1.1.252.1053 > mail.nexus.net.33435: udp 10 [ttl 1]
01:41:13.452399 10.1.1.252.1053 > mail.nexus.net.33436: udp 10 [ttl 1]
01:41:13.455426 10.1.1.252.1053 > mail.nexus.net.33437: udp 10 [ttl 1]
01:41:13.478618 10.1.1.252.1053 > mail.nexus.net.33438: udp 10
01:41:13.519484 10.1.1.252.1053 > mail.nexus.net.33439: udp 10
01:41:13.538871 10.1.1.252.1053 > mail.nexus.net.33440: udp 10
01:41:13.559235 10.1.1.252.1053 > mail.nexus.net.33441: udp 10
01:41:13.599481 10.1.1.252.1053 > mail.nexus.net.33442: udp 10
01:41:13.618556 10.1.1.252.1053 > mail.nexus.net.33443: udp 10
01:41:13.639045 10.1.1.252.1053 > mail.nexus.net.33444: udp 10
...snip...

Page 30

Traceroute

traceroute then monitors ICMP messages, listening for the TTL exceeded errors:

65.207.86.185 > 10.1.1.252: icmp: time exceeded in-transit [tos 0xc0]
Loopback0.GW1.DCA6.ALTER.NET > 10.1.1.252: icmp: time exceeded in-transit
0.so-4-1-0.XL1.DCA6.ALTER.NET > 10.1.1.252: icmp: time exceeded in-transit
POS6-0.BR3.DCA6.ALTER.NET > 10.1.1.252: icmp: time exceeded in-transit
204.255.174.42 > 10.1.1.252: icmp: time exceeded in-transit
pos1-0.dcp-c001.gw.epoch.net > 10.1.1.252: icmp: time exceeded in-transit [tos 0xc0]
seri2-0.bal-m200.gw.epoch.net > 10.1.1.252: icmp: time exceeded in-transit [tos 0xc0]
206-135-244-114.bal-m200.cust.gw.epoch.net > 10.1.1.252: icmp: time exceeded in-transit
...snip...

...until the packets reach the target, at which point an ICMP port unreachable is generated (assuming the remote port is indeed closed):

mail.nexus.net > 10.1.1.252: icmp: mail.nexus.net udp port 33459 unreachable [tos 0xc0]

Page 31

Traceroute is broken

Traceroute will only work if:
All the midpoints generate ICMP properly
The UDP packets do not get filtered

How can we get traceroute to send UDP to our desired port? A workaround involves the -p (port) option to traceroute:

Page 32

traceroute -p 80 216.133.72.230 produces these UDP packets:

02:17:45.371735 10.1.1.252.1060 > 216.133.72.230.81: udp 10 [ttl 1]
02:17:45.413468 10.1.1.252.1060 > 216.133.72.230.82: udp 10 [ttl 1]
02:17:45.429506 10.1.1.252.1060 > 216.133.72.230.83: udp 10 [ttl 1]
02:17:45.432905 10.1.1.252.1060 > 216.133.72.230.84: udp 10
02:17:45.473402 10.1.1.252.1060 > 216.133.72.230.85: udp 10
02:17:45.489134 10.1.1.252.1060 > 216.133.72.230.86: udp 10
02:17:45.496745 10.1.1.252.1060 > 216.133.72.230.87: udp 10

The packets still increment! By the time they get to our firewall, they’ll be all wrong! So, we could devise a simple algorithm which involves subtracting the number of hops from the port number, subtracting one... or....

Page 33

Traceroute alternatives

Tracerx from Mike Schiffman (http://www.packetfactory.net/Projects/tracerx/) or tcptraceroute by Michael Toren (http://michael.toren.net/code/tcptraceroute/) use TCP-based triggers to elicit ICMP messages. hping (http://www.hping.org/) allows traceroute-like TTL dropping across many different protocols.

Page 34

Frag Scanning

One interesting scanning method involves sending a single fragmented packet without sending subsequent packets. Carefully slicing the packets after the relevant header portions ensures that a firewall can match it against its ruleset. Our target should time out waiting for the next fragment and throw ICMP at us... Hping (http://www.hping.org/) allows us to test this out:

Page 35

Frag Scan: hping

We run tcpdump in the background monitoring ICMP, then launch hping (hping -c 1 -morefrag -dontfrag). After a LONG wait, the Solaris box responds: it’s alive!

Page 36

Frag Scan (geek version):

DF|MF set

NO TCP Flags! (NULL packet)

Page 37

Frag Scan (geek version):

TTL exceeded from target!

In tests this worked against:
Solaris 2.8
Windows 98, 2000 AS and XP
Linux 2.4.x

Page 38

Triggering ICMP responses with IP packets

More advanced: Custom triggers

Page 39

IP triggers

In order to trigger, or generate, ICMP messages, certain “bad” IP packets (carrying any underlying protocol) can be sent to a target.

Mangling the IP header can make the packet “bad”.

Page 40

IP Protocol Field

One field within IP we can easily “break” is the “protocol” field.

At one byte (eight bits), we have 256 options to try.

If we use a valid number, all is well...

Page 41

IP Protocol Field

However, if we start throwing goofy protocol numbers around we’re bound to get...

* see http://www.iana.org/assignments/protocol-numbers

Page 42

IP Protocol Invalid

A juicy target complains quite nicely!

Page 43

IP Protocol Scanning

The IP Protocol Field is only eight bits, giving a total of 256 options.

If we fire off all these combinations, screening out the ICMP protocol unreachables, we can determine the protocols in use on the target.

NMAP now allows this type of scan...

Page 44

NMAP Protocol Scanning

nmap sending protocol messages to the target…
[root@localhost]# nmap -sO linux_box

Page 45

NMAP Protocol Scanning

Protocol Unreachable from the target means that protocol is dead…

Page 46

NMAP Protocol Scanning

Geek Question about nmap’s IP packet: Notice anything missing??? This is the whole packet!

Page 47

NMAP “signature”

NMAP only sends the IP portion of the packet during this scan. Since a firewall may not be able to parse the protocols under IP, this scan may not pass a firewall. A “bad” or “filtered” IP Protocol scan will show that ALL protocols are available. Don’t get too excited when you see these ;-)
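Seen from the wire, the ping sweep (Page 14), the UDP scan’s port unreachables (Page 28) and the nmap -sO protocol scan above all leave countable ICMP traces. The detector below is an added example, not the deck’s or nmap’s code; its log lines are constructed in the layout of the deck’s tcpdump output (exact wording varies by tcpdump version) and its thresholds are assumptions:

```python
import re
from collections import defaultdict

# Constructed sample log (not a capture from the deck) in the
# "time src > dst: icmp: message" layout of tcpdump 3.x output.
SAMPLE_LOG = """\
11:17:44.408291 10.1.1.36 > 10.1.1.1: icmp: echo request
11:17:44.409102 10.1.1.36 > 10.1.1.2: icmp: echo request
11:17:44.409877 10.1.1.36 > 10.1.1.3: icmp: echo request
11:17:44.410650 10.1.1.36 > 10.1.1.4: icmp: echo request
11:17:44.411433 10.1.1.36 > 10.1.1.5: icmp: echo request
11:17:44.412201 10.1.1.36 > 10.1.1.6: icmp: echo request
11:17:44.412990 10.1.1.3 > 10.1.1.36: icmp: echo reply
11:17:50.000118 10.1.1.36 > 10.1.1.21: icmp: time stamp request
11:17:50.000902 10.1.1.36 > 10.1.1.21: icmp: address mask request
11:18:01.100004 10.1.1.21 > 10.1.1.36: icmp: 10.1.1.21 protocol 200 unreachable
11:18:01.100811 10.1.1.21 > 10.1.1.36: icmp: 10.1.1.21 protocol 201 unreachable
11:18:01.101607 10.1.1.21 > 10.1.1.36: icmp: 10.1.1.21 protocol 202 unreachable
11:18:01.102399 10.1.1.21 > 10.1.1.36: icmp: 10.1.1.21 protocol 203 unreachable
11:18:01.103188 10.1.1.21 > 10.1.1.36: icmp: 10.1.1.21 protocol 204 unreachable
11:18:01.103975 10.1.1.21 > 10.1.1.36: icmp: 10.1.1.21 protocol 205 unreachable
11:18:05.000021 10.1.1.252 > 10.1.1.36: icmp: 10.1.1.252 udp port 33435 unreachable
11:18:05.000814 10.1.1.252 > 10.1.1.36: icmp: 10.1.1.252 udp port 33436 unreachable
11:18:05.001602 10.1.1.252 > 10.1.1.36: icmp: 10.1.1.252 udp port 33437 unreachable
11:18:05.002395 10.1.1.252 > 10.1.1.36: icmp: 10.1.1.252 udp port 33438 unreachable
11:18:05.003180 10.1.1.252 > 10.1.1.36: icmp: 10.1.1.252 udp port 33439 unreachable
11:19:00.000000 10.1.1.40 > 10.1.1.252: icmp: echo request
11:19:00.000512 10.1.1.252 > 10.1.1.40: icmp: echo reply
"""

LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: (.*)$")
PROTO_UNREACH_RE = re.compile(r"protocol (\d+) unreachable")
PORT_UNREACH_RE = re.compile(r"udp port (\d+) unreachable")
# Request types the deck shows being used for host discovery (types 13, 15, 17);
# they are rare in normal traffic, so a single one is worth a look.
RARE_REQUESTS = ("time stamp request", "information request", "address mask request")


def analyze(log, sweep_min=5, proto_min=5, port_min=5):
    """Return findings as tuples. The thresholds are assumptions; tune per network."""
    echo_targets = defaultdict(set)   # scanner -> hosts it sent echo requests to
    rare = set()                      # (scanner, request kind)
    protos = defaultdict(set)         # (scanner, target) -> protocol numbers rejected
    ports = defaultdict(set)          # (scanner, target) -> udp ports rejected
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, src, dst, msg = m.groups()
        if msg == "echo request":
            echo_targets[src].add(dst)
        elif msg in RARE_REQUESTS:
            rare.add((src, msg))
        elif (pm := PROTO_UNREACH_RE.search(msg)):
            # Error messages travel target -> scanner, so the scanner is dst here.
            protos[(dst, src)].add(int(pm.group(1)))
        elif (pm := PORT_UNREACH_RE.search(msg)):
            ports[(dst, src)].add(int(pm.group(1)))   # UDP scan or traceroute probes
    findings = []
    for scanner, hosts in echo_targets.items():
        if len(hosts) >= sweep_min:
            findings.append(("ping_sweep", scanner, len(hosts)))
    for scanner, kind in sorted(rare):
        findings.append(("rare_icmp_request", scanner, kind))
    for (scanner, target), nums in protos.items():
        if len(nums) >= proto_min:
            findings.append(("ip_protocol_scan", scanner, target, len(nums)))
    for (scanner, target), nums in ports.items():
        if len(nums) >= port_min:
            findings.append(("udp_port_scan", scanner, target, len(nums)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The protocol and port counters only work on a sensor that sees the target’s outbound errors; if a filter drops those, the sensor still sees the inbound probes while the scanner sees “everything open”, which is the filtered case the slide warns about.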

Page 48

More on Mangling IP Fields

The IP Protocol field is nice to play with, but there may be others.

Some basic rules should be followed to make sure our packets are properly mangled and they make it to our intended target.

Page 49

Mangled != suck

Our mangled packet should not totally suck. If the header sucks too bad, our packets won’t make it to the target.

Use destination ports that have a good chance of getting to the target (21, 25, 80 TCP, 53 UDP).

The header needs to trigger ICMP on our target without exploding, triggering ICMP and getting dropped before it hits our target.

We need to understand the basic rules of ICMP messages so we don’t jump to conclusions about messages we receive.

Page 50

Itchy trigger

Routers interpret RFC 1812 differently so we might need to make adjustments to our packet to get it past some routers. Because of RFC specifications*, Checksum and Version Number must be checked. Invalid values get the datagram silently discarded by hosts and routers. (Silent discards bite.)

* See RFC 1812 & 1122 (Requirements for IPv4 routers and Internet hosts, resp.).

Page 51

Which fields to mangle?

IP header length, total datagram length and IP options are fairly benign. Bad IP headers should flag a decent IDS, as should outbound ICMP parameter problem error messages. Firewalls, however, may not care. As long as a firewall can properly parse our packets to match against its rule base, the packet should pass. IP header length and IP options are good examples of fields NOT to mangle through a firewall since it may not be able to parse the packet against its rule base, leaving us with:

Page 52

Which Fields to Mangle?

Page 53

IP total length: So what?

Firing off IP packets with a bad total length field results in an ICMP parameter problem. This at least says the host is alive.

Page 54

Firing off IP Total Length: ISIC

ISIC (IP Stack Integrity Checker) by Mike Frantzen: http://www.packetfactory.net/Projects/ISIC/
Libnet by Mike Schiffman: http://www.packetfactory.net/libnet/

ISIC usage: isic [-v] [-D] -s <source ip> -d <destination ip>
            [-p <pkts to generate>] [-k <skip packets>] [-x <send packet X times>]
            [-r <random seed>] [-m <max kB/s to generate>]
Percentage Opts: [-F frags] [-V <Bad IP Version>] [-I <Random IP Header length>]

Page 55

ISIC: Example

Source (-s): 10.1.1.252, Dest (-d): 10.1.1.172, Packets (-p): 3, 0% fragged packets (-F 0), 0% bad versions (-V 0), 100% bad header lengths (-I 100). (Response sniffed with tcpdump.)
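The checks a receiving stack (RFC 1122/1812, Page 50) or an IDS (Page 51) applies to the very header fields ISIC mangles, as an added example that is not the deck’s, ISIC’s or libnet’s code; the addresses, the UDP payload and the “one field wrong” datagrams are constructed:

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.

    With the checksum field zeroed it returns the value to store; run over a
    header that already carries a correct checksum it returns 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_datagram(src, dst, proto=17, payload=b"\x04\x1d\x00\x35\x00\x08\x00\x00",
                   version=4, ihl=5, total_len=None, good_checksum=True):
    """20-byte IPv4 header + payload (constructed UDP header to port 53 by default).

    Passing a wrong version, ihl or total_len mangles that one field the way
    ISIC's -V and -I options do; the checksum is recomputed over the mangled header.
    """
    if total_len is None:
        total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total_len, 0x1234,
                      0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    if good_checksum:
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def validate_ipv4(datagram: bytes) -> list:
    """Name the header fields that would get this datagram discarded or complained about."""
    problems = []
    if len(datagram) < 20:
        return ["truncated"]
    version, ihl = datagram[0] >> 4, datagram[0] & 0x0F
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if version != 4:
        problems.append("version")          # silently discarded (RFC 1122)
    if ihl < 5 or ihl * 4 > len(datagram):
        problems.append("header_length")    # the field ISIC -I randomizes
    elif ipv4_checksum(datagram[:ihl * 4]) != 0:
        problems.append("checksum")         # silently discarded (RFC 1122)
    if total_len < 20 or total_len > len(datagram):
        problems.append("total_length")     # per the deck: ICMP Parameter Problem
    return problems


def demo():
    """One good datagram and the mangled variants the deck discusses, each validated."""
    src, dst = "10.1.1.252", "10.1.1.172"
    good = build_datagram(src, dst)
    corrupted = good[:10] + bytes([good[10] ^ 0xFF]) + good[11:]   # flip a checksum byte
    return {
        "good": validate_ipv4(good),
        "bad_version": validate_ipv4(build_datagram(src, dst, version=6)),
        "bad_header_length": validate_ipv4(build_datagram(src, dst, ihl=3)),
        "bad_total_length": validate_ipv4(build_datagram(src, dst, total_len=0xFFFF)),
        "bad_checksum": validate_ipv4(corrupted),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:18s} -> {problems or 'accepted'}")
```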

Page 56

Inverse mapping

When a router receives a packet for an address within its network space, it ARPs for the address. If the ARP fails, an ICMP Host Unreachable is generated, or an ICMP Time Exceeded is generated if the router gives up. If there is no response at all from the border router, or we get a reply from the target itself, we can infer that the target may be alive and/or filtered. This is the part that is “inversed.” One way to pull this off is by sending ICMP echo reply packets to the target using “sing -reply”, since unsolicited ICMP echo replies should be dropped by the target.

Page 57

Triggering ICMP responses with IP packets

Very advanced: Esoteric trigger combos

Page 58

The rundown

OS’s which don’t generate ICMP Protocol Unreachables
ICMP Error message quenching
ICMP Error Message Quoting Size
ICMP Error Message Data Integrity
IP Header variants
Precedence Bits with ICMP Errors
DF bit Echoing

Page 59: Advanced ICMP Techniques - ICMP Scanning 11.15

No Protocol Unreachables

Some OS’s do not reply to the “protocol” scan and will not generate ICMP Protocol Unreachable messages.

Some of these include: DG/UX, AIX, HP/UX

Page 60: Advanced ICMP Techniques - ICMP Scanning 11.15

ICMP Error message quenching

RFC 1812 and 1122 suggest limiting the rate at which ICMP error messages are sent in reply.

Only a few OS’s follow this.

To test, we saturate a target, and count the rate at which ICMP error messages come back.

This may be affected by several factors. Also remember that ICMP gets dropped on the floor during heavy load times.

Page 61: Advanced ICMP Techniques - ICMP Scanning 11.15

ICMP Error Message Quoting Size

Remember RFC 1122 stating that more than 8 data bytes may be quoted in a response? Some OS’s do, in fact, use more. Others only use 8.

Some examples of +8 boxen: Sun Solaris; Linux Kernel 2.0.x, 2.2.x, 2.4.x; HP/UX 11.x; MAC OS 7.55, 8.x, 9.04

(Fyodor talks about this in his popular OS ID paper)

Page 62: Advanced ICMP Techniques - ICMP Scanning 11.15

ICMP Error Message Data Integrity

Not only will the amount of the quoted datagram’s payload differ, but the actual quoted data may differ between OS implementations as well.

For example, Linux kernels seem to pad 20 mystery bytes to the end of the data and Foundry network boxes will append 12 bytes to the end.

Page 63: Advanced ICMP Techniques - ICMP Scanning 11.15

IP Header variants

In addition to the payload varying, the IP header of the return packet may be modified in any number of ways.

One example is the TTL value of the return packet. Many OS implementations carry their own default TTL values. Although this value will have been decremented by the time the packet reaches us, we can easily determine the approximate default value.

(Again, see Fyodor’s great OS ID paper)

Page 64: Advanced ICMP Techniques - ICMP Scanning 11.15

Precedence Bits with ICMP Errors

The “TOS” (type of service) byte exists in all IP datagrams.

The precedence field within the TOS byte is open to interpretation according to RFC 1122.

RFC 1122 suggests a value of 0x00.

Linux does not set this value to 0x00. ;-)

(Again, see Fyodor’s great OS ID paper)

Page 65: Advanced ICMP Techniques - ICMP Scanning 11.15

DF bit Echoing

The “don’t fragment” DF bit, if turned on in an IP datagram, may or may not be echoed in a returning IP/ICMP packet.
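The quoting size, quoted data integrity, return TTL, precedence bits and DF echoing slides each describe one field of the ICMP error that comes back. The Python below is an added example, not code from the presentation, from sing or from Ofir Arkin's paper: it builds two constructed ICMP Protocol Unreachable messages the way a host would answer a probe, then decodes each into exactly those features: how many payload bytes were quoted (8 or more), whether the quote matches what was sent and how many bytes were appended beyond it, the observed TTL and the nearest common initial value, the three precedence bits of the TOS byte, and whether DF on the probe was carried on the error. The addresses, the 64-byte probe payload and the two responder profiles are constructed; one is shaped to resemble the full-quote, non-zero-precedence, padded behaviour attributed to Linux above, the other an 8-byte quoter.

```python
"""Decode an ICMPv4 error message into the fields used for fingerprinting:
quoted size, quote integrity, TTL, TOS precedence, DF echoing.
Added example; packets are constructed here, not captured."""
import socket
import struct
from dataclasses import dataclass


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ipv4_header(src, dst, proto, ttl, tos, df, total_len):
    """20-byte IPv4 header without options; DF is bit 0x4000 of flags/offset."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234,
                      0x4000 if df else 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def build_icmp_error(*, probe_payload, quoted_len, trailer, ttl, tos,
                     outer_df, probe_df, icmp_type=3, icmp_code=2):
    """Constructed ICMP error (default Protocol Unreachable, type 3 code 2)
    answering a probe that was sent as IP protocol 255.  The probe's IP header
    plus `quoted_len` payload bytes are quoted; `trailer` models bytes some
    stacks append after the quote."""
    probe_hdr = _ipv4_header("10.1.1.252", "10.1.1.172", 255, 64, 0,
                             probe_df, 20 + len(probe_payload))
    quote = probe_hdr + probe_payload[:quoted_len] + trailer
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quote
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return _ipv4_header("10.1.1.172", "10.1.1.252", 1, ttl, tos, outer_df,
                        20 + len(icmp)) + icmp


@dataclass
class IcmpErrorFeatures:
    icmp_type: int
    icmp_code: int
    ttl: int                   # TTL as observed on arrival
    initial_ttl_guess: int     # nearest common default (32/64/128/255) at or above it
    precedence: int            # top three bits of TOS; RFC 1122 suggests 0
    outer_df: bool             # DF on the error message itself
    probe_df: bool             # DF on the quoted probe
    df_echoed: bool            # probe had DF and the error carries it too
    quoted_payload_bytes: int  # bytes quoted after the probe's IP header
    quotes_more_than_8: bool
    quote_intact: bool         # quoted bytes equal what we sent
    extra_bytes: int           # bytes in the quote beyond what we sent


def parse_icmp_error(frame: bytes, probe_payload: bytes) -> IcmpErrorFeatures:
    """Walk outer IP -> ICMP -> quoted probe and report the features."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:
        raise ValueError("not an ICMP datagram")
    tos, ttl = frame[1], frame[8]
    outer_df = bool(struct.unpack("!H", frame[6:8])[0] & 0x4000)
    icmp = frame[ihl:]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in (3, 4, 11, 12):  # unreachable, quench, time exceeded, param problem
        raise ValueError("not an ICMP error message")
    inner = icmp[8:]
    if len(inner) < 28:
        raise ValueError("quote shorter than the RFC 792 minimum of IP header + 8 bytes")
    inner_ihl = (inner[0] & 0x0F) * 4
    probe_df = bool(struct.unpack("!H", inner[6:8])[0] & 0x4000)
    quoted = inner[inner_ihl:]
    overlap = min(len(quoted), len(probe_payload))
    return IcmpErrorFeatures(
        icmp_type=icmp_type, icmp_code=icmp_code, ttl=ttl,
        initial_ttl_guess=next(t for t in (32, 64, 128, 255) if t >= ttl),
        precedence=(tos >> 5) & 0x7,
        outer_df=outer_df, probe_df=probe_df, df_echoed=probe_df and outer_df,
        quoted_payload_bytes=len(quoted), quotes_more_than_8=len(quoted) > 8,
        quote_intact=quoted[:overlap] == probe_payload[:overlap],
        extra_bytes=max(0, len(quoted) - len(probe_payload)),
    )


PROBE = bytes(i % 256 for i in range(64))  # constructed 64-byte probe payload

# Responder that quotes the whole probe, appends 20 bytes, leaves precedence
# non-zero and echoes DF (constructed to resemble the Linux behaviour above).
SAMPLE_FULL_QUOTE = build_icmp_error(probe_payload=PROBE, quoted_len=64,
                                     trailer=b"\x00" * 20, ttl=57, tos=0xC0,
                                     outer_df=True, probe_df=True)
# Responder that quotes only 8 bytes, precedence 0, does not echo DF.
SAMPLE_EIGHT_BYTES = build_icmp_error(probe_payload=PROBE, quoted_len=8,
                                      trailer=b"", ttl=120, tos=0x00,
                                      outer_df=False, probe_df=True)

if __name__ == "__main__":
    print(parse_icmp_error(SAMPLE_FULL_QUOTE, PROBE))
    print(parse_icmp_error(SAMPLE_EIGHT_BYTES, PROBE))
```

Pointing the parser at error messages your own hosts emit (from a capture taken on the host or at the border) shows what each stack gives away per error, which is the same information an active or passive fingerprint would collect; the `extra_bytes` field is the "mystery bytes" case, since the parser cannot tell padding from quote and only the comparison against the probe actually sent reveals it.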

Page 66: Advanced ICMP Techniques - ICMP Scanning 11.15

Overload!

Granted, this is WAY too much information. However, it should be obvious that there is a huge potential for fingerprinting here, both actively and passively.

Page 67: Advanced ICMP Techniques - ICMP Scanning 11.15

sing praise

Fortunately, sing has implemented some of these features for us!

The -O option allows for basic fingerprinting.

However, on a real assessment, you certainly may find yourself wanting to roll your own queries.

Page 68: Advanced ICMP Techniques - ICMP Scanning 11.15

sing -O

[root@DG00001978 root]# ping -c 2 -b 20.X.X.255 | awk '{print $4}' | sed 's/://g' | grep "20." | xargs -i sing -c 1 -O {} | grep Remote
WARNING: pinging broadcast address
<*> Remote OS is a UNIX (Linux, Solaris, *BSD, HP-UX, etc.),
<*> Remote OS is a Linux 2.0.x or Compaq Tru64
<*> Remote OS is a Linux 2.0.x or Compaq Tru64
<*> Remote OS is a UNIX (Linux, Solaris, *BSD, HP-UX, etc.),
<*> Remote OS is a UNIX (Linux, Solaris, *BSD, HP-UX, etc.),
<*> Remote OS is a UNIX (Linux, Solaris, *BSD, HP-UX, etc.),
<*> Remote OS is a UNIX (Linux, Solaris, *BSD, HP-UX, etc.),
<*> Remote OS is a Linux 2.0.x or Compaq Tru64
<*> Remote OS is a Linux 2.0.x or Compaq Tru64
<*> Remote OS is a Linux 2.0.x or Compaq Tru64
<*> Remote OS is a UNIX (Linux, Solaris, *BSD, HP-UX, etc.),
<*> Remote OS is a Window$ 2k
...snip...

Page 69: Advanced ICMP Techniques - ICMP Scanning 11.15

What we’ve seen

There’s lots of stuff in them ICMP packets

A Furry animal

Page 70: Advanced ICMP Techniques - ICMP Scanning 11.15

Strange tidbit

Windows XP firewall default settings

Page 71: Advanced ICMP Techniques - ICMP Scanning 11.15

overview

Trigger types:

ICMP protocol queries: Fire off all the ICMP query types, search for ICMP replies

TCP/UDP protocol queries: Fire off all combinations of IP addresses and TCP/UDP ports with bad lengths searching for ICMP parameter problem replies

Make-believe protocol queries: Fire off bad protocols searching for ICMP protocol unreachable replies. Some machines may simply not elicit these.

If all combinations of protocols and ports and ICMP response types are queried, a network map can be drawn even if conventional tools won’t see the targets.

Page 72: Advanced ICMP Techniques - ICMP Scanning 11.15

References

Ofir’s ICMP paper: http://www.sys-security.com/
Fyodor’s thumbprinting article: http://www.insecure.org/nmap/nmap-fingerprinting-article.html
Tracerx from Mike Schiffman: http://www.packetfactory.net/Projects/tracerx
tcptraceroute by Michael Toren: http://michael.toren.net/code/tcptraceroute/
hping: http://www.hping.org/
ISIC by Mike Frantzen: http://www.packetfactory.net/Projects/ISIC/
SING by Alfredo Andres (Slay): http://www.sourceforge.net/projects/sing
Libnet by Mike Schiffman: http://www.packetfactory.net/libnet/
http://www.iana.org/assignments/icmp-parameters
http://www.iana.org/assignments/protocol-numbers