Local cretinism is the historical curse of the security
The Internet Control Message Protocol (ICMP) is a service protocol used mainly as a feedback and query mechanism for IP and routing: it carries error reports about IP datagrams that could not be delivered and simple request/reply queries. It is defined by RFC 792 - Internet Control Message Protocol (http://www.ietf.org/rfc/rfc0792.txt).
There are two kinds of ICMP messages.
Error messages, sent when a packet or a connection has a problem at the IP layer, for example:
- Time to live exceeded in transit (mostly seen during traceroutes) - type 11 code 0
- Fragmentation needed but the don't-fragment flag is set - type 3 code 4 (see below)
- Port unreachable (UDP datagram sent to a port with no listener) - type 3 code 3
Query messages, which stand alone and are not tied to another packet; the common case is ping, i.e. Echo Request (type 8) and Echo Reply (type 0). The sending side initializes the identifier (used to tell apart Echo Requests from different ping sessions or processes; most implementations use the process ID) and the sequence number (incremented for each Echo Request sent to the same destination host), puts some data into the data field and sends the Echo Request to the destination host. In the ICMP header the code equals zero. The recipient should change only the type to Echo Reply, recompute the ICMP checksum, and return the datagram to the sender with the identifier, sequence number and data unchanged; the sender uses identifier and sequence number to match each reply to its request.
hping2 is a popular network tool that can generate custom ICMP/UDP/TCP packets and display the target's replies, as ping does with ICMP replies. hping2 handles fragmentation and arbitrary packet body and size, and can be used to transfer files over the supported protocols.
Several other tools can also generate ICMP datagrams; see Mausezahn and Scapy.
Such datagrams can be used for various tasks: firewall checks, checking whether a particular host is alive, OS fingerprinting, etc. Here is some additional info from the hping wiki:
In order to identify the connection/packet on which error ICMPs are sent, several bytes of the original packet are quoted inside the error packet. The RFC calls for quoting the entire IP header + 64 bits (8 bytes) of the original packet's layer 4. For offending TCP and UDP packets this is enough to get the IP protocol, source IP, destination IP, and the source and destination ports, which is usually enough information to identify the offending connection. This is also used by some stateful firewalls to pass the ICMP without an explicit rule allowing ICMP, based on its relevance to a tracked connection.
Standalone ICMP packets
These are packets that are potentially unrelated to any other connection. They are meant to perform an operation in and of themselves. These packets are usually defined in pairs, where one is the "request" and the other is the "response".
Typical messages seen on the internet: Echo request/reply (ping) - type 8 (request) and type 0 (reply).
Typically, the response message has a type that is one more than the request message (for example Timestamp Request is type 13 and Timestamp Reply is type 14). The notable exception to this rule is the Echo Request message (aka "ping"), which is type 8, while the Echo Reply message is type 0.
Common ICMP related connectivity problems
Tunneled connections, such as ADSL PPPoE or PPTP connections, typically lower the maximum transfer unit (MTU). This means a packet needs to be fragmented in order to fit the narrower pipe of the tunneled connection. Many hosts employ an algorithm called "path MTU discovery" (PMTUD). This algorithm relies heavily on dropped packets being reported with the ICMP "Fragmentation needed but don't fragment set" message (type 3 code 4), which also carries the next-hop MTU the sender should use (RFC 1191). Sadly, some over-eager firewall admins block all ICMP messages, type 3 code 4 included. This results in attempts to download large files/email hanging indefinitely, as big packets are repeatedly sent, repeatedly dropped, and the ICMP that reports the drop is dropped as well. Worse, this problem only happens with some sites, since the problem is really not on the user's end at all.
The way to deal with this problem is to decrease the maximum segment size (MSS) advertised in the initial TCP SYN packet. This can be achieved either by configuring the firewall that does the NAT (clamp the MSS in iptables), or by setting each machine's MTU to match that of the ADSL link (1450 is a good value for Ethernet based home networks).
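The three mechanisms above (echo request/reply, the quoted IP header + 8 bytes inside an error message, and the next-hop MTU in type 3 code 4 that PMTUD depends on) are easy to see with a few dozen lines of pure Python. This is an added example, not code from this page, from hping or from Scapy; it uses only the standard library, and the addresses, ports, the 1500-byte segment and the 1450-byte link MTU in the sample scenario are constructed for illustration.

```python
"""Pure-Python ICMP builder/parser: echo request/reply, error messages that quote the
offending IP header + 8 bytes, and the next-hop MTU in type 3 code 4 (RFC 1191).
Added example, standard library only; every packet is constructed inline."""
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
CODE_PORT_UNREACH, CODE_FRAG_NEEDED = 3, 4          # codes under type 3


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; used by both IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(msg: bytes) -> bool:
    """A message whose checksum field is correct sums to zero."""
    return inet_checksum(msg) == 0


def build_echo(msg_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Type 8 (request) or 0 (reply), code 0; the checksum covers header and data."""
    body = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def reply_to_echo(request: bytes) -> bytes:
    """What the receiving stack does: flip type 8 -> 0, keep id/seq/data, recompute checksum."""
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", request[:8])
    if msg_type != ICMP_ECHO_REQUEST or code != 0:
        raise ValueError("not an echo request")
    return build_echo(ICMP_ECHO_REPLY, ident, seq, request[8:])


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload; DF set by default."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_error(msg_type: int, code: int, offending: bytes, next_hop_mtu: int = 0) -> bytes:
    """ICMP error: type, code, checksum, 2 unused bytes, next-hop MTU (meaningful only for
    type 3 code 4), then the offending IP header plus the first 8 bytes of its layer 4."""
    ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHHH", msg_type, code, 0, 0, next_hop_mtu) + offending[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_error(icmp: bytes) -> dict:
    """Recover what a stateful firewall (5-tuple) or PMTUD (next-hop MTU) needs from the quote."""
    msg_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    proto = quoted[9]
    info = {"type": msg_type, "code": code, "proto": proto,
            "src": bytes_to_ip(quoted[12:16]), "dst": bytes_to_ip(quoted[16:20])}
    l4 = quoted[ihl:ihl + 8]
    if proto in (6, 17) and len(l4) >= 4:          # TCP/UDP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if msg_type == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        info["next_hop_mtu"] = mtu
    return info


def tcp_mss_for_mtu(mtu: int) -> int:
    """MSS a host (or an iptables TCPMSS --set-mss clamp) should advertise so that a full
    segment fits the link: MTU minus the 20-byte IPv4 and 20-byte TCP headers."""
    return mtu - 40


def sample_frag_needed(link_mtu: int = 1450) -> bytes:
    """Constructed scenario: a 1500-byte DF-flagged TCP segment (192.0.2.10:40000 -> 198.51.100.5:443)
    hits a PPPoE link with a smaller MTU; this is the type 3 code 4 the router sends back."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x10, 65535, 0, 0)
    segment = build_ipv4("192.0.2.10", "198.51.100.5", 6, tcp + b"A" * (1500 - 20 - len(tcp)))
    return build_error(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, segment, next_hop_mtu=link_mtu)


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"hello")
    rep = reply_to_echo(req)
    print("echo reply type:", rep[0], "checksum ok:", checksum_ok(rep))
    info = parse_error(sample_frag_needed())
    print(info, "-> clamp MSS to", tcp_mss_for_mtu(info["next_hop_mtu"]))
```

Run it as a script to see the parsed error; the parse_error output is exactly the information a firewall needs to decide that the type 3 code 4 belongs to an existing outbound TCP connection and should be let back in, and the next_hop_mtu value is what a working PMTUD implementation would feed into its route cache.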
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).
It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP encrypted channel, ...), etc. See the interactive tutorial and the quick demo: an interactive session (some examples may be outdated).
What makes scapy different from most other networking tools
First, with most other tools, you won't build something the author did not imagine. These tools have been built for a specific goal and can't deviate much from it. For example, an ARP cache poisoning program won't let you use double 802.1q encapsulation. Or try to find a program that can send, say, an ICMP packet with padding (I said padding, not payload, see?). In fact, each time you have a new need, you have to build a new tool.
Second, they usually confuse decoding and interpreting. Machines are good at decoding and can help human beings with that. Interpretation is reserved to human beings. Some programs try to mimic this behaviour. For instance they say "this port is open" instead of "I received a SYN-ACK". Sometimes they are right. Sometimes not. It's easier for beginners, but when you know what you're doing, you keep on trying to deduce what really happened from the program's interpretation to make your own, which is hard because you lost a big amount of information. And you often end up using tcpdump -xX to decode and interpret what the tool missed.
Third, even programs which only decode do not give you all the information they received. The network's vision they give you is the one their author thought was sufficient. But it is not complete, and you have a bias. For instance, do you know a tool that reports the padding?
Scapy tries to overcome those problems. It enables you to build exactly the packets you want. Even if I think stacking a 802.1q layer on top of TCP has no sense, it may have some for somebody else working on some product I don't know. Scapy has a flexible model that tries to avoid such arbitrary limits. You're free to put any value you want in any field you want, and stack them like you want. You're an adult after all.
In fact, it's like building a new tool each time, but instead of dealing with a hundred line C program, you only write 2 lines of Scapy.
After a probe (scan, traceroute, etc.) Scapy always gives you the full decoded packets from the probe, before any interpretation. That means that you can probe once and interpret many times, ask for a traceroute and look at the padding for instance.
Scapy Project
Scapy runs natively on Linux, and on most Unixes with libpcap, libdnet and their respective Python wrappers (see Scapy's portability page).
Scapy < 2.x needs Python 2.4 or later.
Scapy ≥ 2.x needs Python 2.5 or later.
- Scapy's latest release (executable zip)
- Scapy's latest release (tar.gz) (take this one if your system says the zip is corrupted)
- Scapy's latest revision
- Scapy's debian package (not always up to date)
- Scapy's RPM package (not always up to date)
- ChangeLog
- Scapytain: a web application to store, organise and run test campaigns on top of Scapy
- UTscapy: Unit Testing with scapy (integrated with Scapy 2.x)
- WifiTap: Wi-Fi traffic injection
- local copy of Scapy OLSR add-on
Mausezahn (German pronunciation: [ˈmaʊ̯zəˌʦaːn], German for "mouse tooth") is a fast network traffic generator written in C which allows the user to craft nearly every possible and "impossible" packet. Since version 0.31 Mausezahn is open source in terms of the GPLv2. Herbert Haas, the original developer of Mausezahn, died on 25 June 2011.[1] The project has been incorporated into the netsniff-ng toolkit, and continues to be developed there.[2]
Typical applications of Mausezahn include:
Testing or stressing IP multicast networks
Penetration testing of firewalls and IDS
Finding weaknesses in network software or appliances
Creation of malformed packets to verify whether a system processes a given protocol correctly
Didactical demonstrations as lab utility
Mausezahn allows sending an arbitrary sequence of bytes directly out of the network interface card. An integrated packet builder provides a simple command line interface for more complicated packets. Since version 0.38, Mausezahn offers a multi-threaded mode[3] with a Cisco-style command line interface.
fping is a ping-like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a target host is responding. fping differs from ping in that you can specify any number of targets on the command line, or specify a file containing the list of targets to ping. Instead of sending pings to one target until it times out or replies, fping will send out a ping packet and move on to the next target in a round-robin fashion.
Mausezahn is a fast traffic generator which allows you to send nearly every possible and impossible packet. Mausezahn can be used, for example, as a traffic generator to stress multicast networks, for penetration testing of firewalls and IDS, for simulating DoS attacks on networks, to find bugs in network software or appliances, for reconnaissance attacks using ping sweeps and port scans, or to test network behavior under strange circumstances. Mausezahn gives you full control over the network interface card and allows you to send any byte stream you want (even violating Ethernet rules).
Release focus: Code cleanup
Changes:
The tarball supports easier building of the binary via cmake. Furthermore, Mausezahn has now been licensed clearly under the GPLv2 (there was some confusion in the previous version). The Syslog protocol is now supported. Minor bugs have been fixed.
You could try any of the tools below:
hping2.tgz - one of the best tools for building ICMP/TCP/UDP packets from the command line. Useful for port scanning, network mapping, and general purpose network security research. [H]
isic.tgz - a Libnet based tool for generating garbage Ethernet/IP/UDP/TCP traffic [H]
sing.tgz - another tool for generating ICMP datagrams [H]
sendip.tgz - a nice command-line tool for generating IP, IPv6, UDP, TCP, and RIP traffic that is under active development. [H]
sendpkt.tgz - another command-line packet generation tool
mpac.tgz - a packet generation tool that allows you to specify a file for each layer (TCP, IP, Ethernet)
nemesis.tgz - another Libnet based "packet-injection" suite that supports OSPF and IGMP along with the usual [H]
nasl.tgz - NASL is the language used by the Nessus scanner to conduct vulnerability checks.
packedit.tgz - contains editcap, a utility from ethereal for modifying captured tcpdump files, and tcpreplay, for replaying captured tcpdump files.
To get them all in one Linux Distro, go to
http://trinux.sourceforge.net/
Alan Ridgeway
---------------------------------------------
I was a peripheral visionary.
I could see the future,
but only way off to the side.
--Steven Wright
--------------------------------------------
sing (FreeBSD port, category security; requires net/libnet to build; install with pkg_add -r sing)
Sing is a little tool that sends fully customized ICMP packets from the command line. Its main purpose is to replace/complement the nice ping command with certain enhancements such as:
- Send fragmented packets (Linux and BSD).
- Send monster packets > 65534 (Linux and BSD).
- Send/read spoofed packets.
- Send many ICMP Information types in addition to the ECHO REQUEST type sent by default: Address Mask Request, Timestamp, Information Request, Router Solicitation and Router Advertisement.
- Send many ICMP error types: Redirect, Source Quench, Time Exceeded, Destination Unreach and Parameter Problem.
- Send to host with Loose or Strict Source Routing.
- Use little fingerprinting techniques to discover Windows or Solaris boxes.
- Send ICMP packets emulating certain OS: Cisco, Solaris, Linux, Shiva, Unix and Windows at the moment.
WWW: http://sourceforge.net/projects/sing/ --Roman <[email protected]>
hping2 is written by antirez. Beyond packet crafting it serves as a packet filter and latency testing tool; its firewall-probing use is similar to Firewalk.
hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping2, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc.
More information on this package can be found on:
- hping wiki
- Hping tutorial, Philippe Bogaerts
- Idle Scanning and related IPID games, Fyodor
- The hping Idle Host Scan, Erik J. Kamerling
- Packet Crafting via HPing, Don
- Testing IDS rulesets with HPing, Don
- A Hacker's-Eye View, Don Parker
- Testing Connectivity Protocols, Joseph D. Sloan
- Phrack 60 - Firewall spotting and networks analisys with a broken CRC
- Debian web site.
Active reconnaissance network security tool by Mike D. Schiffman
License: BSD
Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.
Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.
URL: http://www.packetfactory.net/projects/firewalk/
Firewalk: Can Attackers See Through Your Firewall?, Firewalking, Strategic Scanning and Assessments of Remote Hosts (SSARH),
9th USENIX Security Symposium Paper Defeating TCP/IP Stack Fingerprinting Matthew Smart, G. Robert Malan, Farnam Jahanian
A practical approach for defeating Nmap OS-Fingerprinting
[PDF] ICMP Usage in Scanning. Complete how-to
From: Ofir Arkin <ofir_at_sys-security.com>
Date: Mon, 4 Jun 2001 01:17:44 -0700
I am pleased to announce the availability of version 3.0 of my research paper "ICMP Usage In Scanning".
Version 3.0 introduces significant changes made to the text.
The paper now starts with an introduction to the ICMP Protocol. The introduction explains what the ICMP protocol is, its message types, and where and when we should expect to see these.
The following chapters are divided into several subjects ranging from Host Detection to Passive Operating System Fingerprinting.
An effort was made to offer more illustrations, examples and diagrams in order to explain and illustrate the different issues involved with the ICMP protocol's usage in scanning.
The paper is divided into the following chapters:
- Chapter 1 is the Introduction
- Chapter 2 is an Introduction to the ICMP Protocol
- Chapter 3 deals with Host Detection methods using the ICMP Protocol
- Chapter 4 handles Advanced Host Detection methods using the ICMP Protocol
- Chapter 5 talks about the technique known as "Inverse Mapping"
- Chapter 6 goes through the traceroute functionality
- Chapter 7 is dedicated to Active Operating System Fingerprinting using the ICMP Protocol. The chapter is divided into four parts:
  - Regular queries
  - Crafted queries
  - Error Messages
  - Futuristic Methods
- Chapter 8 explains the Usage of ICMP in the Passive Operating System Fingerprinting Process. This is a new chapter, which was added with this version.
- Chapter 9 suggests strategies when building a correct rule base with a Firewall
- Chapter 10 is dedicated to acknowledgments
The various appendixes offer:
- Several tables presented in the text
- Some Host based Security measures available with Linux based on Kernel 2.4.x and with Sun Solaris 8.
- A snort rule base for dealing with the ICMP tricks illustrated within the text.
The new version can be downloaded from The Sys-Security Group's web site in PDF and ZIP formats. This is due to the large size of the PDF file.
http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.zip
The file size is ~ 1.75mb when zipped
http://www.sys-security.com/archive/papers/ICMP_Usage_v3.0.pdf
The file size is ~ 5.39mb.
LISA 2002 - 16th Systems Administration Conference - Paper Over-Zealous Security Administrators Are Breaking the Internet Richard van den Berg - Trust Factory b.v. Phil Dibowitz - University of Southern California
SANS Intrusion Detection FAQ How can attacker use ICMP for reconnaissance
[PDF] Attack Signature Matching and Discovery in Systems Employing ...
pintday.org: Magnification Attacks: Smurf and Fraggle
Passive Network Discovery for Real Time Situation Awareness
[PDF] Active Probing with ICMP Packets
How to verify that Snort is operating
You can manually check Snort using the "ICMP Large ICMP Packet" rule. In order for this test to work, you'll need to make sure you have not disabled the "ICMP Large ICMP Packet" rule and that it's possible to send an ICMP packet with more than 800 bytes of payload from a network defined as $EXTERNAL_NET into the network defined as $HOME_NET (see your snort.conf file and How to define Snort's configuration variables). If those conditions are met, either of the following should trigger an alert:
ping -s 1024 {target host} (Linux) or
ping -l 1024 {target host} (Windows)
Both send Echo Requests carrying 1024 bytes of data, well above the rule's dsize:>800 threshold; a default-size ping (56 data bytes on Linux, 32 on Windows) will not trigger it. If neither test works, then Snort likely isn't working and/or packets aren't getting through. A brute force troubleshooting method is to add some simple rules to the very bottom of your snort.conf:
- alert ip any any -> any any (msg:"Got an IP Packet"; classtype:not-suspicious; sid:2000000; rev:1;)
- alert icmp any any -> any any (msg:"Got an ICMP Packet"; classtype:not-suspicious; sid:2000001; rev:1;)
- alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:2000499; rev:4;)
The first two rules should generate an alert upon seeing any IP or ICMP packet, respectively. Since they will trigger on every single packet on the network, these aren't rules you want to run on a heavily loaded production segment! Run them on a smaller or test segment if necessary. The last rule is a copy of SID (rule) 499 (note that Snort.org reserves SIDs 1-1,000,000 for "official" rules; see the Snort User's Manual at Snort.org) modified to make it much looser, to increase alert generation for our testing purposes. Normally you'll want to avoid loose rules since they lead to false positives.
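To see why ping -s 1024 fires the third rule while a default ping fires only the first two, here is a matcher for just the subset of Snort rule syntax used in the three test rules above (protocol, msg, dsize, sid), run over constructed IPv4 packets. This is an added example, not Snort code and not from this page. It assumes that dsize compares against the layer-4 payload, for ICMP the data after the 8-byte ICMP header; the page's own statement that ping -s 1024 triggers dsize:>800 is consistent with that reading. The addresses and ports in the sample packets are constructed, and checksums are left zero because the matcher never verifies them.

```python
"""Matcher for the subset of Snort rule syntax used in the three test rules above
(protocol, msg, dsize, sid), run over constructed IPv4 packets. Added example, not Snort
code; it assumes dsize measures the layer-4 payload, for ICMP the data after the 8-byte
ICMP header."""
import re
import struct

TEST_RULES = [
    'alert ip any any -> any any (msg:"Got an IP Packet"; classtype:not-suspicious; sid:2000000; rev:1;)',
    'alert icmp any any -> any any (msg:"Got an ICMP Packet"; classtype:not-suspicious; sid:2000001; rev:1;)',
    'alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:2000499; rev:4;)',
]

RULE_RE = re.compile(r"^alert\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)\s*$")
DSIZE_RE = re.compile(r"^([<>]?)(\d+)$")
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}


def parse_rule(text: str) -> dict:
    """Header -> protocol; options -> msg, sid and an optional dsize (op, n) tuple.
    Addresses and ports are accepted but ignored (the test rules use any/any)."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    proto, body = m.group(1), m.group(2)
    if proto != "ip" and proto not in PROTO_NUM:
        raise ValueError("unknown protocol: " + proto)
    opts = {}
    for item in body.split(";"):
        if item.strip():
            key, _, val = item.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule = {"proto": proto, "msg": opts.get("msg", ""), "sid": int(opts["sid"])}
    if "dsize" in opts:
        op, n = DSIZE_RE.match(opts["dsize"]).groups()
        rule["dsize"] = (op, int(n))
    return rule


def l4_payload_size(pkt: bytes) -> tuple:
    """(protocol number, payload bytes after the layer-4 header) for a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    l4 = pkt[ihl:total_len]
    if proto == 1 or proto == 17:                   # ICMP and UDP: 8-byte headers
        return proto, len(l4) - 8
    if proto == 6:                                   # TCP: data offset in the header
        return proto, len(l4) - ((l4[12] >> 4) * 4)
    return proto, len(l4)


def rule_matches(rule: dict, pkt: bytes) -> bool:
    """Protocol check, then the dsize comparison if the rule has one."""
    proto, dsize = l4_payload_size(pkt)
    if rule["proto"] != "ip" and PROTO_NUM[rule["proto"]] != proto:
        return False
    if "dsize" in rule:
        op, n = rule["dsize"]
        if (op == ">" and dsize <= n) or (op == "<" and dsize >= n) or (op == "" and dsize != n):
            return False
    return True


def alerting_sids(pkt: bytes, rules=TEST_RULES) -> list:
    """SIDs of the rules that would alert on this packet, in rule order."""
    return [r["sid"] for r in map(parse_rule, rules) if rule_matches(r, pkt)]


def ipv4(proto: int, l4: bytes) -> bytes:
    """Constructed IPv4 header 192.0.2.1 -> 192.0.2.2 (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + l4


def icmp_echo(data_len: int) -> bytes:
    """IPv4 + ICMP echo request carrying data_len bytes, as ping -s data_len would send."""
    return ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * data_len)


def udp(data_len: int) -> bytes:
    """IPv4 + UDP datagram 5000 -> 53 carrying data_len bytes."""
    return ipv4(17, struct.pack("!HHHH", 5000, 53, 8 + data_len, 0) + b"\x00" * data_len)


if __name__ == "__main__":
    for label, pkt in (("ping -s 1024", icmp_echo(1024)), ("default ping", icmp_echo(56)), ("udp 1200", udp(1200))):
        print(label, "->", alerting_sids(pkt))
```

The three rules are parsed from the exact text given above, so editing the dsize threshold in TEST_RULES and re-running shows the boundary: 800 bytes of data does not fire sid 2000499, 801 does.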
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March, 12, 2019