09.18.03

By
Laura Chappell
The Internet Control Message Protocol (ICMP) was developed alongside
the rest of the TCP/IP protocol suite as a tool for exchanging simple messages
between devices. The messages can indicate that services or hosts
are unavailable, or they can be used to test connectivity between
devices.
Unfortunately, ICMP is trusting – not requiring any authentication
between devices. This trusting nature can be exploited in a number
of ways. ICMP-based network scans and exploits are often used to identify
networking devices, applications or operating systems and attack network
systems.
ICMP Echo Attacks
The DNS attacks of October 2002 were based on an old ICMP attack
trick.
Numerous computers sent ICMP echo requests (also referred to as ‘pings’)
to the root DNS servers. Since 12 of the 13 root DNS servers had ICMP
ping enabled on them, they had to respond to each of these echo requests.
This, in effect, was a large-scale distributed denial of service attack
using a simplistic connection-testing routine. At the time this article
was written, only 10 of the DNS servers still process and respond
to ICMP echo requests – hopefully we will learn from the October 2002
attack and shut down ICMP echo processes on all 13 root DNS servers.
I advise clients to turn off ICMP echo response on all key devices
within a company network and on the border of the Internet connection.
ICMP for Service Scanning
ICMP can be used to identify some services running on network systems
as well.
If a UDP-based (User Datagram Protocol) communication is sent to a
device that does not support the destination application, a “Destination
Unreachable/Port Unreachable” ICMP message may be returned. The scanning
system now knows that the application is not supported on the target.
For example, to determine whether DNS (Domain Name System) is supported
on a target machine, a packet addressed to the DNS service (port 53)
could be sent to the target. If the target sends back an ICMP Destination
Unreachable/Port Unreachable message, we can figure that the target
does not support DNS services. If any other response is received,
we can conclude that the target does indeed support DNS services.
By scanning an entire network and listening to the ICMP responses,
we can easily locate running services on a network. This technique
is used by many scanning and multifunction tools such as Nmap, LANGuard,
and NetScanTools.
ICMP Redirection
ICMP can be used to redirect traffic that is routed on a network.
This can cause a disruption in communications or enable a sniffer
to listen in on traffic that normally would not be routed in the sniffer’s
direction.
Redirection is normally used when a client sends data to a router
that does not offer the best path to the destination. The receiving
router sends an ICMP redirection message to a client to point the
sender to another router on the network. The information is cached
on the client’s station (readable through the ROUTE PRINT command)
and used the next time the client wants to communicate to the original
destination network.
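The two host-side mitigations mentioned so far, not answering echo requests on key devices and refusing ICMP redirects so that a forged redirect cannot repoint a client's cached route, both reduce to a handful of kernel settings. The script below is an added example, not part of this article or of any tool it names: it lists those settings as Linux sysctl keys (an assumption; the article itself is OS-neutral, and the ROUTE PRINT command it mentions is the Windows view of the same cache) and audits a sysctl-style configuration file against them, reporting each key that is missing or wrong.

```shell
#!/bin/sh
# Added example, not from the article: audit a sysctl-style configuration
# file for the ICMP hardening the text recommends on key hosts: stop
# answering echo requests, and neither accept nor send ICMP redirects so a
# forged redirect cannot repoint a host's cached route. The key names are
# Linux sysctl keys (an assumption; the article itself is OS-neutral).

# Settings a hardened host should carry, one key=value per line.
icmp_hardening_conf() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
EOF
}

# audit_sysctl_file FILE: print one line per key that is missing from FILE or
# set to the wrong value; return 0 only when every key matches.
audit_sysctl_file() {
    file="$1"
    failures=0
    for pair in $(icmp_hardening_conf); do
        key="${pair%%=*}"
        want="${pair#*=}"
        # Escape the dots so sed matches the key literally; the last
        # assignment in the file wins, as it does for sysctl itself.
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$file" | tail -n 1)
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
            failures=$((failures + 1))
        elif [ "$have" != "$want" ]; then
            echo "WRONG $key=$have (want $want)"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Usage: audit_sysctl_file /etc/sysctl.conf
```

Run it against /etc/sysctl.conf (or a drop-in under /etc/sysctl.d) on a router, DNS server or other key device; a non-zero exit with a list of MISSING or WRONG keys is the finding. Turning echo off is a per-host decision, since it also removes a convenient reachability check, which is why the article limits the advice to key devices and the border.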
ICMP for OS Fingerprinting
OS fingerprinting is the process of determining the operating system
of a target.
Knowing this information is key when someone is planning an OS-specific
attack. There are two types of OS fingerprinting techniques – passive
and active. Passive fingerprinting tools do not send any traffic on
the wire – they only listen and make decisions on the OS types based
on what they hear.
Active OS fingerprinting tools, however, send a series of communications
to the target. One of the key elements of active OS fingerprinting
tools is ICMP. These active OS fingerprinting tools send a series
of normal, malformed and unusual ICMP queries to a target and listen
to the responses.
Figure 1: Notice the ICMP packet with an invalid code, the ICMP
Get address, ICMP Get timestamp, and ICMP Get information packets
used in a LANGuard OS fingerprinting operation.
Note: This trace is available online at http://www.packet-level.com/traceFiles.htm
The basic functionality of ICMP is documented in RFC (Request for
Comment) 792 that can be found online at www.ietf.org.
Reading this document can give you a basic overview of the different
types of ICMP operations.
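Both the service-scanning section and the OS-fingerprinting section describe traffic a network sensor can recognise from the ICMP header alone: a burst of Destination Unreachable/Port Unreachable replies all heading back to one host marks a UDP sweep, and timestamp, information and address-mask requests (the "Get timestamp", "Get information" and "Get address" packets in Figure 1) or a message with an invalid code mark fingerprinting probes. The Python below is an added example, not code from the article or from LANGuard or Nmap: it parses the RFC 792 header, verifies the one's-complement checksum, and runs that classification over a constructed set of (source, destination, bytes) records. The record format, the scan threshold of 10 replies, and the sample addresses are assumptions made for the example.

```python
import struct
from collections import Counter, defaultdict

# Added example, not from the article. ICMP types from RFC 792 (the address
# mask request, type 17, comes from RFC 950).
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8
TIMESTAMP_REQ, INFO_REQ, ADDR_MASK_REQ = 13, 15, 17
PORT_UNREACHABLE = 3  # code 3 under type 3

# Codes RFC 792/950 define for each type; anything else is malformed.
VALID_CODES = {
    0: {0}, 3: set(range(6)), 4: {0}, 5: set(range(4)), 8: {0},
    11: {0, 1}, 12: {0}, 13: {0}, 14: {0}, 15: {0}, 16: {0}, 17: {0}, 18: {0},
}
FINGERPRINT_QUERIES = {TIMESTAMP_REQ: "timestamp request",
                       INFO_REQ: "information request",
                       ADDR_MASK_REQ: "address mask request"}


def rfc792_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as RFC 792 specifies (see RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00" * 4, payload=b""):
    """Assemble an ICMP message with a correct checksum; used only to build samples."""
    csum = rfc792_checksum(struct.pack("!BBH", icmp_type, code, 0) + rest + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(packet: bytes):
    """Return (type, code, checksum_ok); a valid message sums to zero over all its words."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    return icmp_type, code, rfc792_checksum(packet) == 0


def classify(records, scan_threshold=10):
    """records: (src_ip, dst_ip, icmp_bytes) tuples as a sensor would see them."""
    unreachables = Counter()       # host receiving Port Unreachable replies -> count
    probes = defaultdict(set)      # source of fingerprint-style queries -> descriptions
    bad_checksums = 0
    for src, dst, pkt in records:
        icmp_type, code, ok = parse_icmp(pkt)
        if not ok:
            bad_checksums += 1
            continue
        if icmp_type == DEST_UNREACH and code == PORT_UNREACHABLE:
            unreachables[dst] += 1   # the UDP prober is the *destination* of the reply
        if icmp_type in FINGERPRINT_QUERIES:
            probes[src].add(FINGERPRINT_QUERIES[icmp_type])
        if icmp_type not in VALID_CODES:
            probes[src].add(f"unknown type {icmp_type}")
        elif code not in VALID_CODES[icmp_type]:
            probes[src].add(f"type {icmp_type} with invalid code {code}")
    return {
        "udp_scanners": {h: n for h, n in unreachables.items() if n >= scan_threshold},
        "fingerprinters": {h: sorted(p) for h, p in probes.items() if len(p) >= 2},
        "bad_checksums": bad_checksums,
    }


def sample_records():
    """Constructed traffic: a UDP sweep of 10.0.0.1-12 from 10.0.0.99, then probes."""
    scanner, victim = "10.0.0.99", "10.0.0.20"
    quoted = b"\x45\x00" + b"\x00" * 26   # placeholder for the quoted IP header + 8 bytes
    recs = [(f"10.0.0.{i}", scanner, build_icmp(DEST_UNREACH, PORT_UNREACHABLE, payload=quoted))
            for i in range(1, 13)]
    for t in (TIMESTAMP_REQ, INFO_REQ, ADDR_MASK_REQ):
        recs.append((scanner, victim, build_icmp(t, 0, struct.pack("!HH", 0x1234, 1),
                                                  b"\x00" * 12 if t == TIMESTAMP_REQ else b"")))
    recs.append((scanner, victim, build_icmp(ECHO_REQUEST, 9)))   # echo with invalid code 9
    recs.append(("10.0.0.7", "10.0.0.8", build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 1, 1), b"abcd")))
    recs.append(("10.0.0.8", "10.0.0.7", build_icmp(ECHO_REPLY, 0, struct.pack("!HH", 1, 1), b"abcd")))
    corrupt = bytearray(build_icmp(ECHO_REQUEST, 0))
    corrupt[-1] ^= 0xFF                    # one flipped byte breaks the checksum
    recs.append(("10.0.0.7", "10.0.0.8", bytes(corrupt)))
    return recs


if __name__ == "__main__":
    for finding, value in classify(sample_records()).items():
        print(finding, value)
```

Two design points carry over to real sensors: the scanner is identified as the destination of the Port Unreachable replies, not their source, because each reply comes from a different swept host; and a single timestamp or address-mask request is not suspicious on its own, so a source is reported only when it sends two or more distinct probe kinds, which is the pattern the LANGuard trace in Figure 1 shows.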
Given the popularity of ICMP amongst the hacking community, I highly
recommend that you get familiar with this useful (but often harmful)
protocol.
Got other ideas for articles/documentation or training? Send email
directly to Laura at lchappell@packet-level.com.
Laura Chappell
Sr. Protocol Analyst
Copyright 2003 Protocol Analysis Institute, L.L.C.
About the Author:
Laura Chappell is the Sr. Protocol Analyst for the Protocol Analysis
Institute. Laura focuses on researching, writing and lecturing on
network analysis and security. In 2003, over 60 of Laura's courses
became available via Internet/CD, and a series of "White Hat Toolbox:
Security Tools, Tricks and Traces" is being released at http://www.packet-level.com.
Laura can be reached at lchappell@packet-level.com.
Read this newsletter at: http://www.securitypronews.com/2003/0918.html