Server Administration

IP Network Scanning
By: O'Reilly Media
    2008-05-22

    Table of Contents:
  • IP Network Scanning
  • ICMP Probing Tools
  • Identifying Subnet Network and Broadcast Addresses
  • Gleaning Internal IP Addresses

    IP Network Scanning - ICMP Probing Tools


    (Page 2 of 4)

    A number of tools can be used to perform ICMP probing, including SING, Nmap, and ICMPScan. These utilities and their benefits are discussed here.

    SING

    Send ICMP Nasty Garbage (SING) is a command-line utility that sends customizable ICMP probes. The main purpose of the tool is to replace the ping command with certain enhancements, including the ability to transmit and receive spoofed packets, send MAC-spoofed packets, and support the transmission of many other message types, including ICMP address mask, timestamp, and information requests, as well as router solicitation and router advertisement messages.

    SING is available from http://sourceforge.net/projects/sing. Examples using SING to launch ICMP echo, timestamp, and address mask requests follow. In these examples, I direct probes at broadcast addresses and individual hosts.

    Using SING to send broadcast ICMP echo request messages:

      $ sing -echo 192.168.0.255

      SINGing to 192.168.0.255 (192.168.0.255): 16 data bytes
      16 bytes from 192.168.0.1: seq=0 ttl=64 TOS=0 time=0.230 ms
      16 bytes from 192.168.0.155: seq=0 ttl=64 TOS=0 time=2.267 ms
      16 bytes from 192.168.0.126: seq=0 ttl=64 TOS=0 time=2.491 ms
      16 bytes from 192.168.0.50: seq=0 ttl=64 TOS=0 time=2.202 ms
      16 bytes from 192.168.0.89: seq=0 ttl=64 TOS=0 time=1.572 ms

    Using SING to send ICMP timestamp request messages:

      $ sing -tstamp 192.168.0.50

      SINGing to 192.168.0.50 (192.168.0.50): 20 data bytes
      20 bytes from 192.168.0.50: seq=0 ttl=128 TOS=0 diff=327372878
      20 bytes from 192.168.0.50: seq=1 ttl=128 TOS=0 diff=1938181226*
      20 bytes from 192.168.0.50: seq=2 ttl=128 TOS=0 diff=1552566402*
      20 bytes from 192.168.0.50: seq=3 ttl=128 TOS=0 diff=1183728794*

    Using SING to send ICMP address mask request messages:

      $ sing -mask 192.168.0.25

      SINGing to 192.168.0.25 (192.168.0.25): 12 data bytes
      12 bytes from 192.168.0.25: seq=0 ttl=236 mask=255.255.255.0
      12 bytes from 192.168.0.25: seq=1 ttl=236 mask=255.255.255.0
      12 bytes from 192.168.0.25: seq=2 ttl=236 mask=255.255.255.0
      12 bytes from 192.168.0.25: seq=3 ttl=236 mask=255.255.255.0

    There are a handful of other ICMP message types that have other security implications, such as ICMP type 5 redirect messages sent by routers, which allow for traffic redirection. These messages aren’t related to network scanning, and so they are not detailed here. For details of traffic redirection using ICMP, including exploit code, please see Yuri Volobuev’s BugTraq post at http://seclists.org/bugtraq/1997/Sep/0057.html.

    Nmap

    Nmap (http://insecure.org/nmap/) can perform ICMP ping sweep scans of target IP blocks easily. Many hardened networks will blanket-filter inbound ICMP messages at border routers or firewalls, so sweeping in this fashion isn’t effective in some cases. Nmap can be run from a Unix-based or Windows command prompt to perform an ICMP ping sweep against 192.168.0.0/24, as shown in Example 4-1.

    Example 4-1. Performing a ping sweep with Nmap

      $ nmap -sP -PI 192.168.0.0/24

      Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2007-04-01 20:39 UTC
      Host 192.168.0.0 seems to be a subnet broadcast address (2 extra pings).
      Host 192.168.0.1 appears to be up.
      Host 192.168.0.25 appears to be up.
      Host 192.168.0.32 appears to be up.
      Host 192.168.0.50 appears to be up.
      Host 192.168.0.65 appears to be up.
      Host 192.168.0.102 appears to be up.
      Host 192.168.0.110 appears to be up.
      Host 192.168.0.155 appears to be up.
      Host 192.168.0.255 seems to be a subnet broadcast address (2 extra pings).
      Nmap finished: 256 IP addresses (8 hosts up) scanned in 17.329 seconds

    Using the -sP ping sweep flag within Nmap doesn't just perform an ICMP echo request to each IP address; it also sends TCP ACK and SYN probe packets to port 80 of each host. In Example 4-1, Nmap is run with the -PI flag to specify that we're sending only ICMP echo requests. Overall, using the standard -sP flag is often more effective because it identifies web servers that may not respond to ICMP probes; however, in some environments it is beneficial to use more specific probe types.

    ICMPScan

    ICMPScan is a bulk scanner that sends type 8, 13, 15, and 17 ICMP messages, derived from Nmap and available from http://www.bindshell.net/tools/icmpscan. The tool is very useful in that it can process inbound responses by placing the network interface into promiscuous mode, thereby identifying internal IP addresses and machines that respond to probes sent to subnet network and broadcast addresses. Example 4-2 shows ICMPScan being run against an internal network block. Because ICMP is a connectionless protocol, it is best practice to resend each probe (using -r 1) and set the timeout to 500 milliseconds (using -t 500). We also set the tool to listen in promiscuous mode for unsolicited responses (using the -c flag).

    Example 4-2. Running ICMPScan

      $ icmpscan
      Usage: icmpscan [ options ] target [...]
        -i <interface> Specify interface.
        -c             Enable promiscuous mode.
        -A <address>   Specify source address of generated packets.
        -t <timeout>   Specify timeout for probe response.
        -r <retries>   Retries per probe.
        -f <filename>  Read targets from the specified file.
        -E, -P         ICMP Echo Probe
        -T, -S         Timestamp
        -N, -M         Netmask
        -I             Info
        -R             Router solicitation
        -h             Display usage information
        -v             Increase verbosity
        -B             Enable debugging output.
        -n             Numeric output (do not resolve hostnames)

      $ icmpscan -c -t 500 -r 1 192.168.1.0/24
      192.168.1.0: Echo (From 192.168.1.17!)
      192.168.1.0: Address Mask [255.255.255.0] (From 192.168.1.17!)
      192.168.1.7: Echo
      192.168.1.7: Timestamp [0x03ab2db0, 0x02d4c507, 0x02d4c507]
      192.168.1.7: Address Mask [255.255.255.0]
      192.168.1.8: Echo
      192.168.1.8: Address Mask [255.255.255.0]
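    To make concrete what the SING timestamp "diff" values and the three ICMPScan timestamp words above actually carry, and to show how a sensor can flag the request types these tools send (13, 15 and 17), here is an added Python example that is not part of the book, SING or ICMPScan. It parses raw ICMP messages (IP header already stripped), verifies the RFC 1071 checksum, decodes timestamp and address-mask replies, and reports the target's clock offset; the sample packets are constructed from the ICMPScan values printed for 192.168.1.7, and the identifier 0x1234 is arbitrary.

```python
import struct
from datetime import timedelta

# ICMP message types used by the probes on this page (RFC 792 / RFC 950 numbering).
ICMP_TYPES = {0: "Echo Reply", 8: "Echo Request", 13: "Timestamp Request",
              14: "Timestamp Reply", 15: "Information Request", 16: "Information Reply",
              17: "Address Mask Request", 18: "Address Mask Reply"}
# Request types with no operational use on a modern LAN: inbound, they are a recon indicator.
RECON_TYPES = {13, 15, 17}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ms_since_midnight(value: int) -> str:
    """Render an ICMP timestamp (milliseconds since midnight UTC) as HH:MM:SS.mmm."""
    td = timedelta(milliseconds=value & 0x7FFFFFFF)  # high bit flags a non-UTC clock
    h, rem = divmod(td.seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{td.microseconds // 1000:03d}"

def build_icmp(mtype: int, ident: int, seq: int, body: bytes = b"") -> bytes:
    """Assemble an ICMP message (code 0) with a correct checksum; used for the samples."""
    hdr = struct.pack("!BBHHH", mtype, 0, 0, ident, seq)
    return struct.pack("!BBHHH", mtype, 0, icmp_checksum(hdr + body), ident, seq) + body

def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMP message (IP header already stripped); reject bad checksums."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:  # a valid message sums to zero
        raise ValueError("truncated ICMP message or bad checksum")
    mtype, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    out = {"type": mtype, "name": ICMP_TYPES.get(mtype, "Other"),
           "id": ident, "seq": seq, "recon": mtype in RECON_TYPES}
    if mtype in (13, 14) and len(msg) >= 20:
        orig, recv, xmit = struct.unpack("!III", msg[8:20])
        # receive - originate is the target clock's offset from the prober's clock
        out.update(originate=ms_since_midnight(orig), receive=ms_since_midnight(recv),
                   transmit=ms_since_midnight(xmit), offset_ms=recv - orig)
    elif mtype in (17, 18) and len(msg) >= 12:
        out["mask"] = ".".join(str(b) for b in msg[8:12])
    return out

# Constructed samples: the Timestamp Reply words ICMPScan printed for 192.168.1.7, and a mask reply.
SAMPLE_TSTAMP_REPLY = build_icmp(14, 0x1234, 0, struct.pack("!III", 0x03ab2db0, 0x02d4c507, 0x02d4c507))
SAMPLE_MASK_REPLY = build_icmp(18, 0x1234, 0, bytes([255, 255, 255, 0]))
```

    Decoding the sample shows the scanner stamped 17:05:50 UTC while the target answered with 13:11:38 UTC, an offset of roughly four hours, which is the kind of clock disclosure a timestamp reply leaks.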
