A number of tools can be used to perform ICMP probing, including SING, Nmap, and ICMPScan. These utilities and their benefits are discussed here.
SING
Send ICMP Nasty Garbage (SING) is a command-line utility that sends customizable ICMP probes. The main purpose of the tool is to replace the ping command with certain enhancements, including the ability to transmit and receive spoofed packets, send MAC-spoofed packets, and support the transmission of many other message types, including ICMP address mask, timestamp, and information requests, as well as router solicitation and router advertisement messages.
SING is available from http://sourceforge.net/projects/sing. Examples using SING to launch ICMP echo, timestamp, and address mask requests follow. In these examples, I direct probes at broadcast addresses and individual hosts.
Using SING to send broadcast ICMP echo request messages:
$ sing -echo 192.168.0.255
SINGing to 192.168.0.255 (192.168.0.255): 16 data bytes
16 bytes from 192.168.0.1: seq=0 ttl=64 TOS=0 time=0.230 ms
16 bytes from 192.168.0.155: seq=0 ttl=64 TOS=0 time=2.267 ms
16 bytes from 192.168.0.126: seq=0 ttl=64 TOS=0 time=2.491 ms
16 bytes from 192.168.0.50: seq=0 ttl=64 TOS=0 time=2.202 ms
16 bytes from 192.168.0.89: seq=0 ttl=64 TOS=0 time=1.572 ms
Using SING to send ICMP timestamp request messages:
$ sing -tstamp 192.168.0.50
SINGing to 192.168.0.50 (192.168.0.50): 20 data bytes
20 bytes from 192.168.0.50: seq=0 ttl=128 TOS=0 diff=327372878
20 bytes from 192.168.0.50: seq=1 ttl=128 TOS=0 diff=1938181226*
20 bytes from 192.168.0.50: seq=2 ttl=128 TOS=0 diff=1552566402*
20 bytes from 192.168.0.50: seq=3 ttl=128 TOS=0 diff=1183728794*
Using SING to send ICMP address mask request messages:
$ sing -mask 192.168.0.25
SINGing to 192.168.0.25 (192.168.0.25): 12 data bytes
12 bytes from 192.168.0.25: seq=0 ttl=236 mask=255.255.255.0
12 bytes from 192.168.0.25: seq=1 ttl=236 mask=255.255.255.0
12 bytes from 192.168.0.25: seq=2 ttl=236 mask=255.255.255.0
12 bytes from 192.168.0.25: seq=3 ttl=236 mask=255.255.255.0
There are a handful of other ICMP message types that have other security implications, such as ICMP type 5 redirect messages sent by routers, which allow for traffic redirection. These messages aren’t related to network scanning, and so they are not detailed here. For details of traffic redirection using ICMP, including exploit code, please see Yuri Volobuev’s BugTraq post at http://seclists.org/bugtraq/1997/Sep/0057.html.
Nmap
Nmap (http://insecure.org/nmap/) can perform ICMP ping sweep scans of target IP blocks easily. Many hardened networks will blanket-filter inbound ICMP messages at border routers or firewalls, so sweeping in this fashion isn’t effective in some cases. Nmap can be run from a Unix-based or Windows command prompt to perform an ICMP ping sweep against 192.168.0.0/24, as shown in Example 4-1.
Example 4-1. Performing a ping sweep with Nmap
$ nmap -sP -PI 192.168.0.0/24
Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2007-04-01 20:39 UTC
Host 192.168.0.0 seems to be a subnet broadcast address (2 extra pings).
Host 192.168.0.1 appears to be up.
Host 192.168.0.25 appears to be up.
Host 192.168.0.32 appears to be up.
Host 192.168.0.50 appears to be up.
Host 192.168.0.65 appears to be up.
Host 192.168.0.102 appears to be up.
Host 192.168.0.110 appears to be up.
Host 192.168.0.155 appears to be up.
Host 192.168.0.255 seems to be a subnet broadcast address (2 extra pings).
Nmap finished: 256 IP addresses (8 hosts up) scanned in 17.329 seconds
Using the -sP ping sweep flag within Nmap doesn't just perform an ICMP echo request to each IP address; it also sends TCP ACK and SYN probe packets to port 80 of each host. In Example 4-1, Nmap is run with the -PI flag to specify that we're sending only ICMP echo requests. Overall, using the standard -sP flag is often more effective because it identifies web servers that may not respond to ICMP probes; however, in some environments it is beneficial to use more specific probe types.
ICMPScan
ICMPScan is a bulk scanner that sends type 8, 13, 15, and 17 ICMP messages, derived from Nmap and available from http://www.bindshell.net/tools/icmpscan. The tool is very useful in that it can process inbound responses by placing the network interface into promiscuous mode, thereby identifying internal IP addresses and machines that respond to probes sent to subnet network and broadcast addresses. Example 4-2 shows ICMPScan being run against an internal network block. Because ICMP is a connectionless protocol, it is best practice to resend each probe (using -r 1) and set the timeout to 500 milliseconds (using -t 500). We also set the tool to listen in promiscuous mode for unsolicited responses (using the -c flag).
Example 4-2. Running ICMPScan
$ icmpscan
Usage: icmpscan [ options ] target [...]
  -i <interface>  Specify interface.
  -c              Enable promiscuous mode.
  -A <address>    Specify source address of generated packets.
  -t <timeout>    Specify timeout for probe response.
  -r <retries>    Retries per probe.
  -f <filename>   Read targets from the specified file.
  -E, -P          ICMP Echo Probe
  -T, -S          Timestamp
  -N, -M          Netmask
  -I              Info
  -R              Router solicitation
  -h              Display usage information
  -v              Increase verbosity
  -B              Enable debugging output.
  -n              Numeric output (do not resolve hostnames)
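To make the message types these tools exchange concrete, here is an added Python decoder for the ICMP replies shown in the SING examples (timestamp and address mask) and the probe types ICMPScan sends; it is not code from the book or from SING, Nmap, or ICMPScan. The sample messages are constructed inline, and the `diff` field is computed here as receive minus originate, which is an assumption about what SING reports rather than something the text specifies.

```python
import struct

# ICMP types the tools above send (requests) and the replies they expect (RFC 792).
ICMP_NAMES = {0: "echo reply", 5: "redirect", 8: "echo request", 9: "router advertisement",
              10: "router solicitation", 13: "timestamp request", 14: "timestamp reply",
              15: "information request", 16: "information reply",
              17: "address mask request", 18: "address mask reply"}
PROBE_TYPES = {8, 13, 15, 17}  # the request types ICMPScan emits; useful as a detection filter

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(mtype: int, code: int = 0, ident: int = 0, seq: int = 0, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum (used here only to construct sample input)."""
    hdr = struct.pack("!BBHHH", mtype, code, 0, ident, seq)
    return struct.pack("!BBHHH", mtype, code, icmp_checksum(hdr + payload), ident, seq) + payload

def parse_icmp(pkt: bytes) -> dict:
    """Decode an ICMP message; reject short or corrupted input. Timestamps are ms since midnight UTC."""
    if len(pkt) < 8:
        raise ValueError("short ICMP message")
    if icmp_checksum(pkt) != 0:  # a correct packet sums to all-ones, so its complement is zero
        raise ValueError("bad ICMP checksum")
    mtype, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    msg = {"type": mtype, "name": ICMP_NAMES.get(mtype, "other"), "code": code, "id": ident, "seq": seq}
    if mtype in (13, 14) and len(pkt) >= 20:
        orig, recv, xmit = struct.unpack("!III", pkt[8:20])
        msg.update(originate=orig, receive=recv, transmit=xmit, diff=(recv - orig) & 0xFFFFFFFF)
    elif mtype in (17, 18) and len(pkt) >= 12:
        msg["mask"] = ".".join(str(b) for b in pkt[8:12])
    return msg

def is_scan_probe(msg: dict) -> bool:
    """True for the request types a bulk ICMP scanner sends (a simple detection filter)."""
    return msg["type"] in PROBE_TYPES

def fmt_timestamp(ms: int) -> str:
    """Render an RFC 792 timestamp (ms since midnight UTC) as HH:MM:SS.mmm."""
    s, ms = divmod(ms, 1000)
    h, s = divmod(s, 3600)
    m, s = divmod(s, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{ms:03d}"

# Constructed samples: a timestamp reply 150 ms after a noon originate, a mask reply, an echo request.
SAMPLE_TSTAMP_REPLY = build_icmp(14, ident=1, payload=struct.pack("!III", 43200000, 43200150, 43200150))
SAMPLE_MASK_REPLY = build_icmp(18, ident=1, payload=bytes([255, 255, 255, 0]))
SAMPLE_ECHO_REQ = build_icmp(8, ident=0x1234, seq=7, payload=b"SING")
```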