
Sunday, November 15, 2009

ICMP Scanning

This is mainly used for information gathering. When an ICMP request is sent, the response is generated on the basis of the OS, so by analyzing this response we can learn the OS of the target. For recording the data we can use recording or sniffing tools.

Main Uses :
Host detection
OS info gathering
Network topography detection
Firewall detection

Format of ICMP Message :

Type value   Code value   Error message
    3            3        Port unreachable
    3            2        Protocol unreachable

Other ICMP Messages for OS Detection :

ICMP Message Quoting : The amount of data from the original datagram that is quoted in the generated error message differs between OS's, so it can be used to identify the target OS.

ICMP Error Message Quenching : This compares the error replies the target sends back (some systems limit their rate). Refer to the RFC for more details.

ICMP Error Message Echoing Integrity : Differences in the alterations made to the IP header that is echoed back in the error message.

General Countermeasures :
Individual monitoring and filtering of ICMP error messages from untrusted networks.
Change the default settings of the responses generated by each system to avoid OS detection.
Mislead the attacker by setting the responses of another OS.

Types of ICMP Scanning :

Host Detection :
 This is our simple ping tool. It can be used to find out whether a host is live or not. The attacker uses the ICMP echo request and the echo reply for the detection.
Uses:
Host detection
DOS attacks
Firewall detection
Countermeasures :
This attack can be filtered at the router level by using a simple access control list (Cisco syntax; ICMP type 8 is the echo request):
access-list 101 deny icmp any any 8
To filter all ping requests except those from the ISP, the permit entry must come before the deny, because the ACL is evaluated top-down and stops at the first match (ISP_NETWORK is a placeholder for the ISP's network address; 0.0.0.255 is its wildcard mask):
access-list 101 permit icmp ISP_NETWORK 0.0.0.255 any 8
access-list 101 deny icmp any any 8

Time Stamping:
This allows one system to find out the system time of another system, but nowadays it is also used for OS detection.
The OS detection is done on the basis of the response received from the remote host. Different OS's have different responses.

Countermeasure :
To prevent time stamping we can create an ACL (ICMP type 13 is the timestamp request):
access-list 101 deny icmp any any 13

To filter all time stamping requests except those from the ISP, the permit entry must again come before the deny (ISP_NETWORK is a placeholder for the ISP's network address; 0.0.0.255 is its wildcard mask):
access-list 101 permit icmp ISP_NETWORK 0.0.0.255 any 13
access-list 101 deny icmp any any 13


Address Mask message technique:
This method was originally devised to find the address mask of the remote host, but now we can use it for OS detection.
This method uses the address mask request and address mask reply for detection.
Its working is similar to the time stamping technique: the reply is analyzed to detect the OS.

Countermeasures :
ACL.
Firewalls.
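As an added example (not code from the original post), a small defender-side Python classifier that parses raw ICMP messages, verifies the checksum and applies the same policy as the ACLs above: echo (8), timestamp (13) and address mask (17) requests are flagged unless they come from the trusted (ISP) side, and type 3 errors are logged with how many bytes of the original datagram they quote. Type 17 as the address mask request is taken from RFC 950, and the sample packets are constructed here, not captured.

```python
import struct

# ICMP types/codes discussed above (RFC 792); 17 = address mask request (RFC 950).
ECHO_REQUEST = 8
TIMESTAMP_REQUEST = 13
ADDRESS_MASK_REQUEST = 17
DEST_UNREACHABLE = 3
UNREACH_CODES = {2: "protocol unreachable", 3: "port unreachable"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    Over a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed ICMP message: type, code, checksum, 4 zero bytes of
    rest-of-header (identifier/sequence), then the payload."""
    body = struct.pack("!BBH", icmp_type, code, 0) + b"\x00" * 4 + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + body[4:]


def classify_icmp(message: bytes, source_trusted: bool = False) -> str:
    """Verdict for one ICMP message at the perimeter, mirroring the ACLs above.
    Type 3 errors are logged with the number of quoted bytes of the original
    datagram, which is the quantity that ICMP message quoting fingerprints."""
    if len(message) < 8:
        return "drop: truncated ICMP header"
    if icmp_checksum(message) != 0:
        return "drop: bad checksum"
    icmp_type, code = message[0], message[1]
    if icmp_type in (ECHO_REQUEST, TIMESTAMP_REQUEST, ADDRESS_MASK_REQUEST):
        if source_trusted:
            return "allow: type %d request from trusted network" % icmp_type
        return "alert: type %d request from untrusted network" % icmp_type
    if icmp_type == DEST_UNREACHABLE:
        reason = UNREACH_CODES.get(code, "code %d" % code)
        return "log: %s, quotes %d bytes of original datagram" % (reason, len(message) - 8)
    return "allow: type %d" % icmp_type


if __name__ == "__main__":
    quoted = b"\x45" + b"\x00" * 27  # constructed: 20-byte IP header + 8 bytes of UDP header
    print(classify_icmp(build_icmp(8, 0), source_trusted=True))
    print(classify_icmp(build_icmp(13, 0, b"\x00" * 12)))  # three zero timestamps
    print(classify_icmp(build_icmp(3, 3, quoted)))
```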
