Active detection methods need to send malformed packets to the host and analyze the responses. But these are easily detected, and filtering them with ACLs and firewalls is also easy.
Thus, in this new method, regular packets are sent to the host to generate the responses. The request may be like a request for a web page or a file.
This fools the firewall and ACL rules. The packet causes some ICMP error message. This is not detectable. It passes through the firewall easily because it is similar to normal traffic.
The outgoing ICMP message is allowed, and it is studied to detect the OS.
The main thing: no system admin can disable the outgoing ICMP error messages. However, he can block certain selected messages. This is studied to pinpoint the OS.
Wednesday, November 18, 2009
Sunday, November 15, 2009
ICMP Scanning
This is mainly used for information gathering. When an ICMP request is sent, the response is generated on the basis of the OS. So by analyzing this response we can know the OS of the target. For recording the data we can use recording or sniffing tools.
Main Uses :
Host detection
OS info gathering
Network topology detection
Firewall detection
Format of ICMP Message :
Type value | Code value | Error message
3          | 3          | Port unreachable
3          | 2          | Protocol unreachable
Other ICMP Messages for OS Detection :
ICMP Message Quoting : The amount of data quoted in the generated error messages differs between OSes, so we can use it to identify the target OS.
ICMP Error Message Quenching : This compares the reply sent. Refer to the RFC for more details.
ICMP Error Message Echoing Integrity : Differences in the alterations made to the IP header.
General Countermeasures :
Individual monitoring and filtering of ICMP error messages from untrusted networks.
Change the default settings of the responses generated by each system to avoid OS detection.
Mislead the attacker by setting the responses of another OS.
Types of ICMP Scanning :
Host Detection :
This is our simple ping tool. It can be used to find out whether a host is live or not. The attacker uses the ICMP echo request and the echo reply for the detection.
Uses:
Host detection
DoS attacks
Firewall detection
Countermeasures :
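This attack can be filtered at the router level by using a simple access control list:
access-list 101 deny icmp any any 8
To filter all ping requests except those from the ISP, we can use:
! The first matching entry wins, so the permit must come before the deny.
! <ISP-NETWORK> is a placeholder for the ISP's network address.
access-list 101 permit icmp <ISP-NETWORK> 0.0.0.255 any 8
access-list 101 deny icmp any any 8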
Time Stamping:
This allows one system to find out the system time of another system. But nowadays it is used for OS detection.
The OS detection is done on the basis of the response received from the remote host. Different OSes have different responses.
Countermeasure :
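To prevent time stamping we can create an ACL:
access-list 101 deny icmp any any 13
To filter all timestamp requests except those from the ISP, we can use:
! The first matching entry wins, so the permit must come before the deny.
! <ISP-NETWORK> is a placeholder for the ISP's network address.
access-list 101 permit icmp <ISP-NETWORK> 0.0.0.255 any 13
access-list 101 deny icmp any any 13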
Address Mask message technique:
This method was originally devised to detect the address mask of the remote host. But now we can use it for OS detection.
This method uses the address mask request and the address mask reply for detection.
It works like the time stamping technique. The reply is analyzed to detect the OS.
Countermeasures :
ACL.
Firewalls.
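
One way to implement the monitoring countermeasure, as an added example that is not from the original post: it classifies raw ICMP messages into the request types discussed above (echo 8, timestamp 13, address mask 17) and, for the two listed unreachable errors, reports how many payload bytes are quoted back, so you can audit what your own hosts disclose. The function names are assumptions, and all packets are constructed sample data using documentation addresses.

```python
import struct

# Request types the post describes as probes, and the two error codes it lists.
PROBES = {8: "echo request", 13: "timestamp request", 17: "address mask request"}
ERRORS = {(3, 3): "port unreachable", (3, 2): "protocol unreachable"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid."""
    data += b"\x00" * (len(data) % 2)  # pad odd-length input to whole 16-bit words
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(icmp: bytes) -> dict:
    """Classify one ICMP message (the bytes that follow the outer IP header)."""
    if len(icmp) < 8:
        return {"kind": "malformed", "reason": "shorter than the ICMP header"}
    if checksum(icmp) != 0:
        return {"kind": "malformed", "reason": "bad checksum"}
    mtype, code = icmp[0], icmp[1]
    if mtype in PROBES:
        return {"kind": "probe", "name": PROBES[mtype]}
    if (mtype, code) in ERRORS:
        quoted = icmp[8:]  # offending datagram: IP header + leading payload bytes
        if len(quoted) < 20 or quoted[0] >> 4 != 4:
            return {"kind": "malformed", "reason": "no quoted IPv4 header"}
        ihl = (quoted[0] & 0x0F) * 4
        # RFC 792 specifies the IP header plus 64 bits (8 bytes) of the datagram.
        return {"kind": "error", "name": ERRORS[(mtype, code)],
                "quoted_payload_bytes": max(len(quoted) - ihl, 0)}
    return {"kind": "other", "type": mtype, "code": code}

def build(mtype: int, code: int, body: bytes = b"") -> bytes:
    """Constructed sample message with a valid checksum (test data only)."""
    raw = struct.pack("!BBHI", mtype, code, 0, 0) + body
    return raw[:2] + struct.pack("!H", checksum(raw)) + raw[4:]

# Constructed quoted datagram: IPv4 header (documentation addresses) + UDP bytes.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 1, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
SAMPLES = {
    "timestamp": build(13, 0, b"\x00" * 12), "mask": build(17, 0, b"\x00" * 4),
    "unreach_min": build(3, 3, IP_HDR + b"\x00" * 8),
    "unreach_full": build(3, 3, IP_HDR + b"\x00" * 36),
}

if __name__ == "__main__":
    print({name: classify(pkt) for name, pkt in SAMPLES.items()})
```

Feeding it the ICMP payloads captured at the network edge gives a per-host view of which request types arrive from untrusted networks and how much data each host's error messages quote.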
