Home page logo

bugtraq logo Bugtraq mailing list archives

ICMP Usage In Scanning v2.0 - Research Paper
From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Fri, 1 Sep 2000 20:56:48 +0200

I have finished the second version of my research paper "ICMP usage in
scanning". The first version was published in July 1st, 2000.

Introduction to Version 2.0
Quite a large number of new OS fingerprinting methods using ICMP, which
I have discovered are introduced with this revision. Among those methods,
some can be used in order to identify Microsoft Windows 2000 machines;
One would allow us to distinguish between Microsoft Windows operating
system machines and the rest of the world; Another would allow us
to distinguish between SUN Solaris machines and the rest of the world.
More methods are introduced in the paper.

I have also tried to be accurate as possible with data presented in this
paper. Few tables have been added to the paper mapping the behavior of
the various operating systems I have used. These tables describe the
results I got from the various machines after querying them with the
various tests introduced with this paper.

I have also corrected and tuned the information, trying to pinpoint exactly
which OS will do what.

I hope the second version would be beneficial in understanding the hazards
the ICMP protocol introduce if you do not filter it correctly.

For corrections/ additions/ suggestions for this research paper, please
send email to ofir () itcon-ltd com  Further Information and updates would
be posted to http://www.sys-security.com.

From the Introduction to Version 1.0:

"The Internet Control Message Protocol is one of the debate full
protocols in the TCP/IP protocol suite regarding its security hazards.
There is no consent between the experts in charge for securing Internet
networks (Firewall Administrators, Network Administrators, System
Administrators, Security Officers, etc.) regarding the actions that
should be taken to secure their network infrastructure in order to
prevent those risks.

In this paper I have tried to outline what can be done with the ICMP
protocol regarding scanning."

The paper deals with plain Host Detection techniques, Advanced Host
Detection techniques, Inverse Mapping, Trace routing, OS finger
printing methods with ICMP, and which ICMP traffic should be
filtered on a Filtering Device.

The paper can be downloaded from http://www.sys-security.com.
http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf. ~600kb.
http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.ps.  ~2.55mb.


Ofir Arkin  [ofir () itcon-ltd com]
Senior Security Analyst
ITcon, Israel.

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."

  By Date           By Thread  

Current thread:
  • ICMP Usage In Scanning v2.0 - Research Paper Ofir Arkin (Sep 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]