4.0 Application of Advanced Host Probation in ICMP Protocol
http://91mail.51.net
We will focus on the type of several ICMP error messages that triggered, which is returned from a target IP address (host).
We will cause an object to generate an ICMP error message by damaging the value of a field in the query.
In order to produce several different ICMP error messages we have a few fields for selection. By querying all the unacceptable conditions in the host on the target IP address, the following OS kernels have prompted an ICMP error message. There is only one exception, all of the wrong conditions will always trigger an ICMP error message. Detect whether a filtering device is enforcing its filtering criteria to transfer from network transport to our target IP address, which will lead us to use advanced host detection methods. The target host can force filter (for example, the host based on the firewall), or it can be done over the network device or through another security device.
We can also utilize advanced host probing methods to detect ACLs forced by a filtering device on the network.
4.1 Control ICMP Parameter Problem Error Packet
An ICMP parameter problem error message is sent when a router or host handles datagram and finds a problem with the IP header parameter, which is not explicitly hidden by another ICMP error message, when it is judged When the datagram is discarded, the ICMP parameter problem error message is sent. In order to take advantage of this method, we need to analyze the IP header and determine the value of the field, this value may lead an ICMP parameter problem error message from the target IP address (Host) returned in the query returned.
We need to remember the field directory that may be damaged, you need to select only fields, which don't have any other ICMP error packets associated with it.
This will force the target IP address to send an ICMP parameter problem error message and display its IP address. We can receive two types of ICMP parameter problem error packets:
Encoding 0 - This indicator will indicate an exact byte in the source IP header that causes problems, or encoding 2 - is the value of the head length or the total packet length of the IP datagram, it does not seem to be too accurate. send.
RFC1812 requires a router to be valid for the following fields when processing a packet. 29: Checking and - a router must verify that any received IP inspection and must discard the message including invalidation and.
According to RFC 1122, a host should verify the validity of the following fields when processing the packet 30.
30: Translation number - If not 4, a host must discard the IP packet.
Check and - a host should verify any of the received datagrams and each discarded datagram.
Sending such an IP datagram is possible. This datagnet has a damaged IP header field value and is not discarded during the detector. It is still sent.
Different routers perform different checks about the IP header value (different executions and explanations of RFC1812) should be recorded.
When a router stops the IP packet due to the bad IP header field value, and when a ICMP parameter problem error message is sent, it identifies the router product and the IP header value of the calibration error according to a field is not possible. Verified by special router products.
A router may be larger than a host's IP header field value. This may cause the router to be a conveyance means for IP datagram, and the host is a destination and more data reported.
This constraint allows us to use a large number of fields; some of them are critical to our packets to reach its destination, which is no longer listed.
The conditions are slightly detailed to the usage of the number of fields. In fact it is about the head length, the total datagram length, and the IP option field value.
Since we locate a field value in a part of the IP head of the packet, we can transfer any protocols about triggering the IP datagram. This method is very advantageous with random access from the network because a host should generate such an error message to cope with a schematic situation. This, if they are objects of the detector, the router must also generate an ICMP parameter problem error message. Downside for this method is a detection. The intrusion detection system should be alert to abnormalities in invasion of network transportation. The information package that carries an error IP header value or an ICMP parameter problem that leaves the network is usually not seen. We can use this type of host detection method to brush a mechanism of the entire network and return the results. This result will map all hosts (and network devices) that randomly accessed from the network. Is a filter device current?
If the target host is being protected, we can easily detect its existence. We are using the query, ask our object to get an ICMP parameter problem error message and return, if we receive the returned reply, it will indicate that something we suspicious is approaching. Or IP addresses cannot be used or filtering the device is filtered. Even if the filter is protecting the target network, we can still try to send these pseudo packets, which we will use more logic. We will use a priority protocol and port, and the configuration of the filtering device ACL is likely to be allowed. We can use, for example, TCP WITH PORTS 21, 25, 80; UDP Port 53. This will work, because for most firewalls in today's market, if some fields have the correct value, it is invalid. The total IP data report length field value is a good example. If the firewall can match it based on the rules of the query parameter, and its rule base allows the query, an error message will be extended to 31 compared to the query. An example is given here, using ISIC's effective writing, sending generated packets to the target computer with Miike Frantzen32.isc. Its main purpose is to focus on the IP stack, find the vulnerabilities on the firewall, inspect the execution of the detection system and firewall. Users can specify how long the packet has become a fragment, hold IP options, TCP options, emergency indicators, and more.
The next example has been from a LinuxBased Machine to A Microsoft Windows
20 packets were sent on NT WRKS 4 SP4 BASED MACHINE (THE -P Option with ISIC). The datagram has not become a fragment, and the wrong IP version number is not sent. The only mysterious thing sent to the IP head is a random IP header length value, which has extended ICMP parameter code 2 error packets, and then 1 has been prepared.
31: I personally think that the firewall / filtering device should test the validity of those used to get the ICMP parameter problem error packets and do not accept this transport.
[root @ stan packetshaping] # ./isic -s 192.168.5.5 -d 192.168.5.15 -p 20 -f 0 -v 0 -i 100 Compiled Against Libnet 1.0 Installing Signal Handlers. SEEDING WITH 2015 No Maximum Traffic Limiter Bad IP Version = 0% odd ip header length = 100% frame'd PCNT = 0%
Wrote 20 packets in 0.03s @ 637.94 pkts / s
The tcpdump trace:
12: 11: 05.843480 Eth0> Kenny.s-security.com> cartman.sys- security.com: IP-proto-110 226 [TOS 0xE6, ECT] (TTL 110, ID 119, Optlen = 24 [| ip]) 12: 11: 05.843961 Eth0 p cartman.sys-security.com> kenny.sys- security.com: ICMP: Parameter Problem - OcTet 21 Offering Pkt: Kenny.sys-security.com> Cartman.sys-security.com: IP -Proto-110 226 [TOS 0xE6, ECT] (TTL 110, ID 119, Optlen = 24 [| |]) (TTL 128, ID 37776)
An incorrect usage of the IP option field value is to almost always trigger an ICMP parameter problem error message.
4.1.1 ACL detection
We can use this host probe to detect a forced ACL configuration to become a filter device on the protection network.
In this type of query, any protocol can go deep into the offending packet. For the combination of protocols available on the target network of the entire IP range (UDP and TCP ports, the type and code of ICMP), we can take advantage of it. We need to accurately damage this OFFENDING packet. If we send a wrong IP header length value, we will stop the query when they check it when they check it when they check it. They will not match the rules based on query. This is because some of the parameters found by the firewall cannot be matched, or their location beyond the boundaries of the IP header. We can use UDP and TCP to specify destination ports and source ports, or use, for example, ICMP types and code fields. (If a relatively long error value is given).
Therefore, IP header is no problem, you can leave two IP header values:
Total length
IP option
Some firewalls on the market will stop any packets with IP options. The reason is that some firewalls cannot be sensitive to the IP options.
We only left the total length field value. In this field, the damage value should be sent, will raise the host to send an ICMP parameter problem error message. It requires a firewall to access information, which requires a matching packet and its rule basis. This means that a corrupted total length field value can only be run on the data part of the priority protocol used. If we ask the information package than it is actually small, what does not happen to all events. For example, we get an ICMP Echo requires query, without any data to carry it, it is still seen as reasonable transportation (this is some tools for efficiency, just like nmap and hping2). We can only send a whole IP datagram, which requires our information package than actual. The host will try to capture data from the range that it is not there, and will issue an ICMP parameter problem code 2 error packet to return to the IP address being queried. It will find the host through the firewall (if the ACL is allowed), and generates an error message to return to the IP address being queried. If we explore the target network for the entire IP range, use all possible joint protocols and services (port / types and code), which will draw the map of the target network layout, and allow us to determine that the ACL filtering device is known in the target network. of.
4.1.1.1 ACL Detection - An example of using ICMP as a priority agreement
When the in-depth protocol inside the offending packet is ICMP, we will ask the target network with all possible federated IP addresses and ICMP questions. If we receive a reply from an IP address within the target network IP range, it will indicate that a host can get from the Internet, with a type of ICMP query message, the message is deep into the OFFENDING packet inside . It indicates that this ICMP question message is allowed to reach an IP address via the ACL rule, and the ICMP parameter problem error message from query IP address to the Internet is allowed to be sent. We may have several reasons and cannot receive an error message returned from the target IP address: The filter device confirms that the "Total Length" field value does not match the actual number of bytes of the received packet; the filter is being filtered. ICMP packet type; filter device blocking ICMP parameter problem error packet from the protection network to the target Internet. 4.1.1.2 ACL Detection - An example of using TCP / UDP as a priority agreement
When the in-depth protocol in Offering is UDP or TCP, we will use all possible IP addresses and TCP / UDP port to query the target network. If we receive a reply from an IP address from the target network IP range, it will indicate that we have a host on the Internet, the port used with TCP / UDP protocol (this port is used as a detection) ), Go deep into the OFFENDING packet (we have to return in ICMP error packet), which will point out that the port used by the TCP / UDP protocol is allowed to pass the ACL rule and from the query IP address to ICMP parameter problem error message is allowed to be sent. We may have several reasons and cannot receive an error message returned from the target IP address. The filter device confirms that the "Total Length" field value does not match the actual number of bytes of the received packet; the filter is filtered by the type of ICMP packets we use; filtering device blocks ICMP parameter problem error packet from the protection network to the target Transfer of the Internet.
In this case, the filtering device may be blocking a special host, the host being probing the outgoing ICMP parameter issues.
Computational Measurement: Blocking ICMP parameter problem error packets, which comes from the target host of the Internet firewall and the router boundary. Check your filter equipment, and its field is in processing the datagram, whether the IP header is really valid.
4.2 IP portable field values
The following host detection method is based on some of the damaged IP header value, and the incoming value will raise the ICMP destination file to return from the detected IP address.
A type of error message. This is simple because the values we have to use cannot be used on the target host.
What field can you use this method?
The port is non-active. At this time, the destination host passes a message that cannot reach the destination.
4.2.1.1 Example 33 of the protocol field
4.2.1.1 Use the value of the unused protocol
If we use a value, this value cannot draw the valid protocol fields used on the target machine, and the target machine will find an ICMP destination file, which cannot reach the protocol error message will return to us.
33 Record some hosts, which may not send an error message that ICMP protocols are not reached.
This is a target network within the IP address by sending a process of sending a process.