ICMP vulnerability analysis

zhaozj2021-02-17  53

ICMP messages are carried inside IP datagrams. The IP header fields that matter here are:

Version: 4.
IHL: Internet Header Length, in 32-bit words.
Type of Service: 0.
Total Length: length of the Internet header plus data, in bytes.
Identification, Flags, Fragment Offset: used for fragmentation and reassembly.
Time to Live: TTL.
Protocol: this is the important one, it marks the datagram as carrying ICMP. ICMP = 1.
Source Address: the address of the host or router that sent this datagram (for an ICMP error message this can be any router along the path).
Destination Address: the address of the host that is to receive the ICMP message.

____________________________________________________________

Destination Unreachable Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             unused                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Internet Header + 64 bits of Original Data Datagram      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IP fields: Destination Address is the source address of the datagram that caused the error.

ICMP fields:
Type: 3.
Code: 0 = net unreachable; 1 = host unreachable; 2 = protocol unreachable; 3 = port unreachable; 4 = fragmentation needed and DF set; 5 = source route failed.
Checksum: the 16-bit one's complement of the one's complement sum of the ICMP message starting with the Type field; the Checksum field itself is zero while it is computed.
Internet Header + 64 bits of Data Datagram: the IP header plus the first 64 bits of the original datagram's data. If the original datagram carried a higher-level protocol, these 64 bits are the first 64 bits of that protocol's header (for TCP and UDP, the port numbers), which the receiving host uses to match the message to the right process.

Description: If, according to the information in the gateway's routing table, the network given in the datagram's destination is unreachable (for example its distance is infinite), the gateway may send a destination unreachable message to the datagram's source. In some networks the gateway can also tell that the destination host itself is unreachable, and reports host unreachable. If, in the destination host, the IP module cannot deliver the datagram because the indicated protocol module or process port is not active, the destination host may send a destination unreachable message to the source. Another case is a datagram that must be fragmented to be forwarded by a gateway but has the Don't Fragment flag set; the gateway discards it and may send a destination unreachable message. Codes 0, 1, 4 and 5 may come from a gateway; codes 2 and 3 come from a host.

(CCEYE review: because codes 0, 1, 4 and 5 may come from any router, you can send these ICMP messages yourself, posing as a router. The hard part is that the message has to carry the IP header and the first 64 bits of data of the original datagram. But you can guess. Say Host A ------- Host B, and you are Host C. If A has some basic needs, you can guess its original data. One is DNS: if the DNS server is Host D, we know A must reach D before it can reach any other host, and if A often visits some domain K, then just keep sending A host unreachable messages that quote a DNS query for K. It may well succeed. On a LAN you can also spoof IP addresses: forge the victim host's address, guess which protocol or port the other hosts use to reach it, and send protocol unreachable or port unreachable messages to all of them. If you can sniff every packet on the LAN, then each time you see a packet going to the victim host, follow it with a port unreachable, so that the other hosts cannot reach that host at all.)
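The forged error message described above, as an added example that is not code from the original post: a small C program that builds an RFC 792 ICMP error message around a constructed quoted datagram, fills in the checksum, and decodes such a message back, rejecting it when the checksum does not verify. It generalizes the destination unreachable case to types 4, 5, 11 and 12, which share the same layout and differ only in the second 32-bit word. The 10.0.0.x addresses, the ports and the quoted DNS query are assumptions; nothing is sent on the wire.

```c
/* Added example, not code from the original post: build and parse the
 * RFC 792 ICMP error messages described above. Types 3, 4, 5, 11 and 12
 * share one layout: Type, Code, Checksum, one 32-bit word (unused, Pointer
 * or Gateway Internet Address), then the offending datagram's IP header and
 * first 64 bits of data. Addresses and ports are constructed test values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_DEST_UNREACH 3
#define PROTO_UDP         17

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* RFC 1071: one's complement of the one's complement sum of 16-bit words,
 * an odd trailing byte padded with zero. A message verifies if it sums to 0. */
uint16_t inet_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += get16(buf + i);
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The datagram the victim supposedly sent: 20-byte IPv4 header, no options,
 * plus the 8-byte UDP header of a DNS query. These 28 bytes are what the
 * forger has to guess right for the victim to accept the error. */
size_t build_orig_datagram(uint8_t *out, uint32_t src, uint32_t dst,
                           uint16_t sport, uint16_t dport)
{
    memset(out, 0, 28);
    out[0] = 0x45;                  /* version 4, IHL 5 */
    put16(out + 2, 48);             /* total length: IP + UDP + 20-byte query (assumed) */
    out[8] = 64;                    /* TTL */
    out[9] = PROTO_UDP;
    put32(out + 12, src); put32(out + 16, dst);
    put16(out + 10, inet_checksum(out, 20));   /* IP header checksum */
    put16(out + 20, sport); put16(out + 22, dport);
    put16(out + 24, 28);            /* UDP length */
    return 28;
}

/* Type, Code, Checksum=0, the 32-bit word, the quoted bytes, then the
 * checksum over the whole ICMP message. Returns the message length. */
size_t build_icmp_error(uint8_t *out, uint8_t type, uint8_t code, uint32_t word,
                        const uint8_t *orig, size_t orig_len)
{
    size_t len = 8 + orig_len;
    out[0] = type; out[1] = code;
    put16(out + 2, 0); put32(out + 4, word);
    memcpy(out + 8, orig, orig_len);
    put16(out + 2, inet_checksum(out, len));
    return len;
}

struct icmp_error {
    uint8_t type, code, proto;
    uint32_t word;            /* unused / Pointer / Gateway Internet Address */
    uint32_t src, dst;        /* from the quoted IP header */
    uint16_t sport, dport;    /* first two 16-bit words after that header */
};

/* Verify and decode: 0 on success, -1 too short, -2 bad checksum, -3 the
 * quoted bytes are not a complete IPv4 header plus 8 bytes of data. */
int parse_icmp_error(const uint8_t *buf, size_t len, struct icmp_error *e)
{
    size_t ihl;
    if (len < 8 + 20 + 8) return -1;
    if (inet_checksum(buf, len) != 0) return -2;
    ihl = (size_t)(buf[8] & 0x0f) * 4;
    if ((buf[8] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return -3;
    e->type = buf[0]; e->code = buf[1]; e->word = get32(buf + 4);
    e->proto = buf[8 + 9]; e->src = get32(buf + 8 + 12); e->dst = get32(buf + 8 + 16);
    e->sport = get16(buf + 8 + ihl); e->dport = get16(buf + 8 + ihl + 2);
    return 0;
}

/* Forge "port unreachable" for a DNS query 10.0.0.5:1024 -> 10.0.0.53:53,
 * decode it, then flip a bit so the checksum rejects it. 0 = all as expected. */
int self_check(void)
{
    uint8_t orig[28], msg[64];
    struct icmp_error e;
    size_t olen = build_orig_datagram(orig, 0x0a000005u, 0x0a000035u, 1024, 53);
    size_t mlen = build_icmp_error(msg, ICMP_DEST_UNREACH, 3, 0, orig, olen);
    if (mlen != 36 || parse_icmp_error(msg, mlen, &e) != 0) return 1;
    if (e.type != 3 || e.code != 3 || e.proto != PROTO_UDP) return 2;
    if (e.src != 0x0a000005u || e.dst != 0x0a000035u || e.sport != 1024 || e.dport != 53) return 3;
    msg[8 + 20 + 3] ^= 0x01;        /* corrupt the quoted destination port */
    return parse_icmp_error(msg, mlen, &e) == -2 ? 0 : 4;
}

int main(void)
{
    printf("self_check = %d (0 means forged message built and verified)\n", self_check());
    return 0;
}
```

A redirect is built the same way with `build_icmp_error(msg, 5, code, gateway_address, orig, olen)`, a parameter problem with the pointer in the high byte of the word. Note that the checksum covers the quoted bytes too, so a forger who guesses the original ports wrong produces a message that still verifies; it is the quoted contents, not the checksum, that the victim has to reject.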

____________________________________________________________

Time Exceeded Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             unused                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Internet Header + 64 bits of Original Data Datagram      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IP fields: Destination Address is the source address of the datagram that caused the error.

ICMP fields:
Type: 11.
Code: 0 = time to live exceeded in transit; 1 = fragment reassembly time exceeded.
Checksum: as above (computed with the Checksum field zeroed).
Internet Header + 64 bits of Data Datagram: as above; if the original datagram carried a higher-level protocol, these are the first 64 bits of that protocol's header.

Description: If a gateway processing a datagram finds that the time to live field is zero, it must discard the datagram and not forward it, and it may notify the source host with a time exceeded message. If a host reassembling a fragmented datagram cannot complete the reassembly within its time limit, it discards the fragments and may send a time exceeded message to the source. If fragment zero is not available, no time exceeded message need be sent at all. Code 0 may come from a gateway; code 1 comes from a host.

(CCEYE analysis: the difficulty is the same as before, you have to know the data the original host sent in order to make it react. Because of routing tables it is very hard to spoof an IP address from a different subnet or branch of the network (it can be done, but only against a statically configured router). So you can only pose as a router and return this ICMP message; the original host then keeps raising the TTL and resending the same packet. The key is the first hop between your host and its destination host: this keeps the victim host from reaching the outside world.)
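The reason both attacks above hinge on guessing the original host's data is the check the victim's own stack makes on the quoted bytes. The following is an added example, not code from the original post, of that check: the quoted fields are assumed to have already been extracted from the ICMP message (source, destination, protocol and the first 8 data bytes), and the flow table is constructed test data. Hard versus soft handling follows what RFC 1122 section 4.2.3.9 specifies for TCP, applied to the UDP flow too for illustration; the TCP sequence-number window test is the one RFC 5927 recommends against blind ICMP attacks.

```c
/* Added example, not code from the original post: what a receiving host
 * should check before acting on any of the ICMP errors above. The quoted
 * fields and the flow table are constructed test data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_UDP 17

/* One live flow as the host's stack knows it. For TCP, snd_una..snd_nxt is
 * the range of sequence numbers sent but not yet acknowledged. */
struct flow {
    uint8_t  proto;
    uint32_t local, remote;
    uint16_t lport, rport;
    uint32_t snd_una, snd_nxt;   /* TCP only */
};

/* What the ICMP error quoted: the IP addresses and protocol, then the first
 * 64 bits of data, which for TCP and UDP hold the two ports (and for TCP the
 * sequence number). */
struct quote {
    uint8_t  proto;
    uint32_t src, dst;
    uint16_t sport, dport;
    uint32_t seq;                /* TCP only */
};

enum icmp_action { ACT_DROP, ACT_SOFT_ERROR, ACT_HARD_ERROR, ACT_SLOW_DOWN };

/* una <= seq < nxt, with 32-bit wraparound. */
static int seq_in_window(uint32_t seq, uint32_t una, uint32_t nxt)
{
    return (uint32_t)(seq - una) < (uint32_t)(nxt - una);
}

/* Index of the flow that could have sent the quoted datagram, or -1. The
 * quoted source must be our side and the quoted destination the peer; for
 * TCP the quoted sequence number must be one we actually sent. */
int match_flow(const struct flow *tbl, size_t n, const struct quote *q)
{
    size_t i;
    for (i = 0; i < n; i++) {
        const struct flow *f = &tbl[i];
        if (f->proto != q->proto || f->local != q->src || f->remote != q->dst ||
            f->lport != q->sport || f->rport != q->dport)
            continue;
        if (f->proto == PROTO_TCP && !seq_in_window(q->seq, f->snd_una, f->snd_nxt))
            continue;
        return (int)i;
    }
    return -1;
}

/* Verdict for an ICMP error of this type/code. Errors that quote nothing we
 * sent are dropped, which is exactly why the forger in the text has to guess
 * the victim's ports (and, for TCP, its sequence number). */
enum icmp_action handle_icmp_error(uint8_t type, uint8_t code,
                                   const struct flow *tbl, size_t n,
                                   const struct quote *q)
{
    if (match_flow(tbl, n, q) < 0)
        return ACT_DROP;
    switch (type) {
    case 3:                       /* destination unreachable */
        return (code >= 2 && code <= 4) ? ACT_HARD_ERROR : ACT_SOFT_ERROR;
    case 4:                       /* source quench */
        return ACT_SLOW_DOWN;
    case 11:                      /* time exceeded */
    case 12:                      /* parameter problem */
        return ACT_SOFT_ERROR;
    default:
        return ACT_DROP;
    }
}

/* Constructed table: a DNS query in flight and a TCP connection with 400
 * unacknowledged bytes. */
const struct flow demo_flows[] = {
    { PROTO_UDP, 0x0a000005u, 0x0a000035u, 1024,  53, 0,    0    },
    { PROTO_TCP, 0x0a000005u, 0xc0a80101u, 40000, 80, 1000, 1400 },
};
const size_t demo_flow_count = sizeof demo_flows / sizeof demo_flows[0];

/* Four scenarios; 0 if each gets the expected verdict, else the number of
 * the first scenario that did not. */
int demo(void)
{
    struct quote dns_ok  = { PROTO_UDP, 0x0a000005u, 0x0a000035u, 1024,  53, 0 };
    struct quote dns_bad = { PROTO_UDP, 0x0a000005u, 0x0a000035u, 1025,  53, 0 };    /* wrong source port */
    struct quote tcp_in  = { PROTO_TCP, 0x0a000005u, 0xc0a80101u, 40000, 80, 1200 };
    struct quote tcp_out = { PROTO_TCP, 0x0a000005u, 0xc0a80101u, 40000, 80, 5000 }; /* never sent */

    if (handle_icmp_error(3, 3, demo_flows, demo_flow_count, &dns_ok)  != ACT_HARD_ERROR) return 1;
    if (handle_icmp_error(3, 3, demo_flows, demo_flow_count, &dns_bad) != ACT_DROP)       return 2;
    if (handle_icmp_error(11, 0, demo_flows, demo_flow_count, &tcp_in) != ACT_SOFT_ERROR) return 3;
    if (handle_icmp_error(3, 1, demo_flows, demo_flow_count, &tcp_out) != ACT_DROP)       return 4;
    return 0;
}

int main(void)
{
    printf("demo = %d (0 means every verdict matched)\n", demo());
    return 0;
}
```

Against a UDP flow the only secret the forger lacks is the 16-bit source port, which is why the guessing strategy in the text (quote a DNS query the victim is bound to be sending) is plausible; against TCP the 32-bit sequence window makes a blind guess far less likely to match.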

____________________________________________________________

Parameter Problem Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Pointer    |                   unused                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Internet Header + 64 bits of Original Data Datagram      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IP fields: Destination Address is the source address of the datagram that caused the error.

ICMP fields:
Type: 12.
Code: 0 = pointer indicates the error.
Checksum: as above (computed with the Checksum field zeroed).
Pointer: if code = 0, identifies the octet of the original header where the error was detected.
Internet Header + 64 bits of Data Datagram: as above; if the original datagram carried a higher-level protocol, these are the first 64 bits of that protocol's header.

Description: If a gateway or host processing a datagram finds a problem with the header parameters such that it cannot complete processing the datagram, it must discard the datagram and may send a parameter problem message to the source host. Code 0 may come from a gateway or a host.

(CCEYE review: the same effect as the methods above, but you have more to compute.)

____________________________________________________________

Source Quench Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             unused                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Internet Header + 64 bits of Original Data Datagram      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IP fields: Destination Address is the source address of the datagram that caused the error.

ICMP fields:
Type: 4.
Code: 0.
Checksum: as above (computed with the Checksum field zeroed).
Internet Header + 64 bits of Data Datagram: the IP header plus the first 64 bits of the original datagram's data; if the original datagram carried a higher-level protocol, these are the first 64 bits of that protocol's header.

Description: When the internal queue of a gateway or host is already full of datagrams and new ones cannot be processed, the new datagrams are discarded and the source host is told that it is sending too fast; a source quench is sent for each datagram discarded.

(cceye: this message makes the original host send slower and slower. The method is the same as above.)

____________________________________________________________

Redirect Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Gateway Internet Address                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Internet Header + 64 bits of Original Data Datagram      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IP fields: Destination Address is the source address of the datagram that caused the redirect.

ICMP fields:
Type: 5.
Code: 0 = redirect datagrams for the network; 1 = redirect datagrams for the host; 2 = redirect datagrams for the type of service and network; 3 = redirect datagrams for the type of service and host.
Checksum: as above (computed with the Checksum field zeroed).
Gateway Internet Address: the address of the gateway to which traffic for the network given in the original datagram's destination should be sent.
Internet Header + 64 bits of Data Datagram: as above; if the original datagram carried a higher-level protocol, these are the first 64 bits of that protocol's header.

Description: A gateway sends a redirect message to a host in the following situation. Gateway G1 receives a datagram from a host on the network it is attached to. G1 checks its routing table and finds the address of the next gateway, G2, on the route to the datagram's destination network. If G2 and the host identified by the datagram's source address are on the same network, G1 sends the host a redirect message telling it there is a shorter route to that network via G2. G1 forwards the datagram to its destination at the same time. For a datagram carrying the IP source route option, no redirect is sent even if a better route exists. Codes 0, 1, 2 and 3 may come from a gateway.

(cceye comment: using this message you can cut the host off from the outside world entirely.)

____________________________________________________________

Echo or Echo Reply Message

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |          Checksum             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Identifier          |        Sequence Number        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Data ...
+-+-+-+-+-

IP fields: Destination Address is the address of the host being echoed. To form an echo reply, simply swap the source and destination addresses, change the Type to 0 and recompute the checksum.

ICMP fields:
Type: 8 for echo request; 0 for echo reply.
Code: 0.
Checksum: as above (computed with the Checksum field zeroed).
Identifier: if code = 0, an identifier to aid in matching echoes and replies; may be zero.
Sequence Number: if code = 0, a sequence number to aid in matching echoes and replies; may be zero.

Description: The data received in the echo request must be returned in the echo reply. The identifier and sequence number are used by the echo sender to match replies to its requests; the echoer must return the same values. Code 0 may come from a gateway or a host.

____________________________________________________________

ICMP also has a router advertisement function.

We can be sure that an internal host on a network cannot do without its DNS server. Plans:

1. Forge a router and tell the host that the DNS server is unreachable. Needs: a router, a DNS server, two network segments.
   Victim host A ---- router ------- DNS server, with the attack launched from a separate host.
   Result: communication between the host and the DNS server is cut by three quarters.

2. Forge a router and tell the host that its packet's TTL expired. Needs: a router, a DNS server, two network segments, same topology.
   Result: after receiving my forged ICMP, it still responds to DNS.

3. Forge a router and tell the host that its original datagram was dropped. Needs: a router, a DNS server, two network segments, same topology.
   Result: after seeing my forged ICMP, it still responds to DNS.

4. Forge a router and tell the host that there is a better route. Needs: a router, a DNS server, two network segments, same topology.
   Result: after receiving the ICMP redirect, the host can still reach DNS.

Overall result: strangely, the router ended up almost paralyzed (a 32 MB, 133 MHz RedHat 6.1 box acting as the router). It seems the malicious datagrams were being routed, but either the algorithm or the machine made it far too slow.

____________________________________________________________

The above forged a router; the following forges a host inside the LAN.

1. Pose as the victim host and tell every host that its port is unreachable. Needs: a victim host running a proxy server, on one LAN with the attacker. Watch whether the other hosts on the LAN can still reach the victim host.
2. Pose as the victim host and tell every host that its packets timed out. Needs: a victim host running a proxy server, on one LAN with the attacker.

____________________________________________________________

Experiment record: on Win95, 97, 98 and NT the IP identification starts at 0 and runs up to 65535 in steps of 256; on Linux it steps by 1. When a TCP connection gets no reply it retries 4 times in a row. The experiment looks at whether the IP identification in those four TCP retries is the same. Result: the TCP part is the same, the IP identification differs. Next: whether IP tells the upper layer when it receives the ICMP error, and whether the upper layer's resend happens after IP receives the ICMP or before. Result: IP and ICMP do not seem to be on very friendly terms. Since I have not gone on to write a protocol analyzer I know no more; more testing will follow.

Here is the original code. The program is plan 3, or maybe plan 1, I can't remember (sorry, I even had to phone friends to be reminded; otherwise the old code is like an old girlfriend :). It was basically put together from the ping.c sample program in MSDN and ipman.c. Thanks here to Micro and Hihint; we have never met, but they are long remembered. The idea of the code is this:

Please credit the original address when reposting: https://www.9cbs.com/read-30729.html
