Introduction
The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected networks. The devices connecting the networks are called gateways. These gateways communicate between themselves for control purposes via a Gateway to Gateway Protocol (GGP). Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing. For such purposes this protocol, the Internet Control Message Protocol (ICMP), is used. ICMP uses the basic support of IP as if it were a higher-level protocol; however, ICMP is actually an integral part of IP and must be implemented by every IP module.
Use Cases
ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.
Purpose
The Internet Protocol is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable. There are still no guarantees that a datagram will be delivered or a control message will be returned. Some datagrams may still be undelivered without any report of their loss. The higher level protocols that use IP must implement their own reliability procedures if reliable communication is required.
Loops someone?
The ICMP messages typically report errors in the processing of datagrams. To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages.
ICMP message format
4-byte header:
• Type (1 byte): type of ICMP message
• Code (1 byte): subtype of ICMP message
• Checksum (2 bytes): similar to the IP header checksum, but calculated over the entire ICMP message
If there is no additional data, the 4 bytes following the header are set to zero, so each ICMP message is at least 8 bytes long.
ICMP message format
ICMP messages are sent using the basic IP header. The first octet of the data portion of the datagram is an ICMP type field; the value of this field determines the format of the remaining data. Any field labeled "unused" is reserved for later extensions and must be zero when sent, but receivers should not use these fields (except to include them in the checksum).
Values of the internet header fields
• Version - 4
• IHL - Internet header length in 32-bit words.
• Type of Service - 0
• Total Length - Length of internet header and data.
• Identification, Flags, Fragment Offset
• TTL - the value in this field should be at least as great as the number of gateways which this datagram will traverse.
• Protocol - ICMP = 1
• Header Checksum - 16-bit one's complement checksum …
• Source Address - The address of the gateway or host that composes the ICMP message. Unless otherwise noted, this can be any of a gateway's addresses.
• Destination Address - The address to which the message should be sent.
ICMP Query message
ICMP query:
• Request sent by host to a router or host
• Reply sent back to querying host
Example of ICMP Queries
Type/Code  Description
8/0        Echo Request
0/0        Echo Reply
13/0       Timestamp Request
14/0       Timestamp Reply
10/0       Router Solicitation
9/0        Router Advertisement
The ping command uses Echo Request / Echo Reply.
ICMP Error message
• ICMP error messages report error conditions
• Typically sent when a datagram is discarded
• The error message is often passed from ICMP to the application program
ICMP Error message
• ICMP error messages include the complete IP header of the offending datagram and the first 8 bytes of its payload (typically a UDP or TCP header)
Example: ICMP Port Unreachable
• RFC 792: If, in the destination host, the IP module cannot deliver the datagram because the indicated protocol module or process port is not active, the destination host may send a destination unreachable message to the source host.
• Scenario: the client requests a service at port 80 on the server. No process is waiting at port 80, so the server answers the client with an ICMP Port Unreachable message.
ICMP Fingerprinting
• ICMP ERROR MESSAGE QUOTING SIZE
Each ICMP error message includes the IP header and at least the first eight data bytes of the datagram that triggered the error (the offending datagram); more than eight bytes may be sent according to RFC 1122. Most operating systems will quote the offending packet's IP header and the first eight data bytes of the datagram that triggered the error. Several operating systems and networking devices will echo more than eight data bytes. Examples of operating systems that quote more include: Linux based on kernel 2.0.x/2.2.x/2.4.x, Sun Solaris 2.x, HPUX 1.x, MacOS 7.x–9.x (10.x not checked), Nokia boxes, Foundry Switches (and other OSes and several networking devices).
ICMP Fingerprinting
• ICMP ERROR MESSAGE ECHOING INTEGRITY
When sending back an ICMP error message, some stack implementations may alter the offending packet's IP header and the underlying protocol's data, which are echoed back with the ICMP error message. The only two field values we expect to be changed are the IP time-to-live field value and the IP header checksum. The IP time-to-live (TTL) field value changes because the field is decreased by one each time the IP header is processed. The IP header checksum is recalculated each time the IP TTL field value is decreased. ICMP Port Unreachable error messages triggered by UDP datagrams sent to closed UDP ports can be used for this check: several IP header and UDP-related field values of the offending packet echoed with the ICMP error message are examined for some types of alteration.
ICMP Fingerprinting
• ICMP ERROR MESSAGE ECHOING INTEGRITY
• IP TOTAL LENGTH FIELD
• IP ID
• FRAGMENTATION FLAGS AND OFFSET FIELDS
• IP HEADER CHECKSUM
• UDP HEADER CHECKSUM
• PRECEDENCE BITS ISSUES WITH ICMP ERROR MESSAGES
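As an added example (not code from the slides or the cited papers), the following Python builds the ICMP and IP header formats described above and checks a received Destination Unreachable against the datagram that triggered it: it verifies the ICMP checksum, extracts the quoted IP header and first 8 payload bytes, and reports which quoted fields differ from what was sent, ignoring the TTL and IP header checksum that legitimately change in transit. Addresses, ports and the IP ID are constructed sample values; demo(0) simulates a stack that zeroes the IP ID in its quote.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; the IP header and ICMP use the same algorithm."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl, ident=0x1234, df=True, tos=0):
    """20-byte IPv4 header (no options) with its header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0x4000 if df else 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def icmp_message(icmp_type, code, rest=b"\x00" * 4, data=b""):
    """Type, code, checksum over the whole message, 4 further header bytes, optional data."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

IP_FIELDS = ("ver_ihl", "tos", "total_len", "ident", "flags_frag", "ttl", "proto", "hdr_csum", "src", "dst")

def parse_quoted(quote: bytes) -> dict:
    """Name the quoted IP header fields plus the ports from the first 8 payload bytes."""
    ip = dict(zip(IP_FIELDS, struct.unpack("!BBHHHBBH4s4s", quote[:20])))
    ihl = (ip["ver_ihl"] & 0x0F) * 4
    ip["src"], ip["dst"] = str(IPv4Address(ip["src"])), str(IPv4Address(ip["dst"]))
    ip["df"] = bool(ip["flags_frag"] & 0x4000)
    ip["sport"], ip["dport"] = struct.unpack("!HH", quote[ihl:ihl + 4])  # UDP and TCP alike
    return ip

def parse_icmp_error(msg: bytes) -> dict:
    return {"type": msg[0], "code": msg[1], "checksum_ok": inet_checksum(msg) == 0,
            "quoted_len": len(msg) - 8, **parse_quoted(msg[8:])}

def quote_differences(sent: bytes, error: dict) -> set:
    """Quoted fields that differ from our datagram; TTL and IP header checksum change per hop (RFC 1122)."""
    orig = parse_quoted(sent)
    return {k for k in orig if k not in ("ttl", "hdr_csum") and orig[k] != error[k]}

def demo(quoted_ident=0x1234):
    # Constructed: UDP 10.0.0.1:40000 -> 10.0.0.2:80 hits a closed port one hop away; the host
    # returns Port Unreachable (type 3, code 3) quoting our header (TTL now 63) plus 8 payload bytes.
    udp = struct.pack("!HHHH", 40000, 80, 12, 0) + b"ping"
    sent = ipv4_header("10.0.0.1", "10.0.0.2", 17, len(udp), ttl=64) + udp
    quoted = ipv4_header("10.0.0.1", "10.0.0.2", 17, len(udp), ttl=63, ident=quoted_ident) + udp[:8]
    error = parse_icmp_error(icmp_message(3, 3, data=quoted))
    return error, quote_differences(sent, error)  # demo(0): a stack zeroing the IP ID -> {'ident'}
```

A receiver that only acts on ICMP errors whose quote matches a datagram it actually sent discards forged errors that guess the header.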
ICMP Fingerprinting
• DF BIT ECHOING WITH ICMP ERROR MESSAGES
Some operating systems set the DF (don't fragment) bit in the error quote when the DF bit is set in the offending packet. Some OSs will not.
• THE IP TIME-TO-LIVE FIELD VALUE WITH ICMP MESSAGES
The sender sets the time-to-live field to a value that represents the maximum time the datagram is allowed to travel on the Internet. In practice, the TTL gets decremented each time a packet passes through a router or IP stack. The TTL field value with ICMP has two separate values, one for ICMP query messages and one for ICMP query replies. The TTL field value helps identify certain operating systems and groups of operating systems. It also provides the simplest means to add another check criterion when we are querying other hosts or listening to traffic (sniffing).
ICMP Fingerprinting
• USING CODE FIELD VALUES DIFFERENT FROM ZERO WITH ICMP ECHO REQUESTS
When an ICMP code field value different from zero is sent with an ICMP Echo Request message (type 8), Microsoft-based operating systems that answer the query with an ICMP Echo Reply send back an ICMP code field value of zero in their Echo Reply. Other operating systems (and networking devices) echo back the ICMP code field value that was used with the ICMP Echo Request.
ICMP Fingerprinting
• TOS ECHOING
RFC 1349 defines the use of the type-of-service field with ICMP messages. It distinguishes between ICMP error messages (Destination Unreachable, Source Quench, Redirect, Time Exceeded, and Parameter Problem), query messages (Echo, Router Solicitation, Timestamp, Information Request, Address Mask Request), and reply messages (Echo Reply, Router Advertisement, Timestamp Reply, Information Reply, Address Mask Reply). Simple rules are defined: an ICMP error message is always sent with the default TOS (0x0000). An ICMP request message may be sent with any value in the TOS field. A mechanism to allow the user to specify the TOS value to be used would be a useful feature in many applications that generate ICMP request messages. The RFC further specifies that although ICMP request messages are normally sent with the default TOS, there are sometimes good reasons why they would be sent with some other TOS value. An ICMP reply message is sent with the same value in the TOS field as was used in the corresponding ICMP request message. Some operating systems ignore RFC 1349 when sending ICMP Echo Reply messages and do not send the same value in the TOS field as was used in the corresponding ICMP request message.
References
• http://www.ietf.org/rfc/rfc0792.txt?number=792
• http://www.phrack.org/show.php?p=57&a=7
• http://www.sys-security.com/archive/articles/login.pdf