ICMP packet format
ICMP messages are transmitted within packets, as shown below.
The format of an ICMP message is shown below. The type field takes different values, each of which identifies the ICMP message. A given type of ICMP message then uses different values of the code field to specify the condition. The RFC lists the different types and their descriptions. The first two columns determine whether the ICMP message is a query message or an error message. We need to know this because we will deal particularly with ICMP error messages.
ICMP error messages are not sent in response to an ICMP error. When an ICMP error is sent, it always sends the IP header and the datagram that caused the error, so the receiving unit can associate the error with the process. So in fact when a type 0 (echo reply) is sent, the reply will no longer be a Type 8 (echo request). The last field is the checksum, which is used to detect errors while transmitting data and is calculated from the ICMP header and data. Before an ICMP message is transmitted, the checksum is computed and inserted into the field. At the receiving end, the checksum is calculated again and verified against the checksum field. Any mismatch confirms that an error or change has occurred. There are 15 different types of ICMP messages, and some are categorized as error reporting and query. A few popular ICMP messages:
ICMP Attack Types
ICMP Tunnelling
ICMP tunnels are one form of covert channel, in which the information flow is not controlled by any security mechanism. An ICMP tunnel establishes a channel between the client and server, forcing a firewall not to trigger an alarm when data are sent via ICMP. ICMP tunneling is a covert connection between two endpoints using ICMP echo request and reply packets. By using ICMP tunneling, one can inject arbitrary data into an echo packet and send it to a remote computer. The remote computer injects an answer into another ICMP packet and sends it back. This type of traffic remains undetectable for a proxy-based firewall, as such firewalls are more focused on the source and destination IP addresses. These mechanisms can be used to bypass firewalls’ rules through obfuscation of the actual traffic. Only application-based firewalls are capable of detecting this type of traffic, as they do deep packet inspection on the entire packet. So network or security administrators will not be able to detect such encrypted communication unless deep packet inspection is carried out.
Now let’s showcase this scenario by using the Hping tool. Hping is a packet crafter tool used to conduct a test or attack on a device. A normal ping sent from a command prompt sends four packets of data. If we want to send an ICMP request with a particular type or code set, we can use Hping (we can also ping from the cmd prompt, but changing the code and type of ICMP in cmd is not possible). Now I am going to send the data “sending packets via tunneling” via a ping message by typing the below command.
If we sniff the destination then we can see the entire data as well.
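What a sniffer or inspection device sees in such a capture can be turned into a check. The following is an added example, not part of the original article: it recomputes the ICMP checksum over the header and data, then flags echo request/reply messages that carry a payload. The frames, addresses, the `max_payload` parameter and the trailing newline on the sample payload are assumptions constructed for the demonstration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_frame(payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + ICMP echo (made-up addresses)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))  # IP checksum left 0
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    return eth + ip + icmp

def inspect_frame(frame: bytes, max_payload: int = 0):
    """Return (verdict, payload); verdict is not-icmp, bad-checksum, ok or alert."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
        return "not-icmp", b""
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    icmp = frame[14 + ihl:14 + total_len]
    if len(icmp) < 8:
        return "not-icmp", b""
    if inet_checksum(icmp) != 0:      # receiver recomputes over header + data
        return "bad-checksum", b""
    payload = icmp[8:]
    # max_payload=0 flags any data at all in an echo message.
    # Stock ping tools send filler data (32 bytes on Windows, 56 on Linux),
    # so a deployed rule needs a threshold or an allowlist of known filler.
    if icmp[0] in (0, 8) and len(payload) > max_payload:
        return "alert", payload
    return "ok", payload

if __name__ == "__main__":
    for data in (b"", b"sending packets via tunneling\n"):
        frame = build_echo_frame(data)
        print(len(frame), inspect_frame(frame))
```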
In a normal ICMP echo request, the packet length is 42 bytes and the data length is 0; if we append any data to the ICMP data field, the size of the packet increases. In the above scenario, the total size is 72 bytes, of which 30 bytes are the data “sending packets via tunneling”. So to detect ICMP tunneling with an IDS/IPS device, we need to write a rule stating that if any data is present in the data field of the ICMP packet, an alert should fire.
The most common ICMP tunneling program is LOKI. It uses the ICMP echo-response packet to carry its payload. By using LOKI, one can transmit data secretly by hiding the traffic so networking devices cannot detect the transmission. It can also be used to set a backdoor into a target system and execute commands on the machine with admin privileges, as well as leak information and start/stop critical services without users’ knowledge. Organizations have adopted many ways to prevent ICMP tunneling, like blocking all ICMP traffic, limiting the size of ICMP packets, etc. However, some of the methods listed above are not realistic for a real-world environment. The use of IDS/IPS is an effective method, and many IPS/IDS devices have a signature to detect the presence of LOKI.
Smurf Attack
As we discussed earlier, whenever a type 8 is sent, a type 0 is sent back; that is, an ICMP echo reply is sent whenever an echo request is sent. In a smurf attack, an attacker spoofs the source address of the ICMP packet and sends a broadcast to all computers on that network. If networking devices do not filter this traffic, it will be broadcast to all computers in the network. The victim’s network gets congested by this much traffic, which brings down the productivity of the entire network.
Countermeasures for Smurf Attack
Put filters on routers and firewalls to counteract address spoofing. An IP address range should be assigned to each LAN segment, and if the IP address of the source machine is not in the range of IP addresses assigned to the segment, the traffic should be dropped. Put filters on L3 devices so that they do not reply to broadcast addresses.
Fraggle Attack
A Fraggle attack is the same as a Smurf attack, but the UDP protocol is used rather than ICMP. Prevention is almost identical for the two attacks.
Information Gathering
Under the information gathering attack, one can use different methods within ICMP to find live hosts, map the network topology, fingerprint the OS, detect ACLs, and so on. A classic way to discover hosts on the network is to send an ICMP echo request (type 8), which should prompt target hosts to respond with ICMP echo reply messages.
Trace Route
Now let’s see how traceroute can be used to determine the network topology. The traceroute command is used to discover the routes that packets actually take when traveling to their destination. Windows uses ICMP traceroutes, while Linux-based systems use a UDP traceroute. When running a traceroute from a Windows computer, three ICMP echo messages with TTL set to 1 are sent out to the destination IP address. The response to the ping will be an ICMP Time Exceeded message (this means the host responding is not the destination) or an ICMP Destination Unreachable (this means the host responding doesn’t know how to get to the destination IP address in the traceroute packets). Each time the ICMP packet reaches a hop, the TTL value is decremented by one, so when the TTL value becomes zero, an ICMP type 11 message is sent back to the origin point. In the next phase, the TTL value is incremented by one and the above process is repeated until it finds the destination address specified in the traceroute command. This activity records the source of each ICMP Time Exceeded message to provide a trace of the path the packet took to reach the destination.
Port Scan
ICMP error messages (Protocol/Port Unreachable) can be used to find out the open ports on an IP address or a LAN segment. Different types of scanners are available in the market that use ICMP to check whether a port is open or not. Usually, ICMP packets are sent without any payload to each specified protocol on the target machine. If an ICMP Protocol Unreachable error message is received, it means the protocol is not used.
OS fingerprinting
Fingerprinting is a technique to find out what kind of OS the server is running by looking at the response to the ICMP packet. Two important points to remember about OS fingerprinting are that if the ICMP reply contains a TTL value of 128 then it is a Windows machine, and if the ICMP reply contains a TTL value of 64 then it is a Linux-based machine.
Now in the above diagram, we can confirm that 192.168.10.2 is a Linux-based system and 192.168.10.3 is a Windows-based system by looking at the TTL value. The method of fingerprinting is different for each Windows and Linux family. Let’s dive deeper into the above scenario. Right now we have identified the target as the Windows machine; now we want to find out the version of the Windows machine. In order to double-check the above activity, we can also send ICMP packets with the code field set, and by looking at the code field of the ICMP reply we can confirm the target as a Linux or Windows machine. So let’s send an ICMP message where the code field equals 77. If we get a response from the target with a code field = 0, then the target is in the Windows family, and if we get a response with the code field not equal to 0, then it is in the Linux family.
Below we see that the code for echo reply is 0, so the target is confirmed as Windows.
Now let’s send a Timestamp request to the target server to rule out Windows 95 and Windows NT. If we get no reply then it means the target is Windows server or Windows NT, and if we get a reply it means the target machine is Windows 98, Windows 2000 or Windows ME.
If we dive in deeper then we can get to know the exact output. But ICMP is not feasible to use as an OS fingerprinting method. Effective fingerprinting can be done via SYN.
ICMP Router Discovery
The ICMP router discovery protocol discovers the IP addresses of the neighboring routers. The ICMP router discovery messages are called “Router Advertisements” or “Router Solicitations”. The router discovery message is not a routing protocol. It enables hosts to discover the existence of neighbouring routers, but not which router is best to reach a particular destination. A router advertisement is an ICMP message (type 9, code 0) with an advertisement lifetime. The main challenge for the ICMP router discovery protocol is that it doesn’t have any form of authentication, so it is impossible for end hosts to tell whether or not the information they receive is valid. Due to this issue, an attacker can perform a man-in-the-middle attack, acting as a middle man for all the communication from the source to the endpoint. Attackers can also spoof ICMP router discovery messages and remotely add bad route entries into a victim’s routing table. The victim’s system would then be forwarding the frames to the wrong address, and it would be unable to reach other networks. Such attacks can lead to a Denial of Service and can become quite severe. A countermeasure against ICMP router discovery attacks is to use digital signatures and to block all type 9 and type 10 ICMP packets.
Teardrop
When a teardrop attack is carried out on a machine, it will crash or reboot. Essentially, it is a sort of DoS attack that an attacker carries out using ICMP packets. Teardrop attacks exploit the handling of overlapping IP fragments in machines. IP packets are broken up into smaller fragments, with each fragment having the original IP packet’s header and a field that tells the TCP/IP stack what bytes it contains. The packet is fragmented and sent from the source to the destination. At the destination, the fragments need to be put back together again. What happens with teardrop, though, is that the IP fragments have overlapping fields. When the destination tries to reassemble them, it cannot do it, and if it does not know how to sort these packet fragments out, it can quickly fail. This type of attack is more common on the Internet, and precautions need to be taken to counteract such attacks.
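The overlap condition described above can be checked before reassembly. The following is an added example, not part of the original article: it reads the fragment offset and length from IPv4 headers, groups fragments that belong to the same datagram, and reports byte ranges claimed by more than one fragment. The headers, addresses and function names are constructed for the demonstration.

```python
import struct

def make_header(ident, offset_units, payload_len, more_fragments):
    """Constructed sample IPv4 header (documentation addresses, checksum left 0)."""
    flags_off = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                       64, 1, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))

def fragment_range(header: bytes):
    """Return (reassembly_key, first_byte, end_byte) for one IPv4 fragment header."""
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack("!BBHHH", header[:8])
    start = (flags_off & 0x1FFF) * 8              # offset field counts 8-byte units
    end = start + total_len - (ver_ihl & 0x0F) * 4
    key = (header[12:16], header[16:20], header[9], ident)  # src, dst, proto, id
    return key, start, end

def find_overlaps(headers):
    """List (ident, overlap_start, overlap_end) for fragments that claim the same bytes."""
    groups = {}
    for header in headers:
        key, start, end = fragment_range(header)
        groups.setdefault(key, []).append((start, end))
    overlaps = []
    for key, ranges in groups.items():
        ranges.sort()
        covered = ranges[0][1]
        for start, end in ranges[1:]:
            if start < covered:                   # begins inside bytes already claimed
                overlaps.append((key[3], start, min(end, covered)))
            covered = max(covered, end)
    return overlaps

if __name__ == "__main__":
    clean = [make_header(1, 0, 24, True), make_header(1, 3, 16, False)]
    bad = [make_header(2, 0, 40, True), make_header(2, 3, 8, False)]
    print(find_overlaps(clean), find_overlaps(bad))
```

A filter or IDS applying this check can drop the whole datagram when `find_overlaps` returns anything, rather than handing overlapping fragments to the reassembly code.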