盒子
盒子
文章目录
  1. ping和traceroute
  2. ping扫射和广播ICMP
  3. ICMP Timestamp query
  4. ICMP address netmask request
  5. ICMP Parameter Problem Error messages
  6. ICMP Ip Reassembly Time Exceeded
  7. UDP扫描
  8. 分片与MTU
  9. Inverse Mapping
  10. ICMP与操作系统探测
  11. ICMP source quench
  12. ICMP 重定向

Playing and Learning ICMP in Action

ICMP协议是IP协议的一部分,虽然它的包被封装在IP包内,好像是IP上层的协议,但它确实是IP协议不可分割的一部分。ICMP协议非常复杂,它用来提供有关网络的消息。

ICMP通常被用来侦查网络。各种ICMP报文甚至可能绕过防火墙探查内网,探测访问控制列表等。

ICMP有时也会被利用来做路由重定向和DDOS等其它用途。

ping和traceroute

ping可以用来判断一个ip地址(当提供域名时一般会解析成ip)对应的机器是否在线。

traceroute则为了探测一个包到目的地所经过的路由。

ping利用了ICMP echo requestICMP echo reply。而traceroute则利用了ICMP time-exceeded error message

我们可以先pingtraceroute来实际看下,

 ~ ⮀ ping -c 1 baidu.com
PING baidu.com (220.181.111.86) 56(84) bytes of data.
64 bytes from 220.181.111.86: icmp_seq=1 ttl=50 time=2.07 ms

--- baidu.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.070/2.070/2.070/0.000 ms

 ~ ⮀ sudo tcpdump -X "icmp" 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:16:47.917236 IP 10.210.96.200 > 220.181.111.86: ICMP echo request, id 9095, seq 1, length 64
18:16:47.919293 IP 220.181.111.86 > 10.210.96.200: ICMP echo reply, id 9095, seq 1, length 64

如果用wireshark就能看得更加清楚了,懒得截图。

我们接着看看traceroute是什么样的。

 ~ ⮀ traceroute bbs.byr.cn
traceroute to bbs.byr.cn (10.3.18.66), 30 hops max, 60 byte packets
 1  10.210.96.193 (10.210.96.193)  3.360 ms  3.637 ms  3.919 ms
 2  10.2.100.1 (10.2.100.1)  1.511 ms  1.657 ms  1.825 ms
 3  10.2.1.1 (10.2.1.1)  1.834 ms  2.422 ms  2.809 ms
 4  10.0.10.1 (10.0.10.1)  0.512 ms  0.524 ms  0.531 ms
 5  10.0.13.2 (10.0.13.2)  1.719 ms  2.021 ms  2.139 ms
 6  10.3.18.66 (10.3.18.66)  0.946 ms  0.493 ms  0.483 ms

 ~ ⮀ sudo tcpdump -i eth0 "not udp and not arp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:36:21.471441 IP 10.2.100.1 > 10.210.96.200: ICMP time exceeded in-transit, length 68
23:36:21.471566 IP 10.2.100.1 > 10.210.96.200: ICMP time exceeded in-transit, length 68
23:36:21.472026 IP 10.0.10.1 > 10.210.96.200: ICMP time exceeded in-transit, length 36
23:36:21.472089 IP 10.0.10.1 > 10.210.96.200: ICMP time exceeded in-transit, length 36
23:36:21.472106 IP 10.0.10.1 > 10.210.96.200: ICMP time exceeded in-transit, length 36
23:36:21.472113 IP 10.2.100.1 > 10.210.96.200: ICMP time exceeded in-transit, length 68
23:36:21.472120 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 udp port 33449 unreachable, length 68
23:36:21.472207 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 udp port 33450 unreachable, length 68
23:36:21.472218 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 udp port 33451 unreachable, length 68
23:36:21.472227 IP 10.2.1.1 > 10.210.96.200: ICMP time exceeded in-transit, length 36
23:36:21.472536 IP 10.210.96.193 > 10.210.96.200: ICMP time exceeded in-transit, length 68
23:36:21.472756 IP 10.2.1.1 > 10.210.96.200: ICMP time exceeded in-transit, length 36
23:36:21.472765 IP 10.210.96.193 > 10.210.96.200: ICMP time exceeded in-transit, length 68
23:36:21.473175 IP 10.210.96.193 > 10.210.96.200: ICMP time exceeded in-transit, length 68
23:36:21.473192 IP 10.2.1.1 > 10.210.96.200: ICMP time exceeded in-transit, length 36
23:36:21.473196 IP 10.0.13.2 > 10.210.96.200: ICMP time exceeded in-transit, length 68
23:36:21.473442 IP 10.0.13.2 > 10.210.96.200: ICMP time exceeded in-transit, length 68
23:36:21.473603 IP 10.0.13.2 > 10.210.96.200: ICMP time exceeded in-transit, length 68

可以用wireshark更详细的检查。

我们接着看看其它东西。

ping扫射和广播ICMP

ping扫射会ping 一个网段内所有的主机,判断ip所对应的主机是否在线。速度非常快

先试着一个ping sweep,在LAN下nmap如果不明确禁止,一定会使用arp来ping,所以要看看ICMP如何完成ping就禁用它, 然后抓包。

 ~ ⮀ sudo nmap -sP --disable-arp 10.210.96.0/27

Starting Nmap 6.25 ( http://nmap.org ) at 2014-03-21 19:29 CST
Nmap scan report for 10.210.96.1
Host is up (0.0014s latency).
Nmap scan report for 10.210.96.13
Host is up (0.0023s latency).
Nmap done: 32 IP addresses (2 hosts up) scanned in 1.97 seconds

 ~ ⮀ sudo tcpdump "icmp"
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
 19:29:07.205871 IP 10.210.96.200 > 10.210.96.1: ICMP echo request, id 15450, seq 0, length 8
 19:29:07.205895 IP 10.210.96.200 > 10.210.96.2: ICMP echo request, id 39828, seq 0, length 8
 19:29:07.205901 IP 10.210.96.200 > 10.210.96.3: ICMP echo request, id 26191, seq 0, length 8
 19:29:07.205907 IP 10.210.96.200 > 10.210.96.4: ICMP echo request, id 27927, seq 0, length 8
 19:29:07.205911 IP 10.210.96.200 > 10.210.96.5: ICMP echo request, id 40326, seq 0, length 8
 19:29:07.205917 IP 10.210.96.200 > 10.210.96.6: ICMP echo request, id 20451, seq 0, length 8
 19:29:07.205923 IP 10.210.96.200 > 10.210.96.7: ICMP echo request, id 54339, seq 0, length 8
 19:29:07.205930 IP 10.210.96.200 > 10.210.96.8: ICMP echo request, id 662, seq 0, length 8
 19:29:07.205934 IP 10.210.96.200 > 10.210.96.9: ICMP echo request, id 44505, seq 0, length 8
 19:29:07.205940 IP 10.210.96.200 > 10.210.96.10: ICMP echo request, id 53250, seq 0, length 8
 19:29:07.207182 IP 10.210.96.1 > 10.210.96.200: ICMP echo reply, id 15450, seq 0, length 8
 19:29:07.207295 IP 10.210.96.200 > 10.210.96.13: ICMP echo request, id 2073, seq 0, length 8
 19:29:07.207305 IP 10.210.96.200 > 10.210.96.14: ICMP echo request, id 4397, seq 0, length 8
 19:29:07.209792 IP 10.210.96.13 > 10.210.96.200: ICMP echo reply, id 2073, seq 0, length 8
 19:29:07.209912 IP 10.210.96.200 > 10.210.96.17: ICMP echo request, id 19920, seq 0, length 8
 19:29:07.209922 IP 10.210.96.200 > 10.210.96.18: ICMP echo request, id 34999, seq 0, length 8
 19:29:07.306658 IP 10.210.96.200 > 10.210.96.21: ICMP echo request, id 29270, seq 0, length 8
 19:29:07.306681 IP 10.210.96.200 > 10.210.96.22: ICMP echo request, id 7671, seq 0, length 8
 19:29:07.306689 IP 10.210.96.200 > 10.210.96.23: ICMP echo request, id 9104, seq 0, length 8
 19:29:07.306696 IP 10.210.96.200 > 10.210.96.24: ICMP echo request, id 81, seq 0, length 8
 19:29:07.306704 IP 10.210.96.200 > 10.210.96.25: ICMP echo request, id 32155, seq 0, length 8
 19:29:07.306712 IP 10.210.96.200 > 10.210.96.26: ICMP echo request, id 63858, seq 0, length 8
 19:29:07.306720 IP 10.210.96.200 > 10.210.96.27: ICMP echo request, id 26777, seq 0, length 8
 19:29:07.306727 IP 10.210.96.200 > 10.210.96.28: ICMP echo request, id 13494, seq 0, length 8
 19:29:07.306733 IP 10.210.96.200 > 10.210.96.29: ICMP echo request, id 44984, seq 0, length 8
 19:29:07.308869 IP 10.210.96.200 > 10.210.96.0: ICMP echo request, id 17227, seq 0, length 8
 19:29:07.310989 IP 10.210.96.200 > 10.210.96.11: ICMP echo request, id 34317, seq 0, length 8
 19:29:07.311005 IP 10.210.96.200 > 10.210.96.12: ICMP echo request, id 61365, seq 0, length 8
 19:29:07.406811 IP 10.210.96.200 > 10.210.96.16: ICMP echo request, id 55350, seq 0, length 8
 19:29:07.406822 IP 10.210.96.200 > 10.210.96.19: ICMP echo request, id 35677, seq 0, length 8
 19:29:07.406828 IP 10.210.96.200 > 10.210.96.20: ICMP echo request, id 65464, seq 0, length 8
 19:29:07.406835 IP 10.210.96.200 > 10.210.96.30: ICMP echo request, id 15331, seq 0, length 8
 19:29:07.406840 IP 10.210.96.200 > 10.210.96.31: ICMP echo request, id 29903, seq 0, length 8
 19:29:07.406864 IP 10.210.96.200 > 10.210.96.15: ICMP echo request, id 9883, seq 0, length 8
 19:29:08.307498 IP 10.210.96.200 > 10.210.96.2: ICMP echo request, id 62949, seq 0, length 8
 19:29:08.307516 IP 10.210.96.200 > 10.210.96.3: ICMP echo request, id 12243, seq 0, length 8
 19:29:08.307524 IP 10.210.96.200 > 10.210.96.4: ICMP echo request, id 31452, seq 0, length 8
 19:29:08.307532 IP 10.210.96.200 > 10.210.96.5: ICMP echo request, id 31537, seq 0, length 8
 19:29:08.307540 IP 10.210.96.200 > 10.210.96.6: ICMP echo request, id 54651, seq 0, length 8
 19:29:08.307549 IP 10.210.96.200 > 10.210.96.7: ICMP echo request, id 50610, seq 0, length 8
 19:29:08.307559 IP 10.210.96.200 > 10.210.96.8: ICMP echo request, id 62664, seq 0, length 8
 19:29:08.307569 IP 10.210.96.200 > 10.210.96.9: ICMP echo request, id 13459, seq 0, length 8
 19:29:08.307578 IP 10.210.96.200 > 10.210.96.10: ICMP echo request, id 62077, seq 0, length 8
 19:29:08.407677 IP 10.210.96.200 > 10.210.96.14: ICMP echo request, id 55829, seq 0, length 8
 19:29:08.407686 IP 10.210.96.200 > 10.210.96.17: ICMP echo request, id 53285, seq 0, length 8
 19:29:08.407691 IP 10.210.96.200 > 10.210.96.18: ICMP echo request, id 21378, seq 0, length 8
 19:29:08.407696 IP 10.210.96.200 > 10.210.96.21: ICMP echo request, id 23904, seq 0, length 8
 19:29:08.407701 IP 10.210.96.200 > 10.210.96.22: ICMP echo request, id 64314, seq 0, length 8
 19:29:08.407707 IP 10.210.96.200 > 10.210.96.23: ICMP echo request, id 27486, seq 0, length 8
 19:29:08.407712 IP 10.210.96.200 > 10.210.96.24: ICMP echo request, id 20894, seq 0, length 8
 19:29:08.407717 IP 10.210.96.200 > 10.210.96.25: ICMP echo request, id 32853, seq 0, length 8
 19:29:08.407722 IP 10.210.96.200 > 10.210.96.26: ICMP echo request, id 45739, seq 0, length 8
 19:29:08.507898 IP 10.210.96.200 > 10.210.96.13: ICMP echo request, id 11633, seq 0, length 8
 19:29:08.507952 IP 10.210.96.200 > 10.210.96.0: ICMP echo request, id 11677, seq 0, length 8
 19:29:08.507991 IP 10.210.96.200 > 10.210.96.15: ICMP echo request, id 42356, seq 0, length 8
 19:29:08.507996 IP 10.210.96.200 > 10.210.96.16: ICMP echo request, id 49147, seq 0, length 8
 19:29:08.508006 IP 10.210.96.200 > 10.210.96.20: ICMP echo request, id 57762, seq 0, length 8
 19:29:08.508014 IP 10.210.96.200 > 10.210.96.27: ICMP echo request, id 10613, seq 0, length 8
 19:29:08.508768 IP 10.210.96.13 > 10.210.96.200: ICMP echo reply, id 11633, seq 0, length 8
 19:29:08.508823 IP 10.210.96.200 > 10.210.96.11: ICMP echo request, id 61920, seq 0, length 8
 19:29:08.508830 IP 10.210.96.200 > 10.210.96.12: ICMP echo request, id 46304, seq 0, length 8
 19:29:08.508835 IP 10.210.96.200 > 10.210.96.19: ICMP echo request, id 49607, seq 0, length 8
 19:29:08.508840 IP 10.210.96.200 > 10.210.96.28: ICMP echo request, id 1352, seq 0, length 8
 19:29:08.508844 IP 10.210.96.200 > 10.210.96.29: ICMP echo request, id 46670, seq 0, length 8
 19:29:08.508860 IP 10.210.96.200 > 10.210.96.30: ICMP echo request, id 53472, seq 0, length 8
 19:29:08.508863 IP 10.210.96.200 > 10.210.96.31: ICMP echo request, id 58278, seq 0, length 8
 19:29:08.508985 IP 10.210.96.200 > 10.210.96.19: ICMP time stamp query id 26454 seq 0, length 20
 19:29:08.511101 IP 10.210.96.200 > 10.210.96.30: ICMP time stamp query id 49439 seq 0, length 20
 19:29:08.511108 IP 10.210.96.200 > 10.210.96.31: ICMP time stamp query id 20408 seq 0, length 20
 19:29:08.511113 IP 10.210.96.200 > 10.210.96.0: ICMP time stamp query id 47435 seq 0, length 20
 19:29:08.511132 IP 10.210.96.200 > 10.210.96.5: ICMP time stamp query id 44739 seq 0, length 20
 19:29:08.511138 IP 10.210.96.200 > 10.210.96.6: ICMP time stamp query id 62544 seq 0, length 20
 19:29:08.511142 IP 10.210.96.200 > 10.210.96.7: ICMP time stamp query id 60818 seq 0, length 20
 19:29:08.511153 IP 10.210.96.200 > 10.210.96.11: ICMP time stamp query id 8734 seq 0, length 20
 19:29:08.511157 IP 10.210.96.200 > 10.210.96.12: ICMP time stamp query id 42535 seq 0, length 20
 19:29:08.608151 IP 10.210.96.200 > 10.210.96.17: ICMP time stamp query id 4191 seq 0, length 20
 19:29:08.608157 IP 10.210.96.200 > 10.210.96.18: ICMP time stamp query id 60313 seq 0, length 20
 19:29:08.608161 IP 10.210.96.200 > 10.210.96.20: ICMP time stamp query id 30447 seq 0, length 20
 19:29:08.608165 IP 10.210.96.200 > 10.210.96.21: ICMP time stamp query id 34293 seq 0, length 20
 19:29:08.608169 IP 10.210.96.200 > 10.210.96.22: ICMP time stamp query id 45789 seq 0, length 20
 19:29:08.608172 IP 10.210.96.200 > 10.210.96.23: ICMP time stamp query id 20615 seq 0, length 20
 19:29:08.608175 IP 10.210.96.200 > 10.210.96.24: ICMP time stamp query id 39416 seq 0, length 20
 19:29:08.608178 IP 10.210.96.200 > 10.210.96.25: ICMP time stamp query id 43274 seq 0, length 20
 19:29:08.610367 IP 10.210.96.200 > 10.210.96.19: ICMP time stamp query id 37423 seq 0, length 20
 19:29:08.610545 IP 10.210.96.200 > 10.210.96.2: ICMP time stamp query id 8441 seq 0, length 20
 19:29:08.610552 IP 10.210.96.200 > 10.210.96.3: ICMP time stamp query id 3578 seq 0, length 20
 19:29:08.610557 IP 10.210.96.200 > 10.210.96.4: ICMP time stamp query id 3637 seq 0, length 20
 19:29:08.610560 IP 10.210.96.200 > 10.210.96.8: ICMP time stamp query id 21670 seq 0, length 20
 19:29:08.610563 IP 10.210.96.200 > 10.210.96.9: ICMP time stamp query id 59923 seq 0, length 20
 19:29:08.610565 IP 10.210.96.200 > 10.210.96.10: ICMP time stamp query id 44321 seq 0, length 20
 19:29:08.612656 IP 10.210.96.200 > 10.210.96.0: ICMP time stamp query id 2542 seq 0, length 20
 19:29:08.612681 IP 10.210.96.200 > 10.210.96.5: ICMP time stamp query id 52004 seq 0, length 20
 19:29:08.612689 IP 10.210.96.200 > 10.210.96.6: ICMP time stamp query id 50499 seq 0, length 20
 19:29:08.612705 IP 10.210.96.200 > 10.210.96.7: ICMP time stamp query id 49428 seq 0, length 20
 19:29:08.612725 IP 10.210.96.200 > 10.210.96.11: ICMP time stamp query id 36 seq 0, length 20
 19:29:08.612732 IP 10.210.96.200 > 10.210.96.12: ICMP time stamp query id 44368 seq 0, length 20
 19:29:08.612745 IP 10.210.96.200 > 10.210.96.30: ICMP time stamp query id 34029 seq 0, length 20
 19:29:08.612750 IP 10.210.96.200 > 10.210.96.31: ICMP time stamp query id 8416 seq 0, length 20
 19:29:08.708321 IP 10.210.96.200 > 10.210.96.17: ICMP time stamp query id 22579 seq 0, length 20
 19:29:08.708327 IP 10.210.96.200 > 10.210.96.18: ICMP time stamp query id 44220 seq 0, length 20
 19:29:08.708331 IP 10.210.96.200 > 10.210.96.20: ICMP time stamp query id 9032 seq 0, length 20
 19:29:08.708343 IP 10.210.96.200 > 10.210.96.21: ICMP time stamp query id 35831 seq 0, length 20
 19:29:08.708347 IP 10.210.96.200 > 10.210.96.22: ICMP time stamp query id 2301 seq 0, length 20
 19:29:08.708350 IP 10.210.96.200 > 10.210.96.23: ICMP time stamp query id 38652 seq 0, length 20
 19:29:08.708353 IP 10.210.96.200 > 10.210.96.24: ICMP time stamp query id 48909 seq 0, length 20
 19:29:08.708356 IP 10.210.96.200 > 10.210.96.25: ICMP time stamp query id 56868 seq 0, length 20
 19:29:08.710492 IP 10.210.96.200 > 10.210.96.26: ICMP time stamp query id 11131 seq 0, length 20
 19:29:08.710505 IP 10.210.96.200 > 10.210.96.27: ICMP time stamp query id 21052 seq 0, length 20
 19:29:08.710515 IP 10.210.96.200 > 10.210.96.28: ICMP time stamp query id 51363 seq 0, length 20
 19:29:08.710518 IP 10.210.96.200 > 10.210.96.29: ICMP time stamp query id 64922 seq 0, length 20
 19:29:08.710521 IP 10.210.96.200 > 10.210.96.14: ICMP time stamp query id 38360 seq 0, length 20
 19:29:08.710527 IP 10.210.96.200 > 10.210.96.16: ICMP time stamp query id 40280 seq 0, length 20
 19:29:08.710531 IP 10.210.96.200 > 10.210.96.15: ICMP time stamp query id 22775 seq 0, length 20
 19:29:08.712621 IP 10.210.96.200 > 10.210.96.2: ICMP time stamp query id 14586 seq 0, length 20
 19:29:08.712632 IP 10.210.96.200 > 10.210.96.3: ICMP time stamp query id 52979 seq 0, length 20
 19:29:08.712639 IP 10.210.96.200 > 10.210.96.4: ICMP time stamp query id 55009 seq 0, length 20
 19:29:08.712646 IP 10.210.96.200 > 10.210.96.8: ICMP time stamp query id 48655 seq 0, length 20
 19:29:08.712652 IP 10.210.96.200 > 10.210.96.9: ICMP time stamp query id 12270 seq 0, length 20
 19:29:08.712657 IP 10.210.96.200 > 10.210.96.10: ICMP time stamp query id 52019 seq 0, length 20
 19:29:08.811539 IP 10.210.96.200 > 10.210.96.14: ICMP time stamp query id 38654 seq 0, length 20
 19:29:08.811554 IP 10.210.96.200 > 10.210.96.15: ICMP time stamp query id 36060 seq 0, length 20
 19:29:08.811559 IP 10.210.96.200 > 10.210.96.16: ICMP time stamp query id 54453 seq 0, length 20
 19:29:08.811564 IP 10.210.96.200 > 10.210.96.26: ICMP time stamp query id 58198 seq 0, length 20
 19:29:08.811569 IP 10.210.96.200 > 10.210.96.27: ICMP time stamp query id 58807 seq 0, length 20
 19:29:08.811574 IP 10.210.96.200 > 10.210.96.28: ICMP time stamp query id 25994 seq 0, length 20
 19:29:08.811578 IP 10.210.96.200 > 10.210.96.29: ICMP time stamp query id 43528 seq 0, length 20

看样子ping扫射时发了一个ICMP echo request不过瘾,又发了一次ICMP time stamp query

广播ping也可以试着找出局域网内的机器。但通常windows机器都不会响应,安卓也不会响应地址是广播地址的ICMP echo request。

我们还可以看看广播地址的icmp echo request

如果伪造发送者ip,ping广播地址可以是潜在的DDOS。

 ~ ⮀ ping -b 192.168.1.255
WARNING: pinging broadcast address
PING 192.168.1.255 (192.168.1.255) 56(84) bytes of data.
64 bytes from 192.168.1.102: icmp_seq=1 ttl=64 time=83.8 ms
64 bytes from 192.168.1.107: icmp_seq=1 ttl=64 time=87.6 ms (DUP!)

额……发现两个iphone。。。

 ~ ⮀ sudo nmap -sS 192.168.1.102

Starting Nmap 6.25 ( http://nmap.org ) at 2014-03-15 14:34 CST
Nmap scan report for localhost (192.168.1.102)
Host is up (0.0040s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE
62078/tcp open  iphone-sync
MAC Address: F1:DD:08:AF:CB:E9 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 41.44 seconds

 ~ ⮀ sudo nmap -sS 192.168.1.107

Starting Nmap 6.25 ( http://nmap.org ) at 2014-03-15 14:37 CST
Nmap scan report for localhost (192.168.1.107)
Host is up (0.0053s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE
62078/tcp open  iphone-sync
MAC Address: 83:48:4C:DD:5B:96 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 42.11 seconds

但安卓就不对广播ICMP request echo响应了。可以参考著名的ICMP Usage in
Scanning
,很详细的文档,虽然年头早了些。

ICMP Timestamp query

接下来试试timestamp request

 ~ ⮀ sudo nmap -sP -PP --disable-arp-ping bbs.byr.cn

Starting Nmap 6.25 ( http://nmap.org ) at 2014-03-15 14:48 CST
Nmap scan report for bbs.byr.cn (123.127.134.62)
Host is up (0.0044s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

15:02:20.679449 IP 10.109.20.127 > 10.3.18.66: ICMP time stamp query id 6291 seq 0, length 20
15:02:20.682487 IP 10.3.18.66 > 10.109.20.127: ICMP time stamp reply id 6291 seq 0: org 00:00:00.000, recv 07:09:19.107, xmit 07:09:19.107, length 20

不是所有的机器都会响应。

 ~ ⮀ sudo nmap -sP -PP --disable-arp-ping 10.109.20.1

Starting Nmap 6.25 ( http://nmap.org ) at 2014-03-15 15:00 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.20 seconds


15:00:53.309360 IP 10.109.20.127 > 10.109.20.1: ICMP time stamp query id 48585 seq 0, length 20
15:00:54.310449 IP 10.109.20.127 > 10.109.20.1: ICMP time stamp query id 60795 seq 0, length 20

ICMP address netmask request

这是个已经废弃的东西,现在推荐使用dhcp,不过看学校的一些路由器还是支持的

 ~ ⮀ sudo nmap -sP -PM --disable-arp-ping 10.109.20.1

Starting Nmap 6.25 ( http://nmap.org ) at 2014-03-15 14:59 CST
Nmap scan report for 10.109.20.1
Host is up (0.0025s latency).
MAC Address: 00:00:E0:60:00:00 (Hangzhou H3C Technologies Co.)
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds


✘ ⮀ ~ ⮀ sudo tcpdump -i wlan0 "icmp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:59:49.589370 IP 10.109.20.127 > 10.109.20.1: ICMP address mask request, length 12
14:59:49.591828 IP 10.109.20.1 > 10.109.20.127: ICMP address mask is 0xfffffc00, length 12

谁会响应我们的非echo ICMP请求?

  • 监听状态的机器。
  • 实现这个标准的操作系统。
  • 配置为支持这个ICMP请求。
  • 没有被防火墙墙掉。

大多数机器对折中非echo的ICMP请求是没响应的。

~ ⮀ sudo nmap -sP -PM/E/P --disable-arp-ping 10.109.23.255

Starting Nmap 6.25 ( http://nmap.org ) at 2014-03-15 15:07 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.18 seconds

ICMP Parameter Problem Error messages

让目标机器生成ICMP参数错误消息的方法有:

  • 搞乱IP头:
    • 头长度域
    • IP报文option部分
  • 在IP头中使用无效的域值
    • 在IP头中使用有效的域值
  • 滥用分片
  • UDP扫描主机探测方法。

IP中伪造而不会被无声丢弃的域:

  • ihl
  • option
  • proto尝试不使用的

我们先试试改头长度域的:

我们造个ihl有问题的包(ihl的值是32位即一个字的个数):

 ~ ⮀ sudo scapy
Welcome to Scapy (2.2.0)
>>> ip = IP()/ICMP()
>>> ip.dst='10.3.18.66'
>>> ip.ihl=6L
>>> ip.show()
###[ IP ]###
  version= 4
  ihl= 6L
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= icmp
  chksum= None
  src= 10.210.96.200
  dst= 10.3.18.66
  \options\
###[ ICMP ]###
     type= echo-request
     code= 0
     chksum= None
     id= 0x0
     seq= 0x0
>>> send(ip)
.
Sent 1 packets.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:45:29.035948 IP 10.210.96.200 > 10.3.18.66: [|icmp]
14:45:29.039536 IP 10.210.96.193 > 10.210.96.200: ICMP parameter problem - octet 21, length 12

为啥会参数错误,因为解析包的程序会把ICMP报文部分当成options处理。

同样,我们往options部分塞些奇奇怪怪的东西也可以完成同样效果。

 ~ ⮀ sudo scapy
Welcome to Scapy (2.2.0)
>>> ip = IP()/ICMP()
>>> ip.dst='10.3.18.66'
>>> ip.show()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= icmp
  chksum= None
  src= 10.210.96.200
  dst= 10.3.18.66
  \options\
   |###[ IPOption ]###
   |  copy_flag= 1
   |  optclass= control
   |  option= extended_security
   |  length= None
   |  value= ''
###[ ICMP ]###
     type= echo-request
     code= 0
     chksum= None
     id= 0x0
     seq= 0x0
>>> ip.options=IPOption(copy_flag=1,optclass=0,option=5,value='')
>>> send(ip)

大快人心的是途中的路由返回的参数错误

 ~ ⮀ sudo tcpdump -i eth0 "icmp"
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
 15:13:30.787605 IP 10.210.96.200 > 10.3.18.66: ICMP echo request, id 0, seq 0, length 8
 15:13:30.790656 IP 10.0.10.1 > 10.210.96.200: ICMP parameter problem - octet 20, length 40

 ~ ⮀ traceroute 10.3.18.66 
traceroute to 10.3.18.66 (10.3.18.66), 30 hops max, 60 byte packets
 1  10.210.96.193 (10.210.96.193)  2.537 ms  2.798 ms  3.158 ms
 2  10.1.10.1 (10.2.100.1)  1.260 ms  1.423 ms  1.425 ms
 3  10.1.2.1 (10.2.1.1)  0.824 ms  1.197 ms  1.614 ms
 4  10.0.10.1 (10.0.10.1)  0.504 ms  0.534 ms  0.542 ms
 5  10.0.13.2 (10.0.13.2)  4.714 ms  4.895 ms  5.053 ms
 6  10.3.18.66 (10.3.18.66)  0.477 ms  0.428 ms  0.414 ms

在wireshark中可以看的更清楚:

Extended Security (with option length = 2 bytes; should be >= 3)

我们发了一个奇怪的包= =

ICMP Usage in Scanning中详述了使用这些技术探测ACL(访问控制列表)的神奇应用。

接着我们试试奇葩的protocol字段:

>>> ip.proto=155
>>> ip.show()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= 155
  chksum= None
  src= 10.210.96.200
  dst= 10.3.18.231
  \options\
###[ UDP ]###
     sport= domain
     dport= domain
     len= None
     chksum= None
>>> send(ip)
.
Sent 1 packets.

产生了一个destination unreachable(protocol unreachable)的错误报文。

 ~ ⮀ sudo tcpdump -i eth0 "icmp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:43:14.737608 IP 10.3.18.231 > 10.210.96.200: ICMP 10.3.18.231 protocol 155 unreachable, length 36

该技术可用于主机发现,用nmap也可以结合各种协议来进行ACL的探测。

sudo nmap -sO 10.3.18.66

这是部分抓到的包:

 ~ ⮀ sudo tcpdump "icmp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:51:15.618473 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 15 unreachable, length 28
15:51:16.719654 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 241 unreachable, length 28
15:51:17.820941 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 176 unreachable, length 28
15:51:18.922155 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 126 unreachable, length 28
15:51:19.427885 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 184 unreachable, length 28
15:51:20.434376 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 45 unreachable, length 28
15:51:21.455654 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 59 unreachable, length 28
15:51:22.466907 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 37 unreachable, length 28
15:51:23.478382 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 233 unreachable, length 28
15:51:24.492506 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 162 unreachable, length 28
15:51:25.531125 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 72 unreachable, length 28
15:51:26.452325 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 255 unreachable, length 28
15:51:27.473618 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 58 unreachable, length 28
15:51:28.415352 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 25 unreachable, length 28
15:51:29.435785 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 169 unreachable, length 28
15:51:30.456992 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 206 unreachable, length 28
15:51:31.478499 IP 10.3.18.66 > 10.210.96.200: ICMP 10.3.18.66 protocol 28 unreachable, length 28
15:51:31.527789 IP 10.210.96.200 > 10.3.9.4: ICMP 10.210.96.200 udp port 48089 unreachable, length 72
15:51:31.527806 IP 10.210.96.200 > 10.3.9.4: ICMP 10.210.96.200 udp port 55862 unreachable, length 72

ICMP Ip Reassembly Time Exceeded

我们可以故意把发送不完整的IP分片。来探测主机,当对一个网络实行这个伎俩时,就可以探测整个网络拓扑。

>>> ip = IP()/TCP()/"abcdefg"
>>> ip.flags=1
>>> ip.dst='10.3.18.66'
>>> ip.show()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= MF
  frag= 0
  ttl= 64
  proto= tcp
  chksum= None
  src= 10.210.96.200
  dst= 10.3.18.66
  \options\
###[ TCP ]###
     sport= ftp_data
     dport= http
     seq= 0
     ack= 0
     dataofs= None
     reserved= 0
     flags= S
     window= 8192
     chksum= None
     urgptr= 0
     options= {}
###[ Raw ]###
        load= 'abcdefg'
>>> send(ip)
.
Sent 1 packets.

过了好久好久,返回一个重组分片超时IMCP错误

~ ⮀ sudo tcpdump -i eth0 "icmp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:29:22.186723 IP 10.3.18.66 > 10.210.96.200: ICMP ip reassembly time exceeded, length 52

不是所有主机都会对这个响应。我试了试局域网内有的设备就没反应= =。

但这个端口不需要打开,试试81端口(确认此台机器没有打开81端口)也是直接返回ICMP超时错误。操作系统会直接处理报文并返回错误消息。

我又试了试UDP:

不管你是不是扫描打开的端口,都返回同样的超时错误:

>>> ip[1]=UDP()
>>> ip.show()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= MF
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 10.210.96.200
  dst= 10.210.96.195
  \options\
###[ UDP ]###
     sport= domain
     dport= domain
     len= None
     chksum= None
>>> ip[1].dport=80
>>> ip.dst
'10.210.96.195'
>>> ip.dst='10.3.18.66'
>>> send(ip)
.
Sent 1 packets.
>>> ip[1].dport=81
>>> send(ip)
.
Sent 1 packets.

 ~ ⮀ sudo tcpdump -i eth0 "host 10.3.18.66"   
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:46:46.455970 IP 10.210.96.200.domain > 10.3.18.66.http: [|domain]
16:47:16.455677 IP 10.3.18.66 > 10.210.96.200: ICMP ip reassembly time exceeded, length 36
16:47:29.237026 IP 10.210.96.200.domain > 10.3.18.66.hosts2-ns: [|domain]
16:47:59.236648 IP 10.3.18.66 > 10.210.96.200: ICMP ip reassembly time exceeded, length 36

这和前文提到的ICMP Usage in Scanning所说的不一样!!!!!

我懒得再试其它机器和封装个ICMP包的例子了。

好吧,还是试了试,一个没反应。一个对开放端口(22)和非开放端口(23)都返回同样值。

>>> ip.dst='10.210.96.210'
>>> send(ip)
.
Sent 1 packets.
>>> ip.dst='10.210.96.195'
>>> ip[1].dport=22
>>> send(ip)
.
Sent 1 packets.
>>> ip[1].dport=23
>>> send(ip)
.
Sent 1 packets.

16:58:25.736005 IP 10.210.96.200.ftp-data > 10.210.96.195.ssh: Flags [S], seq 0, win 8192, length 0
16:58:55.765861 IP 10.210.96.195 > 10.210.96.200: ICMP ip reassembly time exceeded, length 44
16:59:15.097094 IP 10.210.96.200.ftp-data > 10.210.96.195.telnet: Flags [S], seq 0, win 8192, length 0
16:59:45.171689 IP 10.210.96.195 > 10.210.96.200: ICMP ip reassembly time exceeded, length 44

和文档描述的不相同,但只要有ICMP报文返回,说明主机是打开的。(好像没什么用…)

UDP扫描

结合各种协议和端口,探测内网拓扑。

比如,我们可以先用nmap ping 扫射下某网段,然后分别试着尝试协议端口。

>>> ip[1]=UDP()
>>> ip.show()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= udp
  chksum= None
  src= 10.210.96.200
  dst= 10.3.18.66
  \options\
###[ UDP ]###
     sport= domain
     dport= domain
     len= None
     chksum= None
>>> send(ip)
.
Sent 1 packets.

 ~ ⮀ sudo nmap -sP 10.3.18.66/24 
Nmap scan report for 10.3.18.213
Host is up (0.00052s latency).
Nmap scan report for 10.3.18.231
Host is up (0.00052s latency).
Nmap scan report for 10.3.18.232
Host is up (0.00038s latency).

>>> ip.dst='10.3.18.230'
>>> send(ip)
.
Sent 1 packets.
>>> ip.dst='10.3.18.231'
>>> send(ip)
.
Sent 1 packets.

只有10.3.18.231这个活着的机器有返回destination unreachable(Port unreachable)报文。

 ~ ⮀ sudo tcpdump -i eth0 "icmp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:39:12.697553 IP 10.3.18.231 > 10.210.96.200: ICMP 10.3.18.231 udp port domain unreachable, length 36

分片与MTU

我的意思是,恰巧目标网络的MTU比上一跳网络的MTU小,如果我们设置DF标志为1,同时让IP数据包的值介于两者之间,然后倒霉的内网路由器就会发回Fragmentation Needed ICMP报文。

该死的我没找到比我更小的MTU网段了。现在无线网没人用了?

Inverse Mapping

大多数防火墙不过滤ICMP reply。

假设我们的ip是10.210.96.20010.210.97.195是存在的。而10.210.97.196不在线。

>>> icmp = IP()/ICMP()
>>> icmp.dst='10.210.97.195'
>>> icmp.show()
###[ IP ]###
  version= 4
  ihl= None
  tos= 0x0
  len= None
  id= 1
  flags= 
  frag= 0
  ttl= 64
  proto= icmp
  chksum= None
  src= 10.210.96.200
  dst= 10.210.97.195
  \options\
###[ ICMP ]###
     type= echo-reply
     code= 0
     chksum= None
     id= 0x0
     seq= 0x0
>>> send(icmp)
.
Sent 1 packets.

 ~ ⮀ sudo tcpdump -i eth0 "host 10.210.97.195"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:51:47.187719 IP 10.210.96.200 > 10.210.97.195: ICMP echo reply, id 0, seq 0, length 8
22:51:47.188369 IP 10.210.97.195 > 10.210.96.200: ICMP 10.210.97.195 protocol 1 unreachable, length 36

发现10.210.97.195竟然尼码响应了!!!!!!协议不可到达!!

不存在的ip地址则没有响应!这尼码完全和上文提到的ICMP Usage in Scanning说的相反好么!!!

>>> icmp.dst='10.210.97.196'
>>> send(icmp)
.
Sent 1 packets.

~ ⮀ sudo tcpdump -i eth0 "host 10.210.97.196"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:56:15.725836 IP 10.210.96.200 > 10.210.97.196: ICMP echo reply, id 0, seq 0, length 8

不过后来找到个在线的10.210.97.200也不响应。

>>> icmp.dst='10.210.97.200'
>>> send(icmp)
.
Sent 1 packets.

 ~ ⮀ sudo tcpdump -i eth0 "host 10.210.97.200"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:59:10.235963 IP 10.210.96.200 > 10.210.97.200: ICMP echo reply, id 0, seq 0, length 8

 ~ ⮀ ping 10.210.97.200
PING 10.210.97.200 (10.210.97.200) 56(84) bytes of data.
64 bytes from 10.210.97.200: icmp_seq=1 ttl=63 time=0.520 ms
64 bytes from 10.210.97.200: icmp_seq=2 ttl=63 time=0.559 ms

丧心病狂,说明路由存在ip就转发了,不存在就默默丢弃了。至于10.210.97.195是什么毛病会给我个协议不可达(它可能是个路由器)……Who can tell me...

ICMP与操作系统探测

ICMP Usage in Scanning的作者也是xprobe的作者,我不打算继续玩ICMP这项深坑了:

# eix xprobe
* net-analyzer/xprobe
     Available versions:  ~0.3
     Homepage:            http://sys-security.com/blog/xprobe2
     Description:         Active OS fingerprinting tool - this is Xprobe2

ICMP source quench

应该被废弃的(2012年的RFC6633)协议,流量控制应该交给TCP来做。如果要伪造需要猜测TCP序号,端口号等(前八字节)。

我试着发了发包……看样子路由比我的网卡强大太多了。

ICMP 重定向

扔一个参考资料,用hping的How To – Poison Route Cache Using ICMP Redirect

待我哪天土豪了再说吧……最起码现在我的安卓功能受限,总之我没模拟出来啥效果。反正我在一个网段试了试完全没动静。其实我觉得应该现在操作系统都会检查ICMP报文中的IP报头和IP报文数据前八字节吧。那又得猜TCP端口号和序列号了不是?

FIXME:ICMP Tunnel,有空试试。