ICMP Error Message Echoing Integrity Probe
Attack Pattern ID: 330 (Detailed Attack Pattern)Typical Severity: LowStatus: Draft
+ Description

Summary

An attacker uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the integrity of data returned or "Quoted" from the originating request that generated the error message. For this purpose "Port Unreachable" error messages are often used, as generating them requires the attacker to send a UDP datagram to a closed port on the target. When replying with an ICMP error message some IP/ICMP stack implementations change aspects of the IP header, change or reverse certain byte orders, reset certain field values to default values which differ between operating system and firmware implementations, and make other changes. Some IP/ICMP stacks are decidedly broken, indicating a idiosyncratic behavior that differs from the RFC specifications, such as the case when miscalculations affect a field value. A tremendous amount of information about the host operating system can be deduced from its 'echoing' characteristics. Notably, inspection of key protocol header fields, including the echoed header fields of the encapsulating protocol can yield a wealth of data about the host operating system or firmware version.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Network Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: ICMP
Protocol Header 1
Protocol RFCProtocol Field NameProtocol Field DescriptionProtocol Operation CodeProtocol Data
RFC 792
Type
The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated.
8
ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message.
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
+ Attack Prerequisites

The ability to send a UDP datagram to a closed port and recieve an ICMP Error Message Type 3, "Port Unreachable."

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern316ICMP Fingerprinting Probes 
Mechanism of Attack (primary)1000
+ References
Stuart McClure, Joel Scambray, George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
Defense Advanced Research Projects Agency (DARPA). "RFC792 - Internet Control Messaging Protocol". 1981. <http://www.faqs.org/rfcs/rfc792.html>.
Defense Advanced Research Projects Agency (DARPA). "RFC1122 - Requirements for Internet Hosts - Communication Layers". 1981. <http://www.faqs.org/rfcs/rfc1122.html>.
Ofir Arkin, et.al. "A Remote Active OS Fingerprinting Tool using ICMP". 2008. <http://ofirarkin.files.wordpress.com/2008/11/login.pdf>.
Back to top