Icmpenum v 1.1
Simple Nomad
RAZOR Sr. Security Analyst
BindView Corporation
Chief Gray Hat
Nomad Mobile Research Centre
Host enumeration is the act of determining the IP addresses
of potential targets on a network. Icmpenum uses not only ICMP Echo packets to probe networks, but ICMP Timestamp
and ICMP Information packets as well. Furthermore, it supports spoofing and promiscuous listening for reply packets.
Icmpenum is great for enumerating networks that block ICMP Echo packets but have failed to block Timestamp or Information
packets, or for upstream sniffing of trusted addresses.
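The three probe families named above share one 8-byte ICMP header and differ only in type number (RFC 792: Echo 8/0, Timestamp 13/14, Information 15/16). The following is an added example, not code from icmpenum or its author: it parses and checksum-verifies an ICMP message, names the probe family it belongs to, and reports which families a border filter still lets through given the request types it drops. The function names (parse_icmp, classify, unblocked_probe_types) and the sample packets built by build_request are this example's own assumptions.

```python
import struct
from dataclasses import dataclass

# ICMP type numbers (RFC 792) for the request/reply pairs icmpenum can send
ECHO_REPLY, ECHO_REQUEST = 0, 8
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
INFO_REQUEST, INFO_REPLY = 15, 16

REQUEST_NAMES = {ECHO_REQUEST: "echo", TIMESTAMP_REQUEST: "timestamp", INFO_REQUEST: "info"}
REPLY_OF = {ECHO_REQUEST: ECHO_REPLY, TIMESTAMP_REQUEST: TIMESTAMP_REPLY, INFO_REQUEST: INFO_REPLY}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    Over a message whose checksum field is already filled in, this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IcmpMessage:
    type: int
    code: int
    ident: int
    seq: int
    payload: bytes
    checksum_ok: bool


def parse_icmp(raw: bytes) -> IcmpMessage:
    """Parse the 8-byte header shared by echo, timestamp and info messages."""
    if len(raw) < 8:
        raise ValueError("ICMP header truncated")
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return IcmpMessage(itype, code, ident, seq, raw[8:], icmp_checksum(raw) == 0)


def build_request(itype: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Construct a well-formed request of the given type (constructed test input,
    not captured traffic). Timestamp requests carry three 32-bit timestamp fields."""
    if itype == TIMESTAMP_REQUEST:
        payload = struct.pack("!III", 0, 0, 0)  # originate / receive / transmit
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def classify(msg: IcmpMessage) -> str:
    """Name the probe family a message belongs to, e.g. 'timestamp-reply'."""
    for req, name in REQUEST_NAMES.items():
        if msg.type == req:
            return name + "-request"
        if msg.type == REPLY_OF[req]:
            return name + "-reply"
    return "other"


def unblocked_probe_types(blocked_types) -> list:
    """Given the ICMP request types a border filter drops, return the probe
    families that could still be used to enumerate hosts behind it."""
    blocked = set(blocked_types)
    return [REQUEST_NAMES[t] for t in sorted(REQUEST_NAMES) if t not in blocked]


if __name__ == "__main__":
    for t in (ECHO_REQUEST, TIMESTAMP_REQUEST, INFO_REQUEST):
        msg = parse_icmp(build_request(t, 0x1234, 1))
        print(classify(msg), "checksum_ok=%s" % msg.checksum_ok)
    # A filter that drops only Echo still leaves two probe families open.
    print("still usable with echo blocked:", unblocked_probe_types({ECHO_REQUEST}))
```

The policy check is the practical takeaway: a filter that only drops type 8 answers the question "is ping blocked?" but not "is host enumeration blocked?"; the list it returns is exactly what a rule set must also cover.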
This is a proof-of-concept tool to demonstrate possible distributed attacking concepts, such as sending packets from one workstation and sniffing the reply packets on another.
Installation
1. Install the latest libpcap (libpcap 0.4, ftp://ftp.ee.lbl.gov/libpcap.tar.Z).
2. Install the latest Libnet (http://www.packetfactory.net/libnet/).
3. Compile icmpenum as follows:
gcc `libnet-config --defines` -o icmpenum icmpenum.c -lnet -lpcap
4. Copy icmpenum to your fave directory and (as root) start enumerating.
Usage
Running icmpenum -h gives you the following screen:
# ./icmpenum -h
USAGE: ./icmpenum [opts] [-c class C] [-d dev] [-i 1-3] [-s src] [-t sec] hosts
opts are h n p r v
-h this help screen
-n no sending of packets
-p promiscuous receive mode
-r receiving packets only (no
-v verbose
-c class C in x.x.x.0 form
-i icmp type to send/receive, types include the following:
1 echo/echo reply (default)
2 timestamp request/reply
3 info request/reply
-d device to grab local IP or sniff from, default is eth0
-s spoofed source address
-t time in seconds to wait for all replies (default 5)
host(s) are target hosts (ignored if using -c)
Examples
Here are some example uses of icmpenum to enumerate hosts.
Example 1:
[Host1]# icmpenum 192.168.1.1 192.168.1.2
This will use the default of Echo packets to try and determine if 192.168.1.1 and 192.168.1.2 are up and running.
Example 2:
[Host1]# icmpenum -i 2 -v 192.168.100.100 192.168.100.200
This will enumerate the two hosts using Timestamp packets in verbose mode.
Example 3:
[Host1]# icmpenum -i 3 -s 10.10.10.10 -p -v 192.168.1.1 192.168.1.2
This will enumerate hosts 192.168.1.1 and 192.168.1.2 using Information packets with a spoofed source address of 10.10.10.10.
Since our real address is 10.10.10.11, the replies go to 10.10.10.10 rather than to us, so we use the -p option to listen
for them promiscuously.
Here are some more advanced uses of icmpenum.
Example 4:
Assuming Host1 is 6.6.6.6 and Host2 is 7.7.7.7, and that
the network 1.1.1.0 has potential hosts to enumerate, we use the following two entries to enumerate with Information
packets:
[Host2]# icmpenum -r -t 30 -i 3 -c 1.1.1.0
[Host1]# icmpenum -s 7.7.7.7 -i 3 -c 1.1.1.0
Host2 starts first in receive mode with a timeout of 30 seconds and listens for Information packets from the 1.1.1.0
network. Then Host1 starts sending spoofed packets with Host2 as the source address, sending exactly what Host2 is
listening for. It should be noted that this is hardly stealthy, as logs at 1.1.1.0's site could have 7.7.7.7's
address all over them, but the -r function is good for testing.
Example 5:
Assuming Host1 is 6.6.6.6 and Host2 is 7.7.7.7, and that
Host2 can sniff traffic between 1.1.1.0 and 2.2.2.0, we use the following entries to enumerate the 1.1.1.0 network:
[Host2]# icmpenum -t 20 -n -p -i 2 -c 1.1.1.0
[Host1]# icmpenum -s 2.2.2.2 -i 2 -c 1.1.1.0
Host2 starts first with a timeout of 20 seconds, suppresses sending with the -n option, and listens promiscuously
for Timestamp packets from the 1.1.1.0 network. Host1 sends the exact packets Host2 is listening for with a 2.2.2.2
spoofed source address. Yes, one could simply replace the -n option in Host2's command line with -s 2.2.2.2 and do
the same thing from one workstation, but we're demonstrating a distributed concept.
Additional Comments
As stated, this demonstrates distributed host enumeration.
The code actually works, and can be used for both good and evil purposes. Both admins testing their networks and
bad guys probing will find uses for icmpenum. For example, the verbose mode will not only report the total number
of expected packets received (when in a receiving mode), but also "unexpected" ICMP packets going to
the addresses being targeted. If countermeasures are in place to "probe the prober", these packets
could show up in the "unexpected" count. If you're testing your countermeasures, you can determine if
they are working. If you're a black hat, you've possibly been detected. In fact, if you get a couple of expected
packets back on the first volley yet no packets after that on repeated volleys to the same addresses, you might have
tripped an intrusion detection system into shutting off your spoofed source address. Once again, admins can test their
IDS, and bad guys can counterdetect the IDS in action. In fact, a really mean bad guy might start forging probes
from the target's business partners and big customers to start a "denial of service".
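Examples 4 and 5 and the comments above leave two sites with something to detect: the probed 1.1.1.0 network sees one source address sweeping many hosts with Timestamp or Information requests, and the site whose address was spoofed (7.7.7.7 or 2.2.2.2) sees ICMP replies arrive for requests it never sent. The following is an added example, not part of icmpenum: it runs those two checks over constructed flow records of the form (seconds, src, dst, icmp type, ident, seq) as a border sensor at each site might log them. The records, the thresholds and the function names (detect_sweeps, unsolicited_replies) are this example's own assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

REQUEST_TYPES = {8: "echo", 13: "timestamp", 15: "info"}
REPLY_TO_REQUEST = {0: 8, 14: 13, 16: 15}

# Constructed records as seen at the probed site's border (1.1.1.0/24),
# modelled on Example 4: a -c sweep of Information requests from 7.7.7.7.
TARGET_SITE_FLOWS = [
    (0.0, "7.7.7.7", "1.1.1.1", 15, 0x2A, 1),
    (0.1, "7.7.7.7", "1.1.1.2", 15, 0x2A, 2),
    (0.2, "7.7.7.7", "1.1.1.3", 15, 0x2A, 3),
    (0.3, "7.7.7.7", "1.1.1.4", 15, 0x2A, 4),
    (0.4, "7.7.7.7", "1.1.1.5", 15, 0x2A, 5),
    (0.5, "1.1.1.2", "7.7.7.7", 16, 0x2A, 2),   # one host answers info requests
    (5.0, "9.9.9.9", "1.1.1.1", 8, 0x10, 1),    # an ordinary single ping
    (5.1, "1.1.1.1", "9.9.9.9", 0, 0x10, 1),
]

# Constructed records as seen at the spoofed site's border (7.7.7.0/24):
# the requests never left here, only the reply from 1.1.1.2 shows up.
SPOOFED_SITE_FLOWS = [
    (0.5, "1.1.1.2", "7.7.7.7", 16, 0x2A, 2),   # reply to a request 7.7.7.7 never sent
    (5.0, "7.7.7.7", "9.9.9.9", 8, 0x10, 1),    # 7.7.7.7's own ping ...
    (5.1, "9.9.9.9", "7.7.7.7", 0, 0x10, 1),    # ... and its legitimate reply
]


def detect_sweeps(flows, window=10.0, min_hosts=4):
    """Flag each source that sends ICMP requests of any probe family to at least
    `min_hosts` distinct destinations within `window` seconds."""
    per_source = defaultdict(list)
    for ts, src, dst, itype, _ident, _seq in flows:
        if itype in REQUEST_TYPES:
            per_source[src].append((ts, dst, REQUEST_TYPES[itype]))
    alerts = []
    for src, events in per_source.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            hosts = {e[1] for e in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": len(hosts),
                               "types": sorted({e[2] for e in in_window})})
                break  # one alert per source is enough
    return alerts


def unsolicited_replies(flows, home_net):
    """From the vantage point of `home_net`, return inbound ICMP replies with no
    matching outbound request (same peer, family, ident and seq). Replies like
    these mean a home_net address is being used as a spoofed probe source."""
    net = ip_network(home_net)
    sent = set()
    unsolicited = []
    for _ts, src, dst, itype, ident, seq in sorted(flows):
        if itype in REQUEST_TYPES and ip_address(src) in net:
            sent.add((src, dst, itype, ident, seq))
        elif itype in REPLY_TO_REQUEST and ip_address(dst) in net:
            key = (dst, src, REPLY_TO_REQUEST[itype], ident, seq)
            if key not in sent:
                unsolicited.append((src, dst, itype, ident, seq))
    return unsolicited


if __name__ == "__main__":
    print("sweeps at probed site:", detect_sweeps(TARGET_SITE_FLOWS))
    print("backscatter at spoofed site:", unsolicited_replies(SPOOFED_SITE_FLOWS, "7.7.7.0/24"))
```

The second check is the one the page's spoofing examples make necessary: the probed site cannot tell 7.7.7.7 from 6.6.6.6, but the owner of 7.7.7.0/24 can, because a reply with no matching request is only explained by someone else using that address.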
Closing
Bugs and comments are welcome. Send them to me at thegnome@nmrc.org (at home) or at thegnome@razor.bindview.com
(at work).
Shouts to my fellow BindView RAZOR team homies, for allowing
me to bug them with annoying questions about ICMP and networking, and providing encouragement and pointers regarding
coding.
Simple Nomad
28Jan2000