ICMP Exploitation Methods & Vulnerabilities

Address Resolution Protocol (ARP) Header

·         Standard length is 28 Bytes with an optional trailer of 36 Bytes.

Hardware Type

·         2 Bytes. For class will always be 00 01, for Ethernet.
1st item in the ARP Header.

Protocol Type

·         2 Bytes. For IP, value is set to 08 00.
2nd item in the ARP Header.

Hardware Size

·         1 Byte. A value of 2 is used for 16-bit addresses and a value of 6 is used for 48-bit Ethernet addresses (MAC).
3rd item in the ARP Header.

Protocol Size

·         1 Byte. Value of 4 represents the size of an IPv4 address in bytes.
4th item in the ARP Header.

OPCODE

·         2 Bytes. ARP function being performed.
00 01 = Request
00 02 = Reply
5th item in the ARP Header.

Source MAC Address

·         6 Bytes. Lines up with the SMAC from the Ethernet Header.
6th item in the ARP Header.

Source IP Address

·         4 Bytes. This is the IP address of the originator of the traffic.
7th item in the ARP Header.

Target MAC Address

·         6 Bytes. In a request = 00 00 00 00 00 00. In a reply this is set to the originator's MAC address (the host that sent the request).
8th item in the ARP Header.

Target IP Address

·         4 Bytes. In a request this indicates the known IP for which the MAC address is being requested. In a reply this indicates the IP address of the request originator.
9th item in the ARP Header.
 

IPv4 Header

·         Minimum length = 20 Bytes, Maximum length = 60 Bytes.

IP Version

·         4 Bits. Format of the Internet Header. 4 indicates IPv4 and 6 indicates IPv6.
1st item in the IPv4 Header.

IP Header Length (IHL)

·         4 Bits. Specifies the size of the header in 32-bit words; the minimum value is 5 (20 Bytes) and the maximum value is hex F (60 Bytes) [F = 15]. To find the actual size in bytes, multiply the value by 4; EX: F x 4 = 15 x 4 = 60.
2nd item in the IPv4 Header.

Type of Service (TOS)

·         1 Byte. An abstract parameter for the quality of service desired. For class will always be 00. In the real world it allows the assignment of priorities to different types of traffic.
3rd item in the IPv4 Header.

Total IP Length

·         2 Bytes. Minimum = 20 Bytes, Maximum = 65,535 Bytes.
On Ethernet the practical maximum is the 1500-byte MTU: 05 DC = 1500 decimal.
4th item in the IPv4 Header.

Identification

·         2 Bytes. Identifying value assigned by the sender to aid in reassembling the fragments of a datagram.
5th item in the IPv4 Header.

IP Flags

·         3 Bits. Field used to identify whether the datagram can be fragmented and whether the receiving host should expect more fragments for this datagram. Read as the leading hex digit of the flags/fragment offset bytes, the value will be:
0: May Fragment or Last Fragment
2: There are more Fragments
4: Don't Fragment
6th item in the IPv4 Header.

Fragment Offset

·         13 Bits. Indicates where in the original datagram this fragment belongs (the field value is in units of 8 bytes).
7th item in the IPv4 Header.

Time to Live (TTL)

·         1 Byte. Decremented by each router; used to discard undeliverable datagrams.
8th item in the IPv4 Header.

Next Protocol

·         1 Byte. Identifies the next protocol that is used in the data portion of the datagram.
9th item in the IPv4 Header.

Common Values for Next Protocol

·         A. x01 -- 1 -- ICMP (Layer 3)
B. x02 -- 2 -- IGMP
C. x06 -- 6 -- TCP
D. x08 -- 8 -- EGP
E. x11 -- 17 -- UDP
F. x58 -- 88 -- IGRP
G. x59 -- 89 -- OSPF
These are the values most commonly seen in class.
10th item in the IPv4 Header.

IP Header Checksum

·         2 Bytes. Checksum computed over the IP header only (the payload is not covered).
11th item in the IPv4 Header.

Source IP Address in IPv4

·         4 Bytes. Source IP address.
12th item in the IPv4 Header.

Target IP Address in IPv4

·         4 Bytes. Destination IP address.
13th item in the IPv4 Header.

Options

·         May or may not appear in the datagram.
14th item in the IPv4 Header.

Padding

·         Pads the IP header to ensure it ends on a 32-bit boundary. Minimum length is 0.
15th item in the IPv4 Header.

IPv6 Header

·         Fixed size of 40 Bytes.

IP Version IPv6

·         4 Bits. Format of the Internet Header.
1st item in the IPv6 Header.

Traffic Class

·         8 Bits. Packet priority.
2nd item in the IPv6 Header.

Flow Label

·         20 Bits. Used for Quality of Service (QoS) management.
3rd item in the IPv6 Header.

Payload Length

·         2 Bytes. Length of the payload measured in octets. Does not include the IPv6 Header.
4th item in the IPv6 Header.

Next Header

·         1 Byte. Type of the next header: either an extension (options) header or, more usually, an upper-layer protocol header (x06 = TCP, x11 = UDP, x3A = ICMPv6).
5th item in the IPv6 Header.

Hop Limit

·         1 Byte. Number of routing devices the packet can pass through before it is considered undeliverable.
6th item in the IPv6 Header.

Source Address

·         16 Bytes. Address of the originating device.
7th item in the IPv6 Header.

Analyzing Fragmentation

·         1: Determine the total IP length (TIPL).
2: Determine the IP header length (IPHL).
3: Calculate the payload size (TIPL - IPHL = Payload).
4: Calculate the fragment offset (FO).
5: Work out which fragment of the original datagram the packet capture provided you.
6: Calculate the next fragment. Its flags digit will be either a leading 2 (indicates more fragments) or 0 (indicates the last fragment).

ICMP

·         Provides error reporting, flow control, and first-hop gateway redirection.

ICMP Header

·         Fits in the packet immediately following the IP header.

ICMP Message Types

·         0: Echo Reply
3: Destination Unreachable
5: Redirect
8: Echo Request
11: Time to Live Exceeded

Error Message Data Portion

·         Must contain the original (offending) IP header including all options plus at least eight bytes of additional data, per the RFC.

ICMP Type 3 Code Field Values

·         These code values apply to ICMP Type 3 (Destination Unreachable) only:
0: Network Unreachable, can't reach the requested network.
1: Host Unreachable, can't reach the requested host.
2: Protocol Unreachable, target host can't find the protocol.
3: Port Unreachable, target host port is not available.
13: Communication Administratively Prohibited, generated if a router can't forward a packet due to administrative filtering.

ICMP Exploitation Methods & Vulnerabilities

·         1. DoS exploits.
2. Netmask requests for enumeration.
3. ICMP redirect exploitation for MITM (man in the middle) exploits.
4. Payload can be used to transmit data through firewalls and proxies where ICMP messages are allowed but other communications may be denied.
5. Some DDoS exploits, such as trinoo, used ICMP messages with specific payloads to activate the remote slave hosts.
