Nmap Announce mailing list archives
ICMP Usage In Scanning v2.0 - Research Paper
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Fri, 1 Sep 2000 20:56:46 +0200
I have finished the second version of my research paper "ICMP usage in scanning". The first version was published on July 1st, 2000.

Introduction to Version 2.0

Quite a large number of new OS fingerprinting methods using ICMP, which I have discovered, are introduced with this revision. Among those methods, some can be used in order to identify Microsoft Windows 2000 machines; one would allow us to distinguish between Microsoft Windows operating system machines and the rest of the world; another would allow us to distinguish between SUN Solaris machines and the rest of the world. More methods are introduced in the paper.

I have also tried to be as accurate as possible with the data presented in this paper. A few tables have been added to the paper mapping the behavior of the various operating systems I have used. These tables describe the results I got from the various machines after querying them with the various tests introduced with this paper. I have also corrected and tuned the information, trying to pinpoint exactly which OS will do what.

I hope the second version will be beneficial in understanding the hazards the ICMP protocol introduces if you do not filter it correctly.

For corrections/additions/suggestions for this research paper, please send email to ofir () itcon-ltd com. Further information and updates will be posted to http://www.sys-security.com.
From the Introduction to Version 1.0:
"The Internet Control Message Protocol is one of the most debated protocols in the TCP/IP protocol suite regarding its security hazards. There is no consensus among the experts in charge of securing Internet networks (Firewall Administrators, Network Administrators, System Administrators, Security Officers, etc.) regarding the actions that should be taken to secure their network infrastructure in order to prevent those risks. In this paper I have tried to outline what can be done with the ICMP protocol regarding scanning."

The paper deals with plain Host Detection techniques, Advanced Host Detection techniques, Inverse Mapping, Trace routing, OS fingerprinting methods with ICMP, and which ICMP traffic should be filtered on a Filtering Device.

The paper can be downloaded from http://www.sys-security.com:

http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf (~600kb)
http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.ps (~2.55mb)

Cheers,
Ofir Arkin [ofir () itcon-ltd com]
Senior Security Analyst
ITcon, Israel. http://www.itcon-ltd.com
Personal Web page: http://www.sys-security.com
"Opinions expressed do not necessarily represent the views of my employer."