Date: Fri, 1 Sep 2000 20:56:48 +0200
From: Ofir Arkin <ofir@ITCON-LTD.COM>
Subject: ICMP Usage In Scanning v2.0 - Research Paper
To: BUGTRAQ@SECURITYFOCUS.COM

I have finished the second version of my research paper "ICMP Usage in Scanning". The first version was published on July 1st, 2000.

Introduction to Version 2.0

Quite a large number of new OS fingerprinting methods using ICMP, which I have discovered, are introduced with this revision. Among those methods, some can be used in order to identify Microsoft Windows 2000 machines; one would allow us to distinguish between Microsoft Windows operating system machines and the rest of the world; another would allow us to distinguish between SUN Solaris machines and the rest of the world. More methods are introduced in the paper.

I have also tried to be as accurate as possible with the data presented in this paper. A few tables have been added to the paper mapping the behavior of the various operating systems I have used. These tables describe the results I got from the various machines after querying them with the various tests introduced in this paper. I have also corrected and tuned the information, trying to pinpoint exactly which OS will do what.

I hope the second version will be beneficial in understanding the hazards the ICMP protocol introduces if you do not filter it correctly.

For corrections/additions/suggestions for this research paper, please send email to ofir@itcon-ltd.com. Further information and updates will be posted to http://www.sys-security.com.

From the Introduction to Version 1.0:

"The Internet Control Message Protocol is one of the most debated protocols in the TCP/IP protocol suite regarding its security hazards. There is no consensus among the experts in charge of securing Internet networks (Firewall Administrators, Network Administrators, System Administrators, Security Officers, etc.) regarding the actions that should be taken to secure their network infrastructure in order to prevent those risks. In this paper I have tried to outline what can be done with the ICMP protocol regarding scanning."

The paper deals with plain Host Detection techniques, Advanced Host Detection techniques, Inverse Mapping, Trace Routing, OS fingerprinting methods with ICMP, and which ICMP traffic should be filtered on a Filtering Device.

The paper can be downloaded from http://www.sys-security.com:

http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf (~600kb)
http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.ps (~2.55mb)

Cheers,
Ofir Arkin [ofir@itcon-ltd.com]
Senior Security Analyst
ITcon, Israel.
http://www.itcon-ltd.com
Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily represent the views of my employer."