Introduction to advanced scanning technology and principles (1)

Source: Internet
Author: User

Scanning is the basis of every intrusion. There are many host-detection tools, the best known being nmap. There is no new technology here; these are old things, some of them referenced from Phrack documents and even from a paper dating back to 1996. I have only collected them.

The most basic probe is ping, but nowadays even a basic personal firewall blocks ping, so that is far too simple. How to obtain a good map of the target through the firewall is a problem many people think about all day long.

I. Advanced ICMP scanning techniques

Ping uses the ICMP protocol. Here we mainly use the most basic purpose of ICMP: reporting errors. When an error occurs while a datagram is processed according to the network protocol, the receiving end generates an ICMP error message. These error messages are not sent on the host's own initiative; they are generated automatically by the protocol in response to errors.

When the checksum or version of an IP datagram is incorrect, the target host discards the datagram; if a router detects the checksum error, the router discards it directly. Some hosts, such as AIX and HP-UX, do not send ICMP Unreachable datagrams.

We use the following features:

1. Send an IP packet consisting only of an IP header to the target host. The target returns the ICMP error message Destination Unreachable.

2. Send a malformed IP datagram to the target host, for example one with an incorrect IP header length. The target host returns the ICMP error message Parameter Problem.

3. Send a fragmented datagram, but do not let all of its fragments reach the receiver. When the receiver's reassembly timer expires, it sends an ICMP fragment reassembly time exceeded message.

Send an IP datagram with an incorrect Protocol field to the target host. If the protocol number is not in use, the target returns an ICMP Destination Unreachable (Protocol Unreachable) packet. However, if a firewall or other filtering device sits in front of the target host, the request may be filtered out and no response arrives. A very high protocol number, one that is at least not assigned today, can be placed in the Protocol field of the IP header; the host must then return Unreachable, and if no Unreachable ICMP error message comes back, the packet was filtered out by a firewall or other device. This method can therefore also be used to detect whether a firewall or other filtering device exists.

The Protocol field of the IP header can be used to detect which protocols a host is running. The field is 8 bits wide, so there are 256 possible values; we vary it and use the ICMP error message returned by the target to determine which protocols are in use. If Destination Unreachable is returned, the host does not use that protocol. Conversely, if nothing is returned, the host may be using the protocol, but the probe may also have been filtered out by a firewall. Nmap's IP protocol scan uses this principle.

Using IP fragmentation to trigger reassembly-timeout ICMP error messages also serves our probing purpose. When a host receives a datagram that is missing fragments and the remaining fragments do not arrive within a certain period, the whole datagram is discarded and an ICMP fragment reassembly timeout error is sent to the original sender. We can use this property by sending fragmented datagrams and waiting for the ICMP reassembly timeout error. The fragmented datagram can be UDP, TCP or ICMP, as long as the target host never obtains the complete datagram. Of course, for a connectionless, unreliable protocol such as UDP, if we receive no ICMP reassembly timeout error, the packet may also simply have been lost in transit because of line or other problems.
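Seen from the defending host, the techniques above leave a clear trace: the ICMP errors it emits quote the offending IP header, so the protocol number that was probed can be read back, and a single peer that triggers Protocol Unreachable for many distinct protocol numbers looks exactly like the IP protocol scan described. The following Python is an added example, not code from the original article; it parses the ICMP error types discussed here from raw IPv4 bytes and flags such a peer. The packets it runs on are constructed inline for illustration, and the addresses and the threshold of 8 are assumptions.

```python
import struct
from collections import defaultdict

# ICMP (type, code) pairs that the scanning techniques above depend on.
ICMP_ERRORS = {
    (3, 2): "protocol-unreachable",          # Destination Unreachable, code 2
    (3, 3): "port-unreachable",              # Destination Unreachable, code 3
    (11, 1): "fragment-reassembly-timeout",  # Time Exceeded, code 1
    (12, 0): "parameter-problem",            # bad IP header, e.g. wrong IHL
}

def parse_icmp_error(pkt: bytes):
    """Parse a raw IPv4 datagram; return (label, probed_proto, probed_dst).

    An ICMP error quotes the offending IP header after its own 8-byte header,
    so the protocol number the prober put into that header is recoverable.
    Returns None for anything that is not one of the errors in ICMP_ERRORS.
    """
    ihl = (pkt[0] & 0x0F) * 4                    # outer header length in bytes
    if len(pkt) < ihl + 8 + 20 or pkt[9] != 1:   # outer protocol 1 = ICMP
        return None
    label = ICMP_ERRORS.get((pkt[ihl], pkt[ihl + 1]))
    if label is None:
        return None
    inner = pkt[ihl + 8:]                        # quoted original IP header
    probed_dst = ".".join(str(b) for b in inner[16:20])
    return label, inner[9], probed_dst

def detect_protocol_scan(icmp_pkts, threshold=8):
    """Group outgoing Protocol Unreachable errors by (prober, probed host).

    The error's destination is the peer that sent the probe; a peer that
    triggered Protocol Unreachable for many distinct protocol numbers against
    one host is behaving like an IP protocol scan (threshold is an assumption).
    """
    probed = defaultdict(set)
    for pkt in icmp_pkts:
        parsed = parse_icmp_error(pkt)
        if parsed is None or parsed[0] != "protocol-unreachable":
            continue
        prober = ".".join(str(b) for b in pkt[16:20])
        probed[(prober, parsed[2])].add(parsed[1])
    return {k: sorted(v) for k, v in probed.items() if len(v) >= threshold}

def build_icmp_error(icmp_type, icmp_code, probed_proto,
                     prober=(203, 0, 113, 7), host=(10, 0, 0, 5)):
    """Constructed sample: ICMP error sent by `host` back to `prober`."""
    ip_hdr = "!BBHHHBBH4s4s"                     # minimal 20-byte IPv4 header
    outer = struct.pack(ip_hdr, 0x45, 0, 48, 0, 0, 64, 1, 0, bytes(host), bytes(prober))
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)  # checksum left 0 in sample
    inner = struct.pack(ip_hdr, 0x45, 0, 20, 0, 0, 64, probed_proto, 0,
                        bytes(prober), bytes(host))
    return outer + icmp + inner
```

On a real host the same logic would be fed from a raw socket or a packet capture of egress ICMP; the quoted inner header is also where a fragment reassembly timeout reveals which transport protocol the incomplete datagram carried.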

We can use these properties to work out the firewall's ACL (access list), and even to map the whole network topology. If we get neither an Unreachable message nor a fragment reassembly timeout error message from the target, we can draw one of the following conclusions:

1. The firewall filters out the protocol type we sent.

2. The firewall filters out the specified port.

3. The firewall blocks the ICMP Destination Unreachable or Protocol Unreachable error messages.

4. The firewall blocks ICMP error packets for the specified host.
