I have touched on this topic in a previous post; however, I would like to revisit it. Why would we want to perform ICMP scanning? I say, why not. Everybody is always talking about performing port scans but never ICMP scans; I say ICMP should get equal time with TCP and UDP.
I know you probably have not heard of many flaws concerning ICMP, but it happens. For example, I was testing an IPv6 stack, trying to determine if there were any flaws. I found that sending the target computer an ICMP Reply caused the target computer to send out an ICMP Request. How does this help an attacker? The target computer was running a firewall that was set to block ICMP requests coming in; however, since the target computer was sending out an ICMP request, the firewall did not block this (you might think the firewall should block random ICMP replies coming in, but it didn't). So this gives an attacker a way to scan the local LAN and determine valid addresses of computers.
A little background: ICMP packets are defined by a type field and a code field. Each field is 8 bits wide, meaning it has 256 possible values (0-255), so you have 256 codes for each of the 256 types. If you take a look at the RFCs, you will see that not all the type and code combinations are valid; some are considered reserved or undefined (More Information). As part of a thorough security test, we should send the computer we are testing every possible combination and see what happens. This does not take much time, and it sometimes has very interesting results.
For this example I am going to concentrate on ICMPv6 scanning. The basic setup is a laptop running Fedora Core 6 (FC6) connected to the target computer through a generic hub. The FC6 computer has Wireshark and the THC IPv6 libraries installed. Both computers have IPv6 enabled (you can give the FC6 machine an IPv6 address with the ifconfig command). I have talked about performing this scan with NETWOX; however, NETWOX will not send out undefined types and codes, which is why we are using the libraries. Basically we start up Wireshark to capture all the packets on the network and then use the THC IPv6 libraries to send out one ICMPv6 packet for each type and code. When performing the scan I usually set a display filter in Wireshark to only display responses from the target computer. A note on IPv6: the protocol gives the host two addresses, a global address and a link-local address (info). The link-local address starts with fe80, and the global address is basically everything else. I suggest performing the scan with both the link-local and the global address; you usually find differences.
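To make the type/code background above and the Wireshark-side analysis concrete, here is an added C example that is not part of the original post and does not use the THC library. It computes and validates the ICMPv6 checksum over the IPv6 pseudo-header (RFC 4443 section 2.3), classifies a type/code pair against the assignments in RFC 4443 and the Neighbor Discovery types of RFC 4861 (types assigned by other RFCs are reported as not in the table), and counts how many messages from one sender fall outside the defined pairs, which is the trace a full type/code sweep like this one leaves in a capture. The addresses fe80::1 and fe80::2, the sample Echo Request and the list of observed pairs are constructed for the example; the icmp6_* and sample_* names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One's-complement accumulation of big-endian 16-bit words (RFC 1071 style). */
static uint32_t ones_sum(uint32_t acc, const uint8_t *p, size_t len) {
    while (len > 1) { acc += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len) acc += (uint32_t)p[0] << 8;   /* odd trailing byte */
    return acc;
}

/* RFC 4443 section 2.3: checksum over the IPv6 pseudo-header (source, destination,
 * upper-layer length, next header 58) followed by the ICMPv6 message, with the
 * message's own checksum field taken as zero. Result is in host order. */
uint16_t icmp6_checksum(const uint8_t src[16], const uint8_t dst[16],
                        const uint8_t *msg, size_t len) {
    uint8_t pseudo[40] = {0};
    memcpy(pseudo, src, 16);
    memcpy(pseudo + 16, dst, 16);
    pseudo[32] = (uint8_t)(len >> 24); pseudo[33] = (uint8_t)(len >> 16);
    pseudo[34] = (uint8_t)(len >> 8);  pseudo[35] = (uint8_t)len;
    pseudo[39] = 58;                                      /* Next Header = ICMPv6 */
    uint32_t acc = ones_sum(0, pseudo, sizeof pseudo);
    acc = ones_sum(acc, msg, 2);                          /* type and code */
    if (len > 4) acc = ones_sum(acc, msg + 4, len - 4);   /* skip the checksum field */
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Receiver side: validate length and checksum, then extract type and code.
 * Returns 0 on success, -1 if shorter than the 4-byte header, -2 on checksum mismatch. */
int icmp6_parse(const uint8_t src[16], const uint8_t dst[16], const uint8_t *msg, size_t len,
                uint8_t *type, uint8_t *code) {
    if (len < 4) return -1;
    uint16_t have = (uint16_t)((msg[2] << 8) | msg[3]);
    if (icmp6_checksum(src, dst, msg, len) != have) return -2;
    *type = msg[0]; *code = msg[1];
    return 0;
}

typedef enum { ICMP6_DEFINED, ICMP6_UNDEFINED_CODE, ICMP6_EXPERIMENTAL,
               ICMP6_RESERVED_TYPE, ICMP6_NOT_IN_TABLE } icmp6_class;

/* Classify a type/code pair against RFC 4443 plus the Neighbor Discovery types of
 * RFC 4861. Types assigned by other RFCs (MLD, node information, Mobile IPv6, ...)
 * come back as NOT_IN_TABLE; extend the switch from the IANA ICMPv6 registry. */
icmp6_class icmp6_classify(uint8_t type, uint8_t code) {
    int max_code;
    switch (type) {
    case 1:   max_code = 6; break;                        /* Destination Unreachable */
    case 2:   max_code = 0; break;                        /* Packet Too Big */
    case 3:   max_code = 1; break;                        /* Time Exceeded */
    case 4:   max_code = 2; break;                        /* Parameter Problem */
    case 128: case 129: max_code = 0; break;              /* Echo Request / Echo Reply */
    case 133: case 134: case 135: case 136: case 137:
              max_code = 0; break;                        /* RS, RA, NS, NA, Redirect */
    case 100: case 101: case 200: case 201: return ICMP6_EXPERIMENTAL;
    case 0: case 127: case 255:             return ICMP6_RESERVED_TYPE;
    default:                                return ICMP6_NOT_IN_TABLE;
    }
    return code <= max_code ? ICMP6_DEFINED : ICMP6_UNDEFINED_CODE;
}

/* Detection: count messages from one sender whose type/code is not a defined pair.
 * A full sweep like the scan in this post produces tens of thousands from one source. */
size_t icmp6_count_undefined(const uint8_t (*pairs)[2], size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (icmp6_classify(pairs[i][0], pairs[i][1]) != ICMP6_DEFINED) bad++;
    return bad;
}

/* Constructed sample traffic (not a real capture): fe80::1 -> fe80::2,
 * Echo Request id 0x1234 seq 1 carrying its correct checksum 0x7083. */
const uint8_t SAMPLE_SRC[16] = {0xfe,0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
const uint8_t SAMPLE_DST[16] = {0xfe,0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,2};
const uint8_t SAMPLE_ECHO[8] = {0x80,0x00,0x70,0x83,0x12,0x34,0x00,0x01};

/* Returns 1 when the sample parses as an Echo Request and a bit-flipped copy
 * is rejected by the checksum, 0 otherwise. */
int sample_echo_parses(void) {
    uint8_t type, code, buf[8];
    if (icmp6_parse(SAMPLE_SRC, SAMPLE_DST, SAMPLE_ECHO, 8, &type, &code) != 0) return 0;
    if (type != 128 || code != 0) return 0;
    memcpy(buf, SAMPLE_ECHO, 8);
    buf[7] ^= 0x01;                     /* flip a bit in the sequence number */
    return icmp6_parse(SAMPLE_SRC, SAMPLE_DST, buf, 8, &type, &code) == -2;
}

/* Constructed type/code observations from one sender; three are not defined pairs. */
size_t sample_sweep_undefined(void) {
    static const uint8_t seen[][2] = {
        {128,0}, {129,0}, {1,3},     /* ordinary echo and unreachable traffic */
        {1,9}, {42,0}, {200,5}       /* code out of range, type not in table, experimental */
    };
    return icmp6_count_undefined(seen, sizeof seen / sizeof seen[0]);
}

int main(void) {
    printf("sample echo checks: %s\n", sample_echo_parses() ? "ok" : "FAILED");
    printf("undefined type/code pairs from sender: %zu\n", sample_sweep_undefined());
    return 0;
}
```

The same classification is what you would apply to the responses you filter out in Wireshark: a target that answers an undefined or reserved type/code at all is already telling you something about its stack, and a sender that produces undefined pairs in bulk is running exactly the sweep described in this post.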
I am posting the C code I used to accomplish this scanning; again, the formatting of the code gets thrown off when I paste it into the blog, so I apologize. Basically the code sets up two loops in order to scan all types and codes; it should be pretty self-explanatory.
My main point is that security professionals should be concerned with ICMP scanning instead of leaving it by the wayside. Happy Scanning!
(I scraped the code together from memory and other sources, because I did not have access to my program when writing this post; however, it should be enough to get you started.)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <pcap.h>
#include "thc-ipv6.h"
// all the includes are not needed, but I got lazy
// (the blog editor stripped the <> from the system includes in the original paste; restored here)

int main(int argc, char *argv[]) {
    char *src6, *dst6;                 // addresses as 32 hex digits, the form thc_string2ipv6() expects
    unsigned char *src61, *dst61;      // 16-byte binary addresses
    int pkt_len = 600;
    char *interface;
    unsigned char *pkt = NULL;
    unsigned char *srcmac, *dstmac;    // can define as null to auto generate
    int type, code, flags = 0, checksum = 0;

    // Initializing Variables
    interface = "eth0";
    // source and destination ipv6 addresses
    src6 = "fe80000000000000020bdbfffe1e580c";
    dst6 = "fe800000000000001c26fea710f768fd";
    src61 = thc_string2ipv6((unsigned char *)src6);
    dst61 = thc_string2ipv6((unsigned char *)dst6);
    printf("Sending Packets to %s\n", dst6);
    srcmac = thc_get_own_mac(interface);
    dstmac = thc_get_mac(interface, src61, dst61);

    for (type = 0; type < 256; type++) {
        for (code = 0; code < 256; code++) {
            // build the packet
            if ((pkt = thc_create_ipv6(interface, PREFER_GLOBAL, &pkt_len, src61, dst61, 60, 0, 0, 0, 0)) == NULL) {
                printf("Packet Creation Failed\n");
                continue;   // never hand a NULL packet to the calls below
            }
            // add icmp part
            if (thc_add_icmp6(pkt, &pkt_len, type, code, flags, NULL, 0, checksum) < 0) {
                thc_destroy_packet(pkt);
                return -1;
            }
            // generate packet
            if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) {
                printf("generate failed\n");
                thc_destroy_packet(pkt);
                return -1;
            }
            // send the packet out
            if (thc_send_pkt(interface, pkt, &pkt_len) < 0)
                printf("packet not sent\n");
            thc_destroy_packet(pkt);   // destroy the packet
            usleep(1000);
        }
    }
    return 0;
}
ICMPv6 Scanning
Posted by ecore at 7:25 AM, Sunday, November 18, 2007
Labels: computer security, networking