ICMP Ping
A classical way to discover hosts on the network is to send an ICMP Echo request (Type 8), which should prompt target hosts to respond with ICMP Echo reply messages. This communication looks like this:
0.000000 192.168.1.100 -> 192.168.1.1 ICMP Echo (ping) request
0.002329 192.168.1.1 -> 192.168.1.100 ICMP Echo (ping) reply
It is common to use ICMP messages of other types, such as Timestamp request (Type 13) and Address Mask request (Type 18), to elicit replies from hosts that filter the standard ICMP Echo request:
0.000000 192.168.1.100 -> 192.168.1.1 ICMP Timestamp request
0.000539 192.168.1.1 -> 192.168.1.100 ICMP Timestamp reply
NOTE: ICMP packets are often filtered.
TCP Ping
The attacker may learn about the existence of network-connected hosts from their replies to probes of open and closed TCP ports.
TCP SYN Ping
One way to learn about connected hosts is to send the first part of the three-way handshake, the SYN packet, to a range of hosts and record any replies. Since a host's existence is revealed by either an open or a closed TCP port, the reliability of the scan can be increased by targeting a frequently open port (80) together with a frequently closed port (0). This approach is similar to a SYN Scan.
In this example we will attempt to SYN Ping 192.168.1.1 on port 53.
0.000000 192.168.1.100 -> 192.168.1.1 TCP 1243 > domain [SYN] Seq=0 Len=0
0.000461 192.168.1.1 -> 192.168.1.100 TCP domain > 1243 [RST, ACK] Seq=3538621942 Ack=1 Win=0 Len=0
Even though the port is closed, the RST reply still lets us conclude that the system is active.
TCP ACK Ping
ACK Ping works exactly like SYN Ping but relies on ACK packets instead. The method is based on the ACK Scan, where both closed and open ports on the target system produce a RST response, which is enough to reveal that the host is up.
0.000000 192.168.1.100 -> 192.168.1.1 TCP 2903 > domain [ACK] Seq=0 Ack=0 Win=512 Len=0
0.000414 192.168.1.1 -> 192.168.1.100 TCP domain > 2903 [RST] Seq=0 Len=0
We received a RST back, revealing an active system.
Note: This method is effective for evading non-stateful firewalls.
TCP FIN, NULL, Xmas Ping
FIN Ping relies on closed ports answering with a RST, as described in TCP FIN, NULL, Xmas Scans. Such pings must therefore be sent to a port that is likely closed, such as port 0, in order to get a response:
0.000000 192.168.1.100 -> 192.168.1.1 TCP 1624 > 0 [FIN] Seq=0 Len=0
0.000498 192.168.1.1 -> 192.168.1.100 TCP 0 > 1624 [RST, ACK] Seq=3959530871 Ack=1 Win=0 Len=0
UDP Ping
This approach works similarly to the UDP Scan in that it expects closed ports to produce an ICMP Port unreachable error. Once again we use port 0 as the port least likely to be open:
0.000000 192.168.1.100 -> 192.168.1.1 UDP Source port: 1285 Destination port: 0
0.000733 192.168.1.1 -> 192.168.1.100 ICMP Destination unreachable (Port unreachable)
NOTE: This method is highly effective for evading firewalls that do not filter UDP packets.
ARP Ping
This method is useful for host discovery on a local Ethernet LAN. It is faster and more reliable than approaches that rely on protocols higher up the networking stack, since every host on the segment must answer ARP to communicate at all.
221.788823 00:01:02:03:04:05 -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.100
221.789179 00:06:07:08:09:10 -> 00:01:02:03:04:05 ARP 192.168.1.1 is at 00:06:07:08:09:10
IP Protocol Ping
This method attempts to elicit a host response by sending raw IP packets with varying protocol numbers in the IP header:
0.680436 192.168.1.102 -> 192.168.1.1 ICMP Echo (ping) request
0.681045 192.168.1.102 -> 192.168.1.1 IGMP V1 Membership Query
0.681305 192.168.1.102 -> 192.168.1.1 IP [Malformed Packet]
0.684463 192.168.1.1 -> 192.168.1.102 ICMP Echo (ping) reply
Reverse DNS
While not the most accurate method, performing rDNS queries on a range of IP addresses is by far the stealthiest host discovery method, since no packet is ever sent to the hosts themselves. Nmap's List Scan is particularly useful in this case.
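As an added example (not part of the original page), the following Python parses capture summary lines in the format shown throughout this page and applies its rules for which replies prove a host is up: ICMP Echo/Timestamp replies, TCP RST or SYN/ACK answers, ICMP Port unreachable after a UDP probe, and ARP "is at" answers. The sample trace is constructed from the probe/reply pairs above, and the method labels are assumed names.

```python
import re

# Constructed sample trace in the page's one-packet-per-line summary format
# (probe/reply pairs copied from the sections above).
SAMPLE_TRACE = """\
0.000000 192.168.1.100 -> 192.168.1.1 ICMP Echo (ping) request
0.002329 192.168.1.1 -> 192.168.1.100 ICMP Echo (ping) reply
0.000000 192.168.1.100 -> 192.168.1.1 TCP 1243 > domain [SYN] Seq=0 Len=0
0.000461 192.168.1.1 -> 192.168.1.100 TCP domain > 1243 [RST, ACK] Seq=3538621942 Ack=1 Win=0 Len=0
0.000000 192.168.1.100 -> 192.168.1.1 UDP Source port: 1285 Destination port: 0
0.000733 192.168.1.1 -> 192.168.1.100 ICMP Destination unreachable (Port unreachable)
221.788823 00:01:02:03:04:05 -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.100
221.789179 00:06:07:08:09:10 -> 00:01:02:03:04:05 ARP 192.168.1.1 is at 00:06:07:08:09:10
"""

# "<time> <src> -> <dst> <proto> <info>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.*)$")
# (protocol, pattern over the info column, discovery method it confirms); labels are assumed names
LIVE_RULES = [
    ("ICMP", re.compile(r"Echo \(ping\) reply"), "icmp-echo"),
    ("ICMP", re.compile(r"Timestamp reply"), "icmp-timestamp"),
    ("ICMP", re.compile(r"Port unreachable"), "udp-ping"),            # UDP probe to a closed port
    ("TCP", re.compile(r"\[(RST|RST, ACK|SYN, ACK)\]"), "tcp-ping"),  # SYN/ACK/FIN pings
    ("ARP", re.compile(r"^(\S+) is at (\S+)$"), "arp-ping"),
]

def classify_reply(line):
    """Return (responder_ip, method) if this packet proves a live host, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, _dst, proto, info = m.groups()
    for rule_proto, pattern, method in LIVE_RULES:
        if proto != rule_proto:
            continue
        hit = pattern.search(info)
        if hit:
            # ARP replies carry the answering IP in the info column, not in src.
            return (hit.group(1) if proto == "ARP" else src), method
    return None

def live_hosts(trace):
    """Map each host that answered a probe to the set of methods that revealed it."""
    hosts = {}
    for line in trace.splitlines():
        hit = classify_reply(line)
        if hit:
            hosts.setdefault(hit[0], set()).add(hit[1])
    return hosts
```

Probe lines (requests, SYN/ACK/FIN probes, UDP datagrams, ARP "Who has") are deliberately ignored, so the same logic can be pointed at a capture of your own segment to see which hosts answered and by which method.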
