ICMP Protocol Scenarios Explained in Detail

1. Introduction


ICMP is the protocol behind the tools we reach for first in network detection and troubleshooting, such as ping and traceroute. This article uses six scenarios, built with the netwox tool, to reproduce the common ICMP message types and the network conditions they report, and then verifies each one with a packet capture.

2. Detailed explanation of the scenarios

2.1. Send ICMP timestamp request

ICMP timestamp requests allow a system to query another system for its current time of day, without the date. The value carried is the number of milliseconds since midnight UTC (RFC 792). The ICMP timestamp request and reply message formats are shown in Figure 1.
Figure 1  ICMP timestamp request and reply message format

When sending an ICMP timestamp request, the requester fills in the Originate timestamp and sends the message. The responding system fills in the Receive timestamp when it receives the request and the Transmit timestamp when it sends the reply; the Identifier and Sequence fields are echoed back unchanged so the requester can match a reply to its request. A message with Type 13 and Code 0 is an ICMP timestamp request; a message with Type 14 and Code 0 is an ICMP timestamp reply. netwox provides module 81 for constructing timestamp requests. Because a reply discloses the target's wall-clock time, many hosts and firewalls drop timestamp requests, so a probe that gets "No answer" is not by itself proof that the host is down.

Send an ICMP timestamp request to the target host 192.168.59.135 to retrieve its time of day and confirm that it answers.

1) Send an ICMP timestamp request, execute the command as follows:

root@daxueba:~# netwox 81 -i 192.168.59.135

0 0    # this output means the target answered; if the target is unreachable the output is instead:

No answer.

2) You can verify that the timestamp request was sent by capturing packets, as shown in Figure 2. The sixth packet is the ICMP timestamp request: in the Internet Control Message Protocol section, the Type value is 13 and the Code value is 0. Originate timestamp is the time at which the request was sent, Receive timestamp the time at which the responder received it, and Transmit timestamp the time at which the responder sent the reply. All three fields read 0 here. That does not mean "midnight": in a request, Receive and Transmit are always 0 because only the responder fills them in, and Originate is 0 because netwox left the field at 0 rather than inserting the current milliseconds since midnight UTC. A reply built by a real stack carries the responder's actual time of day in Receive and Transmit.

Figure 2  Captured ICMP timestamp request

Figure 3  ICMP timestamp reply
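The request/reply exchange described above, as an added example that is not part of the original article and does not use netwox: pure Python that builds a Type 13 request with a correct checksum, shows what the responder fills in, parses the reply, and computes the clock offset a requester can derive from it. Nothing is sent on the wire; the identifier 0x1234 and the sample timestamp values are assumed.

```python
"""ICMP timestamp request (type 13) and reply (type 14), built and parsed by hand.

Added example, not code from the original article and not netwox: pure Python,
nothing is sent on the wire.  Wire format (RFC 792, 20 bytes):

  type(1) code(1) checksum(2) identifier(2) sequence(2)
  originate(4) receive(4) transmit(4)       timestamps: ms since 00:00 UTC
"""
import struct
from datetime import datetime, timezone
from typing import Optional

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(now: Optional[datetime] = None) -> int:
    """The value a real stack puts in the timestamp fields."""
    now = now or datetime.now(timezone.utc)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((now - midnight).total_seconds() * 1000)


def build_timestamp(msg_type: int, ident: int, seq: int, originate: int,
                    receive: int = 0, transmit: int = 0) -> bytes:
    """Type 13 request or type 14 reply with the checksum filled in."""
    hdr = struct.pack("!BBHHHIII", msg_type, 0, 0, ident, seq,
                      originate, receive, transmit)
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]


def parse_timestamp(pkt: bytes) -> dict:
    """Parse a timestamp message; rejects short, corrupt or wrong-type input."""
    if len(pkt) < 20:
        raise ValueError("timestamp message is 20 bytes, got %d" % len(pkt))
    if icmp_checksum(pkt[:20]) != 0:
        raise ValueError("bad ICMP checksum")
    t, code, _, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", pkt[:20])
    if t not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY) or code != 0:
        raise ValueError("not a timestamp message: type=%d code=%d" % (t, code))
    return {"type": t, "id": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit}


def answer_timestamp_request(request: bytes, recv_ms: int, xmit_ms: int) -> bytes:
    """Responder side: echo id, seq and originate; fill receive and transmit."""
    req = parse_timestamp(request)
    if req["type"] != ICMP_TIMESTAMP_REQUEST:
        raise ValueError("only requests are answered")
    return build_timestamp(ICMP_TIMESTAMP_REPLY, req["id"], req["seq"],
                           req["originate"], recv_ms, xmit_ms)


def clock_offset_ms(originate: int, receive: int, transmit: int, arrive: int) -> int:
    """Responder clock minus requester clock, assuming symmetric path delay.

    originate/arrive are the requester's clock at send and at reply arrival;
    receive/transmit are the responder's.  Floor division.  This is what a
    timestamp probe leaks: the target's clock skew, usable for fingerprinting."""
    return ((receive - originate) + (transmit - arrive)) // 2


if __name__ == "__main__":
    # Requester: netwox-style request with originate left at 0 (id 0x1234 assumed).
    request = build_timestamp(ICMP_TIMESTAMP_REQUEST, 0x1234, 1, originate=0)
    print("request:", request.hex())
    # Responder: a real stack stamps its own time of day into receive/transmit.
    now = ms_since_midnight_utc()
    print("reply:  ", parse_timestamp(answer_timestamp_request(request, now, now + 1)))
    # Constructed sample: sent at 1000 ms, responder saw 1500/1510, reply back at 1020.
    print("offset ms:", clock_offset_ms(1000, 1500, 1510, 1020))
```

The checksum verification in parse_timestamp is the first thing a receiver should do; the zero fields in the captured request above pass it because netwox computed the checksum over the zeros it sent.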

2.2. Forge a Time Exceeded ICMP packet

While an IP datagram is forwarded across the network, each router decrements its TTL; when the TTL reaches 0 the router discards the datagram and sends an ICMP Time Exceeded message back to the source. In that message the Type value is 11 and the Code value is 0 (TTL exceeded in transit). Like every ICMP error, it carries the IP header and the first 8 bytes of the discarded datagram so that the source can tell which packet was dropped. netwox module 83 forges Time Exceeded packets.

Host A's IP address is 192.168.59.134, host B's is 192.168.59.135, and the Time Exceeded packets are forged on a third host, C.

1) To ping B on A, execute the command as follows:

root@daxueba:~# ping 192.168.59.135

PING 192.168.59.135 (192.168.59.135) 56(84) bytes of data.

64 bytes from 192.168.59.135: icmp_seq=1 ttl=64 time=0.447 ms

64 bytes from 192.168.59.135: icmp_seq=2 ttl=64 time=0.468 ms

64 bytes from 192.168.59.135: icmp_seq=3 ttl=64 time=0.773 ms

64 bytes from 192.168.59.135: icmp_seq=4 ttl=64 time=0.307 ms

The output shows that host B is reachable and gives the round-trip time of each probe; time=0.447 ms means the request and its reply took 0.447 milliseconds in total.

2) On C, forge a Time Exceeded ICMP packet whose source is 192.168.59.135 (B's address), so that A believes B sent it. Execute the following command (option letters differ between netwox modules and versions; run netwox 83 --help to confirm which option sets the spoofed source and which the destination):

root@daxueba:~# netwox 83 -i 192.168.59.135

The command prints nothing; the Time Exceeded packets are sent silently.

3) Ping B on A again, execute the command as follows:

root@daxueba:~# ping 192.168.59.135

PING 192.168.59.135 (192.168.59.135) 56(84) bytes of data.

64 bytes from 192.168.59.135: icmp_seq=6 ttl=64 time=0.336 ms

From 192.168.59.135 icmp_seq=6 Time to live exceeded

64 bytes from 192.168.59.135: icmp_seq=7 ttl=64 time=0.532 ms

From 192.168.59.135 icmp_seq=7 Time to live exceeded

64 bytes from 192.168.59.135: icmp_seq=8 ttl=64 time=0.495 ms

From 192.168.59.135 icmp_seq=8 Time to live exceeded

The output shows that A keeps sending ping requests to 192.168.59.135 and, alongside the normal replies, now prints Time to live exceeded lines as if a router had discarded the probes. The replies still arrive, which already hints that the errors are forged: a probe whose TTL genuinely expired would produce no reply at all.

4) To verify the forged packets, capture traffic as shown in Figure 4; several ICMP Time Exceeded packets appear. The third packet has source 192.168.59.134 and destination 192.168.59.135: the echo request A sent to B. The fifth packet has source 192.168.59.135 and destination 192.168.59.134, and its Info column reads Time-to-live exceeded; this is the forged Time Exceeded packet.

Figure 4  Captured ICMP Time Exceeded packets

5) Select the fifth packet to view its details, as shown in Figure 5. In the Internet Control Message Protocol section the Type value is 11 and the Code value is 0, identifying a Time Exceeded (TTL exceeded in transit) packet.

Figure 5  Time Exceeded ICMP packet

2.3. Forge a Destination Unreachable ICMP packet

When an IP datagram cannot be delivered to its destination, the router or host that gives up returns an ICMP Destination Unreachable message to the sender. The Type value is 3; the Code value says why delivery failed, and the value used here, 1, means Host Unreachable. netwox module 82 forges such packets.

Host A's IP address is 192.168.59.134, host B's is 192.168.59.135, and the Destination Unreachable packets are forged on C.

1) On C, forge a Destination Unreachable ICMP packet with source 192.168.59.135 and execute the following command:

root@daxueba:~# netwox 82 -i 192.168.59.135

The command prints nothing; if it returns without an error, the Destination Unreachable packets have been sent.

2) To ping B on A, execute the command as follows:

root@daxueba:~# ping 192.168.59.135

PING 192.168.59.135 (192.168.59.135) 56(84) bytes of data.

64 bytes from 192.168.59.135: icmp_seq=1 ttl=64 time=3.95 ms

From 192.168.59.135 icmp_seq=1 Destination Host Unreachable

64 bytes from 192.168.59.135: icmp_seq=2 ttl=64 time=0.608 ms

From 192.168.59.135 icmp_seq=2 Destination Host Unreachable

64 bytes from 192.168.59.135: icmp_seq=3 ttl=64 time=0.341 ms

From 192.168.59.135 icmp_seq=3 Destination Host Unreachable

64 bytes from 192.168.59.135: icmp_seq=4 ttl=64 time=0.499 ms

From 192.168.59.135 icmp_seq=4 Destination Host Unreachable

The output shows that A's ping requests to 192.168.59.135 are still answered, but each is also followed by a Destination Host Unreachable line, which is ping reporting the forged error.

3) To verify the forged packets, capture traffic as shown in Figure 6; several ICMP packets appear. The third packet (source 192.168.59.134, destination 192.168.59.135) is the echo request from A to B; the fifth packet (source 192.168.59.135, destination 192.168.59.134) shows Destination unreachable (Host unreachable) in the Info column and is the forged packet.

Figure 6  Captured ICMP Destination Unreachable packets

4) Select the fifth packet to view its details, as shown in Figure 7. In the Internet Control Message Protocol section the Type value is 3 and the Code value is 1, identifying a Destination Unreachable (Host Unreachable) packet.

Figure 7  Destination Unreachable ICMP packet

2.4. Forge a Parameter Problem ICMP packet

When a router or host processing a datagram finds a header field it cannot accept, it discards the datagram and sends an ICMP Parameter Problem message to the source. The Type value is 12 and the Code value is 0; the Pointer field gives the byte offset of the bad field within the quoted header. netwox module 84 forges such packets.

Host A's IP address is 192.168.59.134, host B's is 192.168.59.135, and the Parameter Problem packets are forged on C.

1) On C, forge a Parameter Problem ICMP packet with source 192.168.59.135 using module 84 (module 82 sends Destination Unreachable), and execute the following command:

root@daxueba:~# netwox 84 -i 192.168.59.135

The command prints nothing; the Parameter Problem packets are sent silently.

2) To ping B on A, execute the command as follows:

root@daxueba:~# ping 192.168.59.135

PING 192.168.59.135 (192.168.59.135) 56(84) bytes of data.

64 bytes from 192.168.59.135: icmp_seq=1 ttl=64 time=11.1 ms

From 192.168.59.135 icmp_seq=1 Parameter problem: pointer = 0

64 bytes from 192.168.59.135: icmp_seq=2 ttl=64 time=0.546 ms

From 192.168.59.135 icmp_seq=2 Parameter problem: pointer = 0

64 bytes from 192.168.59.135: icmp_seq=3 ttl=64 time=0.453 ms

From 192.168.59.135 icmp_seq=3 Parameter problem: pointer = 0

The output shows that A's ping requests to 192.168.59.135 are answered, but each is also followed by a Parameter problem: pointer = 0 line; the pointer value 0 is the offset carried in the forged packet.

3) Capture traffic to verify the forged packets, as shown in Figure 8; several ICMP packets appear. The first packet (source 192.168.59.134, destination 192.168.59.135) is the echo request from A to B; the third packet (source 192.168.59.135, destination 192.168.59.134) shows Parameter problem in the Info column and is the forged packet.

Figure 8  Captured ICMP Parameter Problem packets

4) Select the third packet to view its details, as shown in Figure 9. In the Internet Control Message Protocol section the Type value is 12 and the Code value is 0, identifying a Parameter Problem packet.

Figure 9  Parameter Problem ICMP packet

2.5. Forge a Source Quench ICMP packet

A host queues incoming packets in a buffer while it processes them. If packets arrive faster than they can be processed and the buffer fills, the host drops the excess and, in the original ICMP design, sends an ICMP Source Quench message to the sender asking it to slow down and retry later. The Type value is 4 and the Code value is 0. Source Quench has since been deprecated (RFC 6633), precisely because it is trivially forged, and RFC 6633 requires hosts to ignore it; this scenario therefore mainly shows what the packet looks like on the wire. netwox module 85 forges such packets.

Host A's IP address is 192.168.59.134 and host B's is 192.168.59.135; the Source Quench packets are forged on C.

1) On C, forge a Source Quench ICMP packet with source 192.168.59.135 and execute the following command:

root@daxueba:~# netwox 85 -i 192.168.59.135

The command prints nothing; the Source Quench packets are sent silently.

2) To ping B on A, execute the command as follows:

root@daxueba:~# ping 192.168.59.135

PING 192.168.59.135 (192.168.59.135) 56(84) bytes of data.

64 bytes from 192.168.59.135: icmp_seq=1 ttl=64 time=1.77 ms

From 192.168.59.135: icmp_seq=1 Source Quench

64 bytes from 192.168.59.135: icmp_seq=2 ttl=64 time=0.429 ms

From 192.168.59.135: icmp_seq=2 Source Quench

64 bytes from 192.168.59.135: icmp_seq=3 ttl=64 time=18.8 ms

From 192.168.59.135: icmp_seq=3 Source Quench

The output shows that A's ping requests to 192.168.59.135 are answered, but each is also followed by a Source Quench line, which is ping reporting the forged message.

3) Capture traffic to verify the forged packets, as shown in Figure 10; several ICMP packets appear. The fourth packet (source 192.168.59.134, destination 192.168.59.135) is the echo request from A to B; the sixth packet (source 192.168.59.135, destination 192.168.59.134) shows Source Quench in the Info column and is the forged packet.

Figure 10 Captured ICMP packets

4) Select the sixth packet to view its details, as shown in Figure 11. In the Internet Control Message Protocol section the Type value is 4 and the Code value is 0, identifying a Source Quench packet.

Figure 11 Source Quench ICMP packet

2.6. Forge an ICMP Redirect packet

When a router receives a datagram and sees from its routing table that the next hop is another router on the same link the datagram arrived from, it forwards the datagram and also sends an ICMP Redirect to the source, telling it to send future packets for that destination to the better router directly. The Type value is 5; the Code value is 0 for a redirect for the network and 1 for a redirect for the host, and this scenario uses Code 1. netwox module 86 forges such packets. A host that accepts a forged Redirect rewrites its route for that destination, so the attacker's chosen gateway then receives, and can intercept or drop, that traffic.

The IP address of target host A is 192.168.59.132, and the host running netwox is 192.168.59.135. The attack is launched from the netwox host. To hide its origin, the forged packets use 192.168.59.136 as their source address, and A's gateway for the destination is changed to another host on the segment so that A's traffic is redirected there. The steps are as follows:

1) Find target A's gateway. On A, send a ping request to www.qq.com and capture the traffic, as shown in Figure 12. Frames 2 and 3 are the queries that resolve www.qq.com; they leave through the gateway, which shows that A's gateway is 192.168.59.2.

Figure 12  Capture used to identify A's gateway

2) Send a Redirect to the target with source 192.168.59.136, redirecting the target's traffic to 192.168.59.131; -g sets the new gateway and -c 1 selects Code 1 (redirect for host). Execute the following command:

root@daxueba:~# netwox 86 -g 192.168.59.131 -c 1 -i 192.168.59.136

The command produces no output.

3) Send a ping request to www.qq.com on the target host, execute the command as follows:

root@daxueba:~# ping www.qq.com

PING https.qq.com (125.39.52.26) 56(84) bytes of data.

64 bytes from no-data (125.39.52.26): icmp_seq=1 ttl=128 time=25.6 ms

From localhost (192.168.59.136): icmp_seq=1 Redirect Host(New nexthop:localhost (192.168.59.131))

From localhost (192.168.59.136): icmp_seq=2 Redirect Host(New nexthop:localhost (192.168.59.131))

64 bytes from no-data (125.39.52.26): icmp_seq=2 ttl=128 time=25.2 ms

From localhost (192.168.59.136): icmp_seq=3 Redirect Host(New nexthop:localhost (192.168.59.131))

64 bytes from no-data (125.39.52.26): icmp_seq=3 ttl=128 time=27.1 ms

64 bytes from no-data (125.39.52.26): icmp_seq=4 ttl=128 time=25.5 ms

From localhost (192.168.59.136): icmp_seq=4 Redirect Host(New nexthop:localhost (192.168.59.131))

In the output, 64 bytes from no-data (125.39.52.26): icmp_seq=1 ttl=128 time=25.6 ms shows the ping to www.qq.com still being answered; From localhost (192.168.59.136): icmp_seq=1 Redirect Host(New nexthop:localhost (192.168.59.131)) is the forged Redirect, with source 192.168.59.136, telling A to use 192.168.59.131 as the next hop for that destination.

4) Capture packets on the target to verify the Redirects, as shown in Figure 13. Frame 11 has source 192.168.59.136 (the spoofed source) and destination 192.168.59.132 (the target), and its Info column reads Redirect (Redirect for host). In the Internet Control Message Protocol section the Type value is 5 and the Code value is 1, and Gateway address: 192.168.59.131 is the new next hop the target is told to use.

Figure 13  Captured ICMP Redirect packets

5) Select frame 13 to view the gateway redirection, as shown in Figure 14. Its source is 192.168.59.136 (the spoofed source) and its destination is 192.168.59.2, A's real gateway; it is also a Redirect, and Gateway address: 192.168.59.131 again names the attacker's chosen gateway. Whether A actually installs the new route depends on its stack: RFC 1122 requires a host to accept a Redirect only from the router it currently uses for that destination and only for a gateway on the directly connected network, and on Linux the sysctls net.ipv4.conf.all.accept_redirects and secure_redirects control this. Setting accept_redirects=0 on hosts that should not learn routes from ICMP defeats the attack entirely.

Figure 14  Redirect packet sent to the gateway
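One worked example for sections 2.2 to 2.6 together, added here and not part of the original article or of netwox: Python that builds the same ICMP messages netwox modules 82 to 86 send (Destination Unreachable, Source Quench, Time Exceeded, Parameter Problem and Redirect), including the quoted IP header plus 8 bytes that RFC 792 requires, and then applies the two checks a receiving host uses to decide whether to believe one: does the quoted datagram match a probe it actually has in flight, and, for a Redirect, did it come from the current gateway and point at an on-link router (RFC 1122). The lab addresses are the article's; the echo identifier 0x1234, the sequence numbers and the /24 netmask are assumed. Nothing is put on the wire.

```python
"""ICMP error messages (types 3, 4, 11, 12) and Redirect (type 5) built by hand,
plus the checks a receiver applies before acting on one.  Added example, not
netwox code; no packets are sent, everything is constructed in memory."""
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_REDIRECT = 3, 4, 5
ICMP_TIME_EXCEEDED, ICMP_PARAM_PROBLEM = 11, 12
ERROR_TYPES = (ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_REDIRECT,
               ICMP_TIME_EXCEEDED, ICMP_PARAM_PROBLEM)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def echo_request(src: str, dst: str, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """IPv4 datagram carrying an ICMP Echo Request, as ping sends it."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, socket.IPPROTO_ICMP, len(icmp)) + icmp


def icmp_error(err_type: int, err_code: int, rest: bytes, original: bytes) -> bytes:
    """ICMP error body: type, code, checksum, 4-byte 'rest', quoted datagram.

    'rest' is zeros for types 3/4/11, the pointer byte then zeros for type 12,
    and the new gateway address for type 5.  The quote is the triggering IP
    header plus 8 bytes of its payload (RFC 792); for an echo request those 8
    bytes are the whole ICMP header, so id and seq survive in the quote."""
    ihl = (original[0] & 0x0F) * 4
    msg = struct.pack("!BBH", err_type, err_code, 0) + rest + original[:ihl + 8]
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def parse_icmp_error(msg: bytes) -> dict:
    """Validate length, checksum and type, then pull out the quoted fields."""
    if len(msg) < 36 or checksum(msg) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    t, code = msg[0], msg[1]
    if t not in ERROR_TYPES:
        raise ValueError("type %d is not an ICMP error message" % t)
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4
    inner = quoted[ihl:ihl + 8]
    info = {"type": t, "code": code, "rest": msg[4:8], "q_proto": quoted[9],
            "q_src": socket.inet_ntoa(quoted[12:16]),
            "q_dst": socket.inet_ntoa(quoted[16:20])}
    if len(inner) == 8 and info["q_proto"] == socket.IPPROTO_ICMP and inner[0] == ICMP_ECHO_REQUEST:
        info["q_id"], info["q_seq"] = struct.unpack("!HH", inner[4:8])
    return info


def error_matches_probe(info: dict, our_ip: str, outstanding: set) -> bool:
    """Types 3/4/11/12: believe the error only if the quoted datagram is one of
    our own in-flight echo requests, given as a set of (dst, id, seq) tuples."""
    return (info["q_src"] == our_ip and "q_id" in info
            and (info["q_dst"], info["q_id"], info["q_seq"]) in outstanding)


def redirect_acceptable(info: dict, outer_src: str, current_gw: str,
                        our_ip: str, netmask: str) -> bool:
    """RFC 1122 3.2.2.2: a Redirect counts only if it was sent by the router we
    currently use for that destination and the new gateway is on our own link."""
    if info["type"] != ICMP_REDIRECT:
        return False

    def as_int(addr: str) -> int:
        return struct.unpack("!I", socket.inet_aton(addr))[0]

    new_gw = socket.inet_ntoa(info["rest"])
    on_link = (as_int(our_ip) & as_int(netmask)) == (as_int(new_gw) & as_int(netmask))
    return outer_src == current_gw and on_link


if __name__ == "__main__":
    # Host A (192.168.59.134) has one ping probe outstanding to B (192.168.59.135).
    probe = echo_request("192.168.59.134", "192.168.59.135", 0x1234, 6)
    in_flight = {("192.168.59.135", 0x1234, 6)}
    genuine = parse_icmp_error(icmp_error(ICMP_TIME_EXCEEDED, 0, bytes(4), probe))
    never_sent = echo_request("192.168.59.134", "192.168.59.135", 0x1234, 99)
    forged = parse_icmp_error(icmp_error(ICMP_DEST_UNREACH, 1, bytes(4), never_sent))
    print("time exceeded quoting a real probe accepted:",
          error_matches_probe(genuine, "192.168.59.134", in_flight))
    print("host unreachable quoting an unknown probe accepted:",
          error_matches_probe(forged, "192.168.59.134", in_flight))
    # Section 2.6: Redirect spoofed from 192.168.59.136; A's real gateway is 192.168.59.2.
    red = parse_icmp_error(icmp_error(ICMP_REDIRECT, 1, bytes([192, 168, 59, 131]), probe))
    print("redirect from 192.168.59.136 accepted:",
          redirect_acceptable(red, "192.168.59.136", "192.168.59.2",
                              "192.168.59.132", "255.255.255.0"))
```

Run as a script, the Time Exceeded that quotes a real probe is accepted, the Destination Unreachable that quotes an id/seq the host never sent is dropped, and the Redirect is dropped because its outer source is 192.168.59.136 rather than the gateway 192.168.59.2 that A actually uses. The quoted-datagram check is why the attacker in sections 2.2 to 2.5 has to guess the victim's id and sequence numbers, and the gateway check is the one Linux applies under net.ipv4.conf.*.secure_redirects.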

3. ICMP types

The ICMP types and codes used in the scenarios above, with the netwox module that produces each one:

Type  Code  Message                                   netwox module
8     0     Echo request (ping)                       -
0     0     Echo reply (ping)                         -
13    0     Timestamp request                         81
14    0     Timestamp reply                           (answer to 81)
3     1     Destination unreachable (host)            82
11    0     Time exceeded (TTL exceeded in transit)   83
12    0     Parameter problem (pointer to bad field)  84
4     0     Source quench (deprecated, RFC 6633)      85
5     1     Redirect for host                         86

Origin blog.csdn.net/ximenjianxue/article/details/131064824