Icmpenum v 1.2

I have added ICMP MASK (type 17 and 18) requests and replies.
Simply use the -i 4 option on the command line, such as:
icmpenum -i 4 -c 1.2.3.1 (sends ICMP MASK requests to the 
Class C range 1.2.3.1/24 and reports any system as 


Due to the use of some older versions of Libnet and Libpcap
I can see problems for some people compiling this and hence
have placed two statically linked versions within the tarball.

Doc

Portcullis Computer Security Ltd.
----------------------------------------------------------------
Icmpenum v 1.1

Simple Nomad

RAZOR Sr. Security Analyst
BindView Corporation
<thegnome@razor.bindview.com>

Chief Gray Hat 
Nomad Mobile Research Centre
<thegnome@nmrc.org>

Host enumeration is the act of determining the IP addresses of potential
targets on a network. Icmpenum uses not only ICMP Echo packets to probe
networks, but also ICMP Timestamp and ICMP Information packets.
Furthermore, it supports spoofing the source address and promiscuous
listening for reply packets. Icmpenum is great for enumerating networks
that block ICMP Echo packets but have failed to block Timestamp or
Information packets, or for upstream sniffing of trusted addresses.

This is a proof-of-concept tool to demonstrate possible distributed
attacking concepts, such as sending packets from one workstation and
sniffing the reply packets on another.
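The four ICMP request/reply pairs icmpenum can send (Echo, Timestamp, Information and, from v1.2, Address Mask) are exactly the types a filter or sensor has to account for; a rule that drops Echo alone leaves the other three open. The following is an added example, not part of icmpenum or this README: a small Python ICMP parser that verifies the RFC 1071 checksum, classifies request types over a constructed capture, and lists sources that probe only with the non-Echo types. The addresses and packets are made up for the example.

```python
import struct
from collections import Counter, defaultdict

# ICMP request types icmpenum can send, and the reply type each elicits.
REQUEST_TO_REPLY = {
    8: 0,    # Echo request -> Echo reply           (-i 1, the default)
    13: 14,  # Timestamp request -> Timestamp reply (-i 2)
    15: 16,  # Information request -> Info reply    (-i 3)
    17: 18,  # Address Mask request -> Mask reply   (-i 4, added in v1.2)
}
TYPE_NAMES = {8: "echo", 13: "timestamp", 15: "info", 17: "mask"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code=0, ident=0, seq=0, payload=b""):
    """Build an ICMP message with a valid checksum (only used to construct sample input)."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(data: bytes):
    """Return (type, code, ident, seq), or None if the message is truncated
    or its checksum does not verify (a valid message sums to zero)."""
    if len(data) < 8:
        return None
    if icmp_checksum(data) != 0:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return icmp_type, code, ident, seq


def summarize_probes(capture):
    """Count ICMP request types per source address.
    capture: iterable of (src, dst, raw_icmp_bytes). Returns {src: {type_name: count}}."""
    seen = defaultdict(Counter)
    for src, _dst, raw in capture:
        parsed = parse_icmp(raw)
        if parsed is None:
            seen[src]["malformed"] += 1
            continue
        icmp_type, _code, _ident, _seq = parsed
        if icmp_type in REQUEST_TO_REPLY:
            seen[src][TYPE_NAMES[icmp_type]] += 1
    return {src: dict(c) for src, c in seen.items()}


def sources_probing_without_echo(summary):
    """Sources sending Timestamp/Info/Mask requests but no Echo: the pattern an
    Echo-only filter never sees."""
    return sorted(src for src, c in summary.items()
                  if any(c.get(n) for n in ("timestamp", "info", "mask"))
                  and not c.get("echo"))


# Constructed sample capture (all addresses and packets made up for this example).
SAMPLE_CAPTURE = [
    ("10.10.10.10", "192.168.1.1", build_icmp(15, ident=1, seq=1)),      # info request
    ("10.10.10.10", "192.168.1.2", build_icmp(15, ident=1, seq=2)),      # info request
    ("10.10.10.10", "192.168.1.3", build_icmp(17, ident=1, seq=3)),      # mask request
    ("192.168.1.50", "192.168.1.1", build_icmp(8, ident=7, seq=1)),      # ordinary ping
    ("192.168.1.50", "192.168.1.1", build_icmp(13, ident=7, seq=2)),     # timestamp request
    ("172.16.0.9", "192.168.1.1", build_icmp(13, ident=9, seq=1)[:6]),   # truncated message
]

if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_CAPTURE)
    for src, counts in summary.items():
        print(src, counts)
    print("non-Echo-only probers:", sources_probing_without_echo(summary))
```

The parser rejects truncated and checksum-failing messages before classifying them, so a sensor built on it does not count garbage as probes; the summary is keyed by source so that a range sweep from one address with several ICMP types stands out as a single entry.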


Installation
------------

1. Install the latest libpcap (libpcap 0.4, ftp://ftp.ee.lbl.gov/libpcap.tar.Z).

2. Install the latest Libnet (http://www.packetfactory.net/libnet/).

3. Compile icmpenum as follows:

   gcc `libnet-config --defines` -o icmpenum icmpenum.c -lnet -lpcap

4. Copy icmpenum to your fave directory and (as root) start enumerating.


Usage
-----

Running icmpenum -h gives you the following screen:

# ./icmpenum -h
USAGE: ./icmpenum [opts] [-c class C] [-d dev] [-i 1-3] [-s src] [-t sec] hosts
  opts are h n p r v
    -h this help screen
    -n no sending of packets
    -p promiscuous receive mode
    -r receiving packets only (no
    -v verbose
  -c class C in x.x.x.0 form
  -i icmp type to send/receive, types include the following:
       1  echo/echo reply (default)
       2  timestamp request/reply
       3  info request/reply
  -d device to grab local IP or sniff from, default is eth0
  -s spoofed source address
  -t time in seconds to wait for all replies (default 5)
  host(s) are target hosts (ignored if using -c)


Examples
--------

Here are some example uses of icmpenum to enumerate hosts.

Example 1:

 [Host1]# icmpenum 192.168.1.1 192.168.1.2

  This will use the default of Echo packets to try and determine if
  192.168.1.1 and 192.168.1.2 are up and running.

Example 2:

 [Host1]# icmpenum -i 2 -v 192.168.100.100 192.168.100.200

  This will enumerate the two hosts using Timestamp packets in
  verbose mode.

Example 3:

 [Host1]# icmpenum -i 3 -s 10.10.10.10 -p -v 192.168.1.1 192.168.1.2

  This will enumerate hosts 192.168.1.1 and 192.168.1.2 using
  Information packets with a spoofed source address of 10.10.10.10.
  Since our real address is 10.10.10.11, we use the -p option to
  listen promiscuously for the replies.

Here are some more advanced uses of icmpenum.

Example 4:

 Assuming Host1 is 6.6.6.6 and Host2 is 7.7.7.7, and that the network
 1.1.1.0 has potential hosts to enumerate, we use the following two 
 entries to enumerate with Information packets:

 [Host2]# icmpenum -r -t 30 -i 3 -c 1.1.1.0

 [Host1]# icmpenum -s 7.7.7.7 -i 3 -c 1.1.1.0

  Host2 starts first in receive mode with a timeout of 30 seconds
  and starts listening for Information packets from the 1.1.1.0
  network. Then Host1 starts sending spoofed packets with Host2 as 
  the source address, sending exactly what Host2 is listening for. 
  It should be noted that this is hardly stealthy, as logs at 1.1.1's
  site could have 7.7.7.7's address all over them, but the -r 
  function is good for testing.

Example 5:

 Assuming Host1 is 6.6.6.6 and Host2 is 7.7.7.7, and that Host2 can
 sniff traffic between 1.1.1.0 and 2.2.2.0, we use the following
 entries to enumerate the 1.1.1.0 network:

 [Host2]# icmpenum -t 20 -n -p -i 2 -c 1.1.1.0

 [Host1]# icmpenum -s 2.2.2.2 -i 2 -c 1.1.1.0

  Host2 starts first with a timeout of 20 seconds, makes sure not
  to send the packets with the -n option, listens promiscuously for
  Timestamp packets from the 1.1.1.0 network. Host1 sends the
  exact packets Host2 is listening for with a 2.2.2.2 spoofed source 
  address. Yes, one could simply replace the -n option in Host2's
  command line with -s 2.2.2.2 and do the same thing from one
  workstation, but we're demonstrating a distributed concept.


Additional Comments
-------------------

As stated, this demonstrates distributed host enumeration. The code
actually works, and can be used for both good and evil purposes.
Both admins testing their networks and bad guys probing will find
uses for icmpenum. For example, the verbose mode will not only 
report the total number of expected packets received (when in a 
receiving mode), but also "unexpected" ICMP packets going to the 
addresses being targeted. If countermeasures are in place to "probe
the prober", these packets could show up in the "unexpected" count.
If you're testing your countermeasures, you can determine if they
are working. If you're a black hat, you've possibly been detected.
In fact, if you get a couple of expected packets back on the first volley
yet no packets after that on repeated volleys to the same addresses,
you might have tripped an intrusion detection system into shutting
off your spoofed source address. Once again, admins can test their
IDS, and bad guys can counterdetect the IDS in action. In fact,
a really mean bad guy might start forging probes from the target's
business partners and big customers to start a "denial of service".
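The "unexpected" packets the verbose mode counts are, seen from the other side, what a defender observes when someone uses their address as a spoofed source as in Examples 4 and 5: replies arriving for requests that were never sent. This added example (not part of icmpenum or this README) shows that correlation in Python over a constructed, time-ordered event list. A reply to one of our addresses is matched against our outbound requests by peer, type, identifier and sequence number; unmatched or stale replies are then grouped by the replying /24 so that a range sweep spoofing us stands out. Addresses, times, the matching window and the threshold are assumptions made for the example.

```python
from collections import defaultdict

# Reply type -> the request type that legitimately elicits it.
REPLY_TO_REQUEST = {0: 8, 14: 13, 16: 15, 18: 17}


def ev(t, src, dst, icmp_type, ident=0, seq=0):
    """Build one constructed ICMP event record as seen at our network edge."""
    return {"t": t, "src": src, "dst": dst, "type": icmp_type, "ident": ident, "seq": seq}


def find_unsolicited_replies(events, our_addrs, window=10.0):
    """Return the reply events addressed to our_addrs that match no outbound
    request from the same address within `window` seconds. Events must be
    ordered by time. (A production version would expire old entries.)"""
    outstanding = {}  # (our_addr, peer, request_type, ident, seq) -> send time
    unsolicited = []
    for e in events:
        if e["src"] in our_addrs and e["type"] in REPLY_TO_REQUEST.values():
            outstanding[(e["src"], e["dst"], e["type"], e["ident"], e["seq"])] = e["t"]
        elif e["dst"] in our_addrs and e["type"] in REPLY_TO_REQUEST:
            key = (e["dst"], e["src"], REPLY_TO_REQUEST[e["type"]], e["ident"], e["seq"])
            sent = outstanding.pop(key, None)
            if sent is None or e["t"] - sent > window:
                unsolicited.append(e)
    return unsolicited


def spoofed_source_suspects(unsolicited, threshold=3):
    """Group unsolicited replies by (our address, replying /24). A burst from
    several hosts in one /24 is the signature of a range sweep that spoofed
    our address as its source; returns {(our_addr, net): [replying hosts]}."""
    by_net = defaultdict(set)
    for e in unsolicited:
        net = ".".join(e["src"].split(".")[:3]) + ".0/24"
        by_net[(e["dst"], net)].add(e["src"])
    return {k: sorted(v) for k, v in by_net.items() if len(v) >= threshold}


# Constructed events for our host 7.7.7.7 (all values made up for this example).
OUR_ADDRS = {"7.7.7.7"}
SAMPLE_EVENTS = [
    ev(0.00, "7.7.7.7", "1.1.1.5", 8, ident=1, seq=1),    # we ping 1.1.1.5
    ev(0.02, "1.1.1.5", "7.7.7.7", 0, ident=1, seq=1),    # its reply: solicited
    ev(1.00, "7.7.7.7", "1.1.1.6", 13, ident=2, seq=1),   # we send a timestamp request
    ev(2.00, "5.5.5.5", "7.7.7.7", 8),                    # inbound ping: not a reply, ignored
    ev(5.00, "1.1.1.1", "7.7.7.7", 16),                   # info replies we never asked for:
    ev(5.01, "1.1.1.2", "7.7.7.7", 16),                   #   someone swept 1.1.1.0/24 with
    ev(5.02, "1.1.1.3", "7.7.7.7", 16),                   #   our address as spoofed source
    ev(5.03, "1.1.1.9", "7.7.7.7", 16),
    ev(6.00, "9.9.9.9", "7.7.7.7", 14, ident=3, seq=3),   # single stray timestamp reply
    ev(20.00, "1.1.1.6", "7.7.7.7", 14, ident=2, seq=1),  # reply to our request, but 19 s late
]

if __name__ == "__main__":
    stray = find_unsolicited_replies(SAMPLE_EVENTS, OUR_ADDRS)
    print("unsolicited replies:", len(stray))
    for key, hosts in spoofed_source_suspects(stray).items():
        print("our address", key[0], "spoofed toward", key[1], "by", hosts)
```

The late reply from 1.1.1.6 is counted as unsolicited because it falls outside the matching window; the single reply from 9.9.9.9 is recorded but stays below the grouping threshold, so only the 1.1.1.0/24 sweep is reported.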


Closing
-------

Bugs and comments are welcome. Send them to me at thegnome@nmrc.org
(at home) or at thegnome@razor.bindview.com (at work).

Shouts to my fellow BindView RAZOR team homies, for allowing me to
bug them with annoying questions about ICMP and networking, and
providing encouragement and pointers regarding coding.

Simple Nomad
28Jan2000
