Back to my original thought. Was doing some security audits here at work and someone reported that "icmp is open to server X from outside the network." I thought they meant icmp echo(ping). I found that echo is indeed blocked, so they must NOT have meant that. So I remembered that only about 10% of IT people really, actually know their stuff, so I went about trying to reproduce their results.
C:\>nmap -sO X.X.X.X
Starting Nmap 4.60 ( http://insecure.org ) at 2008-04-18 09:56 Eastern Daylight
Interesting protocols on X.X.X.X:
Not shown: 255 open|filtered protocols
PROTOCOL STATE SERVICE
1 open icmp
And there it was. Nmap reports that icmp is open. There are a bunch of types of icmp other than echo(but echo is by far the most popular ;) ) But why is it reporting icmp as open?
I'm not 100% sure why, but here is my hypothesis:
From http://nmap.org/book/man-port-scanning-techniques.html I know that when doing a UDP scan, the only way to know if a port is closed is if a ICMP Type 3 Code 3 is returned. So I know that if i did a UDP scan and any ports come back "closed" then technically, icmp is "open", since any said closed ports have been noted as closed due to a icmp message from this server.
However, this thought is now fubar'd since a UDP scan returned no closed ports....hmmm. Really, I'm kinda stumped. I need to find a good way to probe all ICMP messages to see whats supported. Cannot find anything on google initially...need to dig a bit more. (nmap does not seem to support icmp "scanning")
Post a Comment