Secrets of Magic Called “Ping”

August 27, 2015


Many…no, all (yeah, I’m an optimist) administrators know what Ping is. They also know about its usage.

The basic use of the Ping utility is discovering and reaching devices in a network.

Let’s sum up what we already know about Ping. If it tells us “unreachable,” either we did something wrong or we have been derailed by a firewall that prevents us from pinging our target. Ping also limits the number of hops and the size of the packets we send. This is something all of us know.

So, let’s take another step forward. There are many types of Ping (as protocols, not tools). We know three basic types of Ping protocols: TCP (the default one), ICMP (pretty much the same as TCP) and UDP.

TCP Ping

The basic type of ping. It uses TCP transport to reach any address we give it. Nothing much to talk about.

ICMP ping

I know, I wrote that it is “almost” the same as TCP Ping, but not really. This is quite difficult to explain. TCP is IP protocol 6 and ICMP is IP protocol 1. So, yes, at the base level it is not the same.

However, from the user’s side, it acts the same way as TCP ping. ICMP is not a protocol that knows about timeouts or delivery acknowledgements. It is designed more like UDP, but it is not meant to transport any data.

We are talking about simple request and response behavior. So, one easily comes across “icmp echo request” and “icmp echo reply” statements, for example in a firewall configuration.

Example (from my firewall configuration):

ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

or: -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

As you can see, “icmp-type 8” is defined there (type 8 is the echo request), which means we want to accept any echo request and reply to it.

All codes are available here: http://www.nthelp.com/icmp.html

Looking at the names of those types, the ICMP protocol is used as a separate “tool”, mainly by active network devices like routers, switches and so on.


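As an added example (my own code, not part of the original article), here is a small Python script that builds an ICMP echo request of the kind the iptables rule above accepts (type 8), verifies the RFC 1071 checksum on a received message, and matches an echo reply (type 0) to its request by identifier, sequence number and payload. It runs offline on constructed bytes; the identifier 0x1234 and the payload b"ping" are made-up values, and the function names are my own.

```python
import struct

# Added example (not from the original article): build, verify and match ICMP
# echo messages offline, the request/reply pair that "icmp-type 8" rules admit.

ICMP_ECHO_REQUEST = 8   # type 8, the "icmp echo-request" in the firewall rule
ICMP_ECHO_REPLY = 0     # type 0, the matching "icmp echo-reply"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (pads odd lengths)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo header: type(1) code(1) checksum(2) identifier(2) sequence(2)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def checksum_ok(packet: bytes) -> bool:
    """A message with a correct checksum sums to zero when re-checksummed."""
    return len(packet) >= 8 and icmp_checksum(packet) == 0


def parse_icmp(packet: bytes) -> dict:
    """Parse an ICMP echo message; raise ValueError on short or corrupted input."""
    if not checksum_ok(packet):
        raise ValueError("short ICMP message or bad checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """An echo reply belongs to a request when id, seq and payload all match."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == ICMP_ECHO_REQUEST and rep["type"] == ICMP_ECHO_REPLY
            and req["code"] == rep["code"] == 0
            and (req["id"], req["seq"], req["payload"])
            == (rep["id"], rep["seq"], rep["payload"]))


if __name__ == "__main__":
    # Constructed values: identifier 0x1234, sequence 1, payload "ping".
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping")
    rep = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"ping")
    print(req.hex(), is_reply_to(req, rep))
```

The checksum check is what separates a genuine reply from line noise: a message whose checksum field is correct re-sums to zero, and a reply is only accepted when its identifier, sequence number and payload echo the request exactly.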
UDP Ping

Now, this is interesting, and it’s the main part I want to focus on. One can ask: “What? UDP Ping? WTH?”

Those reactions are normal. UDP transport is something we rarely use in administration. Many users and admins want to know whether their transport succeeded, and UDP is not the best way to find that out. But still, there is UDP Ping, and it is used very often.

UDP Ping uses UDP frames to communicate, whereas most other Ping types use TCP frames. UDP Ping is here for us when we want to locate an active device through firewalls that other ping types might not get through.

At its base, UDP Ping is a kind of “hack”, and the way it works is pretty simple. UDP Ping sends one UDP frame to the host. If we receive the ICMP answer “ICMP Port Unreachable”, we have won: we know the device is alive.

Example:

[192.168.0.5] [192.168.0.3] UDP: D=31338 S=42560  LEN=8

[192.168.0.3] [192.168.0.5] ICMP: Destination unreachable (Port unreachable)

If we get no answer, we can assume the device is really unavailable. The trick lies in the usage. Since many UDP applications are made not to send any answer (why should they, right?), if we probe an open UDP port we may get no answer even though the target is alive.

Therefore, we try to UDP Ping a closed port instead. The simplest way is to use any high-numbered port (they are often closed and unused).

The main disadvantage of UDP Ping is it relies on ICMP. If ICMP answers from targets are filtered, there will be no answer to our Ping.
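To make the UDP Ping mechanism concrete, here is an added Python example (my own code, not from the article) that decodes the ICMP “Destination unreachable (Port unreachable)” answer shown above and classifies the outcome of a probe, including the two ambiguous cases just described (an open port that stays silent, and ICMP being filtered). It reuses the article’s addresses and ports (192.168.0.5 to 192.168.0.3, D=31338, S=42560, LEN=8) but constructs the reply bytes itself; the IP and ICMP checksums in the constructed sample are left zero, and the class and function names are my own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Added example (not from the original article): decode the ICMP port-unreachable
# answer that a UDP Ping relies on, and classify the result of a probe.

ICMP_DEST_UNREACH = 3        # ICMP type 3: Destination Unreachable
ICMP_CODE_PORT_UNREACH = 3   # code 3: Port Unreachable
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


@dataclass(frozen=True)
class UdpProbe:
    """The UDP frame we sent (matches the article's trace: D=31338 S=42560 LEN=8)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    length: int   # UDP length field; 8 means header only, no payload


def parse_ipv4(datagram: bytes):
    """Return (src_ip, dst_ip, protocol, payload) from a raw IPv4 datagram."""
    ihl = (datagram[0] & 0x0F) * 4
    src = ".".join(str(b) for b in datagram[12:16])
    dst = ".".join(str(b) for b in datagram[16:20])
    return src, dst, datagram[9], datagram[ihl:]


def probe_from_unreachable(datagram: bytes) -> Optional[UdpProbe]:
    """If the datagram is an ICMP port-unreachable, return the probe it quotes.

    RFC 792: the ICMP error body carries the original IP header plus the first
    8 bytes of its payload, which for UDP is exactly the UDP header. That is
    what lets us tie the error back to the frame we sent.
    """
    src, _dst, proto, icmp = parse_ipv4(datagram)
    if proto != IPPROTO_ICMP or len(icmp) < 8 + 20 + 8:
        return None
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_CODE_PORT_UNREACH:
        return None
    in_src, in_dst, in_proto, in_udp = parse_ipv4(icmp[8:])
    if in_proto != IPPROTO_UDP or len(in_udp) < 8:
        return None
    sport, dport, ulen, _csum = struct.unpack("!HHHH", in_udp[:8])
    if src != in_dst:   # a port-unreachable must come from the host we probed
        return None
    return UdpProbe(in_src, in_dst, sport, dport, ulen)


def classify(sent: UdpProbe, reply: Optional[bytes]) -> str:
    """Turn the (possibly absent) answer into the verdict the article describes."""
    if reply is None:
        # Silence is ambiguous: the port may be open (no application reply),
        # ICMP may be filtered on the way, or the host may really be down.
        return "no answer: open port, ICMP filtered, or host down"
    if probe_from_unreachable(reply) == sent:
        return "alive: port unreachable for our probe"
    return "unrelated ICMP: ignore"


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header for a constructed sample (checksum left zero)."""
    def to_bytes(ip: str) -> bytes:
        return bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, to_bytes(src), to_bytes(dst))


def sample_port_unreachable(probe: UdpProbe) -> bytes:
    """Constructed reply bytes: what the probed host would send back for `probe`."""
    udp_hdr = struct.pack("!HHHH", probe.src_port, probe.dst_port, probe.length, 0)
    quoted = ipv4_header(probe.src_ip, probe.dst_ip, IPPROTO_UDP, len(udp_hdr)) + udp_hdr
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH, 0, 0) + quoted
    return ipv4_header(probe.dst_ip, probe.src_ip, IPPROTO_ICMP, len(icmp)) + icmp


if __name__ == "__main__":
    probe = UdpProbe("192.168.0.5", "192.168.0.3", 42560, 31338, 8)
    print(classify(probe, sample_port_unreachable(probe)))
    print(classify(probe, None))
```

The matching step is the important part: an ICMP error is only evidence that the host is alive when the header it quotes is the very UDP frame we sent, which is also why a decoder must not treat any stray ICMP message as a reply. A production decoder would verify the ICMP checksum as well before trusting the quoted header.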

When should you use UDP ping? Again, simple answer. When you run out of all other options, if TCP ping is blocked or the host is hidden behind a firewall that filters open ports.

As it is an advanced and uncommon tool, it is also used in really uncommon scenarios. But it’s good to know about this option.


Thanks and I hope this was useful to you.

11 Comments
  1. Good Info to know!!

  2. awesome info …… keep up the good work

    hey PJAYS just write an article explaining your insight instead of a book response thanks

  3. very nice share..thanks!

  4. Good stuff but a few things, servers and any secure system will block and not allow ICMP requests. That does not mean a machine is down, it just means it blocks those requests. Using a tool like nmap will skip the ping and just do a half or full connect TCP scan to see if the machine is alive and what ports and services are running on the machine. Most firewalls and IDSs will almost always block ICMP and all sorts of ping requests, which is why it is better to use a tool that uses all protocols as well as having the ability to set the different flags in the packets to return the desired results. Also, TCP does not automatically mean it’s IPv6; TCP refers to both IPv4 and IPv6. You can also use nmap to get reliable results when scanning systems for both UDP and TCP. Also, every machine, whether it be a router or a switch or a computer, has the ability to respond to pings by default, but it can be turned off in any device or by a simple firewall rule. The regular ping command can NOT send TCP packets, but a tool like hping is able to craft packets using the TCP protocol.
