The relationship between UDP port scanning and ICMP

Unlike TCP, UDP is a stateless protocol. It was designed for speed in an era where reliability couldn’t always be guaranteed. Effectively, UDP is mostly designed to be used for applications that care more whether or not a packet is sent than whether or not it is received. This presents a problem. If a host continuously sends UDP datagrams to a system that isn’t even listening, it could saturate a link.
Firstly, the Internet of Wrongs is a term I coined to describe the intersection of poorly built hardware designed for malicious purposes. None of the things I’m going to show you are particularly brilliant - indeed they’re actually all deliberately crap. However, each of these things I’ve deliberately made to provide an entry-level project for a bunch of technologies, in order to highlight how easy it is to get started.
Before we start, I’d like to share a pentester story with you about knocking systems over. It’s a fact of life that software bugs happen, and are often triggered by edge cases never considered by the software’s author. A common edge case is something connecting to a service and disconnecting before the conversation starts, or connecting to a service and sending unexpected input. Unfortunately, port scanning more or less relies on these two edge cases.
Port scanning is the basic foundation of service identification within a TCP/IP network, but is generally associated with network mapping. The most popular tool, covered in every single pentesting book you’ll ever read, is Nmap. It’s pretty much the de facto standard port scanner. It’s not the only one out there, and it’s important to understand port scanning theory so you can remain comfortable in situations where Nmap or an equivalent isn’t available, or at least is misbehaving.
Every now and again when pentesting you come across something that doesn’t quite seem right. You can’t always put your finger on it; it’s just a little… off. Whether it’s a code execution bug that’s a little too easy to exploit, or the demo user account that someone apparently forgot to remove, sometimes vulnerabilities just seem as though they were deliberately placed there, even if it’s for legitimate purposes.
ICMP address mask messages

ICMP can be used to identify a given target host’s IP address mask (also called a subnet mask), which can be useful in distinguishing subnets within an IP address range. This is achieved by sending an ICMP address mask request to our target. Hosts that implement ICMP address mask responses may then respond with an ICMP address mask reply containing the host’s 32-bit subnet mask. Most hosts won’t respond to ICMP address mask messages, but it’s useful to know when they do, as this often signifies an older TCP/IP stack in use and might indicate the presence of other vulnerabilities.
Every week or so people ask me about how to get started in penetration testing. I love this question as it gives me the chance to help people get their start. Sometimes I’m messaged on Reddit after contributing to getting-started threads. A lot of the time it’s from people who are interested in Breaking In or have signed up for my 30 day email course (and if you haven’t you really should, it’s free).
Many of the network cartography tools and protocols we commonly use are defined through a set of standards called Request For Comments (RFCs). Surprisingly, not all of the tools we take for granted are covered by these. Take the humble traceroute for example. Do you actually know what really happens when Alice tries to trace the route to Bob? Read on to find out.

ICMP, UDP, TCP and IP. Oh my!
Not being prepared

Whether it’s a product of laziness or just being on back-to-back gigs for weeks on end, at some point (usually now and again) a pentester goes on-site completely unprepared for the task at hand. Is it unprofessional? Yes, of course. Does it happen? Yes, of course. There are different forms of not being prepared, from simply not running the latest software updates through to the catastrophic situation of having pretty much zero knowledge of the test ahead and none of the equipment.