Dark Mode

Settings

Capec-331 Detail

ICMP IP Total Length Field Probe

Detailed Software Likelihood: Medium Typical Severity: Low

Parents: 312

Threats: T60 T80 T258 T288 T291 T302 T334 T392 T407

Description

An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.

Extended Description

RFC1122 specifies that the Header of the request must be echoed back when an error is sent in response, but some operating systems and firmware alter the integrity of the original header. Non-standard ICMP/IP implementations result in response that are useful for individuating remote operating system or router firmware versions. There are four general response types that can be used to distinguish operating systems apart: 1) the IP total length field may be calculated correctly, 2) an operating system may add 20 or more additional bytes to the length calculation, 3) the operating system may subtract 20 or more bytes from the correct length of the field or 4) the IP total length field is calculated with any other incorrect value.
External ID Source Link Description
CAPEC-331 capec https://capec.mitre.org/data/definitions/331.html
CWE-204 cwe http://cwe.mitre.org/data/definitions/204.html
REF-33 reference_from_CAPEC Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill
REF-123 reference_from_CAPEC http://www.faqs.org/rfcs/rfc792.html J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)
REF-124 reference_from_CAPEC http://www.faqs.org/rfcs/rfc1122.html R. Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10
REF-262 reference_from_CAPEC http://ofirarkin.files.wordpress.com/2008/11/login.pdf Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group

Not present

  1. The ability to monitor and interact with network communications. Access to at least one host, and the privileges to interface with the network interface card.
  1. A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, "Port Unreachable."

Not present

Authorization Access Control Confidentiality
Bypass Protection Mechanism Bypass Protection Mechanism Read Data
Hide Activities Hide Activities Bypass Protection Mechanism
Hide Activities

Not present

We use cookies to ensure you get the best experience on our website.