Scanning Beyond IDS and Firewall

Checking for Live Systems – ICMP Scanning

  • Ping scan involves sending ICMP ECHO requests to a host. If the host is live, it will return an ICMP ECHO reply.
  • This scan is useful for locating active devices or for determining whether ICMP is passing through a firewall.

Ping Sweep

  • Ping sweep is used to determine the live hosts from a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it will return an ICMP ECHO reply.
  • Attackers calculate subnet masks using Subnet Mask Calculators to identify the number of hosts present in the subnet.
  • Attackers then use ping sweep to create an inventory of live systems in the subnet.

ICMP Message Types

Type  Name                          Meaning
0     Echo Reply                    Response message returned by a live host
3     Destination Unreachable       Indicates that the destination is unreachable
8     Echo Request                  Request message sent to a host
11    Time Exceeded for a Datagram  Sent when a data packet times out during routing, to inform the source that the packet has been discarded

In ICMP usage, each type uses different codes to describe specific conditions. Taking Type 3 (Destination Unreachable) as an example, the codes under it are as follows:

  • 0: Network Unreachable
  • 1: Host Unreachable
  • 2: Protocol Unreachable
  • 3: Port Unreachable
  • 9: Communication with Destination Network is Administratively Prohibited
  • 10: Communication with Destination Host is Administratively Prohibited
  • 13: Communication Administratively Prohibited (blocked)

Type 11 (Time Exceeded) codes:

  • 0: Time to Live exceeded in Transit
  • 1: Fragment Reassembly Time Exceeded
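The following added example (not part of the original notes) ties the ping-sweep description and the type/code table together from a defender's side: it builds and decodes raw ICMP headers with a verified RFC 1071 checksum, names the types and codes listed above, and flags a source that sends Echo Requests to many distinct destinations. The traffic, addresses and the threshold of 8 destinations are constructed assumptions.

```python
import struct
from collections import defaultdict

# ICMP type/code names from the table above (anything else maps to "Other").
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              8: "Echo Request", 11: "Time Exceeded"}
ICMP_CODES = {
    3: {0: "Network Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 9: "Network Administratively Prohibited",
        10: "Host Administratively Prohibited", 13: "Communication Administratively Prohibited"},
    11: {0: "TTL Exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type, code, ident=0x1234, seq=1, payload=b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used for constructed input)."""
    hdr = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload

def parse_icmp(pkt: bytes) -> dict:
    """Decode the 8-byte ICMP header; a valid message's checksum folds to zero."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "type_name": ICMP_TYPES.get(icmp_type, "Other"),
            "code": code, "code_name": ICMP_CODES.get(icmp_type, {}).get(code, ""),
            "id": ident, "seq": seq, "checksum_ok": icmp_checksum(pkt) == 0}

def detect_ping_sweep(events, threshold=8) -> dict:
    """events: (src_ip, dst_ip, icmp_bytes). Returns sources that sent valid Echo
    Requests to at least `threshold` distinct destinations (the sweep pattern)."""
    targets = defaultdict(set)
    for src, dst, pkt in events:
        msg = parse_icmp(pkt)
        if msg["checksum_ok"] and msg["type"] == 8:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

# Constructed sample traffic: one host sweeps 192.168.1.1-20, another pings a single host.
SAMPLE = [("10.0.0.5", f"192.168.1.{i}", build_icmp(8, 0, seq=i)) for i in range(1, 21)]
SAMPLE += [("10.0.0.9", "192.168.1.1", build_icmp(8, 0)),
           ("192.168.1.1", "10.0.0.9", build_icmp(0, 0))]
```

Calling `detect_ping_sweep(SAMPLE)` reports only 10.0.0.5 (20 destinations); the single ping and the Echo Reply are ignored, as is any message whose checksum does not verify.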

Ping Sweep Tools

  • Angry IP Scanner pings each IP address to check if it’s alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc.
  • SolarWinds Engineer Toolset’s Ping Sweep enables scanning a range of IP addresses to identify which IP addresses are in use and which ones are currently free. It also performs reverse DNS lookup.

