GPL (GNU General Public License)    
Icmpenum sends ICMP traffic to potential targets on a network.






Host enumeration is the act of determining the IP addresses of potential targets on a network. This can be done at both layer 2 and layer 3. Icmpenum sends ICMP traffic for such enumeration. The ICMP packets supported are: Echo, Timestamp, Information and Netmask. Furthermore, it supports spoofing and promiscuous listening for reply packets. Icmpenum is great for enumerating networks which allow ICMP traffic.


1. Install the latest libpcap (libpcap 0.4, ftp://ftp.ee.lbl.gov/libpcap.tar.Z).

2. Install the latest Libnet (http://www.packetfactory.net/libnet/).

3. Compile icmpenum as follows:

gcc `libnet-config --defines` -o icmpenum icmpenum.c -lnet -lpcap

4. Copy icmpenum to your fave directory and (as root) start enumerating.


Running icmpenum -h gives you the following screen:

# ./icmpenum -h
USAGE: ./icmpenum [opts] [-c class C] [-d dev] [-i 1-3] [-s src] [-t sec] hosts
opts are h n p r v
-h this help screen
-n no sending of packets
-p promiscuous receive mode
-r receiving packets only (no
-v verbose
-c class C in x.x.x.0 form
-i icmp type to send/receive, types include the following:
1 echo/echo reply (default)
2 timestamp request/reply
3 info request/reply
-d device to grab local IP or sniff from, default is eth0
-s spoofed source address
-t time in seconds to wait for all replies (default 5)
host(s) are target hosts (ignored if using -c)


Here are some example uses of icmpenum to enumerate hosts.

Example 1:

[Host1]# icmpenum

This will use the default of Echo packets to try and determine if and are up and running.

Example 2:

[Host1]# icmpenum -i 2 -v

This will enumerate the two hosts using Timestamp packets in verbose mode.

Example 3:

[Host1]# icmpenum -i 3 -s -p -v

This will enumerate hosts and using Information packets with a spoofed address of, since our real address is we use the -p option to listen for the replies.

Here are some more advanced uses of icmpenum.

Example 4:

Assuming Host1 is and Host2 is, and that the network has potential hosts to enumerate, we use the following two entries to enumerate with Information packets:

[Host2]# icmpenum -r -t 30 -i 3 -c

[Host1]# icmpenum -s -i 3 -c

Host2 starts first in receive mode with a timeout of 30 seconds and starts listening for Information packets from the network. Then Host1 starts sending spoofed packets with Host2 as the source address, sending exactly what Host2 is listening for. It should be noted that this is hardly stealthy, as logs at 1.1.1's site could have's address all over them, but the -r function is good for testing.

Example 5:

Assuming Host1 is and Host2 is, and that Host2 can sniff traffic between and, we use the following entries to enumerate the network:

[Host2]# icmpenum -t 20 -n -p -i 2 -c

[Host1]# icmpenum -s -i 2 -c

Host2 starts first with a timeout of 20 seconds, uses the -n option so that it sends no packets itself, and listens promiscuously for Timestamp packets from the network. Host1 sends the exact packets Host2 is listening for with a spoofed source address. Yes, one could simply replace the -n option in Host2's command line with -s and do the same thing from one workstation, but we're demonstrating a distributed concept.
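
From the monitoring side, the sweeps in Examples 4 and 5 appear as one source address sending the same ICMP request type to many hosts in a class C. The Python below is an added example, not part of icmpenum or its README, that parses raw IPv4 packets and flags such sources. The ICMP type numbers 8, 13 and 15 are from RFC 792 and 17 from RFC 950; the function names, the threshold of 10 hosts and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
import struct
from collections import defaultdict

# ICMP request types for the four probes the page lists (RFC 792 / RFC 950).
QUERY_TYPES = {8: "echo", 13: "timestamp", 15: "information", 17: "netmask"}

def parse_icmp_query(packet: bytes):
    """Return (src, dst, query_name) for an IPv4 ICMP request, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                         # not ICMP, or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                         # later fragment: no ICMP header
    name = QUERY_TYPES.get(packet[ihl])
    if name is None or packet[ihl + 1] != 0:
        return None                         # a reply, an error, or bad code
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    return src, dst, name

def find_sweeps(packets, threshold=10):
    """Flag (src, /24, query type) seen probing >= threshold distinct hosts."""
    seen = defaultdict(set)
    for pkt in packets:
        parsed = parse_icmp_query(pkt)
        if parsed:
            src, dst, name = parsed
            net = dst.rsplit(".", 1)[0] + ".0/24"
            seen[(src, net, name)].add(dst)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}

def build_packet(src, dst, icmp_type):
    """Constructed sample: minimal IPv4 + ICMP header (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0)

# Constructed capture: one source sends Timestamp requests across a class C,
# a second source sends a single Echo request to one host.
SAMPLE = [build_packet("198.51.100.7", f"192.0.2.{h}", 13) for h in range(1, 31)]
SAMPLE.append(build_packet("198.51.100.9", "192.0.2.5", 8))

if __name__ == "__main__":
    for (src, net, name), count in find_sweeps(SAMPLE).items():
        print(f"{src} sent {name} requests to {count} hosts in {net}")
```

Because the -s option spoofs the source, the flagged address is only what the IP header claims; in the two-host setups above it would be the listening host, not the sender.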

What's New in This Release:

I have added ICMP MASK (type 17 and 18) requests and replies. Simply use the -i 4 option on the command line, such as: icmpenum -i 4 -c (sends ICMP MASK requests to the Class C range and reports any system as.
Due to the use of some older versions of Libnet and Libpcap, I can see problems for some people compiling this and hence have placed two statically linked versions within the tarball.
Last updated on April 5th, 2007
