Icmpenum sends ICMP traffic to potential targets on a network.
Host enumeration is the act of determining the IP addresses of potential targets on a network. It can be done at layer 2 or at layer 3. Icmpenum sends ICMP traffic for this purpose. The ICMP packet types supported are Echo, Timestamp, Information and Netmask. It also supports source-address spoofing and promiscuous listening for reply packets. Icmpenum is well suited to enumerating networks that allow ICMP traffic through.
1. Install the latest libpcap (libpcap 0.4, ftp://ftp.ee.lbl.gov/libpcap.tar.Z).
2. Install the latest Libnet (http://www.packetfactory.net/libnet/).
3. Compile icmpenum as follows:
gcc `libnet-config --defines` -o icmpenum icmpenum.c -lnet -lpcap
4. Copy icmpenum to your fave directory and (as root) start enumerating.
Running icmpenum -h gives you the following screen:
# ./icmpenum -h
USAGE: ./icmpenum [opts] [-c class C] [-d dev] [-i 1-3] [-s src] [-t sec] hosts
opts are h n p r v
-h this help screen
-n no sending of packets
-p promiscuous receive mode
-r receiving packets only (no
-c class C in x.x.x.0 form
-i icmp type to send/receive, types include the following:
1 echo/echo reply (default)
2 timestamp request/reply
3 info request/reply
-d device to grab local IP or sniff from, default is eth0
-s spoofed source address
-t time in seconds to wait for all replies (default 5)
host(s) are target hosts (ignored if using -c)
Here are some example uses of icmpenum to enumerate hosts.
[Host1]# icmpenum 192.168.1.1 192.168.1.2
This will use the default of Echo packets to try to determine whether 192.168.1.1 and 192.168.1.2 are up and running.
[Host1]# icmpenum -i 2 -v 192.168.100.100 192.168.100.200
This will enumerate the two hosts using Timestamp packets in
[Host1]# icmpenum -i 3 -s 10.10.10.10 -p -v 192.168.1.1 192.168.1.2
This will enumerate hosts 192.168.1.1 and 192.168.1.2 using Information packets with a spoofed source address of 10.10.10.10. Since our real address is 10.10.10.11, the replies are addressed to 10.10.10.10 rather than to us, so the -p option is needed to listen for them promiscuously.
Here are some more advanced uses of icmpenum.
Assuming Host1 is 220.127.116.11 and Host2 is 18.104.22.168, and that the network 22.214.171.124 has potential hosts to enumerate, we use the following two entries to enumerate with Information packets:
[Host2]# icmpenum -r -t 30 -i 3 -c 126.96.36.199
[Host1]# icmpenum -s 188.8.131.52 -i 3 -c 184.108.40.206
Host2 starts first in receive mode with a timeout of 30 seconds and listens for Information packets from the 220.127.116.11 network. Then Host1 starts sending spoofed packets with Host2 as the source address, which is exactly what Host2 is listening for. It should be noted that this is hardly stealthy, as logs at 1.1.1's site could have 18.104.22.168's address all over them, but the -r function is good for testing.
Assuming Host1 is 22.214.171.124 and Host2 is 126.96.36.199, and that Host2 can sniff traffic between 188.8.131.52 and 184.108.40.206, we use the following entries to enumerate the 220.127.116.11 network:
[Host2]# icmpenum -t 20 -n -p -i 2 -c 18.104.22.168
[Host1]# icmpenum -s 22.214.171.124 -i 2 -c 126.96.36.199
Host2 starts first with a timeout of 20 seconds, uses the -n option so that it sends no packets itself, and listens promiscuously for Timestamp packets from the 188.8.131.52 network. Host1 then sends exactly the packets Host2 is listening for, with 184.108.40.206 as the spoofed source address. Yes, one could simply replace the -n option on Host2's command line with -s 220.127.116.11 and do the same thing from one workstation, but this demonstrates a distributed setup.
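The examples above all rely on the same four ICMP request/reply pairs (echo, timestamp, information, address mask) and on the fact that replies to a spoofed request go to the spoofed address, not to the sender. The following script is an added example, not part of icmpenum, written from the receiving side: it decodes ICMP messages captured off the wire, verifies the RFC 1071 checksum, names the type using the same echo/timestamp/info/mask grouping as icmpenum's -i options, and flags the two things a network defender would want to see, namely non-echo requests (which are rare in normal traffic) and a single source probing many hosts in a range. The capture format (a list of source, destination, ICMP-bytes tuples) and the sample packets are constructed for this example.

```python
import struct
from collections import defaultdict

# Request/reply ICMP type pairs behind icmpenum's -i 1..4 options
# (echo 8/0, timestamp 13/14, information 15/16, address mask 17/18).
ICMP_PAIRS = {"echo": (8, 0), "timestamp": (13, 14), "info": (15, 16), "mask": (17, 18)}
TYPE_NAME = {}
for _name, (_req, _rep) in ICMP_PAIRS.items():
    TYPE_NAME[_req] = _name + " request"
    TYPE_NAME[_rep] = _name + " reply"
REQUEST_TYPES = {req for req, _ in ICMP_PAIRS.values()}
# Echo requests are everyday traffic; the other three request types are
# seldom seen outside enumeration and deserve a per-packet finding.
UNUSUAL_REQUESTS = REQUEST_TYPES - {8}


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, rest: bytes = b"\x00\x00\x00\x00", payload: bytes = b"") -> bytes:
    """Build one ICMP message with a valid checksum; used only to construct the sample capture."""
    body = struct.pack("!BBH", icmp_type, 0, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, 0, rfc1071_checksum(body)) + rest + payload


def decode_icmp(msg: bytes) -> dict:
    """Parse the ICMP header and verify its checksum (a correct message sums to zero)."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    return {
        "type": icmp_type,
        "code": code,
        "name": TYPE_NAME.get(icmp_type, "other (type %d)" % icmp_type),
        "checksum_ok": rfc1071_checksum(msg) == 0,
    }


def detect_enumeration(capture, sweep_threshold=4):
    """capture: list of (src_ip, dst_ip, icmp_bytes) as a sniffer would hand them over.
    Returns a sorted list of findings: unusual request types per packet, corrupted
    messages, and any source that sent requests to sweep_threshold or more hosts."""
    findings = []
    targets = defaultdict(set)
    for src, dst, msg in capture:
        info = decode_icmp(msg)
        if not info["checksum_ok"]:
            findings.append("bad checksum from %s (%s)" % (src, info["name"]))
            continue
        if info["type"] in REQUEST_TYPES:
            targets[src].add(dst)
        if info["type"] in UNUSUAL_REQUESTS:
            findings.append("%s from %s to %s" % (info["name"], src, dst))
    for src, hosts in targets.items():
        if len(hosts) >= sweep_threshold:
            findings.append("sweep: %s probed %d hosts" % (src, len(hosts)))
    return sorted(findings)


# Constructed sample capture (not real traffic): an echo sweep from 10.0.0.5 across
# 192.168.1.1-5, an information request carrying the spoofed source 10.10.10.10 from
# the examples above, one echo reply, and one timestamp request with a corrupted byte.
SAMPLE_CAPTURE = [("10.0.0.5", "192.168.1.%d" % i, build_icmp(8, b"\x12\x34\x00\x01"))
                  for i in range(1, 6)]
SAMPLE_CAPTURE += [
    ("10.10.10.10", "192.168.1.1", build_icmp(15)),
    ("192.168.1.1", "10.0.0.5", build_icmp(0, b"\x12\x34\x00\x01")),
    ("192.168.1.7", "10.0.0.5", build_icmp(13, payload=b"\x00" * 12)[:-1] + b"\xff"),
]

if __name__ == "__main__":
    for line in detect_enumeration(SAMPLE_CAPTURE):
        print(line)
```

The sweep threshold is deliberately low so the sample trips it; on a real segment it should be tuned against the normal monitoring traffic. Note that a spoofed request looks, to the target, like any other request from the spoofed address, so the finding names the address in the packet, not the machine that actually sent it.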
What's New in This Release:
· I have added ICMP MASK (type 17 and 18) requests and replies. Simply use the -i 4 option on the command line, for example: icmpenum -i 4 -c 18.104.22.168 (sends ICMP MASK requests to the Class C range 22.214.171.124/24 and reports any system as
· Because this release was built against older versions of Libnet and libpcap, I can see some people having problems compiling it, so I have placed two statically linked versions in the tarball.