What is ICMP address mask scanning and how is it used

0 votes
ICMP address mask requests can reveal subnet information. How is this technique used by attackers during network discovery?
May 2 in Cyber Security & Ethical Hacking by Anupam
• 17,300 points 46 views

1 answer to this question.

0 votes

ICMP Address Mask Scanning is a network reconnaissance technique that leverages the Internet Control Message Protocol (ICMP) to gather subnet information from target hosts. By sending ICMP Type 17 (Address Mask Request) messages, an attacker can prompt a host to respond with its subnet mask via an ICMP Type 18 (Address Mask Reply) message. This information aids attackers in mapping the network's structure and identifying potential targets.

How Attackers Use ICMP Address Mask Scanning?

  1. Subnet Discovery
    By obtaining the subnet mask from a host, attackers can determine the size of the subnet and identify the range of IP addresses within it. This knowledge enables them to focus their scanning efforts on active subnets, increasing the efficiency of their reconnaissance activities.

  2. Bypassing ICMP Echo Restrictions
    Some networks block ICMP Echo Requests (Type 8) to prevent standard ping scans. However, they may still respond to Address Mask Requests. Attackers exploit this by using ICMP Address Mask Scanning as an alternative method to discover live hosts within the network.

  3. Network Topology Mapping
    Gathering subnet masks from multiple hosts allows attackers to infer the network's topology, including the segmentation and hierarchy of subnets. This information is crucial for planning targeted attacks and identifying critical network infrastructure.

  4. Operating System Fingerprinting
    The behavior of hosts in response to ICMP Address Mask Requests can provide clues about their operating systems. For instance, some systems may not respond to such requests, while others do, allowing attackers to make educated guesses about the OS in use.

Mitigation Strategies

To protect against ICMP Address Mask Scanning:

  • Disable ICMP Type 17 and 18 Messages: Configure network devices and hosts to ignore or block ICMP Address Mask Requests and Replies.

  • Implement Firewall Rules: Set up firewalls to filter out unnecessary ICMP traffic, especially uncommon types like Address Mask Requests.

  • Monitor Network Traffic: Use intrusion detection systems (IDS) to detect and alert on unusual ICMP traffic patterns that may indicate scanning activities.

  • Regularly Update Systems: Ensure all network devices and hosts are up-to-date with the latest security patches to mitigate known vulnerabilities.

Example Command

Using Nmap, a network scanning tool, an attacker can perform an ICMP Address Mask Scan with the following command:

nmap -sn -PM <target IP range>

This command sends ICMP Address Mask Requests to the specified IP range to identify responsive hosts and gather subnet information.

Understanding and mitigating ICMP Address Mask Scanning is essential for maintaining network security and preventing unauthorized reconnaissance activities.

answered May 2 by CaLLmeDaDDY
 • 31,260 points

Related Questions In Cyber Security & Ethical Hacking

0 votes
1 answer

What is PTR record scanning, and how does it work?

​PTR (Pointer) record scanning is a technique ...READ MORE

answered Apr 25 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 31,260 points 79 views
0 votes
1 answer

What is TCP window size scanning, and how does it detect OS?

TCP Window Size Scanning is a technique ...READ MORE

answered May 2 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 31,260 points 75 views
0 votes
1 answer

What is a DNS server and how to check whether it is configured or not?

A DNS server is used to enable a machine to ...READ MORE

answered Mar 22, 2019 in Cyber Security & Ethical Hacking by Priyaj
 • 58,020 points 1,802 views
0 votes
0 answers

What is the role of DNSSEC in footprinting, and how can I query it programmatically?

Oct 11, 2024 in Cyber Security & Ethical Hacking by Anupam
• 17,300 points 240 views
+1 vote
1 answer

How do you decrypt a ROT13 encryption on the terminal itself?

Yes, it's possible to decrypt a ROT13 ...READ MORE

answered Oct 17, 2024 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 31,260 points 955 views
+1 vote
1 answer

How does the LIMIT clause in SQL queries lead to injection attacks?

The LIMIT clause in SQL can indeed ...READ MORE

answered Oct 17, 2024 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 31,260 points 580 views
+1 vote
1 answer

Is it safe to use string concatenation for dynamic SQL queries in Python with psycopg2?

The use of string concatenation while building ...READ MORE

answered Oct 17, 2024 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 31,260 points 419 views
+1 vote
1 answer

How can I use Python for web scraping to gather information during reconnaissance?

Python is considered to be an excellent ...READ MORE

answered Oct 17, 2024 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 31,260 points 367 views
0 votes
1 answer

What is NULL scanning, and how is it used?

​A NULL scan is a network reconnaissance ...READ MORE

answered Apr 14 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 31,260 points 112 views
0 votes
1 answer

What is TCP Connect scanning, and when is it used?

​TCP Connect scanning is a fundamental port ...READ MORE

answered Apr 15 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
 • 31,260 points 74 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP
"PMP®","PMI®", "PMI-ACP®" and "PMBOK®" are registered marks of the Project Management Institute, Inc. MongoDB®, Mongo and the leaf logo are the registered trademarks of MongoDB, Inc.