CAPEC-316 - ICMP Fingerprinting Probes

An attacker uses ICMP stack fingerprinting techniques to determine the operating system type and version of a remote target. Because ICMP is a ubiquitous diagnostic messaging protocol, ICMP fingerprinting techniques are applicable to almost any internet host, in a manner similar to TCP. ICMP fingerprinting involves generating ICMP messages and analyzing the responses. The method is limited in that most firewalls are configured to block ICMP messages for security reasons, so it is most effective when used on an internal network segment. OS fingerprinting with ICMP usually involves multiple different probes, because the information returned from any one probe is usually insufficient to support a reliable OS inference.

  • Scopes 2
  • "Varies by context"
  • Confidentiality
  • Hide activities
  • Bypass protection mechanism
  • Authorization
  • Access_Control
  • Confidentiality

The attacker must be able to generate ICMP messages and analyze the responses from a target. Where a firewall blocks certain message types, the reliability of ICMP fingerprinting declines sharply.
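Because a fingerprint needs several different probes, a single source sending several distinct ICMP request types to one host in a short time is a usable detection signal. The sketch below is an added example, not part of the CAPEC entry; the event tuple layout, the thresholds, the sample records and the choice of request types (echo, timestamp, information, address mask) are assumptions made for illustration.

```python
from collections import defaultdict

# ICMP request (query) message types tracked by this check; the selection is
# an assumption of this example, not a list taken from the CAPEC entry.
QUERY_TYPES = {8: "echo", 13: "timestamp", 15: "information", 17: "address-mask"}

# Constructed sample records: (epoch seconds, source, destination, ICMP type).
SAMPLE_EVENTS = [
    (1000.0, "10.0.5.23", "10.0.1.10", 8),
    (1000.4, "10.0.5.23", "10.0.1.10", 13),
    (1000.9, "10.0.5.23", "10.0.1.10", 17),
    (1002.0, "10.0.7.40", "10.0.1.10", 8),   # ordinary ping, repeated
    (1003.0, "10.0.7.40", "10.0.1.10", 8),
    (1500.0, "10.0.7.41", "10.0.1.11", 8),   # two types, but far apart in time
    (5000.0, "10.0.7.41", "10.0.1.11", 13),
    (1001.0, "10.0.5.23", "10.0.1.10", 3),   # destination unreachable: not a request
]


def find_icmp_probe_bursts(events, window=10.0, min_types=3):
    """Return one alert per (src, dst) pair that sends at least `min_types`
    distinct ICMP request types within `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, icmp_type in events:
        if icmp_type in QUERY_TYPES:
            by_pair[(src, dst)].append((ts, icmp_type))

    alerts = []
    for (src, dst), recs in sorted(by_pair.items()):
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the span fits inside `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            types = sorted({t for _, t in recs[start:end + 1]})
            if len(types) >= min_types:
                alerts.append({"src": src, "dst": dst,
                               "first_seen": recs[start][0],
                               "types": [QUERY_TYPES[t] for t in types]})
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in find_icmp_probe_bursts(SAMPLE_EVENTS):
        print(alert)
```

Repeated echo requests alone never trigger the alert, so ordinary ping monitoring stays quiet; tune `window` and `min_types` to the segment being watched.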