ICMP scan

deviltaz

Newbie

Posts: 3

Joined: Mon Apr 18, 2011 3:38 pm

Post Wed Apr 20, 2011 8:50 pm

ICMP scan

Let's say hypothetically, I was connected to a wireless network at a local restaurant/coffee establishment.  And the IP address assigned to my device was 10.0.0.20.  And hypothetically, I fired up Nmap and ran an ICMP scan against 10.0.0.0/24.  The only hosts alive were my device and the AP.  Let's say the place was packed, and more than 1/2 the folks had laptops, there should be more than two hosts that would answer a ping, correct?  (Let's say most of the folks were connected to the wireless network).  Angry IP Scanner produced the same results.

thanks

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Wed Apr 20, 2011 8:53 pm

Re: ICMP scan

I'm pretty sure that certain WAPs allow you to configure the device so that clients aren't able to see other clients.  I believe I read about this in some Cisco WAP documentation, but I'm unable to remember the specific model to quote it.

**EDIT**
Found it: http://www.cisco.com/en/US/docs/wireles ... _Guide.pdf

To prevent wireless computers associated to the same SSID from seeing and transferring files between each other, in the Wireless Isolation (within SSID) field, click Enabled.


You may be experiencing a similar configuration.
Last edited by lorddicranius on Wed Apr 20, 2011 9:23 pm, edited 1 time in total.
GSEC, eCPPT, Sec+

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Wed Apr 20, 2011 10:51 pm

Re: ICMP scan

*Hypothetically*

I'd try another method than ICMP to find hosts nearby. Maybe ARP...maybe NBNS....maybe a TCP SYN scan to TCP/139 or TCP/445.

Or, just fire up Wireshark and see who's broadcasting.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

TheXero

Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Thu Apr 21, 2011 3:32 am

Re: ICMP scan

As Ziggy_567 said, do an ARP scan.

According to the IPv4 module, machines have to respond to ARP requests.

The problem with ICMP is that it can be blocked just like ports whereas ARP should never be blocked inside of a network.  ARP can't travel beyond a router but locally should work just fine.

~TheXero
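An added example, not part of TheXero's post or the thread: the standard ARP message layout (RFC 826) built and parsed in Python, showing that ARP rides directly in an Ethernet frame (EtherType 0x0806) sent to the link-layer broadcast address, with no IP header for a router to forward. The MAC addresses and the reply frame are constructed sample values; only the 10.0.0.x addresses echo the thread.

```python
import socket
import struct

ETH_P_ARP = 0x0806          # EtherType: ARP sits directly on Ethernet, no IP header
BROADCAST = b"\xff" * 6     # link-layer broadcast, never forwarded by a router
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def build_arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """Return a who-has frame addressed to the link-layer broadcast address."""
    eth = BROADCAST + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, src_mac,
                      socket.inet_aton(src_ip), b"\x00" * 6,
                      socket.inet_aton(target_ip))
    return eth + arp

def parse_arp(frame: bytes):
    """Decode an Ethernet frame; return None unless it is IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + struct.calcsize(ARP_FMT):
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": {1: "request", 2: "reply"}.get(oper, "other"),
            "broadcast": frame[:6] == BROADCAST,
            "sender_mac": sha.hex(":"), "sender_ip": socket.inet_ntoa(spa),
            "target_ip": socket.inet_ntoa(tpa)}

def responders(frames):
    """Map sender IP -> MAC for every ARP reply found in a list of frames."""
    return {p["sender_ip"]: p["sender_mac"]
            for p in map(parse_arp, frames) if p and p["op"] == "reply"}

# Constructed sample data (not from the thread): 10.0.0.20 asks who has
# 10.0.0.1, and one made-up unicast reply comes back from that address.
ME = bytes.fromhex("020000000020")
AP = bytes.fromhex("020000000001")
REQUEST = build_arp_request(ME, "10.0.0.20", "10.0.0.1")
REPLY = (ME + AP + struct.pack("!H", ETH_P_ARP) +
         struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2, AP,
                     socket.inet_aton("10.0.0.1"), ME,
                     socket.inet_aton("10.0.0.20")))
```
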

deviltaz

Newbie

Posts: 3

Joined: Mon Apr 18, 2011 3:38 pm

Post Thu Apr 21, 2011 10:11 pm

Re: ICMP scan

Thanks!  Appreciate the feedback.

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Thu Apr 21, 2011 11:58 pm

Re: ICMP scan

Good points ziggy and TheXero.  I wonder now, how does that Cisco config work?  I wonder how it implements that "wireless isolation."
GSEC, eCPPT, Sec+

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat May 07, 2011 11:37 am

Re: ICMP scan

lorddicranius wrote: Good points ziggy and TheXero.  I wonder now, how does that Cisco config work?  I wonder how it implements that "wireless isolation."


It's analogous to VLANs.
The day you stop learning is the day you start becoming obsolete.

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Sat May 07, 2011 1:36 pm

Re: ICMP scan

dynamik wrote:
lorddicranius wrote: Good points ziggy and TheXero.  I wonder now, how does that Cisco config work?  I wonder how it implements that "wireless isolation."


It's analogous to VLANs.


I haven't even had time to ponder this thought lol.  Thanks dynamik :)
GSEC, eCPPT, Sec+
