ICMP stands for Internet Control Message Protocol. Unlike TCP or UDP, which are used to transport actual user data (like web pages or emails), ICMP is a “supporting” protocol used by network devices to send error messages and operational information.

Think of it as the “diagnostic and feedback” layer of the Internet.


How It Works

ICMP doesn’t use port numbers. Instead, it uses Types and Codes to communicate what is happening on the network.

  • Type: The broad category of the message (e.g., “Destination Unreachable”).

  • Code: The specific detail (e.g., “Port Unreachable” vs. “Network Unreachable”).


Common ICMP Message Types

As you study for your CompTIA PenTest+, you’ll need to recognize these specific types:

Type  Name                     Purpose
0     Echo Reply               The “Pong”—the response to a ping.
3     Destination Unreachable  The packet couldn’t be delivered.
5     Redirect                 Tells the host to use a different gateway (can be abused in attacks).
8     Echo Request             The “Ping”—the initial request to see if a host is alive.
11    Time Exceeded            The packet’s TTL (Time to Live) hit 0 (used by Traceroute).
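The Type/Code pairs above are just the first two bytes of an 8-byte ICMP header, followed by a checksum. The following Python example is added here to show that layout in working code; it is not part of the original notes. It builds an ICMP message with a correct RFC 1071 checksum, parses one back, verifies the checksum, and names the type and code. It goes slightly beyond the table by listing the RFC 792 codes for Types 3, 5 and 11 (the page itself only mentions Port Unreachable and Network Unreachable); the identifier, sequence number and payloads in the demo are constructed values.

```python
import struct

# ICMP header layout (RFC 792): type, code, checksum, then 4 bytes whose meaning
# depends on the type. For Echo Request/Reply they are identifier and sequence number;
# for Destination Unreachable and Time Exceeded they are unused and sent as zero.
ICMP_HEADER = struct.Struct("!BBHHH")

# Type names from the table above; code names from RFC 792.
TYPE_NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
CODE_NAMES = {
    3: {0: "Network Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 4: "Fragmentation Needed and DF Set", 5: "Source Route Failed"},
    5: {0: "Redirect for the Network", 1: "Redirect for the Host",
        2: "Redirect for ToS and Network", 3: "Redirect for ToS and Host"},
    11: {0: "TTL Exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd trailing byte with zero
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int = 0, seq: int = 0, payload: bytes = b"") -> bytes:
    """Serialise an ICMP message; the checksum is computed with its own field zeroed."""
    header = ICMP_HEADER.pack(icmp_type, code, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return ICMP_HEADER.pack(icmp_type, code, csum, ident, seq) + payload


def parse_icmp(message: bytes) -> dict:
    """Decode the header, name the type/code and report whether the checksum verifies."""
    if len(message) < ICMP_HEADER.size:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, csum, ident, seq = ICMP_HEADER.unpack_from(message)
    return {
        "type": icmp_type,
        "type_name": TYPE_NAMES.get(icmp_type, "Unknown"),
        "code": code,
        "code_name": CODE_NAMES.get(icmp_type, {0: "No code"}).get(code, "Unknown"),
        "identifier": ident,
        "sequence": seq,
        # With the checksum field included, an intact message sums to all ones, so
        # recomputing the checksum over the whole message yields zero.
        "checksum_ok": internet_checksum(message) == 0,
        "payload": message[ICMP_HEADER.size:],
    }


if __name__ == "__main__":
    # Constructed Echo Request, as the ping utility would send it.
    ping = build_icmp(8, 0, ident=0x1234, seq=1, payload=b"constructed payload")
    print(parse_icmp(ping))
    # Constructed Destination Unreachable / Port Unreachable. A real router would put the
    # offending IP header plus 8 bytes of its data in the payload; a placeholder is used here.
    unreachable = build_icmp(3, 3, payload=b"\x45\x00" + b"\x00" * 26)
    print(parse_icmp(unreachable)["type_name"], "/", parse_icmp(unreachable)["code_name"])
```

Sending these bytes requires a raw socket (root), which is why tools such as ping and Nmap need elevated privileges for ICMP; the parsing side works equally well on bytes pulled from a packet capture.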

ICMP in Penetration Testing

In your Linux lab, you’ll use ICMP constantly for reconnaissance and troubleshooting.

1. Host Discovery (Ping)

The simplest way to see if a target is “up” is an ICMP Echo Request:

ping <target_ip>

2. Traceroute

Traceroute works by intentionally sending packets with low TTL values, starting at 1 and raising it by one each round. The router at which the TTL reaches 0 drops the packet and sends back an ICMP Type 11 (Time Exceeded) message from its own address, so each round reveals the next router and lets you map the path to the target.
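The following Python model is an added example, not code from the original notes: it simulates the TTL mechanism described above rather than sending real probes (a real traceroute needs a raw socket and root). Each router decrements the TTL; the one that takes it to 0 answers with Type 11, and the target answers the surviving probe with Type 0. The path, the silent second router and the RFC 5737 documentation addresses are constructed assumptions.

```python
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11


@dataclass
class Router:
    address: str
    answers: bool = True   # a router that drops ICMP shows up as "* * *" in traceroute output


def send_probe(path, target, ttl):
    """Model one Echo Request leaving with the given TTL.

    Every router on the path decrements the TTL before forwarding. The router that takes
    it to 0 discards the packet and, unless it is silent, replies with Time Exceeded from
    its own address. A probe that outlives the whole path reaches the target, which
    answers the Echo Request with an Echo Reply.
    Returns (icmp_type, responder) or (None, None) when nothing comes back.
    """
    for router in path:
        ttl -= 1
        if ttl == 0:
            return (TIME_EXCEEDED, router.address) if router.answers else (None, None)
    return ECHO_REPLY, target


def traceroute(path, target, max_hops=30):
    """Raise the TTL one hop at a time; each Time Exceeded reveals the next router."""
    hops = []
    for ttl in range(1, max_hops + 1):
        icmp_type, responder = send_probe(path, target, ttl)
        hops.append((ttl, responder or "*", icmp_type))
        if icmp_type == ECHO_REPLY:   # the target itself answered, so the path is complete
            break
    return hops


# Constructed three-router path on RFC 5737 documentation addresses; the second router is silent.
SAMPLE_PATH = [Router("192.0.2.1"), Router("198.51.100.1", answers=False), Router("198.51.100.2")]
SAMPLE_TARGET = "203.0.113.10"

if __name__ == "__main__":
    labels = {TIME_EXCEEDED: "Time Exceeded", ECHO_REPLY: "Echo Reply", None: "no response"}
    for ttl, responder, icmp_type in traceroute(SAMPLE_PATH, SAMPLE_TARGET):
        print(f"{ttl:2d}  {responder:<15} {labels[icmp_type]}")
```

The "*" row is the interesting one for a tester: a hop that never answers does not break the trace, because the next round's probe still expires one router further along.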

3. ICMP Scanning in Nmap

By default, Nmap performs an ICMP ping sweep before scanning ports to see if the host is active. The -sn option runs only that host discovery and skips the port scan:

nmap -sn 192.168.1.0/24

4. Reconnaissance Challenges

Many modern firewalls block ICMP to stay “hidden.” This is why a host might be alive even if it doesn’t respond to a ping. In your lab, you can bypass this in Nmap by using the -Pn flag, which tells Nmap to skip host discovery (including the ICMP check) and treat every target as up.


Security Risks: ICMP Attacks

  • Ping of Death: Sending an oversized ICMP packet to crash a system (mostly mitigated in modern operating systems).

  • ICMP Flood: A DoS attack that overwhelms a target with Echo Requests.

  • ICMP Tunneling: Hiding actual data (like a shell or stolen files) inside the data portion of an ICMP packet to bypass firewalls that only look for TCP/UDP traffic.
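Each of the three attacks above leaves a recognisable trace in ICMP metadata alone: a datagram that reassembles past the IPv4 limit, a burst of Echo Requests from one source, and echo messages carrying far more payload than any ping needs. The following Python example is added here (not part of the original notes) to show defender-side detection logic run over constructed sensor records; the thresholds are illustrative assumptions, and the addresses come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict, deque

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Illustrative thresholds (assumptions for this example); tune them to your own traffic baseline.
FLOOD_WINDOW_SECONDS = 1.0
FLOOD_REQUESTS_PER_WINDOW = 100   # echo requests from one source to one host within the window
MAX_NORMAL_PAYLOAD = 256          # bytes; ping defaults are 56 (Linux) and 32 (Windows)
MAX_IP_DATAGRAM = 65535           # no legitimate IPv4 datagram reassembles larger than this


def rec(ts, src, dst, icmp_type, payload_len):
    """One sensor record; total length = 20-byte IP header + 8-byte ICMP header + payload."""
    return {"ts": ts, "src": src, "dst": dst, "type": icmp_type, "code": 0,
            "total_len": 28 + payload_len, "payload_len": payload_len}


def analyze_icmp(records):
    """Return (indicator, source, detail) tuples for the three attack patterns, once per source."""
    alerts, seen = [], set()
    recent = defaultdict(deque)        # (src, dst) -> timestamps of recent echo requests

    def raise_alert(kind, src, detail):
        if (kind, src) not in seen:    # report each indicator once per source, not per packet
            seen.add((kind, src))
            alerts.append((kind, src, detail))

    for r in sorted(records, key=lambda r: r["ts"]):
        # Ping of Death: only a malformed fragment train reassembles past the IPv4 limit.
        if r["total_len"] > MAX_IP_DATAGRAM:
            raise_alert("oversized_datagram", r["src"], f"{r['total_len']}-byte datagram")

        # ICMP flood: sliding one-second window of echo requests per (source, destination).
        if r["type"] == ECHO_REQUEST:
            window = recent[(r["src"], r["dst"])]
            window.append(r["ts"])
            while r["ts"] - window[0] > FLOOD_WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FLOOD_REQUESTS_PER_WINDOW:
                raise_alert("icmp_flood", r["src"],
                            f"{len(window)} echo requests to {r['dst']} within {FLOOD_WINDOW_SECONDS}s")

        # Tunneling: echo messages carrying far more data than a ping ever needs.
        if r["type"] in (ECHO_REQUEST, ECHO_REPLY) and r["payload_len"] > MAX_NORMAL_PAYLOAD:
            raise_alert("possible_icmp_tunnel", r["src"], f"echo payload of {r['payload_len']} bytes")

    return alerts


def sample_records():
    """Constructed sensor output (not a real capture) on RFC 5737 documentation addresses."""
    records = []
    for i in range(4):                 # a normal ping exchange with the Linux default payload
        records.append(rec(10.0 + i, "192.0.2.10", "192.0.2.1", ECHO_REQUEST, 56))
        records.append(rec(10.001 + i, "192.0.2.1", "192.0.2.10", ECHO_REPLY, 56))
    for i in range(150):               # a flood: 150 echo requests in under half a second
        records.append(rec(20.0 + i * 0.003, "198.51.100.7", "192.0.2.1", ECHO_REQUEST, 56))
    for i in range(3):                 # tunnel-like: slow echo requests with 1400-byte payloads
        records.append(rec(30.0 + 2 * i, "192.0.2.25", "203.0.113.5", ECHO_REQUEST, ECHO_REQUEST and 1400))
    records.append(rec(40.0, "198.51.100.9", "192.0.2.1", ECHO_REQUEST, 65512))   # reassembles to 65540 bytes
    return records


if __name__ == "__main__":
    for kind, src, detail in analyze_icmp(sample_records()):
        print(f"{kind:<22} {src:<14} {detail}")
```

The oversized record trips two indicators at once (its payload is also far above the tunnel threshold), which is expected: the rules are independent, and correlation across them belongs in whatever consumes the alerts.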