SING(8)                     System Manager's Manual                    SING(8)

NAME

       sing - Send ICMP Nasty Garbage packets to network hosts

SYNOPSIS

       sing [-hVRnvqGQOBU] [-c count] [-T wait] [-p pattern] [-s datasize] [-F
       bytes] [-i interface] [-S spoof] [-t ttl] [-TOS tos] [-l preload] [-M
       os] [-L logfile] [-MAC hw_addr] [-x code] [type] host

DESCRIPTION

       sing is a tool that sends fully customized ICMP packets from the
       command line. Its main purpose is to replace the well-behaved ping
       command with certain enhancements, such as the ability to send and
       read IP spoofed packets, to send MAC spoofed packets, and to send, in
       addition to the ECHO REQUEST type sent by default, many other ICMP
       types such as Echo Reply, Address Mask Request, Timestamp,
       Information Request, Router Solicitation and Router Advertisement.

       It also supports the following ICMP error types: Redirect, Source
       Quench, Time Exceeded, Destination Unreachable and Parameter Problem.

       It can do a little fingerprinting; see the FINGERPRINTING TECHNIQUES
       section for more details.

       It can emulate certain operating systems when sending Echo Request or
       Echo Reply packets. See the MIMIC TECHNIQUES section for more
       information.

       The destination host can also be specified as a list of gateways
       (including the destination) separated by the '%' symbol, meaning the
       use of a Strict Source Routing IP Option (e.g.
       router1%router2%router3%host), or by the '@' symbol, meaning the use
       of a Loose Source Routing IP Option (e.g.
       router1@router2@router3@host).

       The EXAMPLES section of this page gives a long list of examples that
       show real uses of this program.

MOST COMMON OPTIONS

       -h, --help
              Help screen.

       -V, --Version
              Program version.

       -v     Verbose mode.

       -B     Send a Bad ICMP Checksum on Information types.

       -c count
              Stop after sending (and receiving) count packets. Information
              types only.

       -F bytes
              Fragment the entire ICMP packet, with a size of bytes per
              fragment. Not used on Solaris systems.

       -G     Set the IP header Don't Fragment flag. Not used on Solaris
              systems.

       -i interface
              Interface (name or IP address) on which to listen for replies.

       -l preload
              If preload is specified, sing sends that many packets as fast as
              possible before falling into its normal mode of behavior. Only
              the super-user may use this option. Information types only.

       -L logfile
              Save the current session to the file logfile. If logfile exists,
              the data will be appended at the end.

       -M os  Mimic the os specified when sending an Echo Request or Echo
              Reply. os can be win, unix, linux, cisco, solaris or shiva.

       -MAC hw_address
              Do MAC spoofing using the MAC hw_address (maybe to get past
              filtered switches). Be careful when using it on an interface
              with a datalink type other than Ethernet. The MAC address must
              be in hexadecimal form and must be delimited by ':' (Example:
              00:FF:AC:33:1:B). This option uses the libnet library to access
              the network link layer. Only the super-user can use this
              option.

       -n     Don't use name resolution.

       -O     Do fingerprinting to discover the target OS.

       -p pattern
              You may specify a pattern of bytes to fill out the packet you
              send. This is useful for diagnosing data-dependent problems in
              a network. For example, "-p INPACK" will cause the sent packet
              to be filled with the word INPACK.

       -q     Quiet output. Nothing is displayed except the summary lines at
              startup time and when finished.

       -Q     Totally quiet output. Absolutely nothing is displayed. Useful
              within shell scripts.

       -R     Use the Record Route IP Header Option on the ICMP packet.

       -s bytes|max
              Number of garbage bytes that will be sent on any ICMP packet.
              With max the maximum possible will be sent.

       -S address
              IP address to be used as the source of the ICMP packet. This
              forces the use of the libpcap routines, which put your network
              interface into promiscuous mode to be able to read the replies.
              Only the super-user may use this option.

       -t ttl Set the IP Time To Live field to the ttl value.

       -T wait
              Wait wait seconds between sending each packet. The default is to
              wait for one second between each packet.

       -TOS tos
              Set the IP Type Of Service field to the tos value.

       -U     Set the IP header Unused bit flag. Be careful on *BSD systems:
              the kernel sets the IP header flags to 0 when the Reserved Bit
              is used, so SING must revert to promiscuous mode to be able to
              read the response with libpcap. Not used on Solaris systems.

       -x, --xcode code|num|max
              ICMP code to send. A code name is valid for the Destination
              Unreachable (-du), Redirect (-red) and Time Exceeded (-tx)
              types. A numerical code can be specified for the ICMP types
              that do not have codes (Echo Request, Information Request,
              Address Mask Request, Router Solicitation, Router
              Advertisement, Source Quench, Parameter Problem and Timestamp).
              With max, an ICMP code greater than the permitted ones will be
              sent. See the ICMP CODES section for a long list of code types.

ICMP TYPES

       The type can be any of the following:

       -echo, --echo_request
              Echo Request. Request sent to a host to receive an echo reply.
              This is the type sent by default. This ICMP type is an
              information type.

       -tstamp, --timestamp
              Timestamp. Host request to receive the time of another host.
              This ICMP type is an information type.

       -mask, --mask_req
              Address Mask Request. Used to find out a host's network mask.
              This ICMP type is an information type.

       -info, --info_req
              Information Request. Host request to receive an Info Reply from
              another host. This ICMP type is an information type.

       -du, --dest_unreach
              Destination Unreach. The IP packet could not be delivered. This
              ICMP type is an error type.

       -sq, --src_quench
              Source Quench. The IP packet was not delivered due to network
              congestion. This ICMP type is an error type.

       -red, --redirect
              Redirect. Request to forward IP packets through another router.
              This ICMP type is an error type.

       -rta, --router_advert address[/preference]
              Router Advertisement. The router advertises one or more routers
              with address address and preference preference. If the
              preference is omitted, the default preference 0 is used. This
              ICMP type is an information type.

       -rts, --router_solicit
              Router Solicitation. Host request for a message from one or
              more routers. Like the previous one, it is part of the Router
              Discovery message exchange, and this ICMP type is an
              information type.

       -tx, --time_exc
              Time Exceeded. Time exceeded for an IP packet. This ICMP type
              is an error type.

       -param, --param_problem
              Parameter Problem. Erroneous value in a field of the IP header.
              This ICMP type is an error type.

       -reply Echo Reply. Response to an Echo Request. This ICMP type is an
              information type.

LESS COMMON OPTIONS

       The options can be any of the following:

       -lt, --lifetime secs
              Lifetime in seconds of the router announcement. Only valid with
              the Router Advertisement (-rta) type. 1800 seconds by default
              (30 minutes).

       -gw, --gateway address
              Route gateway address on an ICMP Redirect (-red). By default it
              will be the spoof address (-S), if it has been specified, or the
              outgoing IP address if it has not been specified.

       -dest, --route_dest address
              Route destination address on an ICMP Redirect (-red). This is a
              required option when sending an ICMP Redirect.

       -orig, --orig_host address
              Original host within the IP header sent in the 64-bit data
              field of an ICMP error. By default it will be the same as the IP
              of the host that sends the ICMP packet.

       -psrc, --port_src port
              Source port (tcp or udp) within the IP header sent in the
              64-bit data field of an ICMP error. 0 by default.

       -pdst, --port_dst port
              Destination port (tcp or udp) within the IP header sent in the
              64-bit data field of an ICMP error. 0 by default.

       -prot, --protocol name|number
              Protocol to be used within the IP header sent in the 64-bit
              data field of an ICMP error. Must be a name from /etc/protocols
              or a protocol number. Only tcp, udp and icmp are fully
              implemented; with other protocols the remainder of the 64-bit
              field is filled with 0xFF. TCP by default.

       -id  identificator
              ICMP id to be used with ICMP Information types. Not to be
              confused with the -ip_id option!

       -seq sequence
              Echo sequence number to be used with Echo Request or Echo Reply
              types. Not to be confused with the -ip_seq option!

       -ip_id  identificator
              Echo identifier within the IP header sent in the 64-bit data
              field of an ICMP error when the IP header protocol of the
              64-bit data field (-prot) is icmp. 0 by default.

       -ip_seq  sequence
              Echo sequence number within the IP header sent in the 64-bit
              data field of an ICMP error when the IP header protocol of the
              64-bit data field (-prot) is icmp. 0 by default.

       -ptr, --pointer byte
              Pointer to the erroneous byte byte in an ICMP packet reporting a
              parameter problem. Valid only on the Parameter Problem type
              (-param).

ICMP CODES

       Valid codes used with the Destination Unreach, Redirect and Time
       Exceeded types are:

       - Used with Destination Unreach type (-du):

       net-unreach (Net Unreachable) The destination net is unreachable.

       host-unreach (Host Unreachable) The destination host is unreachable.

       prot-unreach (Protocol Unreachable) The desired protocol is
       unreachable on the destination host.

       port-unreach (Port Unreachable) The desired port is unreachable on the
       destination host.

       frag-needed (Fragmentation Needed and Don't Fragment was Set) Shows
       that the IP packet had to be fragmented because of its size but the
       sender did not allow it because the DF (DON'T FRAGMENT) flag was set.

       sroute-fail (Source Route Failed) Could not follow the route indicated
       in the IP packet.

       net-unknown (Destination Network Unknown) The destination network is
       unknown.

       host-unknown (Destination Host Unknown) The destination host is
       unknown but the network is known.

       host-isolated (Source Host Isolated) Can't reach the destination host.

       net-ano (Communication with Destination Network is Administratively
       Prohibited) Access to the network is denied by a firewall or similar
       on the receiver side.

       host-ano (Communication with Destination Host is Administratively
       Prohibited) Access to the host is denied by a firewall or similar on
       the receiver side.

       net-unr-tos (Destination Network Unreachable for Type of Service)
       Indicates that the requested Type Of Service (TOS) is not allowed on
       the destination network.

       host-unr-tos (Destination Host Unreachable for Type of Service) Shows
       that the destination host is unreachable with the requested TOS.

       com-admin-prohib (Communication Administratively Prohibited) A router
       can't forward a packet because of an administrative filter.

       host-precedence-viol (Host Precedence Violation) The IP packet
       precedence is not allowed.

       precedence-cutoff (Precedence cutoff in effect) An IP packet was sent
       with a precedence lower than the minimum imposed by the network
       manager.

       - To be used with Redirect type (-red):

       net (Redirect Datagram for the Network) Shows that the destination is
       a network.

       host (Redirect Datagram for the Host) Shows that the destination is a
       host.

       serv-net (Redirect Datagram for the Type Of Service and Network) The
       destination is a type of service and network.

       serv-host (Redirect Datagram for the Type Of Service and Host) The
       destination is a type of service and host.

       and

       - To be used with Time Exceeded type (-tx):

       ttl (Time to Live exceeded in Transit) The time to live in the IP
       packet header ran out.

       frag (Fragment Reassembly Time Exceeded) Could not reassemble all the
       IP packet fragments.

FINGERPRINTING TECHNIQUES

       With the -O option SING can use a few simple techniques of remote OS
       fingerprinting. To distinguish between Window$ boxes and the rest of
       the world, Ofir Arkin has discovered a simple method: when an ICMP
       code that is not 0 is sent within an ICMP Echo Request, a Window$ box
       responds with a 0 code while the rest of the boxes leave the code
       field unchanged. See the SEE ALSO section.

       For Solaris systems SING uses a method discovered by me: when sent a
       fragmented Address Mask Request, any Solaris system (tested from 2.5.1
       to Solaris8 Intel & SPARC) responds with an Address Mask of 0's. Last
       update!: Some people have noticed that HP-UX v11.0 responds the same
       way.

       See the EXAMPLES section for examples.
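
       The probes described in this section, and several other option
       effects from this page (-U, -B, -x max, source routing), are visible
       on the wire. The following added example, which is not part of sing or
       of the original page, inspects a raw IPv4/ICMP packet and names each
       anomaly; the function names, finding labels and sample packets are
       constructed for illustration.

```python
import struct

# Request types that define only code 0, and the highest code this page
# lists for the three error types that take named codes (-du, -red, -tx).
REQUEST_TYPES = {8, 13, 15, 17}          # echo, timestamp, info, mask
MAX_CODE = {3: 15, 5: 3, 11: 1}
ROUTE_OPTIONS = {131: "loose-source-route", 137: "strict-source-route"}

def inet_checksum(data):
    """RFC 1071 one's-complement checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def inspect(packet):
    """Return the list of anomalies found in one raw IPv4/ICMP packet."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if not 20 <= ihl <= len(packet) or packet[0] >> 4 != 4 or packet[9] != 1:
        return ["not-ipv4-icmp"]
    findings = []
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    if flags_frag & 0x8000:                  # reserved bit, as set by -U
        findings.append("ip-reserved-flag-set")
    i = 20
    while i < ihl:                           # walk the IP options
        opt = packet[i]
        if opt == 0:                         # End of Option List
            break
        if opt == 1:                         # No-Operation
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2:
            findings.append("malformed-ip-option")
            break
        if opt in ROUTE_OPTIONS:
            findings.append(ROUTE_OPTIONS[opt])
        i += packet[i + 1]
    if flags_frag & 0x1FFF:                  # later fragment: no ICMP header
        return findings + ["icmp-later-fragment"]
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return findings + ["truncated-icmp"]
    icmp_type, code = icmp[0], icmp[1]
    if flags_frag & 0x2000:                  # More Fragments on first piece
        findings.append("fragmented-address-mask-request"
                        if icmp_type == 17 else "fragmented-icmp")
    elif inet_checksum(icmp) != 0:           # only checkable when unfragmented
        findings.append("bad-icmp-checksum")
    if icmp_type in REQUEST_TYPES and code != 0:
        findings.append("nonzero-code-on-request")
    elif code > MAX_CODE.get(icmp_type, 255):
        findings.append("code-out-of-range")
    return findings

def build(icmp_type, code, flags_frag=0, options=b"", fix_checksum=True):
    """Constructed sample packet; the IP header checksum is left 0."""
    body = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + b"\x00" * 4
    if fix_checksum:
        body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                     20 + len(options) + len(body), 1, flags_frag, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + options + body

if __name__ == "__main__":
    lsrr = bytes([131, 7, 4, 203, 0, 113, 1, 0])   # LSRR, one hop, EOL pad
    for pkt in (build(8, 1), build(3, 16), build(17, 0, 0x2000),
                build(13, 0, options=lsrr)):
        print(inspect(pkt))
```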

MIMIC TECHNIQUES

       With the -M option SING can try to emulate certain operating systems.
       At the moment Window$98/Window$NT4 (win value), UNIX (unix value),
       Linux (linux value), Cisco (cisco value), Solaris (solaris value) and
       Shiva (shiva value) are the only accepted values. To emulate them SING
       changes its normal behaviour regarding the IP header flags, the TTL,
       the initial ICMP sequence number, the ICMP id and the ICMP data that
       each OS sends. These techniques are applied only when using the Echo
       Request or Echo Reply types.

RETURN VALUES

       sing can be easily used within shell scripts. Program returns the
       following values to the shell:

       Value  Meaning
       -----  -----------
       0      Received at least 1 response from destination host.
       1      General Error.
       2      Packet sent OK but received no response.
       3      Out of memory.

EXAMPLES

       - Testing whether www.solarisbox.xx is running the Solaris OS,
       assuming no filtering is in place:

       sing -mask -O www.solarisbox.xx

       - Testing whether www.winbox.xx is running the Window$ OS:

       sing -O www.winbox.xx

       - Send Echos with a garbage size of 32 bytes and fragments of 8 bytes
       to host www.provatina.xx:

       sing -s 32 -F 8 www.provatina.xx

       - Send Echos with data pattern IsSiNg and fragments of 8 bytes to the
       host www.provatina.xx using Loose Source Routing via router1.xx and
       router2.xx:

       sing -p IsSiNg -F 8 router1.xx@router2.xx@www.provatina.xx

       - Send an ICMP Timestamp packet to host sepultura.hell. We spoof as
       host 10.2.3.1:

       sing -tstamp -S 10.2.3.1 sepultura.hell

       - Send an ICMP Router Solicitation packet to 10.13.1.0:

       sing -rts 10.13.1.0

       - Send an ICMP Router Advertisement to host death.es, saying that the
       routers to use are: router1.xtc with preference 20, router2.xtc with
       preference 50 and router3.xtc with default preference (0). We spoof as
       fatherouter.xtc:

       sing -rta router1.xtc/20 -rta router2.xtc/50 -rta router3.xtc -S fatherouter.xtc death.es

       - In response to a packet sent with TCP source port 100 and
       destination port 90, we want to send an ICMP Redirect to dwdwah.xx to
       modify its routing table with the following data: 10.12.12.12 as a
       gateway to the host death.es, masking the packet source as if it was
       sent from the infect.comx host:

       sing -red -S infect.comx -gw 10.12.12.12 -dest death.es -x host -prot tcp -psrc 100 -pdst 90 dwdwah.xx

       - In response to an ICMP Echo Request packet sent with Echo Request id
       100 and Echo Request sequence number 90, we want to send an ICMP
       Redirect to the host araya.xx to modify its routing table with the
       following data: the host pizza.death as a gateway to the host
       death.es, masking the packet source as if it was sent from the
       infect.comx host:

       sing -red -S infect.comx -gw pizza.death -dest death.es -x host -prot icmp -ip_id 100 -ip_seq 90 araya.xx

       - We want to send an ICMP Destination Unreach packet to the host
       10.2.3.4 saying that our TCP port number 20, connected with its TCP
       port 2100, is unreachable. We mask ourselves as host 10.1.1.1:

       sing -du -S 10.1.1.1 -x port-unreach -prot tcp -psrc 2100 -pdst 20 10.2.3.4

       - We want to send an ICMP Destination Unreach packet to host 10.2.3.4
       saying that the host inferno.hell and its TCP port 69, connected with
       its TCP port 666, is unreachable. We mask ourselves as gateway
       router.comx:

       sing -du -S router.comx -x host-unreach -prot tcp -psrc 666 -pdst 69 -orig inferno.hell 10.2.3.4

       - We want to send an ICMP Source Quench packet to host ldg02.hell in
       response to a packet destined for host ldg00 with UDP protocol, source
       port 100 and destination port 200. We mask ourselves as gateway
       10.10.10.1:

       sing -sq -S 10.10.10.1 -prot udp -psrc 100 -pdst 200 -orig ldg00 ldg02.hell

       - We want to send an ICMP Time Exceeded packet to host ldg02.hell in
       response to a packet destined for host ldg00 with UDP protocol, source
       port 100 and destination port 200. We mask ourselves as gateway
       ldg04.hell:

       sing -tx -S ldg04.hell -x frag -prot udp -psrc 100 -pdst 200 -orig ldg00 ldg02.hell

       - We want to send an ICMP Address Mask Request packet and wait 10
       seconds between sending each packet. We mask the packet with the
       source address 10.2.3.4 and we send it to the address 10.0.1.255:

       sing -mask -S 10.2.3.4 -T 10 10.0.1.255

       - We want to send an ICMP Information Request packet to host
       deep.hell:

       sing -info deep.hell

       - We want to send an ICMP Echo Request packet to host black.hell with
       the data pattern 'MyNameIsGump':

       sing -p MyNameIsGump black.hell

       - We want to send an ICMP Echo Request packet to 10.12.0.255 with the
       following data pattern: D E A T H (blanks included). We will mask the
       source address as 192.168.0.255:

       sing -S 192.168.0.255 -p 'D E A T H' 10.12.0.255

       - We want to send an ICMP Destination Unreach packet to host
       destination.death, but with an ICMP code greater than the legal ones,
       also adding 60K of garbage data:

       sing -du -x max -s 60000 destination.death

       - We send an ICMP Parameter Problem to host misery.es saying that the
       packet sent from the host dump.xorg with udp protocol, source port 13
       and destination port 53, has an error on the IP header byte 13. We
       will also add as many garbage bytes as possible:

       sing -S dump.xorg -param -ptr 13 -prot udp -psrc 13 -pdst 53 -s max misery.es

       - We want to send an ICMP Timestamp packet to host www.danz.hell with
       code 38 instead of code (0) as usual:

       sing -tstamp -x 38 www.danz.hell

       - Same as above without code 38 and using Loose Source Routing between
       the routers cisco, 10.13.1.1 and wakeup.man:

       sing -tstamp cisco@10.13.1.1@wakeup.man@www.danz.hell

       - Same as above using Strict Source Routing between the gateways:

       sing -tstamp cisco%10.13.1.1%wakeup.man%www.danz.hell

       - Using the Record Route IP Option to see the route taken to
       ftp.target.xx:

       sing -R ftp.target.xx
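
       The ICMP error examples above choose the quoted IP header and 64 bits
       of data freely (-orig, -prot, -psrc, -pdst), so a receiver should
       check that quote against its own state before acting on the error.
       The following added example, not part of sing or of the original
       page, applies that check plus the RFC 1122 section 3.2.2.2 Redirect
       rules; the flow table, gateway map and addresses are constructed
       assumptions.

```python
import ipaddress
import socket
import struct

ERROR_TYPES = {3, 4, 5, 11, 12}          # du, sq, red, tx, param

def parse_quoted(icmp):
    """Return (proto, src, sport, dst, dport) quoted in an ICMP error, or
    None when the message is not an error or the quote is unusable."""
    if len(icmp) < 36 or icmp[0] not in ERROR_TYPES:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    if proto not in (6, 17):             # only TCP/UDP ports are tracked here
        return proto, src, None, dst, None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return proto, src, sport, dst, dport

def assess(icmp, outer_src, flows, first_hop, onlink):
    """Decide whether a host should act on an incoming ICMP error."""
    quoted = parse_quoted(icmp)
    if quoted is None:
        return "drop: no usable quoted datagram"
    if quoted[2] is None:
        return "unverified: quoted protocol not tracked"
    if quoted not in flows:
        return "drop: quoted datagram matches no local flow"
    if icmp[0] == 5:                     # Redirect: RFC 1122 3.2.2.2
        if outer_src != first_hop.get(quoted[3], first_hop["default"]):
            return "drop: redirect not from current first-hop gateway"
        new_gw = ipaddress.ip_address(socket.inet_ntoa(icmp[4:8]))
        if new_gw not in ipaddress.ip_network(onlink):
            return "drop: redirect gateway is off-link"
    return "accept"

def make_error(icmp_type, code, word, proto, src, sport, dst, dport):
    """Constructed ICMP error: header, quoted IP header, 64 bits of data.
    Checksums are left 0; this example does not verify them."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 7, 0, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    inner += struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBH4s", icmp_type, code, 0, word) + inner

# Constructed host state (documentation addresses): one live TCP flow.
FLOWS = {(6, "192.0.2.10", 100, "198.51.100.5", 90)}
FIRST_HOP = {"default": "192.0.2.1"}
ONLINK = "192.0.2.0/24"
NO_WORD = b"\x00" * 4

if __name__ == "__main__":
    live = (6, "192.0.2.10", 100, "198.51.100.5", 90)
    off_link = make_error(5, 1, socket.inet_aton("10.12.12.12"), *live)
    print(assess(off_link, "192.0.2.1", FLOWS, FIRST_HOP, ONLINK))
    stale = make_error(3, 3, NO_WORD, 6, "192.0.2.10", 2100, "10.1.1.1", 20)
    print(assess(stale, "10.1.1.1", FLOWS, FIRST_HOP, ONLINK))
```

       These checks cannot authenticate the sender, because the source
       address of an ICMP error is not verified by the protocol; hosts that
       do not need redirects commonly ignore them altogether.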

SEE ALSO

       Postel, John, "Internet Control Message Protocol - DARPA Internet
       Program Protocol Specification", RFC 792, USC/Information Sciences
       Institute, September 1981.

       Mogul, Jeffrey and John Postel, "Internet Standard Subnetting
       Procedure", RFC 950, Stanford, USC/Information Sciences Institute,
       August 1985.

       Braden, Robert, "Requirements for Internet Hosts - Communication
       Layers", RFC 1122, USC/Information Sciences Institute, October 1989.

       Deering, Stephen, "ICMP Router Discovery Messages", RFC 1256, Xerox
       PARC, September 1991.

       Baker, Fred, "Requirements for IP Version 4 Routers", RFC 1812, Cisco
       Systems, June 1995.

       Arkin, Ofir, "ICMP usage in scanning",
       http://www.sys-security.com/archive/papers/ICMP_Scanning.pdf,
       Sys-Security Group, July 2000.

       The Linux source code, everything related to the network code and to
       the ICMP protocol.

AUTHOR

       The original ping command was written by Mike Muuss.

       sing was written by Alfredo Andres Omella, Slay <aandres@s21sec.com>

sing v1.1                $Date: 2001/02/13 10:51:31 $                  SING(8)