1SING(8) System Manager's Manual SING(8)
2
6 sing - Send ICMP Nasty Garbage packets to network hosts
7
9 sing [-hVRnvqGQOBU] [-c count] [-T wait] [-p pattern] [-s datasize] [-F
10 bytes] [-i interface] [-S spoof] [-t ttl] [-TOS tos] [-l preload] [-M
11 os] [-L logfile] [-MAC hw_addr] [-x code] [type] host
12
14 sing is a tool that sends ICMP packets fully customized from command
15 line. The main purpose is to replace the niceful ping command with cer‐
16 tain enhancenments as the ability to send/read IP spoofed packets, send
17 MAC spoofed packets, send in addition to the ECHO REQUEST type sent by
18 default, many other ICMP types as Echo Reply, Address Mask Request,
19 Timestamp, Information Request,Router Solicitation and Router Adver‐
20 tisement.
21 It supports also the following ICMP error types: Redirect, Source
23 Quench, Time Exceeded, Destination Unreachable and Parameter Problem.
24 It can do a little fingerprinting, see the FINGERPRINTING TECHNIQUES
26 section to read more details about.
27 It can emulate certain OOSS sending Echo Request or Echo Reply packets.
29 See the MIMIC TECHNIQUES section for a more accurate information.
30 The host destination can also be specified as a list of gateways
32 (including destination) breaked by the '%' symbol meaning the use of a
33 Strict Source Routing IP Option (v.g. router1%router2%router3%host) or
34 the '@' symbol meaning the use of a Loose Source Routing IP Option
35 (v.g. router1@router2@router3@host).
36 A long number of examples is given at the EXAMPLES section of this page
38 that shows a real use of this program.
39
41 -h, --help
42 Help screen.
43 -V, --Version
45 Program version.
46 -v Verbose mode.
48 -B Send a Bad ICMP Checksum on Information types.
50 -c count
52 Stop after sending (and receiving) count packets. Information
53 types only.
54 -F bytes
56 Fragment the entire ICMP packet with bytes size by fragment. Not
57 used on Solaris systems.
58 -G Set the IP header Don't Fragment flag. Not used on Solaris sys‐
60 tems.
61 -i interface
63 Interface (name or IP address) where listen on for replies.
64 -l preload
66 If preload is specified, sing sends that many packets as fast as
67 possible before falling into its normal mode of behavior. Only
68 the super-user may use this option. Information types only.
69 -L logfile
71 Save the current session to the file logfile. If logfile exists
72 the data will be appended at end.
73 -M os Do mimic of the os specified when sending an Echo Request or
75 Echo Reply. os can be win, unix, linux, cisco, solaris or
76 shiva.
77 -MAC hw_address
79 Do MAC spoofing using the MAC hw_address (maybe to surpass fil‐
80 tered switches). Be aware of using on an interface with a
81 datalink type different of Ethernet. The MAC address must be on
82 hexadecimal form and must be delimited by ':' (Example:
83 00:FF:AC:33:1:B). This option made use of the libnet library to
84 acces the network link layer. Only the super-user can use this
85 option.
86 -n Don't use name resolution.
88 -O Do fingerprinting to discover the target OS.
90 -p pattern
92 You may specify a pattern of bytes to fill out the packet you
93 send. This is useful for diagnosing data-dependent problems in
94 a network. For example, `-p INPACK'' will cause the sent packet
95 to be filled with the word INPACK.
96 -q Quiet output. Nothing is displayed except the summary lines at
98 startup time and when finished.
99 -Q Totally quiet output. Absolutly nothing is displayed. Useful to
101 use within shell scripts.
102 -R Use Record Route IP Header Option on the ICMP packet.
104 -s bytes|max
106 Number of garbage bytes that will be sent on any ICMP packet.
107 With max the maximum possible will be sent.
108 -S address
110 IP address to be used as the source of the ICMP packet. This
111 force the use of the libpcap routines that puts your network
112 interface into promiscuous mode to be able to read the replies.
113 Only the super-user may use this option.
114 -t ttl Set the IP Time To Live field to ttl value.
116 -T wait
118 Wait wait seconds between sending each packet. The default is to
119 wait for one second between each packet.
120 -TOS tos
122 Set the IP Type Of Service field to tos value.
123 -U Set the IP header Unused bit flag. Be aware on *BSD systems
125 because the kernel set to 0 the IP header flags when using the
126 Reserved Bit so SING must revert to promiscuous mode to be able
127 to read the response with libpcap. Not used on Solaris systems.
128 -x, --xcode code|num|max
130 ICMP code to send. Code code valid for Destination Unreachable
131 (-du), Redirect (-red) and Time Exceeded (-tx) types. Numerical
132 code can be specified for the ICMP types that doesn't have (Echo
133 Request, Information Request, Address Mask Request, Router
134 Solicitation, Router Advertisement, Source Quench, Parameter
135 Problem and Timestamp). Using max an ICMP code greater than the
136 admited ones will be sent. See the ICMP CODES section for a long
137 list of code types.
138
140 The type can be any of the following below:
141 -echo, --echo_request
143 Echo Request. Request sent to a host to receive an echo reply.
144 This is the type sent by default. This ICMP type is information.
145 -tstamp, --timestamp
147 Timestamp. Host request to receive the time of another host.
148 This ICMP type is information.
149 -mask, --mask_req
151 Address Mask Request. Used to find out a host network mask.
152 This ICMP type is information.
153 -info, --info_req
155 Information Request. Host request to receive an Info Reply from
156 another host. This ICMP type is information.
157 -du, --dest_unreach
159 Destination Unreach. IP packet couldn't be given. This ICMP
160 type is error.
161 -sq, --src_quench
163 Source Quench. IP packet is not given due a net congestion.
164 This ICMP type is error.
165 -red, --redirect
167 Redirect. Request to forward IP packets through another router.
168 This ICMP type is error.
169 -rta, --router_advert address[/preference]
171 Router Advertisement. Router trasmits one or more routers with
172 address address and preference preference. If this is ommited,
173 default preference 0 is given. This ICMP type is information.
174 -rts, --router_solicit
176 Router Solicitation. Host requeriment for a message of one or
177 more routers. Like the previous, is a part of the messages
178 exchange Router Discovery and this ICMP type is information.
179 -tx, --time_exc
181 Time Exceeded. Time Exceeded for an IP packet. This ICMP type
182 is error.
183 -param, --param_problem
185 Parameter Problem. Erroneous value on a variable of IP header.
186 This ICMP type is error.
187 -reply Echo Reply. Response to a Echo Request. This ICMP type is infor‐
189 mation.
190
192 The options can be any of the following:
193 -lt, --lifetime secs
195 Lifetime in seconds of the router announcement. Only valid with
196 Router Advertisement (-rta) type. 1800 seconds by default (30').
197 -gw, --gateway address
199 Route gateway address on an ICMP Redirect (-red). By default
200 will be the spoof address (-S), if it has been specified, or the
201 outgoing IP address if it has not been specified.
202 -dest, --route_dest address
204 Route destination address on an ICMP Redirect (-red). This is a
205 required option when sending an ICMP Redirect.
206 -orig, --orig_host address
208 Original host within the IP header sent in the 64 bits data
209 field of an ICMP error. By default will be the same as the IP
210 of the host that sends the ICMP packet.
211 -psrc, --port_src port
213 Source port (tcp or udp) within the IP header sent in the 64
214 bits data field of an ICMP error. 0 by default.
215 -pdst, --port_dst port
217 Destination port (tcp or udp) within the IP header sent in the
218 64 bits data field of an ICMP error. 0 by default.
219 -prot, --protocol name|number
221 Protocol to be used within the IP header sent in the 64 bits
222 data field of an ICMP error. Must be a name from the /etc/proto‐
223 cols or a protocol number. Only tcp, udp and icmp are fully
224 implemented, with other protocols the remaining of the 64 bits
225 field are fulfilled with 0xFF. TCP by default.
226 -id identificator
228 ICMP id to be used with ICMP of Information types. Do not be
229 confused with the -ip_id option!.
230 -seq sequence
232 Echo sequence number to be used with Echo Request or Echo Reply
233 types. Do not be confused with the -ip_seq option!.
234 -ip_id identificator
236 Echo identificator within the IP header sent in the 64 bits data
237 field of an ICMP error when the IP header protocol of the 64
238 bits data field (-prot) is icmp. 0 by default.
239 -ip_seq sequence
241 Echo sequence number within the IP header sent in the 64 bits
242 data field of an ICMP error when the IP header protocol of the
243 64 bits data field (-prot) is icmp. 0 by default.
244 -ptr, --pointer byte
246 Pointer to erroneus byte byte on an ICMP packet showing a param‐
247 eter problem. Valid only on Parameter Problem type (-param).
248
250 Valid codes used with Destination Unreach, Redirect and Time Exceeded
251 types are,
252 - Used with Destination Unreach type (-du):
254 net-unreach (Net Unreachable) The destination net is unreachable.
256 host-unreach (Host Unreachable) The destination host is unreachable.
258 prot-unreach (Protocol Unreachable) desired protocol is unreachable to
260 destination host.
261 port-unreach (Port Unreachable) desired port is unreachable to destina‐
263 tion host.
264 frag-needed (Fragmentation Needed and Don't Fragment was Set) Shows
266 that IP packet had to be fragmented because of its size but the sender
267 did not allowed it because the DF (DON'T FRAGMENT) flag was set.
268 sroute-fail (Source Route Failed) could'nt follow the route indicated
270 on IP packet.
271 net-unknown (Destination Network Unknown) Destination network is
273 unknown.
274 host-unknown (Destination Host Unknown) Destination host unknown but
276 network is.
277 host-isolated (Source Host Isolated) Can't reach destination host.
279 net-ano (Communication with Destination Network is Administratively
281 Prohibited) access network is denied through firewall or similar on
282 receiver side.
283 host-ano (Communication with Destination Host is Administratively Pro‐
285 hibited) access host is denied through firewall or similar on receiver
286 side.
287 net-unr-tos (Destination Network Unreachable for Type of Service) indi‐
289 cates on destination network that the Type Of Service (TOS) applied for
290 is not allowed.
291 host-unr-tos (Destination Host Unreachable for Type of Service) shows
293 that destination host is unreachable with applied TOS.
294 com-admin-prohib (Communication Administratively Prohibited) a router
296 can't forward a packet because of administrative filter.
297 host-precedence-viol (Host Precedence Violation) IP packet precedence
299 is not allowed.
300 precedence-cutoff (Precedence cutoff in effect) a smaller IP packet
302 precedence has tried to be sent over the minimal impossed by network
303 manager.
304 - To be used with Redirect type (-red):
307 net (Redirect Datagram for the Network) shows that destination is a
309 network.
310 host (Redirect Datagram for the Host) shows that destination is a host.
312 serv-net (Redirect Datagram for the Type Of Service and Network) desti‐
314 nation is a type of service and network.
315 serv-host (Redirect Datagram for the Type Of Service and Host) destina‐
317 tion is a type of service and host.
318 and
320 - to be used with Time Exceeded type (-tx):
322 ttl (Time to Live exceeded in Transit) time is over on an IP packet
324 header packet.
325 frag (Fragment Reassembly Time Exceeded) could not reassembly all the
327 IP packet fragments.
328
332 With the -O option SING can use little techniques of remote OS finger‐
333 printing. To distinguish between Window$ boxes and the rest of the
334 world Ofir Arkin has discovered a simple method: Sending an ICMP code
335 that is not 0 within an ICMP Echo Request, a Window$ box respond with a
336 0 code while the rest of the boxes would leave the code field
337 unchanged. See the SEE ALSO section.
338 With Solaris systems SING use a method discovered by me: Sending a
340 fragmented Addres Mask Request any Solaris system (tested from 2.5.1 to
341 Solaris8 Intel & SPARC) respond with an Address Mask of 0's. Last
342 update!: Some people have noticed that HP-UX v11.0 respond the same
343 way.
344 See the EXAMPLES section for examples.
346
350 With the -M option SING can try to emulate certain OS. At the moment
351 Window$98/Window$NT4 (win value), UNIX (unix value), Linux (linux
352 value), Cisco (cisco value), Solaris (solaris value) or Shiva (shiva
353 value) are the only accepted values. To emulate them SING changes its
354 normal behaviour about the IP header flags, the TTL, the initial ICMP
355 sequence number, the ICMP id and the ICMP data that each OS send. These
356 techniques are aplied only when using Echo Request or Echo Reply types.
357
361 sing can be easily used within shell scripts. Program returns the fol‐
362 lowing values to the shell:
363 Value Meaning
365 ----- -----------
366 0 Received at least 1 response from destination host.
367 1 General Error.
368 2 Packet sent OK but received no response.
369 3 Out of memory.
370
373 - Testing if www.solarisbox.xx is running the Solaris OS. Supposed no
374 filter methods:
375 sing -mask -O www.solarisbox.xx
377 - Testing if www.winbox.xx is running the Window$ OS:
380 sing -O www.winbox.xx
382 - Send Echos with garbage size of 32 bytes and fragments of 8 bytes to
385 host www.provatina.xx:
386 sing -s 32 -F 8 www.provatina.xx
388 - Send Echos with data pattern IsSiNg and fragments of 8 bytes to the
391 host www.provatina.xx using Loose Source Routing via router1.xx and
392 router2.xx:
393 sing -p IsSiNg -F 8 router1.xx@router2.xx@www.provatina.xx
395 - Send an ICMP packet Timestamp to host sepultura.hell. We spoof as
398 host 10.2.3.1:
399 sing -tstamp -S 10.2.3.1 sepultura.hell
401 - Send an ICMP packet Router Solicitation to 10.13.1.0:
404 sing -rts 10.13.1.0
406 - Send an ICMP Router Advertisement to host death.es, saying that the
409 routers to use are: router1.xtc with preference 20, router2.xtc with
410 preference 50 and router3.xtc with default preference (0). We spoof as
411 fatherouter.xtc:
412 sing -rta router1.xtc/20 -rta router2.xtc/50 -rta router3.xtc -S fath‐
414 erouter.xtc death.es
415 - In response to a packet send with TCP source port 100 and destination
418 on port 90, we want to send and ICMP Redirect to dwdwah.xx to modify
419 its routing table with the following data: 10.12.12.12 as a gateway to
420 the host death.es masking the packet source as if it was sent from
421 infect.comx host:
422 sing -red -S infect.comx -gw 10.12.12.12 -dest death.es -x host -prot
424 tcp -psrc 100 -pdst 90 dwdwah.xx
425 - In response to an ICMP packet Echo Request sent with Echo Request id
428 100 and Echo Request sequence number 90, we want to send an ICMP Redi‐
429 rect to the host araya.xx to modify its routing table with the follow‐
430 ing data: the host pizza.death as a gateway to the host death.es, mask‐
431 ing the packet source as if it was sent from infect.comx host.
432 sing -red -S infect.comx -gw pizza.death -dest death.es -x host -prot
434 icmp -ip_id 100 -ip_seq 90 araya.xx
435 - We want to send an ICMP packet Destination Unreach to the host
438 10.2.3.4 saying that our TCP port number 20 connected with its TCP port
439 2100, is unreachable. We mask ourselves as host 10.1.1.1:
440 sing -du -S 10.1.1.1 -x port-unreach -prot tcp -psrc 2100 -pdst 20
442 10.2.3.4
443 - We want to send an ICMP packet Destination Unreach to host 10.2.3.4
446 saying that the host inferno.hell and its TCP port 69, connected with
447 his port TCP 666 in unreachable. We mask ourselves as gateway
448 router.comx:
449 sing -du -S router.comx -x host-unreach -prot tcp -psrc 666 -pdst 69
451 -orig inferno.hell 10.2.3.4
452 - We want to send a packet ICMP Source Quench to host ldg02.hell in
455 response to a packet destinated to host ldg00 with UDP protocol, source
456 port 100 and destination port 200. We mask ourselves as gateway
457 10.10.10.1:
458 sing -sq -S 10.10.10.1 -prot udp -psrc 100 -pdst 200 -orig ldg00
460 ldg02.hell
461 - We want to send an ICMP packet Time Exceeded to host ldg02.hell in
464 response to a packet destinated to host ldg00 with UDP protocol, source
465 port 100 and destination port 200. We mask as gateway ldg04.hell:
466 sing -tx -S ldg04.hell -x frag -prot udp -psrc 100 -pdst 200 -orig
468 ldg00 ldg02.hell
469 - We want to send an ICMP packet Address Mask Request and wait 10 sec‐
472 onds between sending each packet. We mask the packet with source
473 address of 10.2.3.4 and we send it to the address 10.0.1.255:
474 sing -mask -S 10.2.3.4 -T 10 10.0.1.255
476 - We want to send an ICMP packet Information Request to host deep.hell:
479 sing -info deep.hell
481 - We want to send an ICMP packet Echo Request to host black.hell with
484 the data pattern 'MyNameIsGump':
485 sing -p MyNameIsGump black.hell
487 - We want to send ICMP packet Echo Request to 10.12.0.255 with the fol‐
490 lowing data pattern: D E A T H (blanks included). We will mask the
491 source address as 192.168.0.255:
492 sing -S 192.168.0.255 -p 'D E A T H' 10.12.0.255
494 - We want to send an ICMP packet Destination Unreach to host destina‐
497 tion.death but sending it with an ICMP code bigger to the legal ones
498 adding also 60K of garbage data:
499 sing -du -x max -s 60000 destination.death
501 - We send an ICMP Parameter Problem to host misery.es saying that the
504 packet sent from the host dump.xorg with udp protocol, source port 13
505 and destination port 53, has an error on the IP header byte 13. We will
506 also add all garbage bytes as possible:
507 sing -S dump.xorg -param -ptr 13 -prot udp -psrc 13 -pdest 53 -s max
509 misery.es
510 - We want to send an ICMP packet Timestamp to host www.danz.hell with
513 code 38 instead of code (0) as usual:
514 sing -tstamp -x 38 www.danz.hell
516 - Same as above without code 38 and using Loose Source Routing between
518 the routers cisco, 10.13.1.1 and wakeup.man:
519 sing -tstamp cisco@10.13.1.1@wakeup.man@www.danz.hell
521 - Same as above using Strict Source Routing between the gateways:
523 sing -tstamp cisco%10.13.1.1%wakeup.man%www.danz.hell
525 - Using Record Route IP Option to see the route that takes to ftp.tar‐
527 get.xx:
528 sing -R ftp.target.xx
530
534 Postel, John, "Internet Control Message Protocol - DARPA Internet Pro‐
535 gram Protocol Specification", RFC 792, USC/Information Sciences Insti‐
536 tute, September 1981.
537 Mogul, Jeffrey and John Postel, "Internet Standard Subnetting Proce‐
539 dure", RFC 950, Stanford, USC/Information Sciences Institute, August
540 1985.
541 Braden, Robert, "Requeriments for Internet Hosts - Communication Lay‐
543 ers", RFC 1122, USC/Information Sciences Institute, October 1989.
544 Deering, Stephen, "ICMP Router Discovery Messages", RFC 1256, Xerox
546 PARC, September 1991.
547 Baker, Fred, "Requeriments for IP Version 4 Routers", RFC 1812, Cisco
549 Systems, June 1995.
550 Arkin, Ofir, "ICMP usage in scanning", http://www.sys-security.com/ar‐
552 chive/papers/ICMP_Scanning.pdf, Sys-Security Group, July 2000.
553 The Linux source code, everything referent to network code and to ICMP
555 protocol.
556
559 The original ping command was written by Mike Muuss.
560 sing is original from Alfredo Andres Omella, Slay <aandres@s21sec.com>
562sing v1.1 $Date: 2001/02/13 10:51:31 $ SING(8)