Provided by: sing_1.1-10_i386

NAME

       sing - Send ICMP Nasty Garbage packets to network hosts

SYNOPSIS

       sing [-hVRnvqGQOBU] [-c count] [-T wait] [-p pattern] [-s datasize] [-F
       bytes] [-i interface] [-S spoof] [-t ttl] [-TOS tos] [-l  preload]  [-M
       os] [-L logfile] [-MAC hw_addr] [-x code] [type]  host

DESCRIPTION

       sing is a tool that sends fully customized ICMP packets from the
       command line. Its main purpose is to replace the nice ping command
       with certain enhancements, such as the ability to send and read IP
       spoofed packets, to send MAC spoofed packets, and to send, in addition
       to the ECHO REQUEST type sent by default, many other ICMP types such as
       Echo Reply, Address Mask Request, Timestamp, Information Request,
       Router Solicitation and Router Advertisement.

       It also supports the following ICMP error types: Redirect, Source
       Quench, Time Exceeded, Destination Unreachable and Parameter Problem.

       It can do a little fingerprinting; see the FINGERPRINTING TECHNIQUES
       section for more details.

       It can emulate certain operating systems when sending Echo Request or
       Echo Reply packets. See the MIMIC TECHNIQUES section for more accurate
       information.

       The destination host can also be specified as a list of gateways
       (including the destination) separated by the ’%’ symbol, meaning the
       use of a Strict Source Routing IP Option (e.g.
       router1%router2%router3%host), or by the ’@’ symbol, meaning the use of
       a Loose Source Routing IP Option (e.g. router1@router2@router3@host).

       A large number of examples showing real uses of this program is given
       in the EXAMPLES section of this page.

MOST COMMON OPTIONS

       -h, --help
              Help screen.

       -V, --Version
              Program version.

       -v     Verbose mode.

       -B     Send a Bad ICMP Checksum on Information types.

       -c count
              Stop  after  sending  (and receiving) count packets. Information
              types only.

       -F bytes
              Fragment the entire ICMP packet into fragments of bytes size
              each. Not used on Solaris systems.

       -G     Set  the  IP  header  Don’t  Fragment  flag. Not used on Solaris
              systems.

       -i interface
              Interface (name or IP address) on which to listen for replies.

       -l preload
              If preload is specified, sing sends that many packets as fast as
              possible  before falling into its normal mode of behavior.  Only
              the super-user may use this option. Information types only.

       -L logfile
              Save the current session to the file logfile. If logfile exists
              the data will be appended at the end.

       -M os  Mimic the os specified when sending an Echo Request or Echo
              Reply. os can be win, unix, linux, cisco, solaris or shiva.

       -MAC hw_address
              Do MAC spoofing using the MAC hw_address (maybe to bypass
              filtered switches). Be careful when using it on an interface
              with a datalink type other than Ethernet. The MAC address must
              be in hexadecimal form and must be delimited by ’:’ (Example:
              00:FF:AC:33:1:B). This option makes use of the libnet library to
              access the network link layer. Only the super-user can use this
              option.

       -n     Don’t use name resolution.

       -O     Do fingerprinting to discover the target OS.

       -p pattern
              You may specify a pattern of bytes to fill out the packet you
              send. This is useful for diagnosing data-dependent problems in
              a network. For example, ‘-p INPACK’ will cause the sent packet
              to be filled with the word INPACK.

       -q     Quiet output.  Nothing is displayed except the summary lines  at
              startup time and when finished.

       -Q     Totally quiet output. Absolutely nothing is displayed. Useful
              within shell scripts.

       -R     Use Record Route IP Header Option on the ICMP packet.

       -s bytes|max
              Number of garbage bytes that will be sent on  any  ICMP  packet.
              With max the maximum possible will be sent.

       -S address
              IP address to be used as the source of the ICMP packet. This
              forces the use of the libpcap routines, which put your network
              interface into promiscuous mode to be able to read the replies.
              Only the super-user may use this option.

       -t ttl Set the IP Time To Live field to ttl value.

       -T wait
              Wait wait seconds between sending each packet. The default is to
              wait for one second between each packet.

       -TOS tos
              Set the IP Type Of Service field to tos value.

       -U     Set the IP header Unused bit flag. Be careful on *BSD systems:
              the kernel sets the IP header flags to 0 when the Reserved Bit
              is used, so SING must revert to promiscuous mode to be able to
              read the response with libpcap. Not used on Solaris systems.

       -x, --xcode code|num|max
              ICMP code to send. A named code is valid for the Destination
              Unreachable (-du), Redirect (-red) and Time Exceeded (-tx)
              types. A numerical code can be specified for the ICMP types
              that do not have named codes (Echo Request, Information Request,
              Address Mask Request, Router Solicitation, Router Advertisement,
              Source Quench, Parameter Problem and Timestamp). With max, an
              ICMP code greater than the admitted ones will be sent. See the
              ICMP CODES section for a long list of code types.

ICMP TYPES

       The type can be any of the following:

       -echo, --echo_request
              Echo Request. Request sent to a host to receive an  echo  reply.
              This is the type sent by default. This ICMP type is information.

       -tstamp, --timestamp
              Timestamp. Host request to receive the  time  of  another  host.
              This ICMP type is information.

       -mask, --mask_req
              Address  Mask  Request.  Used  to  find out a host network mask.
              This ICMP type is information.

       -info, --info_req
              Information Request. Host request to receive an Info Reply  from
              another host.  This ICMP type is information.

       -du, --dest_unreach
              Destination Unreach. The IP packet could not be delivered. This
              ICMP type is error.

       -sq, --src_quench
              Source Quench. The IP packet was not delivered due to network
              congestion. This ICMP type is error.

       -red, --redirect
              Redirect.  Request to forward IP packets through another router.
              This ICMP type is error.

       -rta, --router_advert address[/preference]
              Router Advertisement. A router advertises one or more routers
              with address address and preference preference. If the
              preference is omitted, the default preference 0 is used. This
              ICMP type is information.

       -rts, --router_solicit
              Router Solicitation. Host request for a message listing one or
              more routers. Like the previous type, it is part of the Router
              Discovery message exchange, and this ICMP type is information.

       -tx, --time_exc
              Time Exceeded. Time Exceeded for an IP packet.  This  ICMP  type
              is error.

       -param, --param_problem
              Parameter  Problem.  Erroneous value on a variable of IP header.
              This ICMP type is error.

       -reply Echo Reply. Response to an Echo Request. This ICMP type is
              information.

LESS COMMON OPTIONS

       The options can be any of the following:

       -lt, --lifetime secs
              Lifetime in seconds of the router announcement. Only valid with
              the Router Advertisement (-rta) type. 1800 seconds by default
              (30 minutes).

       -gw, --gateway address
              Route  gateway  address  on an ICMP Redirect (-red).  By default
              will be the spoof address (-S), if it has been specified, or the
              outgoing IP address if it has not been specified.

       -dest, --route_dest address
              Route  destination address on an ICMP Redirect (-red). This is a
              required option when sending an ICMP Redirect.

       -orig, --orig_host address
              Original host within the IP header sent  in  the  64  bits  data
              field  of  an ICMP error.  By default will be the same as the IP
              of the host that sends the ICMP packet.

       -psrc, --port_src port
              Source port (tcp or udp) within the IP header  sent  in  the  64
              bits data field of an ICMP error. 0 by default.

       -pdst, --port_dst port
              Destination  port  (tcp or udp) within the IP header sent in the
              64 bits data field of an ICMP error. 0 by default.

       -prot, --protocol name|number
              Protocol to be used within the IP header sent in the 64 bits
              data field of an ICMP error. Must be a name from /etc/protocols
              or a protocol number. Only tcp, udp and icmp are fully
              implemented; with other protocols the remainder of the 64 bits
              field is filled with 0xFF. TCP by default.

       -id  identificator
              ICMP id to be used with ICMP Information types. Do not confuse
              it with the -ip_id option!

       -seq sequence
              Echo sequence number to be used with Echo Request or Echo Reply
              types. Do not confuse it with the -ip_seq option!

       -ip_id  identificator
              Echo identifier within the IP header sent in the 64 bits data
              field of an ICMP error when the IP header protocol of the 64
              bits data field (-prot) is icmp. 0 by default.

       -ip_seq  sequence
              Echo sequence number within the IP header sent in  the  64  bits
              data  field  of an ICMP error when the IP header protocol of the
              64 bits data field (-prot) is icmp. 0 by default.

       -ptr, --pointer byte
              Pointer to the erroneous byte byte in an ICMP packet reporting
              a parameter problem. Valid only with the Parameter Problem type
              (-param).
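
       The options above fill in the IP header and first 64 bits of payload
       that every ICMP error quotes. A receiver can use that quoted data to
       reject errors that do not match traffic it actually sent. The check
       below is an added example, not part of sing; the flow table layout and
       the sample packet are constructed for illustration.

```python
import socket
import struct

# ICMP types the page classes as "error"; each quotes the offending IP header.
ICMP_ERRORS = {3: "dest-unreach", 4: "source-quench", 5: "redirect",
               11: "time-exceeded", 12: "param-problem"}

def quoted_flow(icmp):
    """Parse an ICMP error; return (type_name, flow) or None if malformed.

    flow is (protocol, src_ip, src_port, dst_ip, dst_port) taken from the
    quoted IP header and the first 64 bits of its payload.
    """
    if len(icmp) < 8 + 20 + 8 or icmp[0] not in ICMP_ERRORS:
        return None
    inner = icmp[8:]                      # skip type, code, checksum, 4 more bytes
    ihl = (inner[0] & 0x0F) * 4           # quoted header length in bytes
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport = dport = 0
    if proto in (6, 17):                  # TCP and UDP start with the two ports
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return ICMP_ERRORS[icmp[0]], (proto, src, sport, dst, dport)

def accept_error(icmp, open_flows):
    """Accept an ICMP error only if it quotes a packet this host really sent."""
    parsed = quoted_flow(icmp)
    return parsed is not None and parsed[1] in open_flows

def sample_error(sport, dport):
    """Constructed Destination Unreachable (type 3, code 3) quoting a TCP packet."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                            socket.inet_aton("10.2.3.4"),
                            socket.inet_aton("10.1.1.1"))
    quoted_l4 = struct.pack("!HHI", sport, dport, 0)   # ports + sequence number
    return struct.pack("!BBHI", 3, 3, 0, 0) + quoted_ip + quoted_l4

if __name__ == "__main__":
    flows = {(6, "10.2.3.4", 2100, "10.1.1.1", 20)}    # constructed flow table
    for sport in (2100, 4444):
        err = sample_error(sport, 20)
        verdict = "accept" if accept_error(err, flows) else "drop"
        print(quoted_flow(err), verdict)
```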

ICMP CODES

       Valid codes used with the Destination Unreach, Redirect and Time
       Exceeded types are:

       - Used with Destination Unreach type (-du):

       net-unreach (Net Unreachable) The destination net is unreachable.

       host-unreach (Host Unreachable) The destination host is unreachable.

       prot-unreach (Protocol Unreachable) The desired protocol is unreachable
       on the destination host.

       port-unreach (Port Unreachable) The desired port is unreachable on the
       destination host.

       frag-needed (Fragmentation Needed and Don’t Fragment was Set) Shows
       that the IP packet had to be fragmented because of its size but the
       sender did not allow it because the DF (DON’T FRAGMENT) flag was set.

       sroute-fail (Source Route Failed) The route indicated in the IP packet
       could not be followed.

       net-unknown (Destination Network Unknown) The destination network is
       unknown.

       host-unknown (Destination Host Unknown) The destination host is unknown
       but the network is known.

       host-isolated (Source Host Isolated) Can’t reach the destination host.

       net-ano (Communication with Destination Network is Administratively
       Prohibited) Access to the network is denied by a firewall or similar on
       the receiver side.

       host-ano (Communication with Destination Host is Administratively
       Prohibited) Access to the host is denied by a firewall or similar on
       the receiver side.

       net-unr-tos (Destination Network Unreachable for Type of Service)
       Indicates that the requested Type Of Service (TOS) is not allowed on
       the destination network.

       host-unr-tos (Destination Host Unreachable for Type of Service) Shows
       that the destination host is unreachable with the requested TOS.

       com-admin-prohib (Communication Administratively Prohibited) A router
       can’t forward a packet because of an administrative filter.

       host-precedence-viol (Host Precedence Violation) The IP packet
       precedence is not allowed.

       precedence-cutoff (Precedence cutoff in effect) An IP packet was sent
       with a precedence lower than the minimum imposed by the network
       manager.

       - To be used with Redirect type (-red):

       net  (Redirect  Datagram  for  the Network) shows that destination is a
       network.

       host (Redirect Datagram for the Host) shows that destination is a host.

       serv-net  (Redirect  Datagram  for  the  Type  Of  Service and Network)
       destination is a type of service and network.

       serv-host  (Redirect  Datagram  for  the  Type  Of  Service  and  Host)
       destination is a type of service and host.

       - To be used with Time Exceeded type (-tx):

       ttl (Time to Live exceeded in Transit) The time to live in the IP
       packet header expired in transit.

       frag (Fragment Reassembly Time Exceeded) Could not reassemble all the
       IP packet fragments.

FINGERPRINTING TECHNIQUES

       With the -O option SING can use a few simple techniques of remote OS
       fingerprinting. To distinguish between Window$ boxes and the rest of
       the world, Ofir Arkin has discovered a simple method: when an ICMP
       Echo Request is sent with an ICMP code that is not 0, a Window$ box
       responds with a 0 code while the rest of the boxes leave the code
       field unchanged. See the SEE ALSO section.

       With Solaris systems SING uses a method discovered by me: when sent a
       fragmented Address Mask Request, any Solaris system (tested from 2.5.1
       to Solaris8 Intel & SPARC) responds with an Address Mask of 0’s. Last
       update!: Some people have noticed that HP-UX v11.0 responds the same
       way.

       See the EXAMPLES section for examples.
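
       Both probes leave a recognisable shape on the wire, as do the -B, -U
       and -x max options. The following is an added example, not part of
       sing: a Python check a sensor could run over raw IPv4 packets to flag
       those shapes. The finding names and the sample packets are constructed
       for illustration.

```python
import struct

# Highest code listed in the ICMP CODES section for each type with named codes.
MAX_CODE = {3: 15, 5: 3, 11: 1}
ECHO_REQUEST, ADDRESS_MASK_REQUEST = 8, 17

def checksum(data):
    """Internet checksum (RFC 1071); 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def inspect(packet):
    """Return the findings for one raw IPv4 packet (empty list = nothing odd)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    findings = []
    if flags_frag & 0x8000:                      # reserved ("unused") flag bit
        findings.append("ip-reserved-bit-set")
    if packet[9] != 1 or flags_frag & 0x1FFF:    # not ICMP, or a later fragment
        return findings
    icmp = packet[ihl:]
    if len(icmp) < 4:
        return findings + ["truncated-icmp"]
    icmp_type, code = icmp[0], icmp[1]
    fragmented = bool(flags_frag & 0x2000)       # More Fragments on first piece
    if fragmented and icmp_type == ADDRESS_MASK_REQUEST:
        findings.append("fragmented-address-mask-request")
    if not fragmented and checksum(icmp) != 0:   # needs the whole message
        findings.append("bad-icmp-checksum")
    if icmp_type == ECHO_REQUEST and code != 0:
        findings.append("echo-request-nonzero-code")
    if icmp_type in MAX_CODE and code > MAX_CODE[icmp_type]:
        findings.append("icmp-code-out-of-range")
    return findings

def build(icmp_type, code, body=b"\x00\x01\x00\x01sample", flags_frag=0,
          good_sum=True):
    """Construct a sample IPv4+ICMP packet (constructed test data, not a capture)."""
    icmp = struct.pack("!BBH", icmp_type, code, 0) + body
    csum = checksum(icmp) if good_sum else checksum(icmp) ^ 1
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, flags_frag,
                     64, 1, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + icmp

if __name__ == "__main__":
    samples = {
        "plain echo request": build(8, 0),
        "echo request, code 38": build(8, 38),
        "fragmented mask request": build(17, 0, flags_frag=0x2000),
        "dest unreach, code 200": build(3, 200),
        "echo request, bad checksum": build(8, 0, good_sum=False),
    }
    for name, pkt in samples.items():
        print(name, "->", inspect(pkt) or "clean")
```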

MIMIC TECHNIQUES

       With the -M option SING can try to emulate certain operating systems.
       At the moment Window$98/Window$NT4 (win value), UNIX (unix value),
       Linux (linux value), Cisco (cisco value), Solaris (solaris value) or
       Shiva (shiva value) are the only accepted values. To emulate them SING
       changes its normal behaviour regarding the IP header flags, the TTL,
       the initial ICMP sequence number, the ICMP id and the ICMP data that
       each OS sends. These techniques are applied only when using the Echo
       Request or Echo Reply types.

RETURN VALUES

       sing can be easily used within shell scripts. The program returns the
       following values to the shell:

       Value  Meaning
       -----  -----------
       0      Received at least 1 response from destination host.
       1      General Error.
       2      Packet sent OK but received no response.
       3      Out of memory.

EXAMPLES

       - Testing if www.solarisbox.xx is running the Solaris OS, assuming no
       filtering is in place:

       sing -mask -O  www.solarisbox.xx

       - Testing if www.winbox.xx is running the Window$ OS:

       sing -O  www.winbox.xx

       -  Send Echos with garbage size of 32 bytes and fragments of 8 bytes to
       host www.provatina.xx:

       sing -s 32 -F 8 www.provatina.xx

       - Send Echos with data pattern IsSiNg and fragments of 8 bytes  to  the
       host  www.provatina.xx  using  Loose  Source Routing via router1.xx and
       router2.xx:

       sing -p IsSiNg -F 8 router1.xx@router2.xx@www.provatina.xx

       - Send an ICMP packet Timestamp to host  sepultura.hell.  We  spoof  as
       host 10.2.3.1:

       sing -tstamp -S 10.2.3.1 sepultura.hell

       - Send an ICMP packet Router Solicitation to 10.13.1.0:

       sing -rts  10.13.1.0

       -  Send  an ICMP Router Advertisement to host death.es, saying that the
       routers to use are: router1.xtc with preference  20,  router2.xtc  with
       preference  50 and router3.xtc with default preference (0). We spoof as
       fatherouter.xtc:

       sing -rta router1.xtc/20 -rta router2.xtc/50 -rta router3.xtc -S fatherouter.xtc death.es

       - In response to a packet sent with TCP source port 100 and destination
       port 90, we want to send an ICMP Redirect to dwdwah.xx to modify its
       routing table with the following data: 10.12.12.12 as a gateway to the
       host death.es, masking the packet source as if it was sent from
       infect.comx host:

       sing -red -S infect.comx -gw 10.12.12.12 -dest death.es -x host -prot tcp -psrc 100 -pdst 90 dwdwah.xx

       - In response to an ICMP packet Echo Request sent with Echo Request  id
       100  and  Echo  Request  sequence  number  90,  we want to send an ICMP
       Redirect to the host araya.xx to modify  its  routing  table  with  the
       following data: the host pizza.death as a gateway to the host death.es,
       masking the packet source as if it was sent from infect.comx host.

       sing -red -S infect.comx -gw pizza.death -dest death.es -x host -prot icmp -ip_id 100 -ip_seq 90 araya.xx

       -  We  want  to  send  an  ICMP  packet Destination Unreach to the host
       10.2.3.4 saying that our TCP port number 20 connected with its TCP port
       2100, is unreachable.  We mask ourselves as host 10.1.1.1:

       sing -du -S 10.1.1.1 -x port-unreach -prot tcp -psrc 2100 -pdst 20 10.2.3.4

       - We want to send an ICMP packet Destination Unreach to host 10.2.3.4
       saying that the host inferno.hell and its TCP port 69, connected with
       its TCP port 666, is unreachable. We mask ourselves as gateway
       router.comx:

       sing -du -S router.comx -x host-unreach -prot tcp -psrc 666 -pdst 69 -orig inferno.hell 10.2.3.4

       - We want to send an ICMP Source Quench packet to host ldg02.hell in
       response to a packet destined to host ldg00 with UDP protocol, source
       port 100 and destination port 200. We mask ourselves as gateway
       10.10.10.1:

       sing -sq -S 10.10.10.1 -prot udp -psrc 100 -pdst 200 -orig ldg00 ldg02.hell

       - We want to send an ICMP packet Time Exceeded to host ldg02.hell in
       response to a packet destined to host ldg00 with UDP protocol, source
       port 100 and destination port 200. We mask as gateway ldg04.hell:

       sing -tx -S ldg04.hell -x frag -prot udp -psrc 100 -pdst 200 -orig ldg00 ldg02.hell

       -  We  want  to  send  an  ICMP packet Address Mask Request and wait 10
       seconds between sending each packet. We mask  the  packet  with  source
       address of 10.2.3.4 and we send it to the address 10.0.1.255:

       sing -mask -S 10.2.3.4 -T 10 10.0.1.255

       - We want to send an ICMP packet Information Request to host deep.hell:

       sing -info  deep.hell

       - We want to send an ICMP packet Echo Request to host  black.hell  with
       the data pattern ’MyNameIsGump’:

       sing -p MyNameIsGump black.hell

       -  We  want  to  send  ICMP packet Echo Request to 10.12.0.255 with the
       following data pattern: D E A T H (blanks included). We will  mask  the
       source address as 192.168.0.255:

       sing -S 192.168.0.255 -p 'D E A T H' 10.12.0.255

       - We want to send an ICMP packet Destination Unreach to host
       destination.death, but with an ICMP code greater than the legal ones
       and with 60K of garbage data added:

       sing -du -x max -s 60000 destination.death

       - We send an ICMP Parameter Problem to host misery.es saying that the
       packet sent from the host dump.xorg with udp protocol, source port 13
       and destination port 53, has an error on the IP header byte 13. We will
       also add as many garbage bytes as possible:

       sing -S dump.xorg -param -ptr 13 -prot udp -psrc 13 -pdst 53 -s max misery.es

       -  We  want to send an ICMP packet Timestamp to host www.danz.hell with
       code 38 instead of code (0) as usual:

       sing -tstamp -x 38 www.danz.hell

       - Same as above without code 38 and using Loose Source Routing  between
       the routers cisco, 10.13.1.1 and wakeup.man:

       sing -tstamp cisco@10.13.1.1@wakeup.man@www.danz.hell

       - Same as above using Strict Source Routing between the gateways:

       sing -tstamp cisco%10.13.1.1%wakeup.man%www.danz.hell

       - Using the Record Route IP Option to see the route taken to
       ftp.target.xx:

       sing -R ftp.target.xx

SEE ALSO

       Postel, John, "Internet  Control  Message  Protocol  -  DARPA  Internet
       Program  Protocol  Specification",  RFC  792,  USC/Information Sciences
       Institute, September 1981.

       Mogul,  Jeffrey  and  John  Postel,   "Internet   Standard   Subnetting
       Procedure",  RFC  950,  Stanford,  USC/Information  Sciences Institute,
       August 1985.

       Braden, Robert, "Requirements for Internet Hosts - Communication
       Layers", RFC 1122, USC/Information Sciences Institute, October 1989.

       Deering, Stephen, "ICMP Router Discovery Messages", RFC 1256, Xerox
       PARC, September 1991.

       Baker, Fred, "Requirements for IP Version 4 Routers", RFC 1812, Cisco
       Systems, June 1995.

       Arkin, Ofir, "ICMP usage in scanning",
       http://www.sys-security.com/archive/papers/ICMP_Scanning.pdf,
       Sys-Security Group, July 2000.

       The Linux source code, everything relating to the network code and to
       the ICMP protocol.

AUTHOR

       The original ping command was written by Mike Muuss.

       sing was originally written by Alfredo Andres Omella, Slay <aandres@s21sec.com>