MAN page from Fedora 28 sing-1.1-15.fc28.i686.rpm
Section: Misc. Reference Manual Pages (8)
Updated: $Date: 2001/02/13 10:51:31 $Index
arbage packets to network hosts
] [-c count
] [-T wait
] [-p pattern
] [-F bytes
] [-i interface
] [-t ttl
] [-TOS tos
] [-l preload
] [-L logfile
] [-MAC hw_addr
] [-x code
is a tool that sends ICMP packets fully customized from command line. Themain purpose is to replace the niceful ping
command with certainenhancenments as the ability to send/read IP spoofed packets, send MAC spoofedpackets, send in addition to the ECHO REQUEST type sent by default, many other ICMP types as Echo Reply
, Address Mask Request
, Information Request
and Router Advertisement
It supports also the following ICMP error types: Redirect, Source Quench,Time Exceeded, Destination Unreachable and Parameter Problem.
It can do a little fingerprinting, see the FINGERPRINTING TECHNIQUES sectionto read more details about.
It can emulate certain OOSS sending Echo Request or Echo Replypackets. See the MIMIC TECHNIQUES section for a more accurateinformation.
The host destination can also be specified as a list of gateways (includingdestination) breaked by the '%' symbol meaning the use of a Strict Source Routing IP Option(v.g. router1%router2%router3%host) or the '@' symbol meaning the use of a LooseSource Routing IP Option (v.g. router1@router2@router3@host).
A long number of examples is given at the EXAMPLES section of this page that shows a real use of this program.
MOST COMMON OPTIONS
- -h, --help
- Help screen.
- -V, --Version
- Program version.
- Verbose mode.
- Send a Bad ICMP Checksum on Information types.
- -c count
- Stop after sending (and receiving) count packets. Informationtypes only.
- -F bytes
- Fragment the entire ICMP packet with bytes size by fragment. Not usedon Solaris systems.
- Set the IP header Don't Fragment flag. Not used on Solaris systems.
- -i interface
- Interface (name or IP address) where listen on for replies.
- -l preload
- If preload is specified, sing sends that many packets as fast as possiblebefore falling into its normal mode of behavior. Only the super-user mayuse this option. Information types only.
- -L logfile
- Save the current session to the file logfile. If logfile existsthe data will be appended at end.
- -M os
- Do mimic of the os specified when sending an Echo Request orEcho Reply. os can be win, unix, linux,cisco, solaris or shiva.
- -MAC hw_address
- Do MAC spoofing using the MAC hw_address (maybe to surpass filtered switches). Be aware of using on an interfacewith a datalink type different of Ethernet. The MAC address must be on hexadecimalform and must be delimited by ':' (Example: 00:FF:AC:33:1:B). Thisoption made use of the libnet library to acces the network link layer. Only thesuper-user can use this option.
- Don't use name resolution.
- Do fingerprinting to discover the target OS.
- -p pattern
- You may specify a pattern of bytes to fill out the packet you send. Thisis useful for diagnosing data-dependent problems in a network. For example,`-p INPACK'' will cause the sent packet to be filled with the word INPACK.
- Quiet output. Nothing is displayed except the summary lines at startup timeand when finished.
- Totally quiet output. Absolutly nothing is displayed. Useful to use withinshell scripts.
- Use Record Route IP Header Option on the ICMP packet.
- -s bytes|max
- Number of garbage bytes that will be sent on any ICMP packet. With maxthe maximum possible will be sent.
- -S address
- IP address to be used as the source of the ICMP packet. This force the useof the libpcap routines that puts your network interface into promiscuous modeto be able to read the replies. Only the super-user may use this option.
- -t ttl
- Set the IP Time To Live field to ttl value.
- -T wait
- Wait wait seconds between sending each packet. The default is towait for one second between each packet.
- -TOS tos
- Set the IP Type Of Service field to tos value.
- Set the IP header Unused bit flag. Be aware on *BSD systems because the kernel setto 0 the IP header flags when using the Reserved Bit so SING must revert to promiscuous mode to be able toread the response with libpcap. Not used on Solaris systems.
- -x, --xcode code|num|max
- ICMP code to send. Code code valid for Destination Unreachable (-du), Redirect (-red) and Time Exceeded (-tx) types. Numerical code can bespecified for the ICMP types that doesn't have (Echo Request, Information Request,Address Mask Request, Router Solicitation, Router Advertisement, Source Quench, Parameter Problem and Timestamp). Using max an ICMP code greater than theadmited ones will be sent. See the ICMP CODES section for a long listof code types.
can be any of the following below:
- -echo, --echo_request
- Echo Request. Request sent to a host to receive an echo reply.This is the type sent by default. This ICMP type is information.
- -tstamp, --timestamp
- Timestamp. Host request to receive the time of another host. This ICMP type is information.
- -mask, --mask_req
- Address Mask Request. Used to find out a host network mask.This ICMP type is information.
- -info, --info_req
- Information Request. Host request to receive an Info Reply from another host. This ICMP type is information.
- -du, --dest_unreach
- Destination Unreach. IP packet couldn't be given. This ICMP type is error.
- -sq, --src_quench
- Source Quench. IP packet is not given due a net congestion.This ICMP type is error.
- -red, --redirect
- Redirect. Request to forward IP packets through another router.This ICMP type is error.
- -rta, --router_advert address[/preference]
- Router Advertisement. Router trasmits one or more routers with addressaddress and preference preference.If this is ommited, default preference 0 is given.This ICMP type is information.
- -rts, --router_solicit
- Router Solicitation. Host requeriment for a message of one or more routers.Like the previous, is a part of the messages exchange Router Discovery andthis ICMP type is information.
- -tx, --time_exc
- Time Exceeded. Time Exceeded for an IP packet. This ICMP type is error.
- -param, --param_problem
- Parameter Problem. Erroneous value on a variable of IP header. This ICMP type is error.
- Echo Reply. Response to a Echo Request. This ICMP type is information.
LESS COMMON OPTIONS
can be any of the following:
- -lt, --lifetime secs
- Lifetime in seconds of the router announcement. Only valid withRouter Advertisement (-rta) type. 1800 seconds by default (30').
- -gw, --gateway address
- Route gateway address on an ICMP Redirect (-red).By default will be the spoof address (-S), if it has been specified, or the outgoing IP address if it has not been specified.
- -dest, --route_dest address
- Route destination address on an ICMP Redirect (-red). This is arequired option when sending an ICMP Redirect.
- -orig, --orig_host address
- Original host within the IP header sent in the 64 bits data field of an ICMP error.By default will be the same as the IP of the host that sends the ICMP packet.
- -psrc, --port_src port
- Source port (tcp or udp) within the IP header sent in the 64 bits data fieldof an ICMP error. 0 by default.
- -pdst, --port_dst port
- Destination port (tcp or udp) within the IP header sent in the 64 bits datafield of an ICMP error. 0 by default.
- -prot, --protocol name|number
- Protocol to be used within the IP header sent in the 64 bits data field of anICMP error. Must be a name from the /etc/protocols or a protocol number.Only tcp, udp and icmp are fully implemented, with other protocols theremaining of the 64 bits field are fulfilled with 0xFF. TCP by default.
- -id identificator
- ICMP id to be used with ICMP of Information types. Do not be confused with the -ip_id option!.
- -seq sequence
- Echo sequence number to be used with Echo Request or Echo Replytypes. Do not be confused with the -ip_seq option!.
- -ip_id identificator
- Echo identificator within the IP header sent in the 64 bits data field of an ICMP error when the IP header protocol of the 64 bits data field (-prot) is icmp. 0by default.
- -ip_seq sequence
- Echo sequence number within the IP header sent in the 64 bits data field of anICMP error when the IP header protocol of the 64 bits data field (-prot)is icmp. 0 by default.
- -ptr, --pointer byte
- Pointer to erroneus byte byte on an ICMP packet showing a parameter problem.Valid only on Parameter Problem type (-param).
used with Destination Unreach, Redirect and Time Exceeded types are,
- - Used with Destination Unreach type (-du):
net-unreach (Net Unreachable) The destination net is unreachable.
host-unreach (Host Unreachable) The destination host is unreachable.
prot-unreach (Protocol Unreachable) desired protocol is unreachable to destination host.
port-unreach (Port Unreachable) desired port is unreachable to destination host.
frag-needed (Fragmentation Needed and Don't Fragment was Set) Shows that IP packet hadto be fragmented because of its size but the sender did not allowed it becausethe DF (DON'T FRAGMENT) flag was set.
sroute-fail (Source Route Failed) could'nt follow the route indicated on IP packet.
net-unknown (Destination Network Unknown) Destination network is unknown.
host-unknown (Destination Host Unknown) Destination host unknown but network is.
host-isolated (Source Host Isolated) Can't reach destination host.
net-ano (Communication with Destination Network is AdministrativelyProhibited) access network is denied through firewall or similar on receiver side.
host-ano (Communication with Destination Host is AdministrativelyProhibited) access host is denied through firewall or similar on receiver side.
net-unr-tos (Destination Network Unreachable for Type of Service)indicates on destination network that the Type Of Service (TOS) applied for is not allowed.
host-unr-tos (Destination Host Unreachable for Type of Service) shows that destinationhost is unreachable with applied TOS.
com-admin-prohib (Communication Administratively Prohibited) a router can't forward a packet because of administrative filter.
host-precedence-viol (Host Precedence Violation) IP packet precedence is not allowed.
precedence-cutoff (Precedence cutoff in effect) a smaller IP packet precedence has tried tobe sent over the minimal impossed by network manager.
- - To be used with Redirect type (-red):
net (Redirect Datagram for the Network) shows that destination is a network.
host (Redirect Datagram for the Host) shows that destination is a host.
serv-net (Redirect Datagram for the Type Of Service and Network) destination is a type of serviceand network.
serv-host (Redirect Datagram for the Type Of Service and Host) destination is a type of serviceand host.
- - to be used with Time Exceeded type (-tx):
ttl (Time to Live exceeded in Transit) time is over on an IP packet header packet.
frag (Fragment Reassembly Time Exceeded) could not reassembly all the IP packet fragments.
With the -O
can use little techniques of remote OS fingerprinting.To distinguish between Window$ boxes and the rest of the world OfirArkin
has discovered a simple method: Sending an ICMP code that is not0 within an ICMP Echo Request, a Window$ box respond with a 0 code whilethe rest of the boxes would leave the code field unchanged. See the SEE ALSO
With Solaris systems SING use a method discovered by me: Sending afragmented Addres Mask Request any Solaris system (tested from 2.5.1 toSolaris8 Intel & SPARC) respond with an Address Mask of 0's.Last update!: Some people have noticed that HP-UX v11.0 respond the sameway.
See the EXAMPLES section for examples.
With the -M
can try to emulate certain OS. At themoment Window$98/Window$NT4 (win
value), UNIX (unix
value), Cisco (cisco
value), Solaris (solaris
value) or Shiva (shiva
value) are the only acceptedvalues. To emulate them SING
changes its normal behaviour about the IPheader flags, the TTL, the initial ICMP sequence number, the ICMP id andthe ICMP data that each OS send. These techniques are aplied only whenusing Echo Request
or Echo Reply
can be easily used within shell scripts. Program returns the following values to the shell:
- Testing if www.solarisbox.xx
is running the Solaris OS. Supposed no filtermethods:
sing -mask -O www.solarisbox.xx
- Testing if www.winbox.xx is running the Window$ OS:
sing -O www.winbox.xx
- Send Echos with garbage size of 32 bytes and fragments of 8 bytes to hostwww.provatina.xx:
sing -s 32 -F 8 www.provatina.xx
- Send Echos with data pattern IsSiNg and fragments of 8 bytes to thehost www.provatina.xx using Loose Source Routing via router1.xx androuter2.xx:
sing -p IsSiNg -F 8 www.provatina.xx
- Send an ICMP packet Timestamp to host sepultura.hell. We spoof as host10.2.3.1:
sing -tstamp -S 10.2.3.1 sepultura.hell
- Send an ICMP packet Router Solicitation to 10.13.1.0:
sing -rts 10.13.1.0
- Send an ICMP Router Advertisement to host death.es, saying that the routersto use are: router1.xtc with preference 20, router2.xtc with preference 50and router3.xtc with default preference (0). We spoof as fatherouter.xtc:
sing -rta router1.xtc/20 -rta router2.xtc/50-rta router3.xtc -S fatherouter.xtc death.es
- In response to a packet send with TCP source port 100 and destination on port 90,we want to send and ICMP Redirect to dwdwah.xx to modify its routing table with the followingdata: 10.12.12.12 as a gateway to the host death.es masking the packet sourceas if it was sent from infect.comx host:
sing -red -S infect.comx -gw 10.12.12.12-dest death.es -x host -prot tcp -psrc 100 -pdst90 dwdwah.xx
- In response to an ICMP packet Echo Request sent with Echo Request id 100 andEcho Request sequence number 90, we want to send an ICMP Redirect to the hostaraya.xx to modify its routing table with the following data: the hostpizza.death as a gateway to the host death.es, masking the packet source as ifit was sent from infect.comx host.
sing -red -S infect.comx -gw pizza.death-dest death.es -x host -prot icmp-ip_id 100 -ip_seq 90 araya.xx
- We want to send an ICMP packet Destination Unreach to the host 10.2.3.4saying that our TCP port number 20 connected with its TCP port 2100, is unreachable.We mask ourselves as host 10.1.1.1:
sing -du -S 10.1.1.1 -x port-unreach -prottcp -psrc 2100 -pdst 20 10.2.3.4
- We want to send an ICMP packet Destination Unreach to host 10.2.3.4saying that the host inferno.hell and its TCP port 69, connected with hisport TCP 666 in unreachable. We mask ourselves as gateway router.comx:
sing -du -S router.comx -x host-unreach-prot tcp -psrc 666 -pdst 69 -orig inferno.hell10.2.3.4
- We want to send a packet ICMP Source Quench to host ldg02.hell inresponse to a packet destinated to host ldg00 with UDP protocol, sourceport 100 and destination port 200. We mask ourselves as gateway 10.10.10.1:
sing -sq -S 10.10.10.1 -prot udp -psrc100 -pdst 200 -orig ldg00 ldg02.hell
- We want to send an ICMP packet Time Exceeded to host ldg02.hell inresponse to a packet destinated to host ldg00 with UDP protocol, source port 100 and destination port 200. We mask as gateway ldg04.hell:
sing -tx -S ldg04.hell -x frag -protudp -psrc 100 -pdst 200 -orig ldg00 ldg02.hell
- We want to send an ICMP packet Address Mask Request and wait 10 secondsbetween sending each packet. We mask the packet with source address of10.2.3.4 and we send it to the address 10.0.1.255:
sing -mask -S 10.2.3.4 -T 10 10.0.1.255
- We want to send an ICMP packet Information Request to host deep.hell:
sing -info deep.hell
- We want to send an ICMP packet Echo Request to host black.hell with the datapattern 'MyNameIsGump':
sing -p MyNameIsGump black.hell
- We want to send ICMP packet Echo Request to 10.12.0.255 with the following data pattern:D E A T H (blanks included). We will mask the source address as 192.168.0.255:
sing -S 192.168.0.255 -p 'D E A T H' 10.12.0.255
- We want to send an ICMP packet Destination Unreach to host destination.death but sending itwith an ICMP code bigger to the legal ones adding also 60K of garbage data:
sing -du -x max -s 60000 destination.death
- We send an ICMP Parameter Problem to host misery.es saying that the packet sentfrom the host dump.xorg with udp protocol, source port 13 and destination port 53,has an error on the IP header byte 13. We will also add all garbage bytes as possible:
sing -S dump.xorg -param -ptr 13 -protudp -psrc 13 -pdest 53 -s max misery.es
- We want to send an ICMP packet Timestamp to host www.danz.hell with code 38instead of code (0) as usual:
sing -tstamp -x 38 www.danz.hell
- Same as above without code 38 and using Loose Source Routing between the routerscisco, 10.13.1.1 and wakeup.man:
sing -tstamp email@example.com@wakeup.manAATTwww.danz.hell
- Same as above using Strict Source Routing between the gateways:
sing -tstamp cisco%10.13.1.1%wakeup.man%www.danz.hell
- Using Record Route IP Option to see the route that takes to ftp.target.xx:
sing -R ftp.target.xx
Postel, John, "Internet Control Message Protocol - DARPA InternetProgram Protocol Specification", RFC 792
, USC/Information SciencesInstitute, September 1981.
Mogul, Jeffrey and John Postel, "Internet Standard Subnetting Procedure",RFC 950, Stanford, USC/Information Sciences Institute, August 1985.
Braden, Robert, "Requeriments for Internet Hosts - Communication Layers",RFC 1122, USC/Information Sciences Institute, October 1989.
Deering, Stephen, "ICMP Router Discovery Messages", RFC 1256, XeroxPARC, September 1991.
Baker, Fred, "Requeriments for IP Version 4 Routers", RFC 1812, CiscoSystems, June 1995.
Arkin, Ofir, "ICMP usage in scanning",http://www.sys-security.com/archive/papers/ICMP_Scanning.pdf,Sys-Security Group, July 2000.
The Linux source code, everything referent to network code and to ICMP protocol.
The original ping
command was written by Mike Muuss.
sing is original from Alfredo Andres Omella, Slay <aandresAATTs21sec.com>
- MOST COMMON OPTIONS
- ICMP TYPES
- LESS COMMON OPTIONS
- ICMP CODES
- FINGERPRINTING TECHNIQUES
- MIMIC TECHNIQUES
- RETURN VALUES
- SEE ALSO
This document was created byman2html,using the manual pages.