SING(8)							  SING(8)


NAME
       sing - Send ICMP Nasty Garbage packets to network hosts

SYNOPSIS
       sing  [-hVRnvqGQOBU] [-c count] [-T wait] [-p pattern] [-s
       datasize] [-F bytes] [-i interface] [-S	spoof]	[-t  ttl]
       [-TOS  tos]  [-l	 preload]  [-M	os]  [-L  logfile]  [-MAC
       hw_addr] [-x code] [type]  host

DESCRIPTION
       sing is a tool that sends fully customized ICMP packets
       from the command line. Its main purpose is to replace the
       nice ping command with certain enhancements, such as the
       ability to send/read IP spoofed packets, send MAC spoofed
       packets and send, in addition to the ECHO REQUEST type sent
       by default, many other ICMP types such as Echo Reply,
       Address Mask Request, Timestamp, Information Request,
       Router Solicitation and Router Advertisement.

       It also supports the following ICMP error types: Redirect,
       Source Quench, Time Exceeded, Destination Unreachable  and
       Parameter Problem.

       It can do a little fingerprinting; see the FINGERPRINTING
       TECHNIQUES section for more details.

       It can emulate certain OSes when sending Echo Request or
       Echo Reply packets. See the MIMIC TECHNIQUES section for
       more detailed information.

       The host destination can also be specified as a list of
       gateways (including the destination) separated by the '%'
       symbol, meaning the use of a Strict Source Routing IP
       Option (e.g. router1%router2%router3%host), or by the '@'
       symbol, meaning the use of a Loose Source Routing IP
       Option (e.g. router1@router2@router3@host).

       A large number of examples showing real use of this program
       is given in the EXAMPLES section of this page.

MOST COMMON OPTIONS
       -h, --help
	      Help screen.

       -V, --Version
	      Program version.

       -v     Verbose mode.

       -B     Send a Bad ICMP Checksum on Information types.

       -c count
	      Stop after sending (and receiving)  count	 packets.
	      Information types only.

       -F bytes
              Fragment the entire ICMP packet, with bytes as the size
              of each fragment. Not used on Solaris systems.

       -G     Set the IP header Don't Fragment flag. Not used  on
	      Solaris systems.

       -i interface
              Interface (name or IP address) on which to listen for
              replies.

       -l preload
	      If preload is specified, sing sends that many pack-
	      ets  as  fast  as	 possible before falling into its
	      normal mode of behavior.	Only the  super-user  may
	      use this option. Information types only.

       -L logfile
              Save the current session to the file logfile. If
              logfile exists, the data will be appended to its end.

       -M os  Mimic the os specified when sending an Echo
              Request or Echo Reply. os can be win, unix, linux,
              cisco, solaris or shiva.

       -MAC hw_address
              Do MAC spoofing using the MAC hw_address (maybe to
              get past filtering switches). Be careful when using
              it on an interface with a datalink type other than
              Ethernet. The MAC address must be in hexadecimal form
              and must be delimited by ':' (Example:
              00:FF:AC:33:1:B). This option makes use of the libnet
              library to access the network link layer. Only the
              super-user can use this option.

       -n     Don't use name resolution.

       -O     Do fingerprinting to discover the target OS.

       -p pattern
	      You  may specify a pattern of bytes to fill out the
	      packet you send.	This  is  useful  for  diagnosing
	      data-dependent problems in a network.  For example,
              ``-p INPACK'' will cause the sent packet to be
	      filled with the word INPACK.

       -q     Quiet output.  Nothing is displayed except the sum-
	      mary lines at startup time and when finished.

       -Q     Totally quiet output. Absolutely nothing is displayed.
              Useful within shell scripts.

       -R     Use  Record  Route  IP  Header  Option  on the ICMP
	      packet.

       -s bytes|max
	      Number of garbage bytes that will be  sent  on  any
	      ICMP  packet. With max the maximum possible will be
	      sent.

       -S address
              IP address to be used as the source of the ICMP
              packet. This forces the use of the libpcap routines,
              which put your network interface into promiscuous
              mode, to be able to read the replies. Only the
              super-user may use this option.

       -t ttl Set the IP Time To Live field to ttl value.

       -T wait
	      Wait wait seconds between sending each packet.  The
	      default  is  to  wait  for  one second between each
	      packet.

       -TOS tos
	      Set the IP Type Of Service field to tos value.

       -U     Set the IP header Unused bit flag. Be careful on *BSD
              systems: the kernel sets the IP header flags to 0
              when the Reserved Bit is used, so SING must revert
              to promiscuous mode to be able to read the response
              with libpcap. Not used on Solaris systems.

       -x, --xcode code|num|max
              ICMP code to send. A code name is valid for the
              Destination Unreachable (-du), Redirect (-red) and
              Time Exceeded (-tx) types. A numerical code can be
              specified for the ICMP types that have no code names
              (Echo Request, Information Request, Address Mask
              Request, Router Solicitation, Router Advertisement,
              Source Quench, Parameter Problem and Timestamp). With
              max, an ICMP code greater than the admitted ones will
              be sent. See the ICMP CODES section for a long list
              of code types.


ICMP TYPES
       The type can be any of the following:

       -echo, --echo_request
	      Echo Request. Request sent to a host to receive  an
	      echo reply.  This is the type sent by default. This
	      ICMP type is information.

       -tstamp, --timestamp
	      Timestamp. Host request  to  receive  the	 time  of
	      another host.  This ICMP type is information.

       -mask, --mask_req
	      Address  Mask Request. Used to find out a host net-
	      work mask.  This ICMP type is information.

       -info, --info_req
	      Information Request. Host	 request  to  receive  an
	      Info  Reply  from	 another host.	This ICMP type is
	      information.

       -du, --dest_unreach
              Destination Unreach. The IP packet could not be
              delivered. This ICMP type is error.

       -sq, --src_quench
              Source Quench. The IP packet was not delivered due to
              network congestion. This ICMP type is error.

       -red, --redirect
	      Redirect. Request to  forward  IP	 packets  through
	      another router.  This ICMP type is error.

       -rta, --router_advert address[/preference]
              Router Advertisement. The router transmits one or more
              routers with address address and preference
              preference. If the preference is omitted, the default
              preference 0 is given. This ICMP type is information.

       -rts, --router_solicit
              Router Solicitation. Host request for a message from
              one or more routers. Like the previous one, it is
              part of the Router Discovery message exchange. This
              ICMP type is information.

       -tx, --time_exc
	      Time  Exceeded.  Time  Exceeded  for  an IP packet.
	      This ICMP type is error.

       -param, --param_problem
	      Parameter Problem. Erroneous value on a variable of
	      IP header.  This ICMP type is error.

       -reply Echo Reply. Response to an Echo Request. This ICMP
              type is information.


LESS COMMON OPTIONS
       The options can be any of the following:

       -lt, --lifetime secs
	      Lifetime in seconds  of  the  router  announcement.
	      Only  valid  with Router Advertisement (-rta) type.
	      1800 seconds by default (30').

       -gw, --gateway address
	      Route gateway address on an ICMP	Redirect  (-red).
	      By  default  will	 be the spoof address (-S), if it
	      has been specified, or the outgoing IP  address  if
	      it has not been specified.

       -dest, --route_dest address
	      Route  destination  address  on  an  ICMP	 Redirect
	      (-red). This is a required option when  sending  an
	      ICMP Redirect.

       -orig, --orig_host address
	      Original	host  within the IP header sent in the 64
	      bits data field of an ICMP error.	 By default  will
	      be  the  same  as the IP of the host that sends the
	      ICMP packet.

       -psrc, --port_src port
	      Source port (tcp or udp) within the IP header  sent
	      in  the  64  bits data field of an ICMP error. 0 by
	      default.

       -pdst, --port_dst port
	      Destination port (tcp or udp) within the IP  header
	      sent  in the 64 bits data field of an ICMP error. 0
	      by default.

       -prot, --protocol name|number
	      Protocol to be used within the IP	 header	 sent  in
	      the  64 bits data field of an ICMP error. Must be a
	      name from the /etc/protocols or a protocol  number.
	      Only  tcp, udp and icmp are fully implemented, with
              other protocols the remainder of the 64 bits field
              is filled with 0xFF. TCP by default.

       -id  identificator
              ICMP id to be used with ICMP Information types.
              Not to be confused with the -ip_id option!

       -seq sequence
              Echo sequence number to be used with Echo Request
              or Echo Reply types. Not to be confused with the
              -ip_seq option!

       -ip_id  identificator
              Echo identifier within the IP header sent in the
	      64  bits	data  field  of an ICMP error when the IP
	      header protocol of the 64 bits data  field  (-prot)
	      is icmp. 0 by default.

       -ip_seq	sequence
	      Echo  sequence  number within the IP header sent in
	      the 64 bits data field of an ICMP error when the IP
	      header  protocol	of the 64 bits data field (-prot)

       -ptr, --pointer byte
              Pointer to the erroneous byte byte in an ICMP packet
              showing a parameter problem. Valid only with the
              Parameter Problem type (-param).
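
       The options above fill in the datagram quoted inside an ICMP
       error. A receiver-side check for that quote, as an added
       example that is not part of sing or of the original page; the
       function names, the flow-table layout and the sample
       addresses are assumptions made for illustration:

```python
import socket
import struct

# ICMP types that quote the offending datagram (IP header + 64 bits).
ERROR_TYPES = {3: "dest-unreach", 4: "source-quench", 5: "redirect",
               11: "time-exceeded", 12: "param-problem"}

def quoted_flow(icmp: bytes):
    """Parse the datagram quoted in an ICMP error message.

    Returns (proto, src, sport, dst, dport), or None when the message is not
    an ICMP error, is too short, or quotes something other than TCP/UDP."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] not in ERROR_TYPES:
        return None
    inner = icmp[8:]                       # quoted IP header starts here
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    if proto not in (6, 17):               # only TCP and UDP carry ports
        return None
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport)

def is_plausible(icmp: bytes, flows: set) -> bool:
    """True only if the error quotes a datagram this host really sent."""
    flow = quoted_flow(icmp)
    return flow is not None and flow in flows

def build_error(icmp_type, code, proto, src, sport, dst, dport) -> bytes:
    """Constructed sample: ICMP error quoting an IPv4 header plus 8 bytes.
    Checksums are left at 0 because this check does not verify them."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    first8 = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + first8

if __name__ == "__main__":
    # Constructed flow table: one outgoing TCP connection of the local host.
    flows = {(6, "192.0.2.10", 2100, "198.51.100.5", 20)}
    genuine = build_error(3, 3, 6, "192.0.2.10", 2100, "198.51.100.5", 20)
    guessed = build_error(3, 3, 6, "192.0.2.10", 2101, "198.51.100.5", 20)
    print("matches a real flow:", is_plausible(genuine, flows))
    print("wrong source port:  ", is_plausible(guessed, flows))
```

       The quoted 64 bits of a TCP segment also hold its sequence
       number, which RFC 5927 recommends checking as well before an
       ICMP error is allowed to affect a connection.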

ICMP CODES
       Valid codes used with Destination Unreach, Redirect and
       Time Exceeded types are:

       - Used with Destination Unreach type (-du):

       net-unreach  (Net  Unreachable)	The  destination  net  is
       unreachable.

       host-unreach (Host Unreachable) The  destination	 host  is
       unreachable.

       prot-unreach  (Protocol	Unreachable)  desired protocol is
       unreachable to destination host.

       port-unreach (Port Unreachable) desired port  is	 unreach-
       able to destination host.

       frag-needed (Fragmentation Needed and Don't Fragment was
       Set) Shows that the IP packet had to be fragmented because
       of its size but the sender did not allow it because the DF
       (DON'T FRAGMENT) flag was set.

       sroute-fail (Source Route Failed) couldn't follow the
       route indicated on IP packet.

       net-unknown (Destination Network Unknown) Destination net-
       work is unknown.

       host-unknown (Destination Host Unknown) Destination host
       is unknown but the network is known.

       host-isolated  (Source Host Isolated) Can't reach destina-
       tion host.

       net-ano (Communication with Destination Network is  Admin-
       istratively  Prohibited)	 access network is denied through
       firewall or similar on receiver side.

       host-ano (Communication with Destination Host is	 Adminis-
       tratively  Prohibited) access host is denied through fire-
       wall or similar on receiver side.

       net-unr-tos (Destination Network Unreachable for	 Type  of
       Service) indicates on destination network that the Type Of
       Service (TOS) applied for is not allowed.

       host-unr-tos (Destination Host  Unreachable  for	 Type  of
       Service)	 shows	that destination host is unreachable with
       applied TOS.

       com-admin-prohib (Communication	Administratively  Prohib-
       ited)  a router can't forward a packet because of adminis-
       trative filter.

       host-precedence-viol (Host Precedence Violation) IP packet
       precedence is not allowed.

       precedence-cutoff (Precedence cutoff in effect) an IP
       packet was sent with a precedence lower than the minimum
       imposed by the network manager.


       - To be used with Redirect type (-red):

       net  (Redirect Datagram for the Network) shows that desti-
       nation is a network.

       host (Redirect Datagram for the Host) shows that	 destina-
       tion is a host.

       serv-net	 (Redirect  Datagram  for the Type Of Service and
       Network) destination is a type of service and network.

       serv-host (Redirect Datagram for the Type Of  Service  and
       Host) destination is a type of service and host.

       and

       - to be used with Time Exceeded type (-tx):

       ttl (Time to Live exceeded in Transit) the time to live in
       an IP packet header has expired.

       frag (Fragment Reassembly Time Exceeded) could not
       reassemble all the IP packet fragments.



FINGERPRINTING TECHNIQUES
       With the -O option SING can use some simple remote OS
       fingerprinting techniques. To distinguish between Window$
       boxes and the rest of the world, Ofir Arkin has discovered
       a simple method: when an ICMP Echo Request is sent with an
       ICMP code that is not 0, a Window$ box responds with a 0
       code, while the rest of the boxes leave the code field
       unchanged. See the SEE ALSO section.

       With Solaris systems SING uses a method discovered by me:
       when sent a fragmented Address Mask Request, any Solaris
       system (tested from 2.5.1 to Solaris8 Intel & SPARC)
       responds with an Address Mask of 0's. Last update!: Some
       people have noticed that HP-UX v11.0 responds the same way.

       See the EXAMPLES section for examples.
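
       Seen from the monitored side, the probes described above and
       the -U and -B options leave recognisable marks in a capture.
       A classifier for them, as an added example that is not part
       of sing or of the original page; the indicator names, the
       build() helper and its sample addresses are constructed for
       illustration:

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum. Run over a whole ICMP message,
    checksum field included, it returns 0 when the checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(packet: bytes) -> list:
    """Return the probe indicators (hypothetical names) in one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return []                       # truncated, not IPv4 or not ICMP
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        return []                       # malformed header length
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    findings = []
    if flags_frag & 0x8000:             # reserved IP flag, as set by -U
        findings.append("ip-reserved-bit-set")
    more_frags, offset = bool(flags_frag & 0x2000), flags_frag & 0x1FFF
    icmp = packet[ihl:total_len]        # honour total length, skip link padding
    if offset or len(icmp) < 8:
        return findings                 # later fragment: no ICMP header here
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type == 8 and icmp_code != 0:
        findings.append("echo-request-nonzero-code")
    if icmp_type == 17 and more_frags:  # a 12-byte request never needs fragmenting
        findings.append("fragmented-address-mask-request")
    if not more_frags and inet_checksum(icmp) != 0:
        findings.append("bad-icmp-checksum")   # only checkable on whole messages
    return findings

def build(icmp_type, icmp_code, flags_frag=0, bad_sum=False) -> bytes:
    """Constructed sample packet, 192.0.2.1 -> 192.0.2.2, 8-byte ICMP message.
    The IP header checksum is left at 0; classify() does not verify it."""
    body = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1)
    csum = inet_checksum(body) ^ (1 if bad_sum else 0)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 1, flags_frag,
                     64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + body

if __name__ == "__main__":
    samples = [("plain echo request", build(8, 0)),
               ("echo request, code 38", build(8, 38)),
               ("address mask request, MF set", build(17, 0, flags_frag=0x2000)),
               ("echo request, reserved bit", build(8, 0, flags_frag=0x8000)),
               ("echo request, bad checksum", build(8, 0, bad_sum=True))]
    for label, pkt in samples:
        print(f"{label:30s} {classify(pkt)}")
```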



MIMIC TECHNIQUES
       With the -M option SING can try to emulate certain OSes. At
       the moment Window$98/Window$NT4 (win value), UNIX (unix
       value), Linux (linux value), Cisco (cisco value), Solaris
       (solaris value) or Shiva (shiva value) are the only
       accepted values. To emulate them SING changes its normal
       behaviour regarding the IP header flags, the TTL, the
       initial ICMP sequence number, the ICMP id and the ICMP data
       that each OS sends. These techniques are applied only when
       using Echo Request or Echo Reply types.



RETURN VALUES
       sing  can  be  easily  used within shell scripts.  Program
       returns the following values to the shell:

       Value  Meaning
       -----  -----------
       0      Received at least 1 response from destination host.
       1      General Error.
       2      Packet sent OK but received no response.
       3      Out of memory.


EXAMPLES
       - Testing if www.solarisbox.xx is running the Solaris OS,
       assuming no filtering is in place:

       sing -mask -O  www.solarisbox.xx


       - Testing if www.winbox.xx is running the Window$ OS:

       sing -O	www.winbox.xx


       - Send Echos with garbage size of 32 bytes  and	fragments
       of 8 bytes to host www.provatina.xx:

       sing -s 32 -F 8 www.provatina.xx


       -  Send	Echos with data pattern IsSiNg and fragments of 8
       bytes to the  host  www.provatina.xx  using  Loose  Source
       Routing via router1.xx and router2.xx:

       sing -p IsSiNg -F 8 router1.xx@router2.xx@www.provatina.xx


       - Send an ICMP packet Timestamp to host sepultura.hell. We
       spoof as host 10.2.3.1:

       sing -tstamp -S 10.2.3.1 sepultura.hell


       - Send an ICMP packet Router Solicitation to 10.13.1.0:

       sing -rts  10.13.1.0


       - Send an ICMP Router Advertisement to host death.es, say-
       ing that the routers to use are: router1.xtc with  prefer-
       ence  20,  router2.xtc  with preference 50 and router3.xtc
       with default preference (0). We spoof as fatherouter.xtc:

       sing  -rta   router1.xtc/20   -rta   router2.xtc/50   -rta
       router3.xtc -S fatherouter.xtc death.es


       - In response to a packet sent with TCP source port 100
       and destination port 90, we want to send an ICMP Redirect
       to dwdwah.xx to modify its routing table with the
       following data: 10.12.12.12 as a gateway to the host
       death.es, masking the packet source as if it was sent from
       the infect.comx host:

       sing -red -S infect.comx -gw 10.12.12.12 -dest death.es -x
       host -prot tcp -psrc 100 -pdst 90 dwdwah.xx


       -  In  response	to  an ICMP packet Echo Request sent with
       Echo Request id 100 and Echo Request sequence  number  90,
       we  want	 to send an ICMP Redirect to the host araya.xx to
       modify its routing table with the following data: the host
       pizza.death as a gateway to the host death.es, masking the
       packet source as if it was sent from infect.comx host.

       sing -red -S infect.comx -gw pizza.death -dest death.es -x
       host -prot icmp -ip_id 100 -ip_seq 90 araya.xx


       -  We  want  to send an ICMP packet Destination Unreach to
       the host 10.2.3.4 saying that our TCP port number 20  con-
       nected  with  its  TCP port 2100, is unreachable.  We mask
       ourselves as host 10.1.1.1:

       sing -du -S 10.1.1.1 -x port-unreach -prot tcp -psrc  2100
       -pdst 20 10.2.3.4

       - We want to send an ICMP packet Destination Unreach to
       host 10.2.3.4 saying that the host inferno.hell and its
       TCP port 69, connected with its TCP port 666, is
       unreachable. We mask ourselves as gateway router.comx:

       sing -du -S router.comx -x host-unreach	-prot  tcp  -psrc
       666 -pdst 69 -orig inferno.hell 10.2.3.4


       - We want to send an ICMP packet Source Quench to host
       ldg02.hell in response to a packet destined to host
       ldg00 with UDP protocol, source port 100 and destination
       port 200. We mask ourselves as gateway 10.10.10.1:

       sing -sq -S 10.10.10.1 -prot udp -psrc 100 -pdst 200 -orig
       ldg00 ldg02.hell


       - We want to send an ICMP packet Time Exceeded to host
       ldg02.hell in response to a packet destined to host
       ldg00 with UDP protocol, source port 100 and destination
       port 200. We mask as gateway ldg04.hell:

       sing -tx -S ldg04.hell -x frag -prot udp -psrc  100  -pdst
       200 -orig ldg00 ldg02.hell


       -  We want to send an ICMP packet Address Mask Request and
       wait 10 seconds between sending each packet. We	mask  the
       packet  with  source address of 10.2.3.4 and we send it to
       the address 10.0.1.255:

       sing -mask -S 10.2.3.4 -T 10 10.0.1.255


       - We want to send an ICMP packet	 Information  Request  to
       host deep.hell:

       sing -info  deep.hell


       -  We  want  to	send  an ICMP packet Echo Request to host
       black.hell with the data pattern 'MyNameIsGump':

       sing -p MyNameIsGump black.hell


       - We want to send ICMP packet Echo Request to  10.12.0.255
       with  the  following  data  pattern:  D	E  A  T H (blanks
       included).  We	will   mask   the   source   address   as
       192.168.0.255:

       sing -S 192.168.0.255 -p 'D E A T H' 10.12.0.255

       - We want to send an ICMP packet Destination Unreach to
       host destination.death, but sending it with an ICMP code
       greater than the legal ones and also adding 60K of garbage
       data:

       sing -du -x max -s 60000 destination.death


       - We send an ICMP Parameter Problem to host misery.es
       saying that the packet sent from the host dump.xorg with
       udp protocol, source port 13 and destination port 53, has
       an error on the IP header byte 13. We will also add as many
       garbage bytes as possible:

       sing -S dump.xorg -param -ptr 13 -prot udp -psrc 13 -pdst
       53 -s max misery.es


       - We want  to  send  an	ICMP  packet  Timestamp	 to  host
       www.danz.hell with code 38 instead of code (0) as usual:

       sing -tstamp -x 38 www.danz.hell

       -  Same	as  above  without code 38 and using Loose Source
       Routing	between	 the   routers	 cisco,	  10.13.1.1   and
       wakeup.man:

       sing -tstamp cisco@10.13.1.1@wakeup.man@www.danz.hell

       -  Same	as  above using Strict Source Routing between the
       gateways:

       sing -tstamp cisco%10.13.1.1%wakeup.man%www.danz.hell

       - Using Record Route IP Option to see the route taken to
       ftp.target.xx:

       sing -R ftp.target.xx



SEE ALSO
       Postel,	John,  "Internet Control Message Protocol - DARPA
       Internet	 Program  Protocol   Specification",   RFC   792,
       USC/Information Sciences Institute, September 1981.

       Mogul, Jeffrey and John Postel, "Internet Standard Subnet-
       ting Procedure", RFC 950, Stanford,  USC/Information  Sci-
       ences Institute, August 1985.

       Braden, Robert, "Requirements for Internet Hosts -
       Communication Layers", RFC 1122, USC/Information Sciences
       Institute, October 1989.

       Deering,	 Stephen,  "ICMP  Router Discovery Messages", RFC
       1256, Xerox PARC, September 1991.

       Baker, Fred, "Requirements for IP Version 4 Routers", RFC
       1812, Cisco Systems, June 1995.

       Arkin, Ofir, "ICMP usage in scanning",
       http://www.sys-security.com/archive/papers/ICMP_Scanning.pdf,
       Sys-Security Group, July 2000.

       The Linux source code, everything related to the network
       code and to the ICMP protocol.


AUTHOR
       The original ping command was written by Mike Muuss.

       sing was originally written by Alfredo Andres Omella, Slay
       <aandres@s21sec.com>

sing v1.1	   $Date: 2001/02/13 10:51:31 $		       12


