ICMP Timestamp Ping (-PP)

The ICMP timestamp ping is a departure from the usual nmap ping types because it takes advantage of a little-used ICMP message type to determine if a remote station is active. The ICMP timestamp is rarely seen in normal network traffic, but it can be quite useful for determining availability.

An ICMP timestamp ping is designed to allow two separate systems to coordinate their time-of-day clocks. It's not often used, but it's supported across many different TCP/IP stacks and operating systems.



ICMP Timestamp Ping Operation
An ICMP timestamp ping operates similarly to other ICMP-based pings. The source workstation sends an ICMP Get Timestamp message and waits for an ICMP Send Timestamp response.
Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.5] [192.168.0.3] ICMP: C Get timestamp
[192.168.0.3] [192.168.0.5] ICMP: R Timestamp
If the remote device doesn't respond, the ping fails and the scan does not proceed.
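
For anyone monitoring a network for this ping, the following added example (not part of the original page) decodes the two messages in the trace above and pairs each timestamp request with its reply. It assumes the RFC 792 layout (type 13 request, type 14 reply, three 32-bit timestamps in milliseconds since midnight UT); the function names and the sample capture are constructed for illustration.

```python
import struct

TS_REQUEST, TS_REPLY = 13, 14  # RFC 792 types (the trace's "Get timestamp" / "Timestamp")

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_timestamp(icmp_type, ident, seq, originate, receive=0, transmit=0):
    """Build a 20-byte ICMP timestamp message; used only to construct sample input."""
    body = struct.pack("!HHIII", ident, seq, originate, receive, transmit)
    csum = inet_checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body

def parse_timestamp(icmp: bytes):
    """Decode an ICMP timestamp request/reply; return None for anything else."""
    if len(icmp) < 20 or inet_checksum(icmp) != 0:  # a valid message sums to zero
        return None
    icmp_type, code, _, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp[:20])
    if icmp_type not in (TS_REQUEST, TS_REPLY) or code != 0:
        return None
    return {"type": icmp_type, "id": ident, "seq": seq, "originate": orig, "receive": recv, "transmit": xmit}

def find_timestamp_probes(packets):
    """Pair requests with replies; return [(prober, target, answered)] per request."""
    probes, replies = [], set()
    for src, dst, icmp in packets:
        msg = parse_timestamp(icmp)
        if msg and msg["type"] == TS_REQUEST:
            probes.append((src, dst, msg["id"], msg["seq"]))
        elif msg:
            replies.add((dst, src, msg["id"], msg["seq"]))  # key by the request's direction
    return [(s, d, (s, d, i, q) in replies) for s, d, i, q in probes]

# Constructed sample capture: (source, destination, ICMP message bytes).
SAMPLE = [
    ("192.168.0.5", "192.168.0.3", build_timestamp(TS_REQUEST, 0x1A2B, 0, 0)),
    ("192.168.0.3", "192.168.0.5", build_timestamp(TS_REPLY, 0x1A2B, 0, 0, 51_000_000, 51_000_000)),
    ("192.168.0.5", "192.168.0.9", build_timestamp(TS_REQUEST, 0x1A2C, 0, 0)),  # never answered
    ("192.168.0.7", "192.168.0.3", build_timestamp(8, 1, 1, 0)),  # echo request: ignored
]

if __name__ == "__main__":
    print(find_timestamp_probes(SAMPLE))
```

Because timestamp requests are rare in normal traffic, every tuple this returns is worth a look, whether or not the target answered.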

If nmap is not running as a privileged user, the -PP option provides the following warning:

Warning: You are not root -- using TCP pingscan rather than ICMP

The ping process then continues with a TCP connect()-style ping.



Advantages of the ICMP Timestamp Ping
The ICMP timestamp ping doesn't rely on any particular application on the remote device. The ICMP functionality is built into the TCP/IP stack, and many stacks have continued to support this timestamp function.

ICMP is often filtered through firewalls and packet filters. If this ping works, then the network link between the nmap station and the remote device is most likely wide open!


Disadvantages of the ICMP Timestamp Ping
Although the ICMP timestamp ping uses little network traffic, the timestamp message is not usually found in normal network conversations. The function itself is esoteric, and although it can provide a time synchronization function for a workstation, most environments rely on Network Time Protocol (NTP) to provide clock synchronization.

The ICMP timestamp ping relies on ICMP, which is often prevented from traversing firewalls or packet filters. This ping is probably not the best choice for scanning through firewalls.

The ICMP timestamp ping will only work for privileged users. Nmap will modify the ping for non-privileged users to use a TCP connect()-like ping. Since a TCP connect() initializes application sessions when accessing an open port, it's important to understand the implications of using this ping type with a non-privileged user!

The -PP option ignores any port parameters, so this TCP connect() will always default to port 80. If there's a web server on the other end of the nmap scan, a session will be initialized!



When to use the ICMP Timestamp Ping
The ICMP timestamp ping is useful for non-filtered network connections. If a firewall is in use, this ping option may not provide any successful responses.

This ping type can only be used by privileged users. If nmap is running as a non-privileged user, this ping type will default to a TCP connect()-like ping.

Non-privileged users have little flexibility when using the -PP option. Since this ping type will default to a TCP connect()-like ping method, it's a better option for non-privileged users to use the TCP ACK ping (-PA) or TCP SYN ping (-PS) so that a port number can be specified.