cti-ATT-CK-v13.1/capec/2.1/attack-pattern/attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247.json

{
    "id": "bundle--302a5fed-7497-4fd8-a269-1aaea8b4ddf2",
    "objects": [
        {
            "created": "2014-06-23T00:00:00.000Z",
            "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
            "description": "An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or \"Quoted\" from the originating request that generated the ICMP error message.",
            "external_references": [
                {
                    "external_id": "CAPEC-329",
                    "source_name": "capec",
                    "url": "https://capec.mitre.org/data/definitions/329.html"
                },
                {
                    "external_id": "CWE-200",
                    "source_name": "cwe",
                    "url": "http://cwe.mitre.org/data/definitions/200.html"
                },
                {
                    "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
                    "external_id": "REF-33",
                    "source_name": "reference_from_CAPEC"
                },
                {
                    "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
                    "external_id": "REF-123",
                    "source_name": "reference_from_CAPEC",
                    "url": "http://www.faqs.org/rfcs/rfc792.html"
                },
                {
                    "description": "R. Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10",
                    "external_id": "REF-124",
                    "source_name": "reference_from_CAPEC",
                    "url": "http://www.faqs.org/rfcs/rfc1122.html"
                },
                {
                    "description": "Ofir Arkin, A Remote Active OS Fingerprinting Tool using ICMP, 2002--04, The Sys-Security Group",
                    "external_id": "REF-262",
                    "source_name": "reference_from_CAPEC",
                    "url": "http://ofirarkin.files.wordpress.com/2008/11/login.pdf"
                }
            ],
            "id": "attack-pattern--1059e91f-43ff-4a00-bc74-4110979f5247",
            "modified": "2022-02-22T00:00:00.000Z",
            "name": "ICMP Error Message Quoting Probe",
            "object_marking_refs": [
                "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
            ],
            "spec_version": "2.1",
            "type": "attack-pattern",
            "x_capec_abstraction": "Detailed",
            "x_capec_child_of_refs": [
                "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617"
            ],
            "x_capec_consequences": {
                "Access_Control": [
                    "Bypass Protection Mechanism",
                    "Hide Activities"
                ],
                "Authorization": [
                    "Bypass Protection Mechanism",
                    "Hide Activities"
                ],
                "Confidentiality": [
                    "Read Data",
                    "Bypass Protection Mechanism",
                    "Hide Activities"
                ]
            },
            "x_capec_domains": [
                "Software"
            ],
            "x_capec_extended_description": "\n            <xhtml:p>For this purpose \"Port Unreachable\" error messages are often used, as generating them requires the adversary to send a UDP datagram to a closed port on the target. The goal of this analysis to make inferences about the type of operating system or firmware that sent the error message in reply.</xhtml:p>\n            <xhtml:p>This is useful for identifying unique characteristics of operating systems because the RFC-1122 expected behavior reads: \"Every ICMP error message includes the Internet header and at least the first 8 data octets of the datagram that triggered the error; more than 8 octets MAY be sent [...].\" This contrasts with RFC-792 expected behavior, which limited the quoted text to 64 bits (8 octets). Given the latitude in the specification the resulting RFC-1122 stack implementations often respond with a high degree of variability in the amount of data quoted in the error message because \"older\" or \"legacy\" stacks may comply with the RFC-792 specification, while other stacks may choose a longer format in accordance with RFC-1122. As a general rule most operating systems or firmware will quote the first 8 bytes of the datagram triggering the error, but some IP stacks will quote more than the first 8 bytes of data.</xhtml:p>\n         ",
            "x_capec_likelihood_of_attack": "Medium",
            "x_capec_prerequisites": [
                "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card."
            ],
            "x_capec_resources_required": [
                "A tool capable of sending/receiving UDP datagram packets from a remote system to a closed port and receive an ICMP Error Message Type 3, \"Port Unreachable.."
            ],
            "x_capec_status": "Stable",
            "x_capec_typical_severity": "Low",
            "x_capec_version": "3.9"
        }
    ],
    "type": "bundle"
}