ihousden

Ping help

19 posts in this topic

Hi all.

I can't get ping to work anywhere outside my network.

Here is my test script.

Dim $PingTarget = "yahoo.ca"
Dim $Ping

$Ping = ping ($PingTarget)
Select
    case @error = 1 
        ConsoleWrite(@LF & "-->  Ping of " & $PingTarget & " result:  Offline" & @LF & @LF)
    Case @error = 2 
        ConsoleWrite(@LF & "-->  Ping of " & $PingTarget & " result:  Unreachable" & @LF & @LF)
    Case @error = 3 
        ConsoleWrite(@LF & "-->  Ping of " & $PingTarget & " result:  Bad destination" & @LF & @LF)
    Case @error = 4 
        ConsoleWrite(@LF & "-->  Ping of " & $PingTarget & " result:  Other errors" & @LF & @LF)
    Case Else
        ConsoleWrite(@LF & "-->  Ping of " & $PingTarget & " result: " & $Ping & @LF & @LF)
EndSelect
    
Exit

Here is its output

>"C:\Program Files (x86)\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "C:\Users\ihousden\Documents\Dropbox\AutoIt\Functionality snippets\Ping.au3"    

-->  Ping of yahoo.ca result:  Offline

>Exit code: 0    Time: 4.084

Here is the dos window output on the same machine.

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\ihousden>ping yahoo.ca

Pinging yahoo.ca [68.180.206.184] with 32 bytes of data:
Reply from 68.180.206.184: bytes=32 time=41ms TTL=51
Reply from 68.180.206.184: bytes=32 time=38ms TTL=51
Reply from 68.180.206.184: bytes=32 time=38ms TTL=51
Reply from 68.180.206.184: bytes=32 time=38ms TTL=51

Ping statistics for 68.180.206.184:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 38ms, Maximum = 41ms, Average = 38ms

C:\Users\ihousden>

I tried it from my laptop with the same result. Firewall has been disabled. I can however ping my gateway and DNS servers with the script, just nothing offsite (no issue if done from dos window). ICMP statement in ACL seems fine too.

! secure ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any log

I'm running out of ideas. Anyone know what the issue is? Does the Ping command use a cyberkit ping? Is there an alternate way to ping I can try?

Thanks all.




Strange, for me your code is working. I get roundtrip-time properly.

Br,

UEZ



Thanks for the reply UEZ. Since it works inside my network, I'm fairly certain that it's the ACL, but I can't figure out why it's not being let back in. The "permit icmp any any echo-reply" should be permitting it, unless it's not sending a typical ping packet (i.e. a cyberkit ping packet or similar).

Cheers


You can try to add #RequireAdmin to your script if it is an ACL issue.

Br,

UEZ



Not sure what that is, but I'll look into it to see how it works.

Thanks UEZ.


No change UEZ. The command window works fine without elevated rights, so I doubt it's a rights issue. I still think the ping packet is non-standard in some way and getting blocked by the ACL. At least that seems the most probable from my perspective.


Drop a sniffer on your PC and a test machine inside your network and watch the pings from normal cmd and then from AutoIt, and that should get you your answer as to the different packet.

What to do with it....dunno.


Tried while my VPN to home was up and it works great (ruling out PC configuration/firewall issue). Seems to be a local network issue. Calling in the network guys for some assistance. I will post solution if found, in case anyone else has a similar issue.


Just a warning: I wouldn't call your exe "Ping.exe" when you compile this script; it will override the one in sys32.



Good point Zac. I'll keep that in mind.

OK, so here is what I found so far:

Scripted Ping:

00000000  AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ........ ........ 
00000010  AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ........ ........ 
00000020  AA AA AA AA                                        ....

Command Line Ping:

00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70   abcdefgh ijklmnop 
00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69   qrstuvwa bcdefghi 

00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70   abcdefgh ijklmnop 
00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69   qrstuvwa bcdefghi 

00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70   abcdefgh ijklmnop 
00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69   qrstuvwa bcdefghi 

00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70   abcdefgh ijklmnop 
00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69   qrstuvwa bcdefghi 

00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70   abcdefgh ijklmnop 
00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69   qrstuvwa bcdefghi 

00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70   abcdefgh ijklmnop 
00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69   qrstuvwa bcdefghi 

00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70   abcdefgh ijklmnop 
00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69   qrstuvwa bcdefghi 

00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70   abcdefgh ijklmnop 
00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69   qrstuvwa bcdefghi

Note: There was no return from the scripted ping, and four sends & receives from the command line ping.

Scripted ping packet contains 36 Bytes of data consisting of A's.

Command line ping's packet contains 32 Bytes of data consisting of sequential alphabetical characters.

Still not sure why it's being blocked by our Cisco ACLs but will post when I find out.

Cheers


Well it turns out that the IPS system was blocking it.

2011-06-10T12:18:54-07:00 xx.xxx local3.alert SyslogAlertForwarder: 5550164157742579379;Signature;2011-06-10 12:18:27 PDT;ICMP: Nachi-like Ping;0x40015500;Medium;icmp-nachi-ping;Low;san1cled050;2A-2B;142.104.46.154;0;74.125.155.147;0;Exploit;dos;Outbound;Blocked;signature;icmp;icmp;Unknown;N/A

The only way around this I can think of is to drive a command window and try to interpret the output. Anyone know how to do that? or know another way to ping reliably?

Cheers.


This also seems like an easy thing to fix. How does one submit it to AutoIt for fixing in the next rev?


#13 ·  Posted (edited)

This also seems like an easy thing to fix. How does one submit it to AutoIt for fixing in the next rev?

What do you think is wrong in AutoIt3?

EDIT: AutoIt3 indeed is using a string of 0xAA's, but I don't think that the payload is a prescribed string.

The data portion of the payload for ICMP and UDP ping may be a simple 'a-z' repeating character string or the contents of any file you choose (binary or ascii).

Edited by Jos


While the current ping() command works in most situations, I have just demonstrated that there are situations where it gets flagged as potentially dangerous because it does not conform to current standards. If the AutoIt developers change the packet to better conform to the standard (32 Bytes, with sequential alphabetical character payload), it would improve its ability to pass through protective safeguards.

So technically it's not "broken", but could be "improved" in this regard. Just trying to assist in making a fantastic product that much better.


#15 ·  Posted (edited)

While the current ping() command works in most situations, I have just demonstrated that there are situations where it gets flagged as potentially dangerous because it does not conform to current standards. If the AutoIt developers change the packet to better conform to the standard (32 Bytes, with sequential alphabetical character payload), it would improve its ability to pass through protective safeguards.

So technically it's not "broken", but could be "improved" in this regard. Just trying to assist in making a fantastic product that much better.

I made an edit, but what is the current standard?

When looking for it I find multiple standards used for the payload data portion of the PING packet.

Edited by Jos


That's a great question, and one I can't answer. I also don't know if the IPS system flagged on the payload or the byte count (I suspect the latter). I was presenting both options because it could have flagged on either. So you could be quite correct in the conclusion that the payload does not matter.

Should AutoIt wish to test that hypothesis, I would be happy to help test.


Tried to confirm that, but could only find this.

ICMP: Nachi Host Sweep (0x40015400) attack is defined by the ICMP: Nachi-like Ping (0x40015500) attack, a configurable threshold and a configurable time period.

In this context, IntruShield uses the concept of component attacks, (0x40015500) is such a component attack and is used with a threshold to trigger (0x40015400) as the correlated attack.

Source:

Don't know if that's any help. Appears the IPS is a McAfee product.


We encountered this exact same problem in our organization, so I had to resort to using a custom ICMP payload function within my AutoIt scripts based upon code from German AutoIt forums. Our network team enabled the McAfee IPS this week. Our network support staff worked directly with McAfee and I don't know the technical details, but the bottom line was McAfee wasn't able to allow AutoIt's ping packets but at the same time still block Nachi-like activity - if they made an allowance for AutoIt's native pings then Nachi-like packets could still get through. So I had no choice but to send custom ICMP payloads from within AutoIt in order to mimic Windows' native ping payloads (I compared the native ping payloads of WinXP and Win7 and they were the exact same). Sure I could execute ping.exe, but I opted to do this natively within AutoIt instead, for detailed error codes.

Some day, could it hurt if AutoIt sent pings the same way that Windows' natively does? Just a suggestion.

While troubleshooting this, I customized the ICMP payload to match the 32-byte length of Windows pings but still used repeating ª characters that AutoIt uses; this resulted in the McAfee IPS still blocking the packet... so it wasn't only a packet length issue, it was triggering on the repeating ª characters too.

I call the _PingLikeMicrosoft() function in the PingLikeMicrosoft.au3 include file below which contains an example at the top (sorry, wasn't able to figure out how to upload/attach content), which sends this payload: abcdefghijklmnopqrstuvwabcdefghi

In any case, thank you AutoIt team... *amazing* work. Cheers.

#cs
MIMIC MICROSOFT WINDOWS PING PAYLOADS
Original AutoIt source from German AutoIt forum:  (which was based on Visual Basic source below)
http://www.autoit.de/index.php?page=Thread&postID=57929
Original Visual Basic source:
http://vbnet.mvps.org/index.html?code/internet/ping.htm
MSDN - IcmpSendEcho function
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366050%28v=vs.85%29.aspx
AutoIt forum: Identical problem with McAfee IPS where it blocks AutoIt's own pings, which are seen as a Nachi-like attack:
http://www.autoitscript.com/forum/topic/129525-ping-help/

;#################
; EXAMPLE - begin
;#################
#include "PingLikeMicrosoft.au3"
$pingresult = _PingLikeMicrosoft("hostname.somewhere.com", 4000)
;  When the function fails, @error contains extended information:
;    1 = Host is offline
;    2 = Host is unreachable
;    3 = Bad destination
;    4 = Other errors
If @error Then
MsgBox(0, "Ping Result", "Failed" & @CRLF & "Error code: " & @extended)
Else
MsgBox(0, "Ping Result", "Success" & @CRLF & $pingresult & " milliseconds")
EndIf
Exit
;#################
; EXAMPLE - end
;#################
#ce
#include-once
#include <WinAPI.au3>
Global Const $IP_SUCCESS = 0
Global Const $IP_STATUS_BASE = 11000
Global Const $IP_BUF_TOO_SMALL = ($IP_STATUS_BASE + 1)
Global Const $IP_DEST_NET_UNREACHABLE = ($IP_STATUS_BASE + 2)
Global Const $IP_DEST_HOST_UNREACHABLE = ($IP_STATUS_BASE + 3)
Global Const $IP_DEST_PROT_UNREACHABLE = ($IP_STATUS_BASE + 4)
Global Const $IP_DEST_PORT_UNREACHABLE = ($IP_STATUS_BASE + 5)
Global Const $IP_NO_RESOURCES = ($IP_STATUS_BASE + 6)
Global Const $IP_BAD_OPTION = ($IP_STATUS_BASE + 7)
Global Const $IP_HW_ERROR = ($IP_STATUS_BASE + 8)
Global Const $IP_PACKET_TOO_BIG = ($IP_STATUS_BASE + 9)
Global Const $IP_REQ_TIMED_OUT = ($IP_STATUS_BASE + 10)
Global Const $IP_BAD_REQ = ($IP_STATUS_BASE + 11)
Global Const $IP_BAD_ROUTE = ($IP_STATUS_BASE + 12)
Global Const $IP_TTL_EXPIRED_TRANSIT = ($IP_STATUS_BASE + 13)
Global Const $IP_TTL_EXPIRED_REASSEM = ($IP_STATUS_BASE + 14)
Global Const $IP_PARAM_PROBLEM = ($IP_STATUS_BASE + 15)
Global Const $IP_SOURCE_QUENCH = ($IP_STATUS_BASE + 16)
Global Const $IP_OPTION_TOO_BIG = ($IP_STATUS_BASE + 17)
Global Const $IP_BAD_DESTINATION = ($IP_STATUS_BASE + 18)
Global Const $IP_ADDR_DELETED = ($IP_STATUS_BASE + 19)
Global Const $IP_SPEC_MTU_CHANGE = ($IP_STATUS_BASE + 20)
Global Const $IP_MTU_CHANGE = ($IP_STATUS_BASE + 21)
Global Const $IP_UNLOAD = ($IP_STATUS_BASE + 22)
Global Const $IP_ADDR_ADDED = ($IP_STATUS_BASE + 23)
Global Const $IP_GENERAL_FAILURE = ($IP_STATUS_BASE + 50)
Global Const $MAX_IP_STATUS = ($IP_STATUS_BASE + 50)
Global Const $IP_PENDING = ($IP_STATUS_BASE + 255)
Global Const $PING_TIMEOUT = 500
Global Const $WS_VERSION_REQD = 0x101
Global Const $MIN_SOCKETS_REQD = 1
Global Const $SOCKET_ERROR = -1
Global Const $INADDR_NONE = 0xFFFFFFFF
Global Const $MAX_WSADescription = 256
Global Const $MAX_WSASYSStatus = 128
If @AutoItX64 Then Exit 0 * MsgBox(16, @ScriptName & " - Error", "ICMP structures only designed for 32-Bit Version")
Global Const $ICMP_OPTIONS = _
"ubyte Ttl;" & _
"ubyte Tos;" & _
"ubyte Flags;" & _
"ubyte OptionsSize;" & _
"ptr OptionsData" ; Options Data
Global Const $tagICMP_ECHO_REPLY = _
"ulong Address;" & _ ; IPAddr
"ulong Status;" & _
"ULONG RoundTripTime;" & _
"USHORT DataSize;" & _
"USHORT Reserved;" & _
"ptr Data;" & _
$ICMP_OPTIONS
Func _IcmpCustomPayload($sAddress, $sDataToSend, ByRef $ECHO, $PING_TIMEOUT = 4000) ; ECHO As ICMP_ECHO_REPLY
; $ECHO receives an ICMP_ECHO_REPLY on success
; by Prog@ndy, used VBSource from http://vbnet.mvps.org/index.html?code/internet/ping.htm
; on success return 1 , else 0
Local $return = 0, $error = 0
;~   'If Ping succeeds :
;~   '.RoundTripTime = time in ms for the ping to complete,
;~   '.Data is the data returned (NULL terminated)
;~   '.Address is the Ip address that actually replied
;~   '.DataSize is the size of the string in .Data
;~   '.Status will be 0
;~   '
;~   'If Ping fails .Status will be the error code
Local $WSOCK32DLL = DllOpen("wsock32.dll")
; use Icmp.dll for: Windows 2000 Server and Windows 2000 Professional
;Local $ICMPDLL = DllOpen("icmp.dll")
; use Iphlpapi.dll for: Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP
Local $ICMPDLL = DllOpen("Iphlpapi.dll")
Local $hPort ;As Long
Local $dwAddress ;As Long
Local $INADDR_NONE = -1
If Not StringRegExp($sAddress,"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") Then
  TCPStartup()
  $sAddress = TCPNameToIP($sAddress)
  TCPShutdown()
EndIf
;~   'convert the address into a long representation
$dwAddress = DllCall($WSOCK32DLL, "uint", "inet_addr", "str", $sAddress)
$dwAddress = $dwAddress[0]
;~   'if a valid address..
If $dwAddress <> $INADDR_NONE Or $sAddress = "255.255.255.255" Then
  ;~  'open a port
  $hPort = DllCall($ICMPDLL, "hwnd", "IcmpCreateFile")
  $hPort = $hPort[0]
  ;~  'and if successful,
  If $hPort Then
   $ECHO = DllStructCreate($tagICMP_ECHO_REPLY & ";char[355]")
   ;~    'ping it.
   Local $ret = _IcmpSendEcho($hPort, _
    $dwAddress, _
    $sDataToSend, _
    StringLen($sDataToSend), _
    0, _
    DllStructGetPtr($ECHO), _
    DllStructGetSize($ECHO), _
    $PING_TIMEOUT, _
    $ICMPDLL)
   ;~    'return the status as ping success and close
   $error = DllStructGetData($ECHO, "Status")
   If $error = $IP_SUCCESS Then $return = 1
   DllCall($ICMPDLL, "uint", "IcmpCloseHandle", "hwnd", $hPort)
  EndIf
Else
  ;~     'the address format was probably invalid
  $return = 0
  $error = $INADDR_NONE
EndIf
DllClose($WSOCK32DLL)
DllClose($ICMPDLL)
Return SetError($error, 0, $return)
EndFunc   ;==>_IcmpCustomPayload
; by BugFix, modified by Prog@ndy
; for 1000 < @error < 1004 the error comes from DllCall; the DllCall error number is then @error - 1000
Func _IcmpSendEcho($IcmpHandle, $DestinationAddress, $RequestData, $RequestSize, $RequestOptions, $ReplyBuffer, $ReplySize, $Timeout, $ICMPDLL = "icmp.dll")
Local $ret = DllCall($ICMPDLL, "dword", "IcmpSendEcho", _
  "hwnd", $IcmpHandle, _
  "uint", $DestinationAddress, _
  "str", $RequestData, _
  "dword", $RequestSize, _
  "ptr", $RequestOptions, _
  "ptr", $ReplyBuffer, _
  "dword", $ReplySize, _
  "dword", $Timeout)
If @error Then Return SetError(@error+1000, 0, 0)
Return $ret[0]
EndFunc   ;==>_IcmpSendEcho
 
Func _PingLikeMicrosoft($DestinationAddress, $Timeout = 4000)
; function created by CUNNINGT
Local $ECHORet
; mimic AutoIt's ping payload, 36 byte payload = FAILED - blocked by IPS and ping timeout
;Local $pingSucess = _IcmpCustomPayload($DestinationAddress, "ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª", $ECHORet, $Timeout)
; mimic AutoIt's ping payload, but 32 byte payload like Microsoft's length = FAILED - blocked by IPS and ping timeout
;Local $pingSucess = _IcmpCustomPayload($DestinationAddress, "ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª", $ECHORet, $Timeout)
; mimic Windows' ping payload, 32 bytes = SUCCESS - not blocked by IPS
Local $pingSucess = _IcmpCustomPayload($DestinationAddress, "abcdefghijklmnopqrstuvwabcdefghi", $ECHORet, $Timeout)
If @error Then
  Switch @error
   Case $IP_REQ_TIMED_OUT
    Return SetError(1, 1)
   Case $IP_DEST_HOST_UNREACHABLE
    Return SetError(1, 2)
   Case $IP_BAD_DESTINATION
    Return SetError(1, 3)
   Case Else
    Return SetError(1, 4)
  EndSwitch
Else
  Return DllStructGetData($ECHORet, "RoundTripTime")
EndIf
#cs
Func _DecIPToString($DecIP)
  Local $IPString =  DllCall("ws2_32.dll","str","inet_ntoa", "uint",$DecIP)
  If @error Then Return SetError(1,"0.0.0.0")
  Return $IPString[0]
EndFunc
$returnedText = DllStructCreate("char[" & DllStructGetData($ECHORet, "DataSize") & "]", DllStructGetData($ECHORet, "Data"))
MsgBox(0, 'Ping results' , "The ping was successful: " & ($pingSucess=1) & @CRLF & _
"The destination IP was: " & _DecIPToString(DllStructGetData($ECHORet, "Address")) & @CRLF & _
"The ping time was: " & DllStructGetData($ECHORet, "RoundTripTime") & " ms" & @CRLF & _
"The transmitted data (String): " & DllStructGetData($returnedText, 1))
#ce
EndFunc   ;==>_PingLikeMicrosoft
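
Added example, not part of the original posts or of AutoIt: a Python sketch from the detection side that parses ICMP echo messages and labels the three payloads compared in this thread. The packets are constructed samples, and the all-0xAA rule is an assumed heuristic consistent with what the posters observed, not McAfee's actual signature logic.

```python
import struct

# 32-byte payload the thread reports for Windows' ping.exe
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Constructed sample: ICMP echo request (type 8, code 0), valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def classify_echo(icmp: bytes) -> str:
    """Label an ICMP message by its echo payload (assumed heuristic)."""
    if len(icmp) < 8:
        return "malformed"
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", icmp[:8])
    # A valid message sums to 0xFFFF, so the complemented result is 0.
    if inet_checksum(icmp) != 0:
        return "bad-checksum"
    if icmp_type not in (0, 8) or code != 0:
        return "not-echo"
    payload = icmp[8:]
    if not payload:
        return "empty-payload"
    if payload == WINDOWS_PING:
        return "windows-ping"
    # Length-independent: the thread saw both 36 and 32 bytes of 0xAA blocked.
    if payload.count(b"\xaa") == len(payload):
        return "repeated-0xAA"
    return "other"


# Constructed samples mirroring the three payloads tested in the thread.
SAMPLES = {
    "autoit_36": build_echo_request(b"\xaa" * 36),
    "autoit_32": build_echo_request(b"\xaa" * 32),
    "windows_32": build_echo_request(WINDOWS_PING),
}


def triage(samples: dict) -> dict:
    """Return {sample name: label} for a dict of raw ICMP messages."""
    return {name: classify_echo(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name:12s} {label}")
```

The classifier takes the ICMP message only (IP header already stripped), so it can be fed the ICMP layer from a capture when comparing what a script sends against what ping.exe sends.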
