ihousden Posted June 8, 2011

Hi all. I can't get ping to work anywhere outside my network. Here is my test script.

    Dim $PingTarget = "yahoo.ca"
    Dim $Ping

    ; Ping() returns the round-trip time in ms, or 0 with @error set on failure
    $Ping = Ping($PingTarget)

    Select
        Case @error = 1
            ConsoleWrite(@LF & "--> Ping of " & $PingTarget & " result: Offline" & @LF & @LF)
        Case @error = 2
            ConsoleWrite(@LF & "--> Ping of " & $PingTarget & " result: Unreachable" & @LF & @LF)
        Case @error = 3
            ConsoleWrite(@LF & "--> Ping of " & $PingTarget & " result: Bad destination" & @LF & @LF)
        Case @error = 4
            ConsoleWrite(@LF & "--> Ping of " & $PingTarget & " result: Other errors" & @LF & @LF)
        Case Else
            ; no error: print the round-trip time
            ConsoleWrite(@LF & "--> Ping of " & $PingTarget & " result: " & $Ping & @LF & @LF)
    EndSelect
    Exit

Here is its output:

    >"C:\Program Files (x86)\AutoIt3\SciTE\..\autoit3.exe" /ErrorStdOut "C:\Users\ihousden\Documents\Dropbox\AutoIt\Functionality snippets\Ping.au3"

    --> Ping of yahoo.ca result: Offline

    >Exit code: 0    Time: 4.084

Here is the DOS window output on the same machine.

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\ihousden>ping yahoo.ca

    Pinging yahoo.ca [68.180.206.184] with 32 bytes of data:
    Reply from 68.180.206.184: bytes=32 time=41ms TTL=51
    Reply from 68.180.206.184: bytes=32 time=38ms TTL=51
    Reply from 68.180.206.184: bytes=32 time=38ms TTL=51
    Reply from 68.180.206.184: bytes=32 time=38ms TTL=51

    Ping statistics for 68.180.206.184:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 38ms, Maximum = 41ms, Average = 38ms

    C:\Users\ihousden>

I tried it from my laptop with the same result. Firewall has been disabled. I can however ping my gateway and DNS servers with the script, just nothing offsite (no issue if done from DOS window). ICMP statement in ACL seems fine too.

    ! secure ICMP traffic
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any packet-too-big
    permit icmp any any time-exceeded
    permit icmp any any unreachable
    deny icmp any any log

I'm running out of ideas. Anyone know what the issue is? Does the Ping command use a cyberkit ping? Is there an alternate way to ping I can try?

Thanks all.

UEZ Posted June 8, 2011

Strange, for me your code is working. I get roundtrip-time properly.

Br,
UEZ

ihousden Posted June 8, 2011

Thanks for the reply UEZ. Since it works inside my network, I'm fairly certain that it's the ACL but I can't figure out why it's not being let back in. The "permit icmp any any echo-reply" should be permitting it, unless it's not sending a typical ping packet (i.e. cyberkit ping packet or similar).

Cheers

UEZ Posted June 8, 2011

You can try to add #RequireAdmin to your script if it is an ACL issue.

Br,
UEZ

ihousden Posted June 8, 2011

Not sure what that is, but I'll look into it to see how it works. Thanks UEZ.

ihousden Posted June 8, 2011

No change UEZ. The command window works fine without elevated rights so I doubt it's a rights issue. I still think the ping packet is non-standard in some way, and getting blocked by the ACL. At least that seems the most probable from my perspective.

kevinward13 Posted June 8, 2011

Drop a sniffer on your PC and a test machine inside your network and watch the pings from normal cmd and then from AutoIt and that should get you your answer as to the different packet. What to do with it... dunno.

ihousden Posted June 9, 2011

Tried while my VPN to home was up and it works great (ruling out PC configuration/firewall issue). Seems to be a local network issue. Calling in the network guys for some assistance. I will post solution if found, in case anyone else has a similar issue.

zac23 Posted June 9, 2011

Just a warning, I wouldn't call your exe "Ping.exe" when you compile this script, it will override the one in sys32.

ihousden Posted June 10, 2011

Good point Zac. I'll keep that in mind.

OK, so here is what I found so far:

Scripted Ping:

    00000000  AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA  ........ ........
    00000010  AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA  ........ ........
    00000020  AA AA AA AA                                       ....

Command Line Ping:

    00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70  abcdefgh ijklmnop
    00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69  qrstuvwa bcdefghi
    00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70  abcdefgh ijklmnop
    00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69  qrstuvwa bcdefghi
    00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70  abcdefgh ijklmnop
    00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69  qrstuvwa bcdefghi
    00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70  abcdefgh ijklmnop
    00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69  qrstuvwa bcdefghi
    00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70  abcdefgh ijklmnop
    00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69  qrstuvwa bcdefghi
    00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70  abcdefgh ijklmnop
    00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69  qrstuvwa bcdefghi
    00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70  abcdefgh ijklmnop
    00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69  qrstuvwa bcdefghi
    00000000  61 62 63 64 65 66 67 68  69 6A 6B 6C 6D 6E 6F 70  abcdefgh ijklmnop
    00000010  71 72 73 74 75 76 77 61  62 63 64 65 66 67 68 69  qrstuvwa bcdefghi

Note: There was no return from the scripted ping, and four sends & receives from the command line ping.

Scripted ping packet contains 36 bytes of data consisting of A's.
Command line ping packet contains 32 bytes of data consisting of sequential alphabetical characters.

Still not sure why it's being blocked by our Cisco ACLs but will post when I find out.

Cheers

ihousden Posted June 10, 2011

Well it turns out that the IPS system was blocking it.

    2011-06-10T12:18:54-07:00 xx.xxx local3.alert SyslogAlertForwarder: 5550164157742579379;Signature;2011-06-10 12:18:27 PDT;ICMP: Nachi-like Ping;0x40015500;Medium;icmp-nachi-ping;Low;san1cled050;2A-2B;142.104.46.154;0;74.125.155.147;0;Exploit;dos;Outbound;Blocked;signature;icmp;icmp;Unknown;N/A

The only way around this I can think of is to drive a command window and try to interpret the output. Anyone know how to do that? Or know another way to ping reliably?

Cheers.

ihousden Posted June 10, 2011

This also seems like an easy thing to fix. How does one submit it to AutoIt for fixing in the next rev?

Jos (Developers) Posted June 10, 2011 (edited)

> This also seems like an easy thing to fix. How does one submit it to AutoIt for fixing in the next rev?

What do you think is wrong in AutoIt3?

EDIT: AutoIt3 indeed is using a string of 0xAA's but I don't think that the payload is a prescribed string.

The data portion of the payload for ICMP and UDP ping may be a simple 'a-z' repeating character string or the contents of any file you choose (binary or ascii).

Edited June 10, 2011 by Jos

ihousden Posted June 10, 2011

While the current ping() command works in most situations, I have just demonstrated that there are situations where it gets flagged as potentially dangerous because it does not conform to current standards. If the AutoIt developers change the packet to better conform to the standard (32 bytes, with sequential alphabetical character payload), it would improve its ability to pass through protective safeguards. So technically it's not "broken", but could be "improved" in this regard.

Just trying to assist in making a fantastic product that much better.

Jos (Developers) Posted June 10, 2011 (edited)

> While the current ping() command works in most situations, I have just demonstrated that there are situations where it gets flagged as potentially dangerous because it does not conform to current standards. If the AutoIt developers change the packet to better conform to the standard (32 bytes, with sequential alphabetical character payload), it would improve its ability to pass through protective safeguards. So technically it's not "broken", but could be "improved" in this regard.
>
> Just trying to assist in making a fantastic product that much better.

I made an edit, but what is the current standard?

When looking for it I find multiple standards used for the payload data portion of the PING packet.

Edited June 10, 2011 by Jos

ihousden Posted June 10, 2011

That's a great question, and one I can't answer. I also don't know if the IPS system flagged on the payload or the byte count (I suspect the latter). I was presenting both options because it could have flagged on either. So you could be quite correct in the conclusion that the payload does not matter. Should AutoIt wish to test that hypothesis, I would be happy to help test.

Jos (Developers) Posted June 10, 2011

Seems that the Nachi virus blocking rules test just for an ICMP packet with a size of 92.

ihousden Posted June 10, 2011

Tried to confirm that, but could only find this.

> ICMP: Nachi Host Sweep (0x40015400) attack is defined by the ICMP: Nachi-like Ping (0x40015500) attack, a configurable threshold and a configurable time period. In this context, IntruShield uses the concept of component attacks, (0x40015500) is such a component attack and is used with a threshold to trigger (0x40015400) as the correlated attack.

Source:

Don't know if that's any help. Appears the IPS is a McAfee product.

cunningt Posted October 27, 2011

We encountered this exact same problem in our organization, so I had to resort to using a custom ICMP payload function within my AutoIt scripts based upon code from German AutoIt forums.

Our network team enabled the McAfee IPS this week. Our network support staff worked directly with McAfee and I don't know the technical details but the bottom line was McAfee wasn't able to allow AutoIt's ping packets but at the same time still block Nachi-like activity - if they made an allowance for AutoIt's native pings then Nachi-like packets could still get through.

So I had no choice but to send custom ICMP payloads from within AutoIt in order to mimic Windows' native ping payloads (I compared the native ping payloads of WinXP and Win7 and they were the exact same). Sure I could execute ping.exe but I opted to do this natively within AutoIt instead, for detailed error codes.

Some day, could it hurt if AutoIt sent pings the same way that Windows natively does? Just a suggestion.

While troubleshooting this, I customized the ICMP payload to match the 32-byte length of Windows pings but still used repeating ª characters that AutoIt uses; this resulted in the McAfee IPS still blocking the packet... so it wasn't only a packet length issue, it was triggering on the repeating ª characters too.

I call the _PingLikeMicrosoft() function in the PingLikeMicrosoft.au3 include file below which contains an example at the top (sorry, wasn't able to figure out how to upload/attach content), which sends this payload:

    abcdefghijklmnopqrstuvwabcdefghi

In any case, thank you AutoIt team... *amazing* work.

Cheers.

    #cs
    MIMIC MICROSOFT WINDOWS PING PAYLOADS

    Original AutoIt source from German AutoIt forum: (which was based on Visual Basic source below)
    http://www.autoit.de/index.php?page=Thread&postID=57929

    Original Visual Basic source:
    http://vbnet.mvps.org/index.html?code/internet/ping.htm

    MSDN - IcmpSendEcho function
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa366050%28v=vs.85%29.aspx

    AutoIt forum: Identical problem with McAfee IPS where it blocks AutoIt's own pings, which are seen as a Nachi-like attack:
    http://www.autoitscript.com/forum/topic/129525-ping-help/

    ;#################
    ; EXAMPLE - begin
    ;#################

    #include "PingLikeMicrosoft.au3"

    $pingresult = _PingLikeMicrosoft("hostname.somewhere.com", 4000)
    ; When the function fails, @error is set and @extended contains:
    ; 1 = Host is offline
    ; 2 = Host is unreachable
    ; 3 = Bad destination
    ; 4 = Other errors
    If @error Then
        MsgBox(0, "Ping Result", "Failed" & @CRLF & "Error code: " & @extended)
    Else
        MsgBox(0, "Ping Result", "Success" & @CRLF & $pingresult & " milliseconds")
    EndIf
    Exit

    ;#################
    ; EXAMPLE - end
    ;#################
    #ce

    #include-once
    #include <WinAPI.au3>

    Global Const $IP_SUCCESS = 0
    Global Const $IP_STATUS_BASE = 11000
    Global Const $IP_BUF_TOO_SMALL = ($IP_STATUS_BASE + 1)
    Global Const $IP_DEST_NET_UNREACHABLE = ($IP_STATUS_BASE + 2)
    Global Const $IP_DEST_HOST_UNREACHABLE = ($IP_STATUS_BASE + 3)
    Global Const $IP_DEST_PROT_UNREACHABLE = ($IP_STATUS_BASE + 4)
    Global Const $IP_DEST_PORT_UNREACHABLE = ($IP_STATUS_BASE + 5)
    Global Const $IP_NO_RESOURCES = ($IP_STATUS_BASE + 6)
    Global Const $IP_BAD_OPTION = ($IP_STATUS_BASE + 7)
    Global Const $IP_HW_ERROR = ($IP_STATUS_BASE + 8)
    Global Const $IP_PACKET_TOO_BIG = ($IP_STATUS_BASE + 9)
    Global Const $IP_REQ_TIMED_OUT = ($IP_STATUS_BASE + 10)
    Global Const $IP_BAD_REQ = ($IP_STATUS_BASE + 11)
    Global Const $IP_BAD_ROUTE = ($IP_STATUS_BASE + 12)
    Global Const $IP_TTL_EXPIRED_TRANSIT = ($IP_STATUS_BASE + 13)
    Global Const $IP_TTL_EXPIRED_REASSEM = ($IP_STATUS_BASE + 14)
    Global Const $IP_PARAM_PROBLEM = ($IP_STATUS_BASE + 15)
    Global Const $IP_SOURCE_QUENCH = ($IP_STATUS_BASE + 16)
    Global Const $IP_OPTION_TOO_BIG = ($IP_STATUS_BASE + 17)
    Global Const $IP_BAD_DESTINATION = ($IP_STATUS_BASE + 18)
    Global Const $IP_ADDR_DELETED = ($IP_STATUS_BASE + 19)
    Global Const $IP_SPEC_MTU_CHANGE = ($IP_STATUS_BASE + 20)
    Global Const $IP_MTU_CHANGE = ($IP_STATUS_BASE + 21)
    Global Const $IP_UNLOAD = ($IP_STATUS_BASE + 22)
    Global Const $IP_ADDR_ADDED = ($IP_STATUS_BASE + 23)
    Global Const $IP_GENERAL_FAILURE = ($IP_STATUS_BASE + 50)
    Global Const $MAX_IP_STATUS = ($IP_STATUS_BASE + 50)
    Global Const $IP_PENDING = ($IP_STATUS_BASE + 255)
    Global Const $PING_TIMEOUT = 500
    Global Const $WS_VERSION_REQD = 0x101
    Global Const $MIN_SOCKETS_REQD = 1
    Global Const $SOCKET_ERROR = -1
    Global Const $INADDR_NONE = 0xFFFFFFFF
    Global Const $MAX_WSADescription = 256
    Global Const $MAX_WSASYSStatus = 128

    If @AutoItX64 Then Exit 0 * MsgBox(16, @ScriptName & " - Error", "ICMP structures only designed for 32-Bit Version")

    Global Const $ICMP_OPTIONS = _
            "ubyte Ttl;" & _
            "ubyte Tos;" & _
            "ubyte Flags;" & _
            "ubyte OptionsSize;" & _
            "ptr OptionsData" ; Options Data

    Global Const $tagICMP_ECHO_REPLY = _
            "ulong Address;" & _ ; IPAddr
            "ulong Status;" & _
            "ULONG RoundTripTime;" & _
            "USHORT DataSize;" & _
            "USHORT Reserved;" & _
            "ptr Data;" & _
            $ICMP_OPTIONS

    Func _IcmpCustomPayload($sAddress, $sDataToSend, ByRef $ECHO, $PING_TIMEOUT = 4000) ; ECHO As ICMP_ECHO_REPLY
        ; $ECHO receives an ICMP_ECHO_REPLY on success
        ; by Prog@ndy, used VBSource from http://vbnet.mvps.org/index.html?code/internet/ping.htm
        ; on success return 1 , else 0
        Local $return = 0, $error = 0
        ;~ 'If Ping succeeds :
        ;~ '.RoundTripTime = time in ms for the ping to complete,
        ;~ '.Data is the data returned (NULL terminated)
        ;~ '.Address is the Ip address that actually replied
        ;~ '.DataSize is the size of the string in .Data
        ;~ '.Status will be 0
        ;~ '
        ;~ 'If Ping fails .Status will be the error code
        Local $WSOCK32DLL = DllOpen("wsock32.dll")

        ; use Icmp.dll for: Windows 2000 Server and Windows 2000 Professional
        ;Local $ICMPDLL = DllOpen("icmp.dll")

        ; use Iphlpapi.dll for: Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP
        Local $ICMPDLL = DllOpen("Iphlpapi.dll")

        Local $hPort ;As Long
        Local $dwAddress ;As Long
        Local $INADDR_NONE = -1

        ; resolve a host name to a dotted-quad address first
        If Not StringRegExp($sAddress, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") Then
            TCPStartup()
            $sAddress = TCPNameToIP($sAddress)
            TCPShutdown()
        EndIf

        ;~ 'convert the address into a long representation
        $dwAddress = DllCall($WSOCK32DLL, "uint", "inet_addr", "str", $sAddress)
        $dwAddress = $dwAddress[0]

        ;~ 'if a valid address..
        If $dwAddress <> $INADDR_NONE Or $sAddress = "255.255.255.255" Then

            ;~ 'open a port
            $hPort = DllCall($ICMPDLL, "hwnd", "IcmpCreateFile")
            $hPort = $hPort[0]

            ;~ 'and if successful,
            If $hPort Then
                $ECHO = DllStructCreate($tagICMP_ECHO_REPLY & ";char[355]")

                ;~ 'ping it.
                Local $ret = _IcmpSendEcho($hPort, _
                        $dwAddress, _
                        $sDataToSend, _
                        StringLen($sDataToSend), _
                        0, _
                        DllStructGetPtr($ECHO), _
                        DllStructGetSize($ECHO), _
                        $PING_TIMEOUT, _
                        $ICMPDLL)

                ;~ 'return the status as ping success and close
                $error = DllStructGetData($ECHO, "Status")
                If $error = $IP_SUCCESS Then $return = 1
                DllCall($ICMPDLL, "uint", "IcmpCloseHandle", "hwnd", $hPort)
            EndIf
        Else
            ;~ 'the address format was probably invalid
            $return = 0
            $error = $INADDR_NONE
        EndIf

        DllClose($WSOCK32DLL)
        DllClose($ICMPDLL)
        Return SetError($error, 0, $return)
    EndFunc   ;==>_IcmpCustomPayload

    ; by BugFix, modified by Prog@ndy
    ; for 1000 < @error < 1004 the error comes from DllCall. The DllCall error number is then @error - 1000
    Func _IcmpSendEcho($IcmpHandle, $DestinationAddress, $RequestData, $RequestSize, $RequestOptions, $ReplyBuffer, $ReplySize, $Timeout, $ICMPDLL = "icmp.dll")
        Local $ret = DllCall($ICMPDLL, "dword", "IcmpSendEcho", _
                "hwnd", $IcmpHandle, _
                "uint", $DestinationAddress, _
                "str", $RequestData, _
                "dword", $RequestSize, _
                "ptr", $RequestOptions, _
                "ptr", $ReplyBuffer, _
                "dword", $ReplySize, _
                "dword", $Timeout)
        If @error Then Return SetError(@error + 1000, 0, 0)
        Return $ret[0]
    EndFunc   ;==>_IcmpSendEcho

    Func _PingLikeMicrosoft($DestinationAddress, $Timeout = 4000) ; function created by CUNNINGT
        Local $ECHORet

        ; mimic AutoIt's ping payload, 36 byte payload = FAILED - blocked by IPS and ping timeout
        ;Local $pingSucess = _IcmpCustomPayload($DestinationAddress, "ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª", $ECHORet, $Timeout)

        ; mimic AutoIt's ping payload, but 32 byte payload like Microsoft's length = FAILED - blocked by IPS and ping timeout
        ;Local $pingSucess = _IcmpCustomPayload($DestinationAddress, "ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª", $ECHORet, $Timeout)

        ; mimic Windows' ping payload, 32 bytes = SUCCESS - not blocked by IPS
        Local $pingSucess = _IcmpCustomPayload($DestinationAddress, "abcdefghijklmnopqrstuvwabcdefghi", $ECHORet, $Timeout)

        If @error Then
            ; map the IcmpSendEcho status onto Ping()-style codes, returned in @extended
            Switch @error
                Case $IP_REQ_TIMED_OUT
                    Return SetError(1, 1)
                Case $IP_DEST_HOST_UNREACHABLE
                    Return SetError(1, 2)
                Case $IP_BAD_DESTINATION
                    Return SetError(1, 3)
                Case Else
                    Return SetError(1, 4)
            EndSwitch
        Else
            Return DllStructGetData($ECHORet, "RoundTripTime")
        EndIf

        #cs
        Func _DecIPToString($DecIP)
            Local $IPString = DllCall("ws2_32.dll","str","inet_ntoa", "uint",$DecIP)
            If @error Then Return SetError(1,"0.0.0.0")
            Return $IPString[0]
        EndFunc

        $returnedText = DllStructCreate("char[" & DllStructGetData($ECHORet, "DataSize") & "]", DllStructGetData($ECHORet, "Data"))
        MsgBox(0, 'Ping results' , "The ping was successful: " & ($pingSucess=1) & @CRLF & _
                "The destination IP was: " & _DecIPToString(DllStructGetData($ECHORet, "Address")) & @CRLF & _
                "The ping time was: " & DllStructGetData($ECHORet, "RoundTripTime") & " ms" & @CRLF & _
                "The transmitted data (String): " & DllStructGetData($returnedText, 1))
        #ce
    EndFunc   ;==>_PingLikeMicrosoft
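
The behaviour reported in this thread (both the 36-byte and the 32-byte 0xAA payloads blocked, the Windows-style payload passed) can be reproduced offline from the defender's side. The following Python is an added example, not code from the thread or from McAfee: the function names are hypothetical and the "all bytes are 0xAA" rule is an assumed, simplified stand-in for the IPS signature, whose real logic is not shown on this page.

```python
import struct

NACHI_FILL = 0xAA                          # fill byte seen in the thread's AutoIt capture
WINDOWS_ALPHABET = b"abcdefghijklmnopqrstuvw"  # ping.exe payload cycles a..w


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_echo_request(packet: bytes) -> bytes:
    """Return the data portion; reject truncated, non-echo or corrupt messages."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    if (icmp_type, code) != (8, 0):
        raise ValueError("not an echo request")
    if inet_checksum(packet) != 0:         # a valid message sums to zero
        raise ValueError("bad checksum")
    return packet[8:]


def classify_payload(payload: bytes) -> str:
    """Assumed content rule: length is ignored, only the fill pattern matters."""
    if payload and all(b == NACHI_FILL for b in payload):
        return "nachi-like"
    expected = bytes(WINDOWS_ALPHABET[i % len(WINDOWS_ALPHABET)]
                     for i in range(len(payload)))
    if payload and payload == expected:
        return "windows-ping"
    return "other"


def classify_samples() -> dict:
    """Classify the three payloads tested in the thread (constructed packets)."""
    samples = {
        "autoit_36": b"\xaa" * 36,                          # AutoIt Ping()
        "aa_32": b"\xaa" * 32,                              # 0xAA at Windows length
        "windows_32": b"abcdefghijklmnopqrstuvwabcdefghi",  # ping.exe
    }
    results = {}
    for seq, (name, data) in enumerate(samples.items()):
        packet = build_echo_request(1, seq, data)
        results[name] = classify_payload(parse_echo_request(packet))
    return results


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(name, "->", verdict)
```

A content-only rule like this flags any benign tool that pads with 0xAA, which is the false positive described above; the IntruShield text quoted earlier pairs the per-packet signature with a threshold and time period for the correlated host-sweep alert.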