Hping3 Examples

Hping3 examples
24 Replies
How to test the rules of your firewall by example using hping3.
In this how to I will be showing you a few ways you can test your firewall to see what is allowed
and what is not. I will be testing the rules of a WRT54G v2 router with the newest Linksys
firmware. These tests will be from the WAN since testing from the LAN would not be practical
to someone trying to get through the perimeter.
The process in which we want to take is to first determine if something is actually at the ip
address, second can we determine what is at the other end, and finally are there any open
ports.
Let us start by simply sending a icmp echo command and see if we get a reply.
hping3 -c 1 -V -I eth0 -1 208.81.226.42
-c = count
-V = verbose
-I = Network Interface to use
-1 = ICMP packet
root@Ububox:/# hping3 -c 1 -V -I eth0 -1 208.81.226.42
using eth0, addr: 192.168.2.108, MTU: 1500
HPING 208.81.226.42 (eth0 208.81.226.42): icmp mode set, 28 headers + 0 data bytes
208.81.226.42 hping statistic
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
No reply! Good so the router is not responding to pings from the WAN. So how do we even
know if anything is actually at that ip address? What if we tried to do a half-open SYN
connection to the http port (80). Since most routers have an admin login (sometimes allowing
remote login from the web). Issue the following command:
hping3 -c 1 -V -I eth0 -s 8765 -p 80 -S 208.81.226.42
-s = source port
-p = destination port
-S = set the SYN flag in the packet
root@Ububox:/# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -S 208.81.226.42
HPING 208.81.226.42 (eth0 208.81.226.42): S set, 40 headers + 0 data bytes
From the result we still get no reply. Now lets try a little test of no flags which is called a null
scan and we will see later that hping3 has an option built in for it. If it works and something is
there we should get a RST packet back. Type the following hping3 command:
hping3 -c 1 -V -I eth0 -s 8765 -p 80 208.81.226.42
root@Ububox:/# hping3 -c 1 -V -I eth0 -s 8765 -p 80 208.81.226.42
HPING 208.81.226.42 (eth0 208.81.226.42): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=208.81.226.42 ttl=127 id=0 tos=0 iplen=40
sport=80 flags=RA seq=0 win=0 rtt=1.0 ms
seq=0 ack=1069346811 sum=fb6c urp=0
Success! We got a RST+ACK packet sent back to us. So now we know for sure something is
at the ip-address, but was this a fluke? Will the same result happen to a port that might not
exist (port 3486). Lets run the same test using a different non existing (hopefully) port. So
change the -p 80 to -p 3486 and lets see what happens.
hping3 -c 1 -V -I eth0 -s 8765 -p 3486 208.81.226.42
Same result we get a RST+ACK back again. So now what? We have made sure that some
kind of equipment is there and it does respond. Lets move on to another kind of test we will
come back to the port testing later. Lets see what happens when we do a icmp timestamp
request (icmp type 13).
hping3 -c 1 -V -I eth0 -1 -C 13 208.81.226.42
-1 = icmp packet
-C 13 = icmp type 13 (timestamp)
root@Ububox:/# hping3 -c 1 -V -I eth0 -1 -C 13 208.81.226.42
No luck there. If it would of succeeded you would seen the exact time set on the remote
host. Most routers/firewalls these days will not respond to these but at this point we do not
know the type of equipment sitting at the other end so you never know so at least give it a try.
Next will try the icmp address subnet mask test. What we hope will happen is this. We send
the packet the remote end replies back with the subnet mask for the local network. (the more
we know is better)
hping3 -c 1 -V -I eth0 -1 -C 17 208.81.226.42
-C 17 = icmp address mask
root@Ububox:/# hping3 -c 1 -V -I eth0 -1 -C 17 208.81.226.42
No response from this either. I was not expecting this to work, but again you dont know till
your try. Now lets return to the port testing procedures and lets try testing using the different
types of flags being set in the packet. The first one we will try is the FIN flag. In a TCP
connection the FIN flag is used to start the connection closing routine.
hping3 -c 1 -V -I eth0 -s 8765 -p 53 -F 208.81.226.42
-F = set FIN flag
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 53 -F 208.81.226.42
HPING 208.81.226.42 (eth0 208.81.226.42): F set, 40 headers + 0 data bytes
seq=0 ack=1790142628 sum=76c9 urp=0
We received a RST+ACK back. What we are wanting to see with this scan is not a reply back
from the ip if we do not receive a reply then that port will be open. If you firewall rules are
working correctly though it should send a RST+ACK back even if the port is open.
So now lets move on to the next flag to set. This next one will be using the ACK flag. Using
the ACK flag in a probe will help us determine if a host is at the ip we are probing. If the host is
not responding to pings from the outside then you can use the ACK flag to probe a port that is
most likely open (aka 80,8080).
hping3 -c 1 -V -I eth0 -s 8765 -p 80 -A 208.81.226.42
-A = Set ack flag
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -A 208.81.226.42
HPING 208.81.226.42 (eth0 208.81.226.42): A set, 40 headers + 0 data bytes
seq=559274943 ack=2094401506 sum=e61a urp=0
We are looking for a RST packet to be sent back from the host. In this example we did receive
a packet back and so we know that there is something at that ip.
Next scan to be used is known as the XMAS scan. What this does is set the seqence number
to zero and set the URG + PSH + FIN flags in the packet.
hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -M 0 -UPF 208.81.226.42
-M 0 = set sequence number to zero
-U = set URG flag
-P = set PUSH flag
-F = set FIN flag
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -M 0 -UPF 208.81.226.42
HPING 208.81.226.42 (eth0 208.81.226.42): FPU set, 40 headers + 0 data bytes
seq=0 ack=1 sum=727d urp=0
If the target devices TCP port is closed, the target device sends a TCP RST packet in reply. If
the target devices TCP port is open, the target discards the TCP XMAS scan, sending no
reply. Only if the firewall rules have not been configured to block this type of scan.
The next and final example of this how to will show you the NULL scan. What this scan does is
set the sequence number to zero and have no flags set in the packet.
hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -Y 208.81.226.42
-Y = Null scan
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -Y 208.81.226.42
HPING 208.81.226.42 (eth0 208.81.226.42): Y set, 40 headers + 0 data bytes
seq=0 ack=1350561991 sum=2c3c urp=0
If the target devices TCP port is closed, the target device sends a TCP RST packet in reply. If
the target devices TCP port is open, the target discards the TCP NULL scan, sending no reply.
I hope you have learned a thing or two about using hping3 from these examples. Hping3 is a
great tool to have handy if you need to test security of your firewall(s) or IDS systems. So just
play around with the different flags being set or the different icmp or udp packets. Different
operating systems respond differently depending on the rules set so try different combonations
of the flags and use tcpdump to see the whole packets being sent and received. I will have
more examples using hping3 in later articles so stay tuned and have fun.

Hping3 Examples

Încărcat de

Informații document

Descriere originală:

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Hping3 Examples

Încărcat de

Drepturi de autor:

Formate disponibile

Hping3 examples

S-ar putea să vă placă și