Documente Academic
Documente Profesional
Documente Cultură
Please use all the examples in a test environment and with care.
Some examples may actually slow down or crash firewalls or end systems.
or
2. Idle scanning
Idle scanning is a technique to portscan a remote system fully
anonymous. The technique is described in the docs section of the
distribution of HPING, and a implementation is available in NMAP.
To IDLE scan a system, some requirements must be met.
...
If we run a continuous probe against the silent host, and the attacker
scans the server, spoofed with the IP address of the silent host, the
following will happen.
If we scan an open port with a SYN packet, the server will respond with
a SYN/ACK packet (to the Silent host). The Silent host will react by
sending a RESET packet to the server, and will of course increase the
IP_ID by one (because he sends a packet). The next probe we sent will
have the next IP_ID in return. (2 units higher then the previous
probe).
If we sent a SYN packet to a closed port, a RST is sent to the Silent
host, which does not imply sending any packet from the silent host
(IP_ID is not increased), since it will be discarded.
It is indeed a good idea to run a tcpdump, to see what actually
happens.
The interesting part is that, we can use any TCP/UDP port or ICMP
message to probe as opposed to the traceroute utility. This example is
functionally the same as the techniques Firewalk uses.
The example above is actually running through a high-end firewall
solution.
C:\WINNT>netstat -n -p tcp
Active Connections
on the other site you must ‘sign’ the packet, with the signature used
at the receiving site.
--file /etc/passwd
As you can see the SSH daemon is resetting the packets (they are
considered out of state for receiving TCP/IP stack). Hping apparently
does not care about this.
[root@localhost root]# tcpdump -nX -i eth0 not host 192.168.10.33
tcpdump: listening on eth0
15:19:13.139211 192.168.10.66.1890 > 192.168.10.44.ssh: . 1656044390:1656044490(100) win
512
0x0000 4500 008c adf4 0000 4006 36b9 c0a8 0a42 E.......@.6....B
0x0010 c0a8 0a2c 0762 0016 62b5 3b66 621e a8c4 ...,.b..b.;fb...
0x0020 5000 0200 dc52 0000 7369 676e 6174 7572 P....R..signatur
0x0030 6572 6f6f 743a 783a 303a 303a 726f 6f74 eroot:x:0:0:root
0x0040 3a2f 726f 6f74 3a2f 6269 6e2f 6261 7368 :/root:/bin/bash
0x0050 0a64 .d
15:19:13.139456 192.168.10.44.1203 > 192.168.10.66.ssh: . 476330230:476330247(17) win 512
0x0000 4500 0039 0001 0000 4006 e4ff c0a8 0a2c E..9....@......,
0x0010 c0a8 0a42 04b3 0016 1c64 38f6 3c51 4139 ...B.....d8.<QA9
0x0020 5000 0200 28a7 0000 6572 7574 616e 6769 P...(...erutangi
0x0030 7301 0000 0000 0100 00 s........
15:19:13.139780 192.168.10.66.ssh > 192.168.10.44.1203: R 0:0(0) ack 476330247 win 0 (DF)
0x0000 4500 0028 0000 4000 4006 a511 c0a8 0a42 E..(..@.@......B
0x0010 c0a8 0a2c 0016 04b3 0000 0000 1c64 3907 ...,.........d9.
0x0020 5014 0000 bfdd 0000 7369 676e 6174 P.......signat
15:19:14.133675 192.168.10.66.1891 > 192.168.10.44.ssh: .1613394178:1613394278(100) win
512
0x0000 4500 008c 0001 0000 4006 e4ac c0a8 0a42 E.......@......B
0x0010 c0a8 0a2c 0763 0016 602a 7102 50ec 5271 ...,.c..`*q.P.Rq
0x0020 5000 0200 10c6 0000 7369 676e 6174 7572 P.......signatur
0x0030 6572 6f6f 743a 783a 303a 303a 726f 6f74 eroot:x:0:0:root
0x0040 3a2f 726f 6f74 3a2f 6269 6e2f 6261 7368 :/root:/bin/bash
0x0050 0a64 .d
The next example is crafted with the SYN and ACK bit set.
This could be a way to create a full duplex channel across a stateless
filter.
7. Conclusion
HPING is a very useful utility when learning TCP/IP and actually
understand what happen. People auditing firewalls/IDS system can find
great benefits in using hping. And for all the rest, … just use it for
fun as I do!!!
Please send remarks/mistakes to mailto:xxradar@radarhack.com.