Security Testing with Hping at the HOP

COver STOry Hping Michael Röder, Fotolia

Security testing with hping AT THE HOP

Don't let intruders crash your dance. We'll show you how to test your hackerish names, such as targa, synful, papa smurf, and netdude, could help firewalls and intrusion detection systems with hping. with the task of generating designer packets, but many of these older applica- BY JAMES STANGER, PHD tions had problems and limitations. For example, some tools could only scan hen it comes to penetration types of the TCP/ IP protocol suite, some Class C IPv4 networks. testing and security audits, users call it a packet-crafting application. Whping is one of your best By manipulating packets, you can What Does hping Do? friends. Currently in its third iteration, scan systems stealthily, generate traffic Hping provides a single, universal solu- hping has become a preferred way to floods, and generally create packets to tion that helps prevent many problems generate IP packets, usually for the pur- your heart’s content. Over the years, of the previous generation. Hping is de- pose of testing firewall and intrusion de- hping has become the de facto packet signed to: tection systems. generator. • scan hosts, Because you can use hping to manipu- Generating custom packets is nothing • assist with penetration testing, late all of the fields, flags, and protocol new. Previous tools with whiz-bang and • test intrusion detection systems,

Versions Hping3 is the latest version of hping, and manipulation tool) and idswakeup (an ap- hping3 places you into a session, much like hping2 is the most significant predecessor plication for auditing intrusion detection the old nslookup command. application. Several applications depend systems). Hping3 comes with a new TCL Hping3 lets you create fairly sophisticated upon hping2, which has been around quite scripting engine and is, therefore, quite bit scripts that will help you simulate traffic for a bit longer than hping3. more powerful than a simple command- your firewalls and intrusion detection sys- I install both versions, and I recommend line tool. tems. a less obvious advantage of hping3 that you do the same. I use hping3 as a The original hping and hping2 applications is that Salvatore Sanfilippo, the creator of stand-alone application, but I still have operate as one-time commands – they all things hping, rewrote much of the un- hping2 in case I need it for third-party ap- don’t launch an interactive shell. If you use derlying code. plications, such as scapy (another packet the command without any arguments,

38 ISSUE 99 FEBRuaRy 2009 Hping Cover story

• and send files between Hping's creator, for example, still main- hosts. tains the tool even though he’s collabo- In this article, I will ex- rated for years with Fyodor, the creator plain how to start gener- of Nmap. ating test packets with Third, you can also conduct incremen- hping. tal scans, which means each scan will climb up one port on a system: Installing hping

Hping3 is available from sudo hping ‑S targethost‑p ++0 the project website as a source tarball [1]. If This command creates a report that tells you’re using an Ubuntu you what ports are open on the system. or Debian system, you can use either Synaptic A Better Traceroute? Package Manager or apt- One interesting feature of hping3 is that get for the installation. To you can generate a more revealing trace- install hping, enter the route report using any protocol. For ex- following command: ample, suppose you want to determine exactly what happens on each hop of a sudo apt‑get U traceroute. To do this, you can specify install hping3. Figure 1: Viewing a packet generated by hping in Wireshark. the use of a TCP SYN packet. The ‑T option allows you to enable hping3’s You don’t need to enable any additional trusion detection system will treat the traceroute function. In the command repositories. Red Hat or CentOS pack- SYN packet as standard traffic rather shown above, the ‑‑ttl option allows you ages are also available online [2]. than as a threat. to specify the number of routers (i.e., Figure 1 shows how to specify a more hops) you want to transmit. Scanning Hosts sophisticated scan that provides a nice If you want to issue a traceroute com- After installing hping, you are ready to little ASCII-based report. mand using UDP, the command shown get started. Suppose you want to send in Listing 2 will suffice. The output two TCP packets to a system named Advantages Over Nmap shows how each router processes the james, and you want those packets to hit You might wonder why you would want UDP packet. port 80 on james. To do this, you would to use hping to look for open ports when Why would you want to do such a issue the command shown (with the ac- you already have Nmap. In some situa- thing? Because many routers block tradi- companying output) in Listing 1. tions, hping offers advantages over tional ICMP packets, even if your latest In Listing 1, notice that the flags= Nmap. system used UDP. field is set to SA, which is hping’s way of First, hping is a light- telling you that port 80 is open on james. weight application; if Listing 2: Tracing UDP If the ports were closed, you’d see RA in you’ve got it installed and 01 sudo hping3 ‑2 192.168.44.45 ‑p ++44444 ‑T ‑n the flags= field. ready to go, why worry 02 The ‑S option sends a SYN packet, about installing anything 03 HPING 192.168.44.45 (eth0 192.168.44.45): udp mode which often is used to create scans that more? set, 28 headers + 0 data bytes are hard for intrusion detection systems Second, it’s always good 04 hop=1 TTL 0 during transit from ip=172.16.8.1 to detect and flag as threatening. to know how to do the 05 hop=1 hoprtt=1.7 ms

After a system replies to a SYN packet, same thing with more 06 hop=2 TTL 0 during transit from ip=12.155.83.1 you know that a port is listening; the in- than one application. 07 hop=2 hoprtt=2.7 ms

08 hop=3 TTL 0 during transit from ip=12.119.43.49

Listing 1: A Simple Scan 09 hop=3 hoprtt=10.0 ms

01 pink@floyd:~/Desktop$ sudo hping3 ‑S james ‑c 2 ‑p 80 10 hop=4 TTL 0 during transit from ip=12.123.21.30

02 HPING james (eth0 192.168.15.134): S set, 40 headers + 0 data 11 hop=4 hoprtt=13.6 ms bytes 12 hop=5 TTL 0 during transit from ip=12.122.12.21 03 len=46 ip=192.168.15.134 ttl=64 DF id=0 sport=80 flags=SA seq=0 13 hop=5 hoprtt=13.3 ms win=5840 rtt=0.3 ms 14 hop=6 TTL 0 during transit from ip=12.122.17.42 04 len=46 ip=192.168.15.134 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=0.3 ms 15 hop=6 hoprtt=11.9 ms

05 16 hop=7 TTL 0 during transit from ip=12.122.96.9

06 ‑‑‑ james hping statistic ‑‑‑ 17 hop=7 hoprtt=36.6 ms

07 2 packets transmitted, 2 packets received, 0% packet loss 18 hop=8 TTL 0 during transit from ip=192.205.34.62

08 round‑trip min/avg/max = 0.3/0.3/0.3 ms 19 hop=8 hoprtt=13.6 ms

09 pink@floyd:~/Desktop$ 20 hop=9 TTL 0 during transit from ip=4.68.103.46

FEBRuary 2009 ISSUE 99 39 Cover story Hping

To analyze one particular hop of a with jitter and traffic con- Listing 3: Analyzing a Hop traceroute packet, you can use the gestion. By determining ‑‑tr‑keep‑ttl option: the MTU and adjusting it 01 hop=3 TTL 0 during transit from ip=12.119.43.61 properly at the router or 02 hop=3 hoprtt=31.7 ms sudo hping3 ‑S 12.119.80.1 U your individual hosts, you 03 hop=3 TTL 0 during transit from ip=12.119.43.61 ‑p 80 ‑T ‑‑ttl 3 U can reduce latency and re- 04 hop=3 hoprtt=6.9 ms ‑‑tr‑keep‑ttl ‑n solve call quality issues 05 hop=3 TTL 0 during transit from ip=12.119.43.61 that would otherwise 06 hop=3 hoprtt=5.0 ms

The ‑n option ensures that numbers prove elusive. 07 hop=3 TTL 0 during transit from ip=12.119.43.49 aren’t resolved. 08 hop=3 hoprtt=5.2 ms Perimeter Testing The preceding command issues TCP- 09 hop=3 TTL 0 during transit from ip=12.119.43.49 based packets to the target host, but Perimeter testing means 10 hop=3 hoprtt=5.2 ms then reports only the third hop. The out- determining exactly what 11 hop=3 TTL 0 during transit from ip=12.119.43.49 put is shown in Listing 3. The informa- your firewall blocks and 12 hop=3 hoprtt=4.9 ms tion in Listing 3 can help you determine what it allows. To conduct 13 hop=3 TTL 0 during transit from ip=12.119.43.61 exactly if and how a particular router is a good test, you can spoof 14 hop=3 hoprtt=5.4 ms altering packets in transit. source IP addresses and source ports: 15 hop=3 TTL 0 during transit from ip=12.119.43.61 Discovering the MTU

To determine the MTU (Maximum Trans- sudo hping3 ‑a U Of course, you can spoof the source IP mission Unit – the largest datagram al- 10.0.44.45 ‑S james ‑c 2 ‑p 80 address as well as the originating and lowed for the network), you could issue destination ports: the following command: The result of the above command is that packets will appear to originate from the sudo hping3 localhost ‑a U hping3 ‑D ‑V ‑I em1 U system at 10.0.44.45. Such a packet is 10.0.44.45 ‑c 2 ‑‑udp U ‑‑icmp targethost useful for determining whether the fire- ‑‑baseport 80 ‑‑destport 80 wall is allowing random packets in or Replace targethost with the host name or out of your network. Sending Files IP address of the system on the network In these cases, you don’t have to use Creating a tunnel is one way to find out where you want to test the MTU. TCP. Using hping, you can generate UDP what your firewall is capable of block- Why is it important to discover the packets as well: ing. On your receiving system, issue the MTU? First, VPN connections and other following command: network transmissions sometimes en- sudo hping3 targethost ‑c 2 U counter problems if the MTU on a sys- ‑‑udp ‑‑baseport 80 U host$ sudo hping3 ‑i eth0 U tem or a network is set strangely. ‑‑destport 80 ‑‑listen signature ‑‑icmp In convergence networks (for example, where you’re implementing a VoIP The preceding command sends two UDP To send the contents of the file on your SIP or H.323 system), you might need to packets to port 80 on the target system local system to a remote system named determine the MTU to avoid problems from port 80 of your own system. james, issue the following command:

Penetration Testing It’s not enough to just know about how to oritize resources you have identified. For ing spoofed internal packets. use hping3; you need to also understand example, a system may have a fairly se- • Intrusion detection testing: In this step, the basics of a penetration test. A typical rious vulnerability that might not be very you generate traffic to see if the intru- test includes the following basic steps: important. You might need to actually sion detection system is capable of iden- • Network resource identification: This assign this system a lower priority than tifying anomalies and problems. Appli- step is sometimes called network map- others that are considered more vital, es- cations such as hping3 are perfect for ping, network footprinting, or target pecially if the vulnerable system isn’t generating such anomalous traffic. likely to become a stage for an attack. identification. The step involves scan- • Consideration of security policy and Many times, this step is considered part ning systems for open ports, fingerprint- end user issues: In this step, you deter- of the network resource identification, ing operating systems, and determining mine the effectiveness of the security but I like to treat this activity as some- the types of applications that are operat- policy, and how well the network’s appli- thing separate. Determining vulnerabili- ing on open ports. cations ensure compliance. You also de- ties is a complex task that requires quite • Scanning for vulnerabilities: Looking termine how well end users comply with a bit of analytical thought. for vulnerabilities on server, firewall, and the security policy. Although this last VoIP operating systems. You also con- • Perimeter testing: A classic activity for step isn’t really relevant to applications duct tests designed to break the existing hping3. For example, you can use such as hping3, it’s important to under- authentication scheme. Once you are hping3 to generate traffic that tests stand that an auditor does more than finished cracking systems, you then pri- whether the firewall is capable of block- scan systems and generate packets.

40 ISSUE 99 FEBRuary 2009 Hping Cover story

user@host:~$ sudo hping3 ‑I U sudo hping3 ‑S 192.168.2.3 U and for launching various other forms eth0 localhost ‑‑icmp ‑d 100 U ‑a 192.168.2.3 ‑k ‑s 139 U of attack. ‑‑sign signature U ‑p 139 ‑‑flood To create a Christmas tree packet ‑‑file /etc/shadow using hping3, issue the following com- This attack could cause an unpatched mand: On your receiving system’s terminal, you target system to freeze. Also notice the will see the output of the file you’re ‑‑flood option, which sends thousands hping3 ‑F ‑P ‑U U sending (see Listing 4). of packets to the system. 10.44.45.15 ‑p 0 Notice that the contents of the file has been sent through the firewall. Also no- Firewalls and Session State Firewalls and Time Stamps tice that I’ve decided to send the con- Suppose you want to determine how In many cases, a firewall will automati- tents of a particularly sensitive file. Cre- well your firewall is able to record re- cally drop packets that don’t have a time ating an ad-hoc tunnel in this way al- quests for Microsoft protocols across the stamp. To add a time stamp to your lows quick file transfer back and forth network. To use hping3 to generate the packets, use the ‑timestamp option in across a firewall. Furthermore, this fea- packets for this test, issue the following your command: ture is useful for testing exactly what a commands: firewall is capable of blocking. hping3 ‑S 72.14.207.99 U hping www.acme.net ‑S ‑c 1 ‑p 139 ‑p 80 ‑‑tcp‑timestamp Simulating Attacks hping www.acme.net ‑S ‑A ‑c 1 ‑p 139 The LAND attack [4], which first ap- hping www.acme.net ‑S ‑A ‑c 1 ‑p 135 The results will help you determine peared in 1997, involves sending a whether you need to enable timestamp spoofed packet with its SYN flag acti- These commands generate packets that filtering on the firewall. vated to a target host. This spoofed the firewall – if its capability for main- packet has the same source IP and taining state is working – will record. Conclusion source port as the target hosts’s IP. To verify this, you’ll need to check the Conducting penetration tests and deter- When the attack first appeared, it caused firewall’s logs and use a packet sniffer. mining the effectiveness of intrusion de- unpatched Windows systems (and some tection systems involves a great deal of Linux systems) to create an infinite con- Christmas Tree Packet skill and patience. Also, you need the nection loop and crash. A Christmas tree packet [5] is a TCP right kind of tools. Hping3 is one of Many attackers exploited this bug to packet that has almost every flag set, those tools. In this article, I've outlined wage simple, sophomoric, and highly which is useful for bypassing firewalls only a few of the sophisticated com- annoying denial of service attacks. More mands at your disposal when you add sophisticated users realized that such at- Listing 4: Sending a File hping to your security-testing toolkit. n tacks were useful for hijacking attacks. 01 Warning: Unable to guess the output A new variation of the LAND attack interface INFO turned up in 2005, and this classic tech- 02 hping3 listen mode [1] hping Project: www.hping. org nique could easily appear again. 03 [main] memlockall(): Success Hping3 can help you ensure that your [2] hping in RPM: http://dag.wieers. 04 Warning: can't disable memory com/rpm/ packages/ hping systems are immune to such an attack. paging! [3] Packet crafting via hping: Suppose you want to test a system with 05 99999:7::: http://www.governmentsecurity.org/ the IP address of 192.168.2.3 that has 06 proxy:*:14181:0:99999:7::: archive/t835.html port 139 open. To do so, you would issue 07 www‑data:*:14181:0:99999:7::: the following command: [4] LAND attack: 08 backup:*:14181:0:99999:99999:7::: http://en.wikipedia.org/wiki/LAND 09 proxy:*:14181:0:99999:7::: Choosing an Audit Type [5] Christmas tree packet: 10 www‑data:*:14181:0:99999:7::: http://en.wikipedia.org/wiki/Christ- At the risk of oversimplifying, two types 11 backup:*:14181:0:99999:7::: mas_tree_packett835. html of audits exist: blind and non-blind. A 12 list:*:14181:0:99999:7::: blind audit is one in which you adopt the 13 irc:*:14181:0:99999:7::: Dr. James Stanger is an accom- perspective of a hacker who doesn’t 14 gnats:*:14181:0:99999:7::: know about the network and has to dis- plished writer, security consultant, cover all of the systems. With non-blind 15 nobody:*7::: and web designer. Currently, he is audit, you don’t need to worry about 16 nobody:*^C Vice President of Certification for the discovering the systems; instead, you 17 [code snipped due to hitting Ctrl + Certified Internet Web Professional focus on scanning the systems for vul- C to end the transmission] assessment program and chair of the nerabilities. Regardless of the approach 18 ‑‑‑ hping statistic ‑‑‑ Linux Professional Institute (LPI) Advi-

you take to auditing, your goal is to dis- 19 0 packets transmitted, 0 packets sory Council. Dr. Stanger is a co-au-

cover resources, show how to penetrate received, 0% packet loss AUTHOR THE thor of O'Reilly's LPI Certification in a

the defenses, and demonstrate how an 20 round‑trip min/avg/max = Nutshell. He runs a blog at http:// attack could spread to other systems. 0.0/0.0/0.0 ms www.ciwcommunity. org .

FEBRuary 2009 ISSUE 99 41