Embed Size (px)
Citation preview
Using hping3 for Reconnaissance
Welcome back, my budding hackers! One of the most time-consuming, but necessary, activities in hacking is reconnaissance. Before we can hack a system,we need to know what operating system it's running, what ports are open, what services are running, and hopefully,what applications are installed and running. Good reconnaissance increases our chance for success and reduces our chances of being detected. One of the besttools for this is hping3. Due to its versatility, hping3 is often referred as a "packet crafting tool," which means that it can create just about anytype of packet you can imagine. This can be very helpful in doing recon, as different packets will illicit differentresponses from the operating system TCP/IP stack, giving us clues to the underlying OS, ports, and services.
•••
OccupytheWeb'sHacker Training Camp Login/Sign up
Get WhiteHat Certified! Search Site
0
Fools talk;
The Wise listen.
Home Hackers For Hire Hackers-Arise Subscribers Getting Started Hacking SCADA Hacking More...
In addition, we can test various IDS and firewall evasion techniques such a fragmenting packets, slow scans, etc. Thereare so many things we can do with hping3, but I'll limit myself to just a few in this tutorial. Like nearly all of the tools I demonstrate here in Hackers-Arise, hping3 is built into Kali and BackTrack. So, let's fire upour Kali or BackTrack and take a look at hping3.
Step 1 Finding Hping3 hping3 is a powerful tool with numerous features and functions. We'll look at some of the basic functions that areapplicable to hackers here, but investing a little time to learn additional features will be time well invested.Let's look at the help screen first. kali > hping -h
As you can see, the help screen for hping3 is very long and detailed. To better view it, let's pipe it out to more. kali >hping3 -h |more
After hitting the enter key a few times to move down the screen, we come to the following information. Please notethat hping3 can create TCP, RAW IP, ICMP, and UDP packets with TCP being the default. About the middle of the screennote that:
-a switch enables us to spoof our IP address--rand-dest produces packets with random destination ports--rand-source produces packets with random addresses-t sets the Time to Live (TTL) for the packets
-f fragments the packets If we now scroll down the help page a bit, we will see the following options. Note that like nmap, we can set any of theflags in the packet (FSPURA). I want you to note the following switches.
-Q shows only the sequence number-S scan using SYN packets--tcp-timestamp grabs the timestamp from the tcp packet
Step 2 hping3 Default One of the most important features to understand about hping3 is that its default packet is TCP. This means that whena network device such a router or firewall is blocking ICMP (ping), we can still do host discovery and reconnaissancewith hping3. Let's try setting the SYN flag (this would be essentially the same as nmap -sS scan) and checking whether port 80 isopen (-p 80). kali > hping3 -S 192.168.1.105 -p 80
Note in the screenshot above that the packets come back with the flags SA set, meaning the port is open. If the portwere closed, the port would respond with an RA.
If we want to scan all the ports beginning with 1, we can simply add the increment switch (++) after the port (p) switchand the port number where we want to start scanning (in this case 1), like so: kali > hping -S 192.168.1.105 -p ++1
This will scan each port starting at 1, and then increment by one to port 2, then 3, and so on.
Step 3 Fragment Packets with hping3 TCP was designed to be a robust protocol that would continue to communicate even in unfavorable or difficultcircumstances. One feature that ensures this robustness is its ability to deal with packets that have been fragmented orbroken into multiple pieces. TCP will reassemble those packets when they arrive at the target system. This feature of TCP can be used against itself by using a tool like hping3 to fragment an attack across multiple packetsto evade the IDS and firewall and then have the malware reassembled at the target. Although most modern IDS's now attempt to catch fragmentation attacks (in Snort, there is a frag3 preprocessor thatattempts to detect fragmentation), older ones do not. Even the newer IDS can only pick up fragmentation they aredesigned to detect. The beauty of hping3 is that it allows us to design new attacks that the IDS has not yet seen. Let's try the hping3 fragmentation. kali> hping3 -f 192.168.1.105 -p 80
Step 4 Sending Data with hping3 In addition to being able to craft a packet with just about any characteristics we can imagine, hping3 will also allow usto place whatever data we want in those packets. Note in the help screen from Step 1 that the -E switch enables us to
denote a file we want to use to fill the payload of the packet. Let's say we have a file named malware that contains an exploit we're trying to send to the target. In addition, we areconcerned that this malware might be detected by the IDS. We could use the fragmentation switch and load themalware across multiple packets where it will be reassembled by the target, while evading the IDS or AV software. kali > hping3 -f 192.168.1.105 -p 80 -d 10 -E malware
Where:
-d is the data payload size (here, we've designated it as 10 bytes)-E tells hping3 to grab data from the following file
This command then sends the content of the file malware 10 bytes at a time to the target on port 80.
Step 5 Traceroute with hping3 Traceroute is a tool that allows us to trace the route a packet takes across the internet from the client to the target bymanipulating the TTL (time to live) of ICMP packets. It can be a very useful tool for diagnosing problems on an network, and can also be used by hackers to find devices onthe network and the location of firewalls, routers, etc. For this reason, most network admin's block or drop ICMP (ping).Fortunately for us, hping3 enables us to do exactly the same thing, but use TCP which nearly every firewall allows(otherwise, it wouldn't allow Internet traffic). Let's try to run a traceroute using hping3 with the SYN flag setto google.com. kali > hping3 -z -t 1 -S google.com -p 80
Where:
-z connects the command to the ctrl z on the keyboard so that every time we press it, the TTL is incremented by 1-t sets the initial TTL (in this case, we're using 1)-S sets the flag to SYN-p 80 sets the destination port to 80
In the screenshot above, the TTL is still 1, and hping3 tells us that the device is UNKNOWN. We can then hit the ctrlz and increment the TTL by one and find each device between us and the target. This screenshot shows us two devices between myself and google.com. Continuing to hit ctrl z will increment TTL andfind each device until I get to Google's server.
Step 6 Predicting Sequence Numbers with hping3 Another feature that's built into TCP to assure its robustness is the ability to re-order packets at the target even if theyarrive out of order. Remember that packets don't always take the same route to the target, so they very often will arrive out of order. TCPputs a sequence number on the packets so that it can put them back into order where they arrive.This feature has been used by hackers from the beginning of time (well....at least the beginning of Internet time) toconduct man-in-the-middle attacks (MitM). To protect against MitM attacks, operating system manufacturers tweakedtheir TCP/IP stack so that the sequence numbers are no longer numbered serially. Instead, to make it harder toconduct MitM attacks, the OS uses an algorithm to generate the sequence numbers. To conduct a successful MitM attack, then we'll need to predict the sequence numbers. hping3 can help us with thattask. We can get the target system to respond with its sequence numbers, and then from the sequence numbers wecan decipher what algorithm the OS is using. We can do this by: kali > hping3 -Q -S google.com -p 80
Where: -Q displays the sequence numbers
As you can see, google.com responds with its sequence numbers that hping3 captures and displays.
Step 7 hping3 for Uptime Lastly , we can use hping3 to tell how long the server has been up. This can be very useful information for the hacker,as usually the server must be re-booted to apply updates and patches. By knowing how long the system has been up,we can predict what patches have been applied and what hacks the system is vulnerable to. For instance, if we find a system that has not been re-booted in three years, we can be pretty certain that any securitypatches that have been released in that time have not been applied. This means that all the vulnerabilities that havebecome known in that time are still open on that system. Hping3 uses the tcp-timestamp packet to predict how long the system has been up. Let's try this against google.com. hping3 --tcp-timestamp -S google.com -p 80
As we can see, this google.com web server has been up just 8 days, 4 hours, 21 minutes, and 39 seconds. If you trythis scan against other servers, you are likely to see much longer periods of time between the last reboot, sometimesmeasured in years. These, of course, would be prime targets! Keep coming back my aspiring hackers as we continue our exploration ogof the most valuable skillset of the 21stcentury, hacking!
