Saturday, September 28, 2013

Detecting Firewall/IPS via hping3 Before Starting Your Pentest

Before starting your network/web application security auditing it is always good to detect whether your target server is running any firewall/IPS or not. It has been always a best practice and method to send some crafted packets to the server in order to check the response form the server. In this article you will learn how to craft packets and how to send the server on their various ports using hping3. Also you will analyze each and every request coming and going from your machine to your target. Here my target is www.chintangurjar.com which's IP I have taken.


Disclaimer : Do not try on any live target (:D). I wont be responsible, if anything happens with the use of my this guide then.

First we will do hping installation.

Hping Installation & Self Critical Evaluation


root@Chintan:~# cd Desktop/
root@Chintan:~/Desktop# wget http://www.hping.org/hping3-20051105.tar.gz
--2013-09-12 10:08:22--  http://www.hping.org/hping3-20051105.tar.gz
Resolving www.hping.org (www.hping.org)... 192.70.106.166
Connecting to www.hping.org (www.hping.org)|192.70.106.166|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 584001 (570K) [application/x-gzip]
Saving to: `hping3-20051105.tar.gz'
100%[============================================================================================>] 584,001      474K/s   in 1.2s
2013-09-12 10:08:24 (474 KB/s) - `hping3-20051105.tar.gz' saved [584001/584001]
root@Chintan:~/Desktop# clear
root@Chintan:~/Desktop# ls
hping3-20051105.tar.gz  theHarvester-2.2a
root@Chintan:~/Desktop# tar -xvf hping3-20051105.tar.gz
root@Chintan:~/Desktop/hping3-20051105# ls
adbuf.c       BUGS           display_ipopt.c  hex.h           lib              NEWS            sbignum.h         sendudp.c
adbuf.h       byteorder      docs             hping2.h        libpcap_stuff.c  opensockraw.c   sbignum-tables.c  signal.c
antigetopt.c  byteorder.c    fixtypes.h       hstring.c       listen.c         parseoptions.c  sbignum-tables.h  sockopt.c
antigetopt.h  byteorder.h    gentables.c      hstring.h       logicmp.c        random.c        scan.c            split.c
apd.c         bytesex.h      gentables.sh     if_promisc.c    main.c           rapd.c          script.c          statistics.c
apdutils.c    CHANGES        gethostname.c    img             Makefile         README          send.c            strlcpy.c
apdutils.h    cksum.c        getifname.c      in.h            Makefile.in      release.h       sendhcmp.c        systype.h
ars.c         configure      getlhs.c         INSTALL         memlockall.c     relid.c         sendicmp.c        TODO
arsglue.c     COPYING        getusec.c        interface.c     memlock.c        resolve.c       sendip.c          usage.c
ars.h         CVS            globals.h        interface.h     memstr.c         RFCs            sendip_handler.c  version.c
AUTHORS       datafiller.c   hcmp.h           ip_opt_build.c  memunlockall.c   rtt.c           sendrawip.c       waitpacket.c
binding.c     datahandler.c  hex.c            KNOWN-BUGS      memunlock.c      sbignum.c       sendtcp.c
root@Chintan:~/Desktop/hping3-20051105# ./configure
build byteorder.c...
create byteorder.h...
===> Found Tclsh in: /usr/bin/tclsh8.4
==> WARNING: no Tcl header files found!
--------------------------------------
system type: LINUX

LIBPCAP      : PCAP=-lpcap
PCAP_INCLUDE :
MANPATH      : /usr/local/man
USE_TCL      :
TCL_VER      : 8.4
TCL_INC      :
LIBTCL       : -ltcl8.5 -lm -lpthread
TCLSH        : /usr/bin/tclsh8.4

(to modify try configure --help)
--------------------------------------
creating Makefile...
creating dependences...
now you can try `make'
root@Chintan:~/Desktop/hping3-20051105#

Self-Critical Evaluation

root@Chintan:~/Desktop/hping3-20051105# ./configure
build byteorder.c...
create byteorder.h...
===> Found Tclsh in: /usr/bin/tclsh8.4
==> WARNING: no Tcl header files found!
--------------------------------------
system type: LINUX

LIBPCAP      : PCAP=-lpcap
PCAP_INCLUDE :
MANPATH      : /usr/local/man
USE_TCL      :
TCL_VER      : 8.4
TCL_INC      :
LIBTCL       : -ltcl8.5 -lm -lpthread
TCLSH        : /usr/bin/tclsh8.4

(to modify try configure --help)
--------------------------------------
creating Makefile...
creating dependences...
now you can try `make'
root@Chintan:~/Desktop/hping3-20051105# make
gcc -c -O2 -Wall    -g  main.c
main.c:29:18: fatal error: pcap.h: No such file or directory
compilation terminated.
make: *** [main.o] Error 1


Then I downloaded this package named libpcap0.8-dev_1.3.0-1_i386.deb and I installed it with this command.


root@Chintan:~/Desktop# dpkg -i libpcap0.8-dev_1.3.0-1_i386.deb
Selecting previously unselected package libpcap0.8-dev.
(Reading database ... 235070 files and directories currently installed.)
Unpacking libpcap0.8-dev (from libpcap0.8-dev_1.3.0-1_i386.deb) ...
Setting up libpcap0.8-dev (1.3.0-1) ...
Processing triggers for man-db ...
root@Chintan:~/Desktop#


Then I again configured that file and tried to install it with this following command:

root@Chintan:~/Desktop/hping3-20051105# ./configure
build byteorder.c...
create byteorder.h...
===> Found Tclsh in: /usr/bin/tclsh8.4
==> WARNING: no Tcl header files found!
--------------------------------------
system type: LINUX

LIBPCAP      : PCAP=-lpcap
PCAP_INCLUDE :
MANPATH      : /usr/local/man
USE_TCL      :
TCL_VER      : 8.4
TCL_INC      :
LIBTCL       : -ltcl8.5 -lm -lpthread
TCLSH        : /usr/bin/tclsh8.4

(to modify try configure --help)
--------------------------------------
creating Makefile...
creating dependences...
now you can try `make'
root@Chintan:~/Desktop/hping3-20051105# make
gcc -c -O2 -Wall    -g  main.c
gcc -c -O2 -Wall    -g  getifname.c
getifname.c: In function âget_output_ifâ:
getifname.c:343:35: warning: pointer targets in passing argument 3 of âgetsocknameâ differ in signedness [-Wpointer-sign]
In file included from getifname.c:14:0:
/usr/include/i386-Linux-gnu/sys/socket.h:119:12: note: expected âsocklen_t * __restrict__â but argument is of type âint *â
getifname.c: In function âget_if_nameâ:
getifname.c:61:11: warning: âsa.sin_addr.s_addrâ may be used uninitialized in this function [-Wuninitialized]
gcc -c -O2 -Wall    -g  getlhs.c
gcc -c -O2 -Wall    -g  parseoptions.c
gcc -c -O2 -Wall    -g  datafiller.c
gcc -c -O2 -Wall    -g  datahandler.c
gcc -c -O2 -Wall    -g  gethostname.c
gcc -c -O2 -Wall    -g  binding.c
gcc -c -O2 -Wall    -g  getusec.c
gcc -c -O2 -Wall    -g  opensockraw.c
gcc -c -O2 -Wall    -g  logicmp.c
gcc -c -O2 -Wall    -g  waitpacket.c
waitpacket.c: In function âwait_packetâ:
waitpacket.c:546:14: warning: âtstampâ may be used uninitialized in this function [-Wmaybe-uninitialized]
waitpacket.c:469:8: note: âtstampâ was declared here
gcc -c -O2 -Wall    -g  resolve.c
gcc -c -O2 -Wall    -g  sendip.c
gcc -c -O2 -Wall    -g  sendicmp.c
gcc -c -O2 -Wall    -g  sendudp.c
gcc -c -O2 -Wall    -g  sendtcp.c
gcc -c -O2 -Wall    -g  cksum.c
gcc -c -O2 -Wall    -g  statistics.c
gcc -c -O2 -Wall    -g  usage.c
gcc -c -O2 -Wall    -g  version.c
gcc -c -O2 -Wall    -g  antigetopt.c
gcc -c -O2 -Wall    -g  sockopt.c
gcc -c -O2 -Wall    -g  listen.c
gcc -c -O2 -Wall    -g  sendhcmp.c
gcc -c -O2 -Wall    -g  memstr.c
gcc -c -O2 -Wall    -g  rtt.c
gcc -c -O2 -Wall    -g  relid.c
gcc -c -O2 -Wall    -g  sendip_handler.c
gcc -c -O2 -Wall    -g  libpcap_stuff.c
libpcap_stuff.c:20:21: fatal error: net/bpf.h: No such file or directory
compilation terminated.
make: *** [libpcap_stuff.o] Error 1

Then I solved this error with this command and I again started installation by compiling and installing it.

root@Chintan:~/Desktop/hping3-20051105# ln -s /usr/include/pcap-bpf.h /usr/include/net/bpf.h

This time I successfully managed to install the program now its time to run it.

Detection of Firewall/IPS via hping3

hping options
After applying this fix when I am somehow managed to install hping3. Hping3 comes inbuilt in KALI Linux but I removed it and installed it manually to show you how can we fix errors during package installation. So here is hping3.


root@Chintan:~/Desktop# hping3 --help
usage: hping3 host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood      sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl           (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode
IP
  -a  --spoof      spoof source address
  --rand-dest      random destionation address mode. see the man.
  --rand-source    random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field          (to estimate host traffic)
  -f  --frag       split packets in more frag.  (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set don't fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
  --lsrr           loose source routing and record route
  --ssrr           strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode
ICMP
  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options
UDP/TCP
  -s  --baseport   base source port             (default random)
  -p  --destport   [+][+] destination port(default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum
                   many systems will fix the IP checksum sending the packet
                   so you'll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --SYN        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
  --tcpexitcode    use last tcp->th_flags as exit code
  --tcp-mss        enable the TCP MSS option with the given value
  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime
Common
  -d  --data       data size                    (default is 0)
  -E  --file       data from file
  -e  --sign       add 'signature'
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable 'safe' protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
  --tr-stop        Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt       Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
  --apd-send       Send the packet described with APD (see docs/APD.txt)


Getting Target Information


root@Chintan:~/Desktop# ping chintangurjar.com =>This is my organization’s website so I am gathering the IP address to test on it. And here I got the IP address.

PING chintangurjar.com (XXX.XXX.XXX.XXX) 56(84) bytes of data.
^C
--- chintangurjar.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms


Understanding tcpdump Tool

Now we will send simple ICMP echo packets first. Before doing that let’s run tcpdump to analyze that our packet is successfully sent and we have got the reply back to us.  So to run tcpdump successfully let’s see which interface we have got. We can do this by following command.

Now we will send simple ICMP echo packets first. Before doing that let’s run tcpdump to analyze that our packet is successfully sent and we have got the reply back to us.  So to run tcpdump successfully let’s see which interface we have got. We can do this by following command.

root@Chintan:~# tcpdump --help
tcpdump: invalid option -- '-'
tcpdump version 4.3.0
libpcap version 1.3.0
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]


Choosing Interface for communication


root@Chintan:~# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0c:29:47:0a:6d

          inet addr:192.168.41.145  Bcast:192.168.41.255  Mask:255.255.255.0

          inet6 addr: fe80::20c:29ff:fe47:a6d/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:37525 errors:0 dropped:0 overruns:0 frame:0

          TX packets:66684 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:12913127 (12.3 MiB)  TX bytes:12391468 (11.8 MiB)

          Interrupt:19 Base address:0x2000



lo        Link encap:Local Loopback

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:65536  Metric:1

          RX packets:42 errors:0 dropped:0 overruns:0 frame:0

          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:2940 (2.8 KiB)  TX bytes:2940 (2.8 KiB)


As you can see we have got 2 interface which are eth0 and l0. So the packets which we will send, they will be going through eth0 interface. So here is the tcpdump command.

Sending ICMP echo Packets on Target


root@Chintan:~# tcpdump -i eth0 -n host XXX.XXX.XXX.XXX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

host defines the particular host on which this tool will analyze the traffic. No matter what other sites you are visiting or what other activities you are doing on internet it will only analyze traffic for this host. Option –i stands for interface that we are defining our interface eth0 from two of them. Option –n disables tcpdump to convert IP address into hostnames.

After running tcpdump tool, I have sent one ICMP echo packet to the host by following command.

root@Chintan:~/Desktop# hping3 -1 -c 1 XXX.XXX.XXX.XXX
HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): icmp mode set, 28 headers + 0 data bytes len=46 ip=XXX.XXX.XXX.XXX ttl=128 id=11606 icmp_seq=0 rtt=303.1 ms

--- XXX.XXX.XXX.XXX hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 303.1/303.1/303.1 ms
root@Chintan:~/Desktop#

Now let’s check tcpdump’s result. Then it says something like this.

11:59:22.048058 IP 192.168.41.145 > XXX.XXX.XXX.XXX: ICMP echo request, id 50205, seq 0, length 8

11:59:22.349975 IP XXX.XXX.XXX.XXX > 192.168.41.145: ICMP echo reply, id 50205, seq 0, length 8

Now as per the result we can clearly clarify that our request packet was successfully sent and we got the reply even form the target. So from very first packet we can identify that our target is LIVE it is not dead.


Sending SYN Packets on target’s port 0


To send SYN packet to target the command is as follows:

root@Chintan:~/Desktop# hping3 -S -c 1 -s 5000 XXX.XXX.XXX.XXX
HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): S set, 40 headers + 0 data bytes
len=46 ip=XXX.XXX.XXX.XXX ttl=128 id=11701 sport=0 flags=RA seq=0 win=64240 rtt=1.4 ms

--- XXX.XXX.XXX.XXX hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.4/1.4/1.4 ms
root@Chintan:~/Desktop#

Here –S sign stands for SYN packet identification that we are only sending SYN packet nothing else. C as usual, the number of packet and here we have got new option which is –s 5000. Generally these ports are used for firewall testing as well as digital footprinting. We have specifically choose this port because if we don’t choose this port then this toll will select random any port from outside and will send request to our target.

Make sure that we are using this port in order to not send a packet via our port 0. So our port 0 is not opened that is why we are watching a request set with FLAG RA which means RST-ACK flag. So we are expecting our result may have some of these flag set in output. Let’s check our tcpdump result that what have we got. Here is the result.

12:43:57.277470 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.0: Flags [S], seq 1808687909, win 512, length 0

12:43:57.278406 IP XXX.XXX.XXX.XXX.0 > 192.168.41.145.5000: Flags [R.], seq 715346791, ack 1808687910, win 64240, length 0

From the result we can clearly see that first is a request that we sent and 2nd is a response that we got. It shows that we sent our packet via 5000 port as it mentioned in the IP address and we have received our response from our target’s 0th port as shown in 2nd line. Also we can clearly see that in first line we are sending SYN packet which is shown in [S] like this. And as a result we can see that, there is RST flag set in our response packet which is denoted as [R.] Not only that but we have got an acknowledge for that also in our result which is written as ‘ack 1808687910’.


Sending FIN Packet on target’s port 0


To send FIN packet to target the command is as follows:

root@Chintan:~# hping3 -F -c 1 -s 5000 XXX.XXX.XXX.XXX

HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): F set, 40 headers + 0 data bytes



--- XXX.XXX.XXX.XXX hping statistic ---

1 packets transmitted, 0 packets received, 100% packet loss

round-trip min/avg/max = 0.0/0.0/0.0 ms

root@Chintan:~# hping3 -F -c 1 -s 8080 XXX.XXX.XXX.XXX

HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): F set, 40 headers + 0 data bytes

--- XXX.XXX.XXX.XXX hping statistic ---

1 packets transmitted, 0 packets received, 100% packet loss

round-trip min/avg/max = 0.0/0.0/0.0 ms

root@Chintan:~# hping3 -F -c 1 -s 443 XXX.XXX.XXX.XXX

HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): F set, 40 headers + 0 data bytes

--- XXX.XXX.XXX.XXX hping statistic ---

1 packets transmitted, 0 packets received, 100% packet loss

round-trip min/avg/max = 0.0/0.0/0.0 ms

root@Chintan:~#

As we can see that here I have sent 1 packet each to the target with FIN flag set from 3 different source port respectively, 5000, 8080 & 443. But we haven’t got any reply from the server side. It says that our packets are being rejected or dropped. To verify it let’s check tcpdump result. Here is the result:

13:03:01.659019 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.0: Flags [F], seq 1785692317, win 512, length 0

13:03:07.790023 IP 192.168.41.145.8080 > XXX.XXX.XXX.XXX.0: Flags [F], seq 2105868661, win 512, length 0

13:03:12.728253 IP 192.168.41.145.443 > XXX.XXX.XXX.XXX.0: Flags [F], seq 588210511, win 512, length 0

As the result shows that all these communication is only one sided. tcpdump has analyzed that from 192.168.41.145 is sending request to the server but in reply of its each request, it is not getting any response from the server. Now we will address this issue in 2nd part of this report that why it is happening.


localhost practice to understand scenario


To understand this scenario let’s do one experiment on localhost. On your Ubuntu/Backtrack/Kali Linux default firewall is already installed named iptables. But you never define any rules in it. See the below terminal activity.

root@Chintan:~# ping -c 1 192.168.41.145

PING 192.168.41.145 (192.168.41.145) 56(84) bytes of data.

64 bytes from 192.168.41.145: icmp_req=1 ttl=64 time=0.026 ms

--- 192.168.41.145 ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms

root@Chintan:~# iptables -A INPUT -j DROP

root@Chintan:~# ping -c 1 192.168.41.145

PING 192.168.41.145 (192.168.41.145) 56(84) bytes of data.

^C

- - -     192.168.41.145 ping statistics    - - -

1 packets transmitted, 0 received, 100% packet loss, time 0ms

root@Chintan:~#


As you can see here first I sent one ICMP echo packets to server and I got my reply back as well. Then I set some rules in firewall that these packets should be dropped for security reasons they should be no longer accepted in server. Thus how similar kind of rules must be there on our target server. That is the reason that we are not able to get our reply back in FIN packets.


Sending SYN Packet on target’s port 80


Upto this we have only sent packets to port 0 now we will send our packets to well-known ports and let’s check what’s there in firewall for us. First basic port to test is 80 which is known as HTTP as you know. Now we will be sending SYN packets on port 80 which will do 3 way handshake known as SYN->SYN-ACK->ACK. Here is the command.

root@Chintan:~# hping3 -S -c 1 -s 50000 -p 80 XXX.XXX.XXX.XXX

HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): S set, 40 headers + 0 data bytes

len=46 ip=XXX.XXX.XXX.XXX ttl=128 id=11742 sport=80 flags=SA seq=0 win=64240 rtt=12.9 ms



--- XXX.XXX.XXX.XXX hping statistic ---

1 packets transmitted, 1 packets received, 0% packet loss

round-trip min/avg/max = 12.9/12.9/12.9 ms

root@Chintan:~#

As you can see from the result of hping that it is still allowing us to send SYN packets on 80th port to the server. Let’s cross check it with tcpdump result. As you can see that our target has replied with SA flag which stand for SYN-ACK flag which is the core mechanism of 3 way handshake.

14:42:49.729188 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.80: Flags [S], seq 661324125, win 512, length 0

14:42:49.730576 IP XXX.XXX.XXX.XXX.80 > 192.168.41.145.5000: Flags [S.], seq 907550374, ack 661324126, win 64240, options [mss 1460], length 0

14:42:49.730596 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.80: Flags [R], seq 661324126, win 0, length 0

As showing in result it is clarifying that our first packet is from local host to server on its 80th port which is our SYN packet then server replies with SYN-ACK packet and then our system is confirming acknowledgement via ACK. So this is called 3 way handshake. So in this case firewall is still allowing SYN packets on well-known ports.


Sending ACK Packet on target’s port 80


Now we will send our packets to well-known ports. Secondly, we will send ACK packets on port 80. Now as we know the procedure we will go quickly. Here is the result.

root@Chintan:~# hping3 -A -c 1 -s 5000 -p 80 XXX.XXX.XXX.XXX

HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): A set, 40 headers + 0 data bytes

len=46 ip=XXX.XXX.XXX.XXX ttl=128 id=11746 sport=80 flags=R seq=0 win=32767 rtt=0.9 ms



--- XXX.XXX.XXX.XXX hping statistic ---

1 packets transmitted, 1 packets received, 0% packet loss

round-trip min/avg/max = 0.9/0.9/0.9 ms

root@Chintan:~#

Here our target has responded with RST flag only.
Here is the tcpdump result.

14:46:24.654320 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.80: Flags [.], ack 1423601245, win 512, length 0


14:46:24.654472 IP XXX.XXX.XXX.XXX.80 > 192.168.41.145.5000: Flags [R], seq 1423601245, win 32767, length 0

It shows our packet has been sent with flag . denoted as Flags[.] but the following line ack 1423601245 shows that, that is an ACK packet that we are sending to server. Output also shows we have got reply with RST flag packet only.


Sending UDP Packet on target’s port 80


Here is the UDP packet analysis. 

root@Chintan:~# hping3 -2 -c 1 -s 5000 -p 80 XXX.XXX.XXX.XXX
HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): udp mode set, 28 headers + 0 data bytes

--- XXX.XXX.XXX.XXX hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@Chintan:~#

As we can see from the analysis that firewall has banned UDP packets. Now they can ban this with the use of iptables or using any other 3rd party firewall too. Here is the tcpdump result.

14:54:50.051238 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.80: UDP, length 0
This result only shows 1st packet that we sent from our source destination to target destination. And we have not got our reply back via packet too. This is the same scenario works as above I have showed to you that how iptables blocks all UDP, in fact all packets on the coming from client side. So it also tells us that FIREWALL is setup there.



Summary
This article showed you how to play with Linux firewall as well as how to detect firewall on live system. If your SYN FIN ACK UDP packets are being dropped then make sure there might be in fact there will be firewall/IDS/IPS setup at the server side.

References