Before starting a network or web application security audit, it is always good to find out whether the target server is running a firewall or IPS. The established practice is to send crafted packets to the server and examine the responses that come back from it. In this article you will learn how to craft packets and send them to the server's various ports using hping3, and how to analyze each request going from your machine to the target and each reply coming back. My target here is www.chintangurjar.com, whose IP address I have looked up.
Disclaimer: Do not try this on any live target (:D). I won't be responsible if anything happens through the use of this guide.
First we will do hping installation.
Hping Installation & Self Critical Evaluation
root@Chintan:~# cd Desktop/
root@Chintan:~/Desktop# wget http://www.hping.org/hping3-20051105.tar.gz
--2013-09-12 10:08:22--  http://www.hping.org/hping3-20051105.tar.gz
Resolving www.hping.org (www.hping.org)... 192.70.106.166
Connecting to www.hping.org (www.hping.org)|192.70.106.166|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 584001 (570K) [application/x-gzip]
Saving to: `hping3-20051105.tar.gz'
100%[============================================================================================>] 584,001  474K/s  in 1.2s
2013-09-12 10:08:24 (474 KB/s) - `hping3-20051105.tar.gz' saved [584001/584001]
root@Chintan:~/Desktop# clear
root@Chintan:~/Desktop# ls
hping3-20051105.tar.gz  theHarvester-2.2a
root@Chintan:~/Desktop# tar -xvf hping3-20051105.tar.gz
root@Chintan:~/Desktop/hping3-20051105# ls
adbuf.c       BUGS           display_ipopt.c  hex.h           lib             NEWS             sbignum.h          sendudp.c
adbuf.h       byteorder      docs             hping2.h        libpcap_stuff.c opensockraw.c    sbignum-tables.c   signal.c
antigetopt.c  byteorder.c    fixtypes.h       hstring.c       listen.c        parseoptions.c   sbignum-tables.h   sockopt.c
antigetopt.h  byteorder.h    gentables.c      hstring.h       logicmp.c       random.c         scan.c             split.c
apd.c         bytesex.h      gentables.sh     if_promisc.c    main.c          rapd.c           script.c           statistics.c
apdutils.c    CHANGES        gethostname.c    img             Makefile        README           send.c             strlcpy.c
apdutils.h    cksum.c        getifname.c      in.h            Makefile.in     release.h        sendhcmp.c         systype.h
ars.c         configure      getlhs.c         INSTALL         memlockall.c    relid.c          sendicmp.c         TODO
arsglue.c     COPYING        getusec.c        interface.c     memlock.c       resolve.c        sendip.c           usage.c
ars.h         CVS            globals.h        interface.h     memstr.c        RFCs             sendip_handler.c   version.c
AUTHORS       datafiller.c   hcmp.h           ip_opt_build.c  memunlockall.c  rtt.c            sendrawip.c        waitpacket.c
binding.c     datahandler.c  hex.c            KNOWN-BUGS      memunlock.c     sbignum.c        sendtcp.c
root@Chintan:~/Desktop/hping3-20051105# ./configure
build byteorder.c...
create byteorder.h...
===> Found Tclsh in: /usr/bin/tclsh8.4
==> WARNING: no Tcl header files found!
--------------------------------------
system type: LINUX
LIBPCAP      : PCAP=-lpcap
PCAP_INCLUDE :
MANPATH      : /usr/local/man
USE_TCL      :
TCL_VER      : 8.4
TCL_INC      :
LIBTCL       : -ltcl8.5 -lm -lpthread
TCLSH        : /usr/bin/tclsh8.4
(to modify try configure --help)
--------------------------------------
creating Makefile...
creating dependences...
now you can try `make'
root@Chintan:~/Desktop/hping3-20051105#
Self-Critical Evaluation
root@Chintan:~/Desktop/hping3-20051105# ./configure
build byteorder.c...
create byteorder.h...
===> Found Tclsh in: /usr/bin/tclsh8.4
==> WARNING: no Tcl header files found!
--------------------------------------
system type: LINUX
LIBPCAP      : PCAP=-lpcap
PCAP_INCLUDE :
MANPATH      : /usr/local/man
USE_TCL      :
TCL_VER      : 8.4
TCL_INC      :
LIBTCL       : -ltcl8.5 -lm -lpthread
TCLSH        : /usr/bin/tclsh8.4
(to modify try configure --help)
--------------------------------------
creating Makefile...
creating dependences...
now you can try `make'
root@Chintan:~/Desktop/hping3-20051105# make
gcc -c -O2 -Wall -g main.c
main.c:29:18: fatal error: pcap.h: No such file or directory
compilation terminated.
make: *** [main.o] Error 1
Then I downloaded the package named libpcap0.8-dev_1.3.0-1_i386.deb and installed it with the following command.
root@Chintan:~/Desktop# dpkg -i libpcap0.8-dev_1.3.0-1_i386.deb
Selecting previously unselected package libpcap0.8-dev.
(Reading database ... 235070 files and directories currently installed.)
Unpacking libpcap0.8-dev (from libpcap0.8-dev_1.3.0-1_i386.deb) ...
Setting up libpcap0.8-dev (1.3.0-1) ...
Processing triggers for man-db ...
root@Chintan:~/Desktop#
Then I ran configure again and tried to build it with the following commands:
root@Chintan:~/Desktop/hping3-20051105# ./configure
build byteorder.c...
create byteorder.h...
===> Found Tclsh in: /usr/bin/tclsh8.4
==> WARNING: no Tcl header files found!
--------------------------------------
system type: LINUX
LIBPCAP      : PCAP=-lpcap
PCAP_INCLUDE :
MANPATH      : /usr/local/man
USE_TCL      :
TCL_VER      : 8.4
TCL_INC      :
LIBTCL       : -ltcl8.5 -lm -lpthread
TCLSH        : /usr/bin/tclsh8.4
(to modify try configure --help)
--------------------------------------
creating Makefile...
creating dependences...
now you can try `make'
root@Chintan:~/Desktop/hping3-20051105# make
gcc -c -O2 -Wall -g main.c
gcc -c -O2 -Wall -g getifname.c
getifname.c: In function ‘get_output_if’:
getifname.c:343:35: warning: pointer targets in passing argument 3 of ‘getsockname’ differ in signedness [-Wpointer-sign]
In file included from getifname.c:14:0:
/usr/include/i386-Linux-gnu/sys/socket.h:119:12: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘int *’
getifname.c: In function ‘get_if_name’:
getifname.c:61:11: warning: ‘sa.sin_addr.s_addr’ may be used uninitialized in this function [-Wuninitialized]
gcc -c -O2 -Wall -g getlhs.c
gcc -c -O2 -Wall -g parseoptions.c
gcc -c -O2 -Wall -g datafiller.c
gcc -c -O2 -Wall -g datahandler.c
gcc -c -O2 -Wall -g gethostname.c
gcc -c -O2 -Wall -g binding.c
gcc -c -O2 -Wall -g getusec.c
gcc -c -O2 -Wall -g opensockraw.c
gcc -c -O2 -Wall -g logicmp.c
gcc -c -O2 -Wall -g waitpacket.c
waitpacket.c: In function ‘wait_packet’:
waitpacket.c:546:14: warning: ‘tstamp’ may be used uninitialized in this function [-Wmaybe-uninitialized]
waitpacket.c:469:8: note: ‘tstamp’ was declared here
gcc -c -O2 -Wall -g resolve.c
gcc -c -O2 -Wall -g sendip.c
gcc -c -O2 -Wall -g sendicmp.c
gcc -c -O2 -Wall -g sendudp.c
gcc -c -O2 -Wall -g sendtcp.c
gcc -c -O2 -Wall -g cksum.c
gcc -c -O2 -Wall -g statistics.c
gcc -c -O2 -Wall -g usage.c
gcc -c -O2 -Wall -g version.c
gcc -c -O2 -Wall -g antigetopt.c
gcc -c -O2 -Wall -g sockopt.c
gcc -c -O2 -Wall -g listen.c
gcc -c -O2 -Wall -g sendhcmp.c
gcc -c -O2 -Wall -g memstr.c
gcc -c -O2 -Wall -g rtt.c
gcc -c -O2 -Wall -g relid.c
gcc -c -O2 -Wall -g sendip_handler.c
gcc -c -O2 -Wall -g libpcap_stuff.c
libpcap_stuff.c:20:21: fatal error: net/bpf.h: No such file or directory
compilation terminated.
make: *** [libpcap_stuff.o] Error 1
Then I fixed this error with the following command and started the installation again, compiling and installing it.
root@Chintan:~/Desktop/hping3-20051105# ln -s /usr/include/pcap-bpf.h /usr/include/net/bpf.h
This time I managed to install the program successfully, so now it's time to run it.
Detection of Firewall/IPS via hping3
hping options
After applying this fix I managed to install hping3. Hping3 comes built into Kali Linux, but I removed it and installed it manually to show you how to fix errors during package installation. So here is hping3.
root@Chintan:~/Desktop# hping3 --help
usage: hping3 host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood     sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl           (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode
IP
  -a  --spoof      spoof source address
  --rand-dest      random destionation address mode. see the man.
  --rand-source    random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field          (to estimate host traffic)
  -f  --frag       split packets in more frag.  (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set don't fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
  --lsrr           loose source routing and record route
  --ssrr           strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode
ICMP
  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options
UDP/TCP
  -s  --baseport   base source port             (default random)
  -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum
                   many systems will fix the IP checksum sending the packet
                   so you'll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
  --tcpexitcode    use last tcp->th_flags as exit code
  --tcp-mss        enable the TCP MSS option with the given value
  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime
Common
  -d  --data       data size                    (default is 0)
  -E  --file       data from file
  -e  --sign       add 'signature'
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable 'safe' protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
  --tr-stop        Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt      Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
  --apd-send       Send the packet described with APD (see docs/APD.txt)
Getting Target Information
This is my organization's website, so I am gathering its IP address to test against it, and here I got the IP address.
root@Chintan:~/Desktop# ping chintangurjar.com
PING chintangurjar.com (XXX.XXX.XXX.XXX) 56(84) bytes of data.
^C
--- chintangurjar.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms
Understanding tcpdump Tool
Now we will send simple ICMP echo packets first. Before doing that, let's run tcpdump so we can verify that our packet was sent successfully and that we got the reply back. To run tcpdump properly we first need to see which interface we have, which we can do with the following command.
root@Chintan:~# tcpdump --help
tcpdump: invalid option -- '-'
tcpdump version 4.3.0
libpcap version 1.3.0
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]
Choosing Interface for communication
root@Chintan:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:47:0a:6d
          inet addr:192.168.41.145  Bcast:192.168.41.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe47:a6d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37525 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66684 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12913127 (12.3 MiB)  TX bytes:12391468 (11.8 MiB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:42 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2940 (2.8 KiB)  TX bytes:2940 (2.8 KiB)
As you can see we have two interfaces, eth0 and lo. The packets we send will go out through the eth0 interface. So here is the tcpdump command.
Sending ICMP echo Packets on Target
root@Chintan:~# tcpdump -i eth0 -n host XXX.XXX.XXX.XXX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
host restricts the capture to the particular host whose traffic this tool will analyze. No matter what other sites you visit or what else you do on the internet, it will only show traffic for this host. Option -i selects the interface; here we pick eth0 out of our two. Option -n stops tcpdump from resolving IP addresses into hostnames.
After starting tcpdump, I sent one ICMP echo packet to the host with the following command.
root@Chintan:~/Desktop# hping3 -1 -c 1 XXX.XXX.XXX.XXX
HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): icmp mode set, 28 headers + 0 data bytes
len=46 ip=XXX.XXX.XXX.XXX ttl=128 id=11606 icmp_seq=0 rtt=303.1 ms
--- XXX.XXX.XXX.XXX hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 303.1/303.1/303.1 ms
root@Chintan:~/Desktop#
Now let's check tcpdump's output. It shows the following.
11:59:22.048058 IP 192.168.41.145 > XXX.XXX.XXX.XXX: ICMP echo request, id 50205, seq 0, length 8
11:59:22.349975 IP XXX.XXX.XXX.XXX > 192.168.41.145: ICMP echo reply, id 50205, seq 0, length 8
From this result we can clearly see that our request packet was sent successfully and that we got a reply back from the target. So from the very first packet we can tell that our target is LIVE, not dead.
Sending SYN Packets on target's port 0
To send a SYN packet to the target, the command is as follows:
root@Chintan:~/Desktop# hping3 -S -c 1 -s 5000 XXX.XXX.XXX.XXX
HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): S set, 40 headers + 0 data bytes
len=46 ip=XXX.XXX.XXX.XXX ttl=128 id=11701 sport=0 flags=RA seq=0 win=64240 rtt=1.4 ms
--- XXX.XXX.XXX.XXX hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.4/1.4/1.4 ms
root@Chintan:~/Desktop#
Here -S means we are sending a SYN packet and nothing else; -c, as usual, is the packet count; and the new option is -s 5000, which sets our source port. Ports like this are generally used for firewall testing as well as digital footprinting. We choose this port explicitly because if we don't, the tool will pick a random source port for the request it sends to our target.
Using this option makes sure we do not send the packet from our port 0. Since no destination port is given, the packet is addressed to the target's port 0 (the default destination port), which is not open, and that is why we see a reply with the flags RA, meaning RST-ACK. So we expect some of these flags to show up in the output. Let's check what tcpdump recorded. Here is the result.
12:43:57.277470 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.0: Flags [S], seq 1808687909, win 512, length 0
12:43:57.278406 IP XXX.XXX.XXX.XXX.0 > 192.168.41.145.5000: Flags [R.], seq 715346791, ack 1808687910, win 64240, length 0
From the result we can clearly see that the first line is the request we sent and the 2nd is the response we got. It shows that we sent our packet from port 5000, as appended to the IP address, and that we received the response from our target's port 0, as shown in the 2nd line. In the first line we are sending a SYN packet, shown as [S]. In the response the RST flag is set, shown as [R.], and not only that, we also got an acknowledgement in it, written as 'ack 1808687910'.
Sending FIN Packet on target's port 0
To send a FIN packet to the target, the command is as follows:
root@Chintan:~# hping3 -F -c 1 -s 5000 XXX.XXX.XXX.XXX
HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): F set, 40 headers + 0 data bytes
--- XXX.XXX.XXX.XXX hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@Chintan:~# hping3 -F -c 1 -s 8080 XXX.XXX.XXX.XXX
HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): F set, 40 headers + 0 data bytes
--- XXX.XXX.XXX.XXX hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@Chintan:~# hping3 -F -c 1 -s 443 XXX.XXX.XXX.XXX
HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): F set, 40 headers + 0 data bytes
--- XXX.XXX.XXX.XXX hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@Chintan:~#
As you can see, I sent 1 packet each to the target with the FIN flag set, from 3 different source ports: 5000, 8080 and 443. But we got no reply from the server side, which tells us that our packets are being rejected or dropped. To verify this, let's check the tcpdump result:
13:03:01.659019 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.0: Flags [F], seq 1785692317, win 512, length 0
13:03:07.790023 IP 192.168.41.145.8080 > XXX.XXX.XXX.XXX.0: Flags [F], seq 2105868661, win 512, length 0
13:03:12.728253 IP 192.168.41.145.443 > XXX.XXX.XXX.XXX.0: Flags [F], seq 588210511, win 512, length 0
As the result shows, all of this communication is one-sided: tcpdump recorded 192.168.41.145 sending requests to the server, but in reply to each request it got no response from the server. We will address why this happens in the 2nd part of this report.
localhost practice to understand scenario
To understand this scenario, let's do an experiment on localhost. On your Ubuntu/Backtrack/Kali Linux a default firewall named iptables is already installed, but you have never defined any rules in it. See the terminal activity below.
root@Chintan:~# ping -c 1 192.168.41.145
PING 192.168.41.145 (192.168.41.145) 56(84) bytes of data.
64 bytes from 192.168.41.145: icmp_req=1 ttl=64 time=0.026 ms
--- 192.168.41.145 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms
root@Chintan:~# iptables -A INPUT -j DROP
root@Chintan:~# ping -c 1 192.168.41.145
PING 192.168.41.145 (192.168.41.145) 56(84) bytes of data.
^C
--- 192.168.41.145 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
root@Chintan:~#
As you can see, first I sent one ICMP echo packet to the server and got my reply back. Then I set a rule in the firewall that these packets should be dropped for security reasons, so the server no longer accepts them. A similar kind of rule must be present on our target server, and that is the reason we are not getting any reply to our FIN packets.
Sending SYN Packet on target's port 80
Up to now we have only sent packets to port 0; now we will send packets to well-known ports and see what the firewall has in store for us. The first basic port to test is 80, known as HTTP, as you know. We will send SYN packets to port 80, which starts the 3-way handshake known as SYN -> SYN-ACK -> ACK. Here is the command.
root@Chintan:~# hping3 -S -c 1 -s 50000 -p 80 XXX.XXX.XXX.XXX
HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): S set, 40 headers + 0 data bytes
len=46 ip=XXX.XXX.XXX.XXX ttl=128 id=11742 sport=80 flags=SA seq=0 win=64240 rtt=12.9 ms
--- XXX.XXX.XXX.XXX hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 12.9/12.9/12.9 ms
root@Chintan:~#
As you can see from hping's output, the server still allows us to send SYN packets to its port 80. Let's cross-check this with the tcpdump result. The target replied with the SA flags, which stand for SYN-ACK, the core mechanism of the 3-way handshake.
14:42:49.729188 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.80: Flags [S], seq 661324125, win 512, length 0
14:42:49.730576 IP XXX.XXX.XXX.XXX.80 > 192.168.41.145.5000: Flags [S.], seq 907550374, ack 661324126, win 64240, options [mss 1460], length 0
14:42:49.730596 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.80: Flags [R], seq 661324126, win 0, length 0
As the result shows, the first packet goes from our local host to the server's port 80 and is our SYN packet; then the server replies with a SYN-ACK packet; and then our system confirms with an acknowledgement (ACK). This is called the 3-way handshake. So in this case the firewall is still allowing SYN packets on well-known ports.
Sending ACK Packet on target's port 80
We continue sending packets to well-known ports. Second, we will send ACK packets to port 80. Since we know the procedure by now, we will go quickly. Here is the result.
root@Chintan:~# hping3 -A -c 1 -s 5000 -p 80 XXX.XXX.XXX.XXX
HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): A set, 40 headers + 0 data bytes
len=46 ip=XXX.XXX.XXX.XXX ttl=128 id=11746 sport=80 flags=R seq=0 win=32767 rtt=0.9 ms
--- XXX.XXX.XXX.XXX hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.9/0.9/0.9 ms
root@Chintan:~#
Here our target has responded with the RST flag only. Here is the tcpdump result.
14:46:24.654320 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.80: Flags [.], ack 1423601245, win 512, length 0
14:46:24.654472 IP XXX.XXX.XXX.XXX.80 > 192.168.41.145.5000: Flags [R], seq 1423601245, win 32767, length 0
It shows that our packet was sent with Flags [.] (tcpdump prints a dot for the ACK flag), and the 'ack 1423601245' that follows confirms it is an ACK packet that we sent to the server. The output also shows that we got back a packet with only the RST flag set.
Sending UDP Packet on target's port 80
Here is the UDP packet analysis.
root@Chintan:~# hping3 -2 -c 1 -s 5000 -p 80 XXX.XXX.XXX.XXX
HPING XXX.XXX.XXX.XXX (eth0 XXX.XXX.XXX.XXX): udp mode set, 28 headers + 0 data bytes
--- XXX.XXX.XXX.XXX hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@Chintan:~#
As we can see from the analysis, the firewall has blocked UDP packets. This can be done with iptables or with any other third-party firewall. Here is the tcpdump result.
14:54:50.051238 IP 192.168.41.145.5000 > XXX.XXX.XXX.XXX.80: UDP, length 0
This result shows only the first packet, the one we sent from our source to the target, and no reply packet came back. This is the same scenario I showed you above with iptables, which blocks all UDP packets, in fact all packets coming from the client side. So this also tells us that a FIREWALL is set up there.
Summary
This article showed you how to play with the Linux firewall as well as how to detect a firewall on a live system. If your SYN, FIN, ACK and UDP packets are being dropped, then there may be, in fact there will be, a firewall/IDS/IPS set up on the server side.