Friday, May 27, 2011

hping3 examples!

How to test your firewall's rules, by example, using hping3.

In this how-to I will show a few ways to test a firewall to see what it allows and what it blocks.  The target is a WRT54G v2 router running the newest Linksys firmware.  All tests are run from the WAN side, since testing from the LAN tells you nothing about what someone trying to get through the perimeter would see.

The process we want to follow is: first, determine whether anything is actually at the IP address; second, learn what we can about what sits at the other end; and finally, find out whether any ports are open.  hping3 builds raw packets, so it has to run as root (hence the root prompt in the transcripts below).
Let us start by simply sending an ICMP echo request and see whether we get a reply.
hping3 -c 1 -V -I eth0 -1 208.81.226.42
-c = count
-V = verbose
-I = Network Interface to use
-1 = ICMP mode (an echo request, type 8, unless -C says otherwise)
root@Ububox:/# hping3 -c 1 -V -I eth0 -1 208.81.226.42
using eth0, addr: 192.168.2.108, MTU: 1500
HPING 208.81.226.42 (eth0 208.81.226.42): icmp mode set, 28 headers + 0 data bytes
--- 208.81.226.42 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
No reply!  Good, so the router does not answer pings from the WAN.  But then how do we know anything is at that IP address at all?  Let's try a half-open SYN probe to the HTTP port (80): most routers have a web admin login there, and some allow remote management from the WAN.  Issue the following command:
hping3 -c 1 -V -I eth0 -s 8765 -p 80 -S 208.81.226.42
-s = source port
-p = destination port
-S = set the SYN flag in the packet
root@Ububox:/# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -S 208.81.226.42
using eth0, addr: 192.168.2.108, MTU: 1500
HPING 208.81.226.42 (eth0 208.81.226.42): S set, 40 headers + 0 data bytes
--- 208.81.226.42 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
Still no reply.  Note the difference from a closed port: a closed port answers a SYN with RST+ACK, so silence means the SYN was dropped on the way in (the port is filtered, as far as the WAN is concerned).  Now let's try a probe with no flags set at all, which is called a NULL scan.  If something is there and the port is closed, RFC 793 says we should get a RST back.  Type the following hping3 command:
hping3 -c 1 -V -I eth0 -s 8765 -p 80 208.81.226.42
root@Ububox:/# hping3 -c 1 -V -I eth0 -s 8765 -p 80 208.81.226.42
using eth0, addr: 192.168.2.108, MTU: 1500
HPING 208.81.226.42 (eth0 208.81.226.42): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=208.81.226.42 ttl=127 id=0 tos=0 iplen=40
sport=80 flags=RA seq=0 win=0 rtt=1.0 ms
seq=0 ack=1069346811 sum=fb6c urp=0
--- 208.81.226.42 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.0/1.0 ms
Success!  We got a RST+ACK packet back.  Now we know for sure something is at the IP address, but was this a fluke?  Will the same happen on a port that is probably not in use (3486)?  Let's run the same test against a different, hopefully non-existent, port: change "-p 80" to "-p 3486" and see what happens.
hping3 -c 1 -V -I eth0 -s 8765 -p 3486 208.81.226.42
Same result: a RST+ACK comes back again.  So we have confirmed that some kind of equipment is there and that it does respond.  Interestingly, the SYN to port 80 was dropped while a flagless segment to the same port drew a RST+ACK, so connection attempts and stray segments are evidently handled by different rules.  Let's move on to another kind of test and come back to port testing later.  Let's see what happens when we send an ICMP timestamp request (ICMP type 13).
hping3 -c 1 -V -I eth0 -1 -C 13 208.81.226.42
-1 = ICMP mode
-C 13 = ICMP type 13 (timestamp request)
root@Ububox:/# hping3 -c 1 -V -I eth0 -1 -C 13 208.81.226.42
using eth0, addr: 192.168.2.108, MTU: 1500
HPING 208.81.226.42 (eth0 208.81.226.42): icmp mode set, 28 headers + 0 data bytes
--- 208.81.226.42 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
No luck there.  Had it succeeded, the reply would carry the remote host's clock (milliseconds since midnight UTC), which is useful for fingerprinting and for spotting clock skew.  Most routers and firewalls these days will not answer these, but at this point we do not know what kind of equipment sits at the other end, so it is worth a try.
Next we will try the ICMP address mask request (type 17).  What we hope will happen is that the remote end replies with the subnet mask of its interface; the more we know, the better.
hping3 -c 1 -V -I eth0 -1 -C 17 208.81.226.42
-C 17 = ICMP type 17 (address mask request)
root@Ububox:/# hping3 -c 1 -V -I eth0 -1 -C 17 208.81.226.42
using eth0, addr: 192.168.2.108, MTU: 1500
HPING 208.81.226.42 (eth0 208.81.226.42): icmp mode set, 28 headers + 0 data bytes
--- 208.81.226.42 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
No response from this either.  I was not expecting it to work, but again you don't know until you try.  Now let's return to port testing and probe with different TCP flag combinations.  The first is the FIN flag.  In a TCP connection, FIN is used to start the connection-closing handshake; a lone FIN arriving with no connection behind it is something the stack (or a firewall in front of it) has to decide how to treat.
hping3 -c 1 -V -I eth0 -s 8765 -p 53 -F 208.81.226.42
-F = set FIN flag
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 53 -F 208.81.226.42
using eth0, addr: 192.168.2.108, MTU: 1500
HPING 208.81.226.42 (eth0 208.81.226.42): F set, 40 headers + 0 data bytes
len=46 ip=208.81.226.42 ttl=127 id=0 tos=0 iplen=40
sport=53 flags=RA seq=0 win=0 rtt=0.9 ms
seq=0 ack=1790142628 sum=76c9 urp=0
--- 208.81.226.42 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.9/0.9/0.9 ms
We received a RST+ACK back.  With a FIN probe the answer we are hoping for is silence: a closed port answers a stray FIN with RST (RFC 793), while an open port on a standards-following stack discards it and says nothing, so no reply means the port is open (or the probe was dropped by a filter).  A RST+ACK therefore reads as "closed".  Bear in mind that some stacks (Windows and some network appliances among them) send RST for a lone FIN even on open ports, and that a firewall which rejects rather than drops out-of-state segments will answer RST+ACK whether the port is open or not.  A rule set that silently drops such segments is the stricter choice, since it gives nothing away.
Now on to the next flag: ACK.  An ACK probe helps determine whether a host is at the IP we are probing, and whether a stateful filter sits in front of it.  If the host does not answer pings from the outside, send an ACK to a port that is likely to be in use (e.g. 80 or 8080).
hping3 -c 1 -V -I eth0 -s 8765 -p 80 -A 208.81.226.42
-A = set the ACK flag
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -A 208.81.226.42
using eth0, addr: 192.168.2.108, MTU: 1500
HPING 208.81.226.42 (eth0 208.81.226.42): A set, 40 headers + 0 data bytes
len=46 ip=208.81.226.42 ttl=127 id=0 tos=0 iplen=40
sport=80 flags=RA seq=0 win=0 rtt=0.9 ms
seq=559274943 ack=2094401506 sum=e61a urp=0
--- 208.81.226.42 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.9/0.9/0.9 ms
We are looking for a RST back from the host.  A stack that receives an ACK for a connection it knows nothing about answers RST (RFC 793) whether the port is open or closed, so this probe says nothing about port state; it only tells us the packet reached a TCP stack (nmap calls this "unfiltered").  A stateful firewall would have dropped the out-of-state ACK and we would have seen nothing ("filtered").  In this example we did receive a RST, so we know something is at that IP and that this ACK was not filtered.
The next scan is known as the XMAS scan.  It sets the sequence number to zero and lights up the URG, PSH and FIN flags together.
hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -M 0 -UPF 208.81.226.42
-M 0 = set the TCP sequence number to zero
-U = set the URG flag
-P = set the PSH flag
-F = set the FIN flag
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -M 0 -UPF 208.81.226.42
using eth0, addr: 192.168.2.108, MTU: 1500
HPING 208.81.226.42 (eth0 208.81.226.42): FPU set, 40 headers + 0 data bytes
len=46 ip=208.81.226.42 ttl=127 id=0 tos=0 iplen=40
sport=8080 flags=RA seq=0 win=0 rtt=0.8 ms
seq=0 ack=1 sum=727d urp=0
--- 208.81.226.42 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.8/0.8 ms
If the target's TCP port is closed, it answers with a RST.  If the port is open, a standards-following stack silently discards the XMAS segment, so no reply means open (or filtered).  Either reading only holds if the firewall has not been configured to block the probe in the first place; here the RST+ACK says the probe to 8080 reached something that treats the port as closed.
The final example of this how-to uses hping3's -Y option.  It is often presented as a NULL scan, but it is not one: hping3's man page describes -Y as setting the "Y unused flag" (0x80), the bit that RFC 3168 later assigned to CWR, and the output below confirms it with "Y set".  The real NULL scan, with no flags at all, is the one we ran earlier by passing no flag option.  This probe is still worth sending: a segment carrying only a reserved bit is just as malformed as a flagless one and should be treated the same way.
hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -Y 208.81.226.42
-Y = set the "Y" unused flag (0x80, the bit RFC 3168 assigns to CWR); not a NULL scan despite the common claim
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -Y 208.81.226.42
using eth0, addr: 192.168.2.108, MTU: 1500
HPING 208.81.226.42 (eth0 208.81.226.42): Y set, 40 headers + 0 data bytes
len=46 ip=208.81.226.42 ttl=127 id=0 tos=0 iplen=40
sport=8080 flags=RA seq=0 win=0 rtt=1.2 ms
seq=0 ack=1350561991 sum=2c3c urp=0
--- 208.81.226.42 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.2/1.2/1.2 ms
As with the XMAS probe: a closed port answers RST, while an open port on a standards-following stack discards the segment and sends nothing.  The RST+ACK from port 8080 matches what every other out-of-state probe drew from this device.
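The decision table the post applies by hand (RST+ACK means closed or unfiltered, silence means filtered or open|filtered, depending on the probe) is easy to misread under time pressure, so here it is as a script. This is an added example, not code from the original post: the parsing and classification functions run offline on the transcripts above, which are embedded as sample input, and the driver at the bottom only calls hping3 (assumed to be in PATH and run as root, with source port 8765 and -c 1 as in the post) when you pass it an interface, a target and one or more ports.

```shell
#!/bin/sh
# Added example, not code from the original post: turn the by-hand reading of
# hping3 output into a repeatable check. Pure text functions parse what hping3
# prints (exercised offline on transcripts from the post, embedded below); the
# driver runs hping3 only when given an interface, a target and ports.
# Assumptions: hping3 in PATH, root (raw sockets), -s 8765 and -c 1 as in the post.

# Replies seen, from the footer "1 packets transmitted, 1 packets received, ..."; 0 if absent.
hping_received() {
    hr_n=$(printf '%s\n' "$1" | sed -n 's/.*transmitted, \([0-9][0-9]*\) packets received.*/\1/p' | head -n 1)
    printf '%s\n' "${hr_n:-0}"
}

# TCP flags of the first reply ("sport=80 flags=RA seq=0 ..."); empty if no reply.
hping_reply_flags() {
    printf '%s\n' "$1" | sed -n 's/.*flags=\([A-Z]*\).*/\1/p' | head -n 1
}

classify_icmp() {   # classify_icmp <hping3 output>
    if [ "$(hping_received "$1")" -gt 0 ]; then echo answered; else echo unanswered; fi
}

# Decision table the post applies by hand (nmap uses the same one):
#   probe          RST(+ACK)   SYN+ACK   silence
#   syn            closed      open      filtered
#   ack            unfiltered  -         filtered
#   fin/null/xmas  closed      -         open|filtered
classify_tcp() {   # classify_tcp <syn|ack|fin|null|xmas> <hping3 output>
    ct_flags=$(hping_reply_flags "$2")
    case "$1" in
        syn)
            case "$ct_flags" in
                *S*) echo open ;;
                *R*) echo closed ;;
                "")  echo filtered ;;
                *)   echo "unexpected:$ct_flags" ;;
            esac ;;
        ack)
            case "$ct_flags" in
                *R*) echo unfiltered ;;
                "")  echo filtered ;;
                *)   echo "unexpected:$ct_flags" ;;
            esac ;;
        fin|null|xmas)
            case "$ct_flags" in
                *R*) echo closed ;;
                "")  echo 'open|filtered' ;;
                *)   echo "unexpected:$ct_flags" ;;
            esac ;;
        *) echo "unknown probe type: $1" >&2; return 1 ;;
    esac
}

hping_flag_opts() {   # hping3 options that set the flags for each probe type
    case "$1" in
        syn) printf '%s\n' -S ;; ack) printf '%s\n' -A ;; fin) printf '%s\n' -F ;;
        xmas) printf '%s\n' -UPF ;; null) : ;;
    esac
}

run_probe() {   # run_probe <iface> <target> <port> <probe>; prints hping3 stdout+stderr
    hping3 -c 1 -V -I "$1" -s 8765 -p "$3" $(hping_flag_opts "$4") "$2" 2>&1 || true
}

scan_target() {   # scan_target <iface> <target> <port>...
    st_iface=$1; st_target=$2; shift 2
    printf '%-6s %-5s %s\n' PORT PROBE RESULT
    for st_port in "$@"; do
        for st_probe in syn ack fin null xmas; do
            st_out=$(run_probe "$st_iface" "$st_target" "$st_port" "$st_probe")
            printf '%-6s %-5s %s\n' "$st_port" "$st_probe" "$(classify_tcp "$st_probe" "$st_out")"
        done
    done
}

# Transcripts from the post, embedded so the parser can be exercised offline.
SAMPLE_NULL_80='HPING 208.81.226.42 (eth0 208.81.226.42): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=208.81.226.42 ttl=127 id=0 tos=0 iplen=40
sport=80 flags=RA seq=0 win=0 rtt=1.0 ms
seq=0 ack=1069346811 sum=fb6c urp=0
--- 208.81.226.42 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss'
SAMPLE_SYN_80='HPING 208.81.226.42 (eth0 208.81.226.42): S set, 40 headers + 0 data bytes
--- 208.81.226.42 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss'

if [ "$#" -ge 3 ]; then
    scan_target "$@"          # e.g.: sh hping-fw-check.sh eth0 208.81.226.42 80 53 8080
else
    printf 'offline demo: null/80 -> %s, syn/80 -> %s\n' \
        "$(classify_tcp null "$SAMPLE_NULL_80")" "$(classify_tcp syn "$SAMPLE_SYN_80")"
fi
```

Run it with no arguments to see the classifier applied to the embedded transcripts (null/80 -> closed, syn/80 -> filtered); with `eth0 208.81.226.42 80 53 8080` it repeats the post's probes against every port and prints a table. A single probe per port mirrors the post but cannot tell a dropped packet from a lost one, so raise -c and treat "filtered" as provisional until a second run agrees.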
I hope you have learned a thing or two about using hping3 from these examples.  hping3 is a great tool to have handy when you need to test the security of your firewall(s) or IDS.  Play around with the different flag combinations and with ICMP and UDP probes.  Different operating systems and firewall rule sets respond differently, so try different combinations and use tcpdump to see the whole packets being sent and received.  I will have more hping3 examples in later articles, so stay tuned and have fun.
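What does a firewall that passes every probe above look like? The following is an added example for a Linux firewall you control (the stock Linksys firmware exposes nothing like it), not part of the original post: a shell function that prints an iptables-restore ruleset for the WAN side. The interface name and the list of TCP ports you really want reachable from the WAN are its arguments, and the chain name WAN_IN is my choice. Everything the post sends from the WAN (ICMP echo, timestamp and address-mask requests, SYNs to ports not on the list, and stray FIN, ACK, flagless and XMAS segments) is dropped without an answer; only a clean SYN to a listed port may open a flow.

```shell
#!/bin/sh
# Added example, not part of the original post and not something the stock
# Linksys firmware lets you configure: a WAN-side iptables ruleset for a Linux
# firewall you control, built to draw no answer at all from the probes the post
# sends. Writes iptables-restore syntax to stdout so it can be reviewed first.
# Assumptions: arg 1 is the WAN interface, the rest are TCP ports that really
# must be reachable from the WAN; the chain name WAN_IN is arbitrary.

wan_ruleset() {   # wan_ruleset <wan-iface> [tcp-port ...]
    wr_wan=$1; shift
    printf '%s\n' '*filter' ':WAN_IN - [0:0]'
    # Everything arriving on the WAN, whether for the router or to be forwarded,
    # is judged by one chain.
    printf '%s\n' "-A INPUT -i $wr_wan -j WAN_IN" "-A FORWARD -i $wr_wan -j WAN_IN"
    # Replies to flows we started, and ICMP errors about them, are let in.
    printf '%s\n' '-A WAN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Segments conntrack cannot place: the FIN, XMAS and flagless probes above.
    # DROP, never REJECT: "-j REJECT --reject-with tcp-reset" here would hand out
    # exactly the RST+ACK answers the post collected and confirm the host exists.
    printf '%s\n' '-A WAN_IN -m conntrack --ctstate INVALID -j DROP'
    # With the kernel default nf_conntrack_tcp_loose=1 a lone ACK is not INVALID
    # but NEW (conntrack will pick a flow up mid-stream), so every ACCEPT for a
    # new flow insists on a clean SYN; the ACK probe then falls through to DROP.
    for wr_port in "$@"; do
        printf '%s\n' "-A WAN_IN -p tcp --dport $wr_port --syn -m conntrack --ctstate NEW -j ACCEPT"
    done
    # ICMP echo (8), timestamp (13) and address-mask (17) requests, SYNs to any
    # other port and anything else unsolicited: silently dropped.
    printf '%s\n' '-A WAN_IN -j DROP' 'COMMIT'
}

if [ "$#" -ge 1 ]; then
    wan_ruleset "$@"          # e.g.: sh wan-rules.sh eth0 443 | iptables-restore
else
    wan_ruleset eth0          # demo: WAN on eth0, nothing reachable from the WAN
fi
```

Review the output, then load it with `iptables-restore` (recent versions accept `--test` to parse without committing). The chain ends in DROP, so the existing INPUT and FORWARD policies and any LAN-side rules can stay as they are. Re-run the hping3 probes from the WAN afterwards: the only thing that should ever come back is a SYN+ACK from a port you listed.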

Source: http://www.compuhowto.com/
