Security Forums

Hping2 advanced testing

noyd
Just Arrived
Joined: 30 Sep 2004
Location: Europe

Posted: Wed Oct 27, 2004 12:35 pm    Post subject: Hping2 advanced testing

Greetings,

Before I post my question, I'd like to mention that when I was googling for hping whitepapers, I found great info on the subject here on SFDC. Indubitably Don's posts answered my first doubts perfectly.

I've been using hping to forge some packets with wicked flag combinations against a Symantec Ent. Firewall (8.0) that does some nice flag checking. My first results showed that port scanning a host with F flags doesn't trick my FW. So I got stuck, with the feeling I needed to read more literature on the subject.

From further reading turned up by Google, I found some techniques (I don't have the slightest idea whether they are obsolete) for forging fragmented packets that mess with the fragment offset field in the IP header, which would allow me to initiate a session on port 25 and then move to another port (for example 80). Can this be accomplished with hping?

I’m guessing that this technique would be something I should understand to gain more knowledge on FW testing.
So I decided to register on SFDC and shoot my first question to the experts.

Thanks!
eip
Just Arrived
Joined: 12 Aug 2004

Posted: Thu Oct 28, 2004 3:23 am

I don't think that what you are looking for is possible (switching ports). I may be wrong, but I am pretty sure that I am right. I would first get a copy of "TCP/IP Illustrated Vol. 1". It is a great book and a great reference. Once you have a better understanding of how TCP/IP works, then you will be able to understand the different evasion techniques that you are looking at. I believe that the Symantec firewall is actually a proxy server. This means that it has to terminate the initial connection and then make a request on behalf of the user. By doing this it will only accept valid packets (in theory).

hping2 is a great tool. But remember that it is only a tool. There are some great IDS evasion papers out there. You can find some on the snort.org web site.


eip
noyd
Just Arrived
Joined: 30 Sep 2004
Location: Europe

Posted: Thu Oct 28, 2004 10:58 am

eip wrote:
I don't think that what you are looking for is possible (switching ports). I may be wrong, but I am pretty sure that I am right. I would first get a copy of "TCP/IP Illustrated Vol. 1". It is a great book and a great reference. Once you have a better understanding of how TCP/IP works, then you will be able to understand the different evasion techniques that you are looking at. I believe that the Symantec firewall is actually a proxy server. This means that it has to terminate the initial connection and then make a request on behalf of the user. By doing this it will only accept valid packets (in theory).

hping2 is a great tool. But remember that it is only a tool. There are some great IDS evasion papers out there. You can find some on the snort.org web site.


eip


Take a look here: http://www.ipa.go.jp/security/rfc/RFC3128EN.html

By that info I assume the attack is possible.
Anyway, I must agree with you about the book, because I have it.

Regards
ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Location: Kuala Lumpur, Malaysia

Posted: Thu Oct 28, 2004 11:14 am

Let me attempt to explain this attack a little bit better.

To get around blocking rules on some firewalls, packet fragmentation can be utilized. This is done by changing the value of the Fragment Offset. The trick is to set the value on the second packet so that, instead of appending the second packet to the first, it actually overwrites the data and part of the TCP header of the first packet.

Example: Telnet 23 is blocked while SMTP 25 port is open on the Packet Filtering Firewall.

The first packet would:
  • Have a fragmentation offset of 0
  • Have the DF bit equal to 0 to mean ‘May Fragment’ and the MF bit equal to 1 to mean ‘More Fragments’
  • Have a destination port in the TCP header of 25. TCP port 25 is allowed, so the Firewall would allow that packet to enter the network
The second packet would:
  • Have a fragmentation offset of 1. This means that the second packet would actually overwrite everything but the first 8 bits of the first packet
  • Have the DF bit equal to 0 to mean ‘May Fragment’ and the MF bit equal to 0 to mean ‘Last Fragment’
  • Have a destination port in the TCP header of 23. This would normally be blocked, but not in this case.
The Packet Filtering Firewall will see that the fragment offset is greater than zero on the second packet. From this data, it will deduce that the second packet is a fragment of another packet and it will not check it against the rule set. When the two packets arrive at the target host they will be reassembled. The second packet will overwrite most of the first packet and the contents of the combined packet will go to port 23.

You can debate the merits of this attack.
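Added example (not code from this thread, from hping or from any product named here): the defender's side of the two-fragment sequence described above, in Python. It constructs the two fragments, then runs them through the two stateless per-fragment rules RFC 1858 proposes (a TCP first fragment must carry enough header to inspect; any TCP fragment at FO=1 is dropped) and through a reassembler that refuses overlapping fragments, the policy RFC 5722 mandates for IPv6. Two facts the code relies on: the IPv4 Fragment Offset counts 8-byte blocks, so FO=1 starts at byte 8 of the TCP header, where the acknowledgement number, data offset and flags live; and RFC 3128 (the link noyd posted) builds on the RFC 1858 rules. The addresses, identification values, port numbers and the `tmin=20` threshold are constructed for the demo.

```python
import struct

# RFC 791: the IPv4 Fragment Offset field counts 8-byte blocks, so FO=1 is byte 8.
FRAG_UNIT = 8
IP_PROTO_TCP = 6
IP_FLAG_MF = 0x2000          # "More Fragments" bit in the IPv4 flags/offset word
TCP_HDR_MIN = 20             # bytes needed to see ports, seq, ack, data offset and flags

# Constructed sample addresses for the offline demo; not real hosts.
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])


def build_ipv4(payload, ident, frag_offset_units, more_fragments, proto=IP_PROTO_TCP):
    """Minimal IPv4 header (no options; checksum left zero, which the parser ignores)."""
    flags_off = (IP_FLAG_MF if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, SRC, DST)
    return hdr + payload


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """20-byte TCP header without options; checksum zero is fine for an offline parser."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def parse_ipv4(pkt):
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, total_len, ident, flags_off, proto = fields[0], fields[2], fields[3], fields[4], fields[6]
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "mf": bool(flags_off & IP_FLAG_MF),
            "fo": flags_off & 0x1FFF, "payload": pkt[ihl:total_len]}


def rfc1858_decision(pkt, tmin=TCP_HDR_MIN):
    """Stateless per-fragment rules from RFC 1858 (tmin=20 is this example's choice).
    Direct method:   a TCP first fragment (FO=0) must carry at least tmin header bytes.
    Indirect method: any TCP fragment at FO=1 is dropped, because bytes 8..15 of the
                     TCP header (ack number, data offset, flags) start there."""
    f = parse_ipv4(pkt)
    if f["proto"] != IP_PROTO_TCP:
        return "PASS"
    if f["fo"] == 0 and len(f["payload"]) < tmin:
        return "DROP: tiny first fragment (RFC 1858 direct method)"
    if f["fo"] == 1:
        return "DROP: TCP fragment at FO=1 (RFC 1858 indirect method)"
    return "PASS"


class Reassembler:
    """Per-datagram byte-range tracker that refuses overlapping fragments,
    the policy RFC 5722 mandates for IPv6 reassembly."""

    def __init__(self):
        self.ranges = {}   # ident -> [(start, end), ...] of accepted fragment bytes

    def accept(self, pkt):
        f = parse_ipv4(pkt)
        start = f["fo"] * FRAG_UNIT
        end = start + len(f["payload"])
        seen = self.ranges.setdefault(f["ident"], [])
        for s, e in seen:
            if start < e and s < end:          # half-open intervals intersect
                return ("OVERLAP", start, end, s, e)
        seen.append((start, end))
        return ("OK", start, end)


def run_demo():
    """Replays the post's two-fragment sequence and a legitimately fragmented datagram."""
    results = {}
    ident = 0x1234                              # constructed IP identification value
    # Post's first packet: FO=0, MF=1, TCP header addressed to the permitted port 25.
    frag1 = build_ipv4(build_tcp(40000, 25, 0x02), ident, 0, True)
    # Post's second packet: FO=1, MF=0, a TCP header addressed to the blocked port 23.
    # Because FO counts 8-byte blocks, its 20 bytes land on TCP header bytes 8..27,
    # i.e. over the ack number, data offset, flags and window of the first fragment.
    frag2 = build_ipv4(build_tcp(40000, 23, 0x02), ident, 1, False)
    results["filter_frag1"] = rfc1858_decision(frag1)
    results["filter_frag2"] = rfc1858_decision(frag2)
    reasm = Reassembler()
    results["reasm_frag1"] = reasm.accept(frag1)[0]
    results["reasm_frag2"] = reasm.accept(frag2)[0]
    # Ordinary fragmentation for contrast: 24 bytes at FO=0, the rest starting exactly at byte 24 (FO=3).
    ident2 = 0x1235
    good1 = build_ipv4(build_tcp(40000, 25, 0x18) + b"DATA", ident2, 0, True)
    good2 = build_ipv4(b"MOREDATA", ident2, 3, False)
    results["filter_good2"] = rfc1858_decision(good2)
    results["reasm_good"] = (reasm.accept(good1)[0], reasm.accept(good2)[0])
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14} {verdict}")
```

Running it shows the two layers complementing each other: the stateless RFC 1858 filter passes the first fragment (port 25, full header) and drops the second purely because it sits at FO=1, while the reassembler, which sees both, flags the second as overlapping bytes 8..27 of a datagram whose bytes 0..19 it already holds. The contrasting datagram (24 bytes, then a fragment at FO=3) passes both checks, so neither rule breaks ordinary fragmentation.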
All times are GMT + 2 Hours