Exercise 5: hping2
Before an aggressor can successfully attack or exploit an organization, a certain level of reconnaissance must be performed. The aggressor must collect enough information about the target to have a solid understanding of the network, its services, and its probable vulnerabilities. Another tool to assist in that reconnaissance is hping2. hping2 is a network tool that sends custom ICMP, UDP, and TCP packets and displays target replies the same way ping does with ICMP replies. In addition to the normal ICMP functionality, hping2 can handle fragmentation and an arbitrary packet body and size. It can also be used to transfer files under supported protocols. This tool is useful for testing firewall rules, spoofed port scanning, network performance, packet sizes, TOS (type of service), fragmentation, path MTU discovery, file transfer, traceroute with different protocols, firewalk-like usage, remote OS fingerprinting, TCP/IP stack auditing, and much more.
The objective of this exercise is to provide an understanding of what an attacker can learn about your system from outside your organization. You will also learn how stealth mode can be used to protect the identity of the scanner.
hping2, available at http://www.hping.org/hping2.0.0-rc1.tar.gz
Linux-based OS 2.2 Kernel, or a later version
The following are the steps that you will perform for this exercise:
Download and install hping2.
Verify that you have an IP address bound to your NIC.
Use hping2 to determine if a host is active. Use your own host as the target for all scans, and use its actual IP address, not localhost or 127.0.0.1.
Use hping2 to determine if a service is active. The target service will depend on your host configuration. The SSH service (port 22) may be a good service to scan for.
Perform a stealth scan on your system with hping2.
Challenge Procedure Step-by-Step
The following are the detailed steps you will perform to install and run hping2 on your system:
Create a folder called sans in the /usr/local directory using the following:
Now, download hping2 from http://www.hping.org/hping2.0.0-rc1.tar.gz.
Copy hping2 to the tools directory using the following:
Now, install hping2. Use the following:
tar zxf hping2.0.0-rc1.tar.gz
Change the directory to hping2.0.0-rc1 using the following command:
Edit the configure shell script so that it will correctly set the search path for the man files. To do this, use vi to edit the file:
Search for the line that sets the man path variable:
Use your cursor keys to position your cursor to the right of the "e" in "echo."
Press the Esc key to complete the change. Then, save the change and quit vi by typing the following:
Run configure to prepare the Makefile for compilation of hping2:
Run make to compile hping2.
After make completes, run make install.
Now, use hping2 to determine if a host is active:
Use hping2 to see if the host is running the SSH Service. This is done by typing the following command:
Next, use hping2 to scan a remote system and hide its identity. This is done by typing the following command:
cp hping2.0.0-rc1.tar.gz /usr/local/tools
After you type the slash key (/), the cursor goes to the bottom of the screen. Enter the search value and press Enter to execute the search.
Change the remainder of the line by typing C (make sure you capitalize the C). The last part of the command should disappear. Enter the following:
manpath | cut -f1 -d:`
The last character in the previous line is the backward apostrophe, which is usually found to the left of the 1 key on a PC keyboard.
After you type make, the system will compile the program and display several messages on the screen.
hping2 127.0.0.1 -S -p 22
Use the actual IP address of your system. Do not use 127.0.0.1.
Challenge Question: What is the primary difference between hping2 and the standard ping utility?
hping2 192.168.0.50 -S -p 22
Challenge Question: What is the benefit of hping2 displaying the TCP flags that were set in the return packets?
Challenge Question: Notice that the return packets have the SYN/ACK flags set, which is the second stage of the TCP three-way handshake. What does this indicate?
hping2 192.168.0.50 -a 192.168.0.11 -S
Notice that no packets came back to the scanning system. That's because the spoofing option made the packets appear to be coming from another host.
Challenge Question: How can an attacker performing reconnaissance use spoofing?
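As an added example (not part of the original exercise), the following Python parses hping2 reply lines and the closing statistic line, maps the flags field to a port state (SYN/ACK means open, RST means closed), and reports when a run saw no replies at all, which is what the spoofed scan above produces. The sample outputs are constructed in the style of hping2's output, not captured from the exercise.

```python
import re

# Constructed sample runs in the style of hping2 output (not real captures).
OPEN_PORT_RUN = """\
HPING 192.168.0.50 (eth0 192.168.0.50): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.50 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840 rtt=0.3 ms
len=46 ip=192.168.0.50 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840 rtt=0.2 ms

--- 192.168.0.50 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
"""
CLOSED_PORT_RUN = """\
len=46 ip=192.168.0.50 ttl=64 DF id=0 sport=23 flags=RA seq=0 win=0 rtt=0.2 ms

--- 192.168.0.50 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
"""
SPOOFED_RUN = """\
--- 192.168.0.50 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
"""

REPLY_RE = re.compile(r"ip=(\S+) .*?sport=(\d+) flags=([A-Z]*)")
STAT_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")


def port_state(flags):
    """Interpret the TCP flags hping2 prints for a reply."""
    if "S" in flags and "A" in flags:
        return "open"      # SYN/ACK: second step of the three-way handshake
    if "R" in flags:
        return "closed"    # RST (usually RST/ACK): nothing listening
    return "unknown"


def summarize(output):
    """Parse one hping2 run into per-port states plus sent/received counts."""
    ports = {}
    for m in REPLY_RE.finditer(output):
        ports[(m.group(1), int(m.group(2)))] = port_state(m.group(3))
    sent = received = 0
    m = STAT_RE.search(output)
    if m:
        sent, received = int(m.group(1)), int(m.group(2))
    # replies_seen is False when the host is down, probes are filtered, or
    # the replies went to a spoofed source address instead of to this system.
    return {"ports": ports, "sent": sent, "received": received,
            "replies_seen": received > 0}
```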
Find additional information on hping at http://www.hping.org.
hping2 is a powerful, stealthy tool that can be used to find remote hosts and determine the services running on the remote hosts. You have learned how a scan can use spoofing to hide the identity of the scanning system. Remember this when you start reviewing log files for evidence of scans performed on your system. Just because it says it came from Host A does not mean it did.