LEGAL WARNING!

Use only systems and networks you own, or machines you have permission to hack into. Hacking into a system or network without permission is a crime! Don't do it! If you do illegal things, you may be arrested and go to jail, and I will be unable to save you. You are responsible for your own actions. These instructions are intended to train computer security professionals, not to help criminals.

Sachin Jung Karki

12 Basic “Rules” to Protect You and Your Computer

1. Never leave your computer logged on unattended, even for a minute. Remember, you are responsible for any activity performed using your user id.

2. Always log off when you are done or are leaving your work area for an extended period of time.

3. Create an "uncrackable/unguessable" password. A non-word with one or more digits inserted in the middle (not on the ends) is the best choice. To make a memorable and secure password, take the letters from a phrase or song, add digits, and mix upper and lower case letters (for example, "I Love Paris In The Spring" becomes ILp1TS4, with the digit 1 inserted for the I).

4. Do not give your password to anyone for any reason, and do not type your password while someone is watching. Don't write down your password, include it in automated scripts, or store it on your hard drive/PDA, and don't ask the system to remember your ID and password. Employees should never log on with their user ID/password and let someone else use their access.

5. Never send confidential or personal information (e.g., password, credit card or account information, social security number, driver’s license number, etc.) through the network. E-mail, chat, instant messaging, Internet Relay Chat (IRC – Internet version of CB radio that lets people all over the world have real time conversations) and talk are all equally unsafe.

6. To protect your computer against viruses and other security exploits install and routinely run anti-virus software.  Update your anti-virus software regularly to ensure new virus signatures will be detected.

7. Update your operating system on a regular basis with the latest security patches, updates and drivers. This keeps your computer up to date and helps protect against viruses and other security breaches.

8. Never make or use illegal duplicates/copies of software, manuals, images, music, video, etc.

9. Dispose of personal or confidential information in a secure manner (e.g., shred, wipe, incinerate).

10. Make sure your data and applications are properly backed up.  Store backups in a location away from the original source of the data (e.g., hard drive).

11. Make sure you protect your computer with surge protectors, by not eating or drinking near it, and by keeping your work area clean.

12. Maintain the confidentiality of all data, keeping in mind the privacy of all individuals.

Favourite Data Mining Applications

1. RapidMiner

RapidMiner is one of the leading open-source systems for data mining. It is available as a stand-alone application for data analysis and as a data mining engine for integration into your own products. Thousands of applications of RapidMiner in more than 40 countries give their users a competitive edge.

2. RapidAnalytics

Built around RapidMiner as a powerful engine for analytical ETL, data analysis, and predictive reporting, the new business analytics server RapidAnalytics is the key product for all business critical data analysis tasks and a milestone for business analytics.

3. Weka

Weka is a collection of machine learning algorithms for data mining tasks. The algorithms can either be applied directly to a dataset or called from your own Java code. Weka contains tools for data pre-processing, classification, regression, clustering, association rules, and visualization. It is also well-suited for developing new machine learning schemes.

4. PSPP

PSPP is a program for statistical analysis of sampled data. It has a graphical user interface and a conventional command-line interface. It is written in C, uses the GNU Scientific Library for its mathematical routines, and plotutils for generating graphs. It is a free replacement for the proprietary program SPSS (from IBM).

5. KNIME

KNIME is a user-friendly graphical workbench for the entire analysis process: data access, data transformation, initial investigation, powerful predictive analytics, visualisation and reporting. The open integration platform provides over 1000 modules (nodes).

6. Orange

Orange is an open-source data visualization and analysis tool for novices and experts alike. It supports data mining through visual programming or Python scripting, provides components for machine learning, has add-ons for bioinformatics and text mining, and is packed with features for data analytics.

Tutorial on How to Use hping2

hping2 is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) Unix command, but hping isn't only able to send ICMP echo requests. It supports the TCP, UDP, ICMP and raw-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features. All header fields can be modified and controlled from the command line. A good understanding of IP and TCP/UDP is mandatory to use and understand the utility. While hping2 was mainly used as a security tool in the past, it can be used in many ways. Below is a subset of the things you can do with hping2:

  • Firewall testing
  • Advanced port scanning
  • Network testing, using different protocols, TOS, fragmentation
  • Manual path MTU discovery
  • Advanced traceroute, under all the supported protocols
  • Remote OS fingerprinting
  • Remote uptime guessing
  • TCP/IP stacks auditing
  • hping can also be useful to students that are learning TCP/IP.

For a more detailed description and to download the binaries, visit http://www.hping.org. You can obtain a full working version of hping2 on a bootable CD (among other tools) at http://www.knoppix-std.org or on BackTrack.

While hping2 can do all of that, we will start by learning how hping2 can manipulate and craft packets for the testing of remote systems. We are going to start out easy and send different types of TCP packets with different flags set.

hping2 is relatively easy to install on any *nix system. Go to the website and download it, or use wget. Once it's downloaded, issue the usual ./configure, make and make install commands to compile and install the program. Once it's installed you will see that hping2 has a ton of options; you can list them with man hping2 or hping2 --help. I won't promise we'll go through them all, but we are going to try.

Using Hping2 to Craft TCP Packets

Crafting TCP packets is the default behavior of Hping. By specifying the TCP flags, a destination port and a target IP address, one can easily construct TCP packets.

-F --fin   set FIN flag
-S --syn   set SYN flag
-R --rst   set RST flag
-P --push  set PUSH flag
-A --ack   set ACK flag
-U --urg   set URG flag
-X --xmas  set X unused flag (0x40)
-Y --ymas  set Y unused flag (0x80)

Before we start throwing packets all over your lab network, you should be aware that when you do not specify a destination port on the targeted computer it defaults to 0. Also, if you do not specify a source port, hping2 picks a random ephemeral port and increments it by one for each packet it sends. I am going to use tcpdump to view the packets hping2 sends. If its output is a bunch of nonsense to you, I recommend you learn the tcpdump basics first.

-S (SYN) Packet

The first packet we are going to send is the -S (SYN) packet. The attacker computer is 192.168.0.105 and the computer we are attacking is 192.168.0.100.

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -S 192.168.0.100
HPING 192.168.0.100 (eth0 192.168.0.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 id=18414 sport=0 flags=RA seq=0 win=0 rtt=149.9 ms
len=46 ip=192.168.0.100 ttl=128 id=18416 sport=0 flags=RA seq=1 win=0 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=18417 sport=0 flags=RA seq=2 win=0 rtt=0.4 ms
len=46 ip=192.168.0.100 ttl=128 id=18418 sport=0 flags=RA seq=3 win=0 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=18420 sport=0 flags=RA seq=4 win=0 rtt=1.6 ms
--- 192.168.0.100 hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/30.6/149.9 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump tcp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
14:19:22.506194 IP 192.168.0.105.2690 > 192.168.0.100.0: S 729051484:729051484(0) win 512
0x0000: 4500 0028 f5e2 0000 4006 02d0 c0a8 0069  E..(....@......i
0x0010: c0a8 0064 0a82 0000 2b74 715c 00ee aed9  ...d....+tq\....
0x0020: 5002 0200 d4aa 0000                      P.......
14:19:23.649879 IP 192.168.0.105.2691 > 192.168.0.100.0: S 1045497134:1045497134(0) win 512
0x0000: 4500 0028 09bb 0000 4006 eef7 c0a8 0069  E..(....@......i
0x0010: c0a8 0064 0a83 0000 3e51 052e 34a4 7513  ...d....>Q..4.u.
0x0020: 5002 0200 340b 0000                      P...4...
14:19:24.649886 IP 192.168.0.105.2692 > 192.168.0.100.0: S 734408221:734408221(0) win 512
0x0000: 4500 0028 79cb 0000 4006 7ee7 c0a8 0069  E..(y...@.~....i
0x0010: c0a8 0064 0a84 0000 2bc6 2e1d 1432 0224  ...d....+....2.$
0x0020: 5002 0200 b107 0000                      P.......

---SNIP---
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@localhost root]#

As you can see, hping2 picked an arbitrary source port, in this case 2690, and incremented it by one for each packet. The destination port on the remote system stays 0, since we did not specify one. The S after the address pair tells us it is a SYN packet. I also received RST/ACK replies back from the 192.168.0.100 machine (flags=RA in the hping2 output) but edited those out here. That explains why hping2 reports 5 packets sent and 5 packets received: a closed port answers a SYN with RST/ACK, not with a plain ACK.

Sending a SYN packet from the initiating system is the first step of the TCP three-way handshake. The next step is for the replying computer to send back a SYN/ACK packet, and finally the initiator sends an ACK packet to complete the handshake.

The SYN (stealth) scan is one of the most common scans used by port scanners. When the scan first came into use it was considered stealthy because the application never logged connections that did not complete the three-way handshake. This has long since been remedied, and most common intrusion detection systems will alert on SYN scans.
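The hex dumps in the tcpdump output are just the raw IP and TCP headers, and those 40 bytes are exactly what hping2 assembles itself before handing them to a raw socket. As an added example that is not part of this tutorial or of hping2, the following Python (standard library only) decodes a tcpdump -X dump into header fields, checks the IP and TCP checksums, maps the flag bits onto the letters from the option table above, and rebuilds the captured SYN bit-for-bit from its field values. The sample dump is the first packet of the capture above; send_raw() shows the raw-socket step hping2 performs and is not called here because it needs root.

```python
"""Decode a `tcpdump -X` hex dump into its IPv4 and TCP header fields, verify
both checksums, and assemble a bare TCP packet the way hping2 -S does.
Added example using only the Python standard library; it is not hping2 or
tcpdump code. The sample dump is the first SYN from the capture above."""
import re
import socket
import struct

# First packet of `hping2 -S 192.168.0.100`, as printed by tcpdump -X above.
SAMPLE_DUMP = r"""
0x0000: 4500 0028 f5e2 0000 4006 02d0 c0a8 0069  E..(....@......i
0x0010: c0a8 0064 0a82 0000 2b74 715c 00ee aed9  ...d....+tq\....
0x0020: 5002 0200 d4aa 0000                      P.......
"""

# TCP flag bits in the order hping2/tcpdump print their letters. 0x40 and 0x80
# are the bits hping2 calls -X/--xmas and -Y/--ymas (today's ECE and CWR).
FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                (0x10, "A"), (0x20, "U"), (0x40, "X"), (0x80, "Y")]

HEX_WORD = re.compile(r"[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?")


def hexdump_to_bytes(dump):
    """Collect the hex columns of `tcpdump -X` lines; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not re.fullmatch(r"0x[0-9a-fA-F]+:", tokens[0]):
            continue
        for tok in tokens[1:9]:            # at most eight 16-bit words per line
            if not HEX_WORD.fullmatch(tok):
                break                      # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when an existing checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def flags_to_letters(bits):
    """0x12 -> 'SA', 0x14 -> 'RA', the same letters hping2 prints in flags=."""
    return "".join(letter for bit, letter in FLAG_LETTERS if bits & bit)


def decode(packet):
    """Parse IPv4 + TCP headers and say whether each checksum verifies."""
    (ver_ihl, _tos, tot_len, ident, frag, ttl, proto, _ck,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip = {"version": ver_ihl >> 4, "total_length": tot_len, "id": ident,
          "df": bool(frag & 0x4000), "ttl": ttl, "proto": proto,
          "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
          "checksum_ok": checksum(packet[:ihl]) == 0}
    if proto != 6:
        return {"ip": ip, "tcp": None}
    seg = packet[ihl:tot_len]
    sport, dport, seq, ack, off_flags, win, _ck, _urp = struct.unpack("!HHIIHHHH", seg[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(seg))   # TCP pseudo-header
    tcp = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
           "flags": flags_to_letters(off_flags & 0xFF), "win": win,
           "checksum_ok": checksum(pseudo + seg) == 0}
    return {"ip": ip, "tcp": tcp}


def build_tcp(src, dst, sport, dport, seq, flag_letters, ack=0, win=512, ident=0, ttl=64):
    """Assemble an IPv4/TCP packet with no options and no payload, using the
    defaults hping2 uses (win 512, 40 header bytes), with both checksums filled in."""
    flags = sum(bit for bit, letter in FLAG_LETTERS if letter in flag_letters)
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    seg = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0)
    pseudo = struct.pack("!4s4sBBH", s, d, 0, 6, len(seg))
    seg = seg[:16] + struct.pack("!H", checksum(pseudo + seg) or 0xFFFF) + seg[18:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), ident, 0, ttl, 6, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + seg


def send_raw(packet, dst):
    """What hping2 does under the hood: hand the finished packet to a raw socket
    (needs root / CAP_NET_RAW; deliberately not called by this example)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (dst, 0))


if __name__ == "__main__":
    captured = hexdump_to_bytes(SAMPLE_DUMP)
    print(decode(captured))
    rebuilt = build_tcp("192.168.0.105", "192.168.0.100", 2690, 0, 729051484, "S",
                        ack=0x00EEAED9, ident=0xF5E2)
    print("rebuilt == captured:", rebuilt == captured)
```

Running it prints the decoded fields of the captured SYN and confirms that the rebuilt packet is byte-identical, checksums included. Flipping a single header byte makes checksum_ok go false, which is also what a receiving stack does with a mangled packet: it drops it silently, so a scan then sees "no reply" rather than "closed".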

-R (RST) Packet

The next packet we are going to send is the -R Reset (RST) packet. The reset packet is used to reset a connection. As you can see, the command syntax is very similar; the only change is the switch itself, -R instead of -S.

“The RST packet is often used to perform what is known as inverse mapping. What this means is that RST packets are sent out and the response received is what will tell you if the host exists or not. If you send out a RST scan you would get one of two things. You will either get no response which indicates to you that the host is probably alive or you’ll receive an ICMP host unreachable message. This would indicate that the host does not exist. This is what is known as inverse mapping. Some IDS systems will not log RST packets/scans due to the sheer multitude of them. This is why the inverse scan is popular.” [1]

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -R 192.168.0.100
HPING 192.168.0.100 (eth0 192.168.0.100): R set, 40 headers + 0 data bytes

--- 192.168.0.100 hping statistic ---
6 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump tcp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
13:52:02.992694 IP 192.168.0.105.2894 > 192.168.0.100.0: R 843167096:843167096(0) win 512
0x0000: 4500 0028 8689 0000 4006 7229 c0a8 0069  E..(....@.r)...i
0x0010: c0a8 0064 0b4e 0000 3241 b578 14bc b5a8  ...d.N..2A.x....
0x0020: 5004 0200 6e56 0000                      P...nV..
13:52:04.009817 IP 192.168.0.105.2895 > 192.168.0.100.0: R 378615428:378615428(0) win 512
0x0000: 4500 0028 d259 0000 4006 2659 c0a8 0069  E..(.Y..@.&Y...i
0x0010: c0a8 0064 0b4f 0000 1691 3684 60ba 0a6b  ...d.O....6.`..k
0x0020: 5004 0200 6839 0000                      P...h9..
13:52:05.010133 IP 192.168.0.105.2896 > 192.168.0.100.0: R 1069416179:1069416179(0) win 512
0x0000: 4500 0028 5cd5 0000 4006 9bdd c0a8 0069  E..(\...@......i
0x0010: c0a8 0064 0b50 0000 3fbd fef3 51ed 7a0f  ...d.P..?...Q.z.
0x0020: 5004 0200 15c5 0000                      P.......
13:52:06.009702 IP 192.168.0.105.2897 > 192.168.0.100.0: R 1038765926:1038765926(0) win 512
0x0000: 4500 0028 f915 0000 4006 ff9c c0a8 0069  E..(....@......i
0x0010: c0a8 0064 0b51 0000 3dea 4f66 641a 6926  ...d.Q..=.Ofd.i&
0x0020: 5004 0200 c5e0 0000                      P.......
---SNIP---
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@localhost root]#

-F (FIN) Packet

The FIN packet is used to close an established connection. It is also used to conduct a FIN Scan. When a closed port receives a FIN packet, it should respond with a RST packet while an open port should do nothing (ignore the packet).

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -F 192.168.0.100
HPING 192.168.0.100 (eth0 192.168.0.100): F set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 id=20173 sport=0 flags=RA seq=0 win=0 rtt=34.2 ms
len=46 ip=192.168.0.100 ttl=128 id=20174 sport=0 flags=RA seq=1 win=0 rtt=0.8 ms
len=46 ip=192.168.0.100 ttl=128 id=20175 sport=0 flags=RA seq=2 win=0 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=20176 sport=0 flags=RA seq=3 win=0 rtt=0.5 ms
--- 192.168.0.100 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.5/9.0/34.2 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump tcp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
14:47:52.920308 IP 192.168.0.105.1416 > 192.168.0.100.0: F 1501065776:1501065776(0) win 512
0x0000: 4500 0028 a604 0000 4006 52ae c0a8 0069  E..(....@.R....i
0x0010: c0a8 0064 0588 0000 5978 7230 4472 964e  ...d....Yxr0Dr.N
0x0020: 5001 0200 7fd4 0000                      P.......
14:47:52.922503 IP 192.168.0.100.0 > 192.168.0.105.1416: R 0:0(0) ack 1501065777 win 0
0x0000: 4500 0028 4ecd 0000 8006 69e5 c0a8 0064  E..(N.....i....d
0x0010: c0a8 0069 0000 0588 0000 0000 5978 7231  ...i........Yxr1
0x0020: 5014 0000 5c81 0000 0000 0000 0000       P...\.........
14:47:53.950386 IP 192.168.0.105.1417 > 192.168.0.100.0: F 378133699:378133699(0) win 512
0x0000: 4500 0028 e2c8 0000 4006 15ea c0a8 0069  E..(....@......i
0x0010: c0a8 0064 0589 0000 1689 dcc3 42ae d092  ...d........B...
0x0020: 5001 0200 1faf 0000                      P.......
14:47:53.950837 IP 192.168.0.100.0 > 192.168.0.105.1417: R 0:0(0) ack 378133700 win 0
0x0000: 4500 0028 4ece 0000 8006 69e4 c0a8 0064  E..(N.....i....d
0x0010: c0a8 0069 0000 0589 0000 0000 1689 dcc4  ...i............
0x0020: 5014 0000 34dc 0000 0000 0000 0000       P...4.........
14:47:54.950227 IP 192.168.0.105.1418 > 192.168.0.100.0: F 716278911:716278911(0) win 512
0x0000: 4500 0028 3a33 0000 4006 be7f c0a8 0069  E..(:3..@......i
0x0010: c0a8 0064 058a 0000 2ab1 8c7f 072d 4ef8  ...d....*....-N.
0x0020: 5001 0200 18e6 0000                      P.......
14:47:54.950539 IP 192.168.0.100.0 > 192.168.0.105.1418: R 0:0(0) ack 716278912 win 0
0x0000: 4500 0028 4ecf 0000 8006 69e3 c0a8 0064  E..(N.....i....d
0x0010: c0a8 0069 0000 058a 0000 0000 2ab1 8c80  ...i........*...
0x0020: 5014 0000 70f7 0000 0000 0000 0000       P...p.........
14:47:55.950485 IP 192.168.0.105.1419 > 192.168.0.100.0: F 453633263:453633263(0) win 512
0x0000: 4500 0028 a536 0000 4006 537c c0a8 0069  E..(.6..@.S|...i
0x0010: c0a8 0064 058b 0000 1b09 e4ef 16f3 9998  ...d............
0x0020: 5001 0200 75b6 0000                      P...u...
14:47:55.950800 IP 192.168.0.100.0 > 192.168.0.105.1419: R 0:0(0) ack 453633264 win 0
0x0000: 4500 0028 4ed0 0000 8006 69e2 c0a8 0064  E..(N.....i....d
0x0010: c0a8 0069 0000 058b 0000 0000 1b09 e4f0  ...i............
0x0020: 5014 0000 282e 0000 0000 0000 0000       P...(.........

8 packets captured
8 packets received by filter
0 packets dropped by kernel
[root@localhost root]#

You can see from the tcpdump output that the attacker computer 192.168.0.105 sends a FIN packet to 192.168.0.100 and, because we are sending it to port 0, a port that is almost certainly closed, it gets a RST packet back. Most documentation will tell you that this scan usually doesn't work anymore because of patching and so on; for the record, the 192.168.0.100 computer is a fully patched Windows XP Professional SP2 machine, with the firewall completely turned off.

For giggles I tried sending FIN packets to ports I knew were open on the box, ports 135 and 445, and received RST back as well. So that tells us something about the reliability of the FIN scan against a Windows XP box: the Windows stack answers a bare FIN with RST whether or not the port is listening, so open and closed ports look identical to this scan.

I am going to show the output of the scan here, but we will cover destination ports later so don’t worry too much about it now.

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -F 192.168.0.100 -p 135
HPING 192.168.0.100 (eth0 192.168.0.100): F set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 id=22178 sport=135 flags=RA seq=0 win=0 rtt=131.7 ms
len=46 ip=192.168.0.100 ttl=128 id=22181 sport=135 flags=RA seq=1 win=0 rtt=0.6 ms
len=46 ip=192.168.0.100 ttl=128 id=22182 sport=135 flags=RA seq=2 win=0 rtt=2.8 ms
len=46 ip=192.168.0.100 ttl=128 id=22183 sport=135 flags=RA seq=3 win=0 rtt=0.9 ms
--- 192.168.0.100 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.6/34.0/131.7 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump tcp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
15:17:04.795615 IP 192.168.0.105.2805 > 192.168.0.100.135: F 879656640:879656640(0) win 512
0x0000: 4500 0028 9418 0000 4006 649a c0a8 0069  E..(....@.d....i
0x0010: c0a8 0064 0af5 0087 346e 7ec0 63a0 baf6  ...d....4n~.c...
0x0020: 5001 0200 4e84 0000                      P...N...
15:17:04.797291 IP 192.168.0.100.135 > 192.168.0.105.2805: R 0:0(0) ack 879656641 win 0
0x0000: 4500 0028 56a2 0000 8006 6210 c0a8 0064  E..(V.....b....d
0x0010: c0a8 0069 0087 0af5 0000 0000 346e 7ec1  ...i........4n~.
0x0020: 5014 0000 6f07 0000 0000 0000 0000       P...o.........
15:17:05.922394 IP 192.168.0.105.2806 > 192.168.0.100.135: F 1281421513:1281421513(0) win 512
0x0000: 4500 0028 fb96 0000 4006 fd1b c0a8 0069  E..(....@......i
0x0010: c0a8 0064 0af6 0087 4c60 f0c9 349c 85a8  ...d....L`..4...
0x0020: 5001 0200 28da 0000                      P...(...
15:17:05.922708 IP 192.168.0.100.135 > 192.168.0.105.2806: R 0:0(0) ack 1281421514 win 0
0x0000: 4500 0028 56a5 0000 8006 620d c0a8 0064  E..(V.....b....d
0x0010: c0a8 0069 0087 0af6 0000 0000 4c60 f0ca  ...i........L`..
0x0020: 5014 0000 e50a 0000 0000 0000 0000       P.............
---SNIP---
8 packets captured
8 packets received by filter
0 packets dropped by kernel
[root@localhost root]#

ICMP Packets

Most ping programs send ICMP echo requests and wait for echo replies to come back to test connectivity. hping2 lets us do the same test using any IP packet, including ICMP, UDP and TCP. This is helpful because many firewalls and routers block ICMP. hping2 uses TCP by default, but if you still want to send ICMP echo requests you can: ICMP mode is selected with -1 (one). Basically the syntax is hping2 -1 IPADDRESS.

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -1 192.168.0.100
HPING 192.168.0.100 (eth0 192.168.0.100): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 id=27118 icmp_seq=0 rtt=14.9 ms
len=46 ip=192.168.0.100 ttl=128 id=27119 icmp_seq=1 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=27120 icmp_seq=2 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=27121 icmp_seq=3 rtt=1.5 ms
len=46 ip=192.168.0.100 ttl=128 id=27122 icmp_seq=4 rtt=0.9 ms
--- 192.168.0.100 hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.5/3.7/14.9 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
15:44:16.052016 IP 192.168.0.105 > 192.168.0.100: icmp 8: echo request seq 0
0x0000: 4500 001c 5161 0000 4001 a762 c0a8 0069  E...Qa..@..b...i
0x0010: c0a8 0064 0800 8bb6 6c49 0000            ...d....lI..
15:44:16.052673 IP 192.168.0.100 > 192.168.0.105: icmp 8: echo reply seq 0
0x0000: 4500 001c 69ee 0000 8001 4ed5 c0a8 0064  E...i.....N....d
0x0010: c0a8 0069 0000 93b6 6c49 0000 0000 0000  ...i....lI......
0x0020: 0000 0000 0000 0000 0000 0000 0000       ..............

UDP Packets

As I already mentioned, the default protocol for hping2 is TCP. But just as with ICMP, you can send UDP packets with hping2. UDP mode is selected with -2 (two); basically the syntax is hping2 -2 IPADDRESS. UDP probes can be useful when probing UDP services like NetBIOS, NFS, DNS and NIS. Note in the output below that a UDP datagram to a closed port (port 0 again, since we gave no -p) comes back as an ICMP Port Unreachable error, which hping2 counts as a received packet even though it shows no round-trip time for it.

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -2 192.168.0.100
HPING 192.168.0.100 (eth0 192.168.0.100): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
--- 192.168.0.100 hping statistic ---
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump udp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
15:55:32.164563 IP 192.168.0.105.2356 > 192.168.0.100.0: UDP, length: 0
0x0000: 4500 001c 0b98 0000 4011 ed1b c0a8 0069  E.......@......i
0x0010: c0a8 0064 0934 0000 0008 748c            ...d.4....t.
15:55:33.190960 IP 192.168.0.105.2357 > 192.168.0.100.0: UDP, length: 0
0x0000: 4500 001c bc4e 0000 4011 3c65 c0a8 0069  E....N..@.<e...i
0x0010: c0a8 0064 0935 0000 0008 748b            ...d.5....t.
15:55:34.192154 IP 192.168.0.105.2358 > 192.168.0.100.0: UDP, length: 0
0x0000: 4500 001c 7f81 0000 4011 7932 c0a8 0069  E.......@.y2...i
0x0010: c0a8 0064 0936 0000 0008 748a            ...d.6....t.
15:55:35.190593 IP 192.168.0.105.2359 > 192.168.0.100.0: UDP, length: 0
0x0000: 4500 001c 3a9c 0000 4011 be17 c0a8 0069  E...:...@......i
0x0010: c0a8 0064 0937 0000 0008 7489            ...d.7....t.
15:55:36.190661 IP 192.168.0.105.2360 > 192.168.0.100.0: UDP, length: 0
0x0000: 4500 001c 6faa 0000 4011 8909 c0a8 0069  E...o...@......i
0x0010: c0a8 0064 0938 0000 0008 7488            ...d.8....t.
[root@localhost root]#

-S SYN Scan and Specifying Ports

Now we are going to start seeing the power of hping2 a little more. We are going to direct a SYN packet at a specified port, in this case port 135. Sending a SYN packet to a specific port requires one more switch: we send a SYN (-S) packet to 192.168.0.100 specifically on port 135 by adding -p, which specifies the destination port. To choose the source port on your own machine that the packet goes out on, use the -s switch followed by a port number, just as with the destination port in the example below.

HPING2 INPUT:

[root@localhost hping2-rc3]# hping2 -S 192.168.0.100 -p 135
HPING 192.168.0.100 (eth0 192.168.0.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 DF id=28733 sport=135 flags=SA seq=0 win=16616 rtt=122.8 ms
len=46 ip=192.168.0.100 ttl=128 DF id=28734 sport=135 flags=SA seq=1 win=16616 rtt=11.7 ms
len=46 ip=192.168.0.100 ttl=128 DF id=28737 sport=135 flags=SA seq=2 win=16616 rtt=1.4 ms
len=46 ip=192.168.0.100 ttl=128 DF id=28738 sport=135 flags=SA seq=3 win=16616 rtt=1.5 ms
--- 192.168.0.100 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.4/34.3/122.8 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump tcp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
16:09:12.059187 IP 192.168.0.105.1839 > 192.168.0.100.135: S 15960697:15960697(0) win 512
0x0000: 4500 0028 596b 0000 4006 9f47 c0a8 0069  E..(Yk..@..G...i
0x0010: c0a8 0064 072f 0087 00f3 8a79 3a64 1ef1  ...d./.....y:d..
0x0020: 5002 0200 3f4d 0000                      P...?M..
16:09:12.061047 IP 192.168.0.100.135 > 192.168.0.105.1839: S 1298117721:1298117721(0) ack 15960698 win 16616 <mss 1460>
0x0000: 4500 002c 703d 4000 8006 0871 c0a8 0064  E..,p=@....q...d
0x0010: c0a8 0069 0087 072f 4d5f b459 00f3 8a7a  ...i.../M_.Y...z
0x0020: 6012 40e8 4034 0000 0204 05b4 0000       `.@.@4........
16:09:12.069235 IP 192.168.0.105.1839 > 192.168.0.100.135: R 15960698:15960698(0) win 0
0x0000: 4500 0028 0000 4000 4006 b8b2 c0a8 0069  E..(..@.@......i
0x0010: c0a8 0064 072f 0087 00f3 8a7a 0000 0000  ...d./.....z....
0x0020: 5004 0000 9a9f 0000                      P.......
[root@localhost root]#

An open port is indicated by a SA (SYN/ACK) reply (see the hping2 output above), a closed port by a RA (RST/ACK) reply (see the earlier run where we sent the packet to port 0). Remember the TCP three-way handshake! In this case the 192.168.0.100 computer responded with a SYN/ACK and the attacker computer answered with a RST. That RST does not come from hping2 itself: hping2 writes its packets through a raw socket, so the attacker's kernel has no socket expecting the SYN/ACK and tears the half-open connection down on its own. That is also why a SYN scan never completes the handshake.
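The same reading of the replies can be automated. The following Python is an added example, not part of hping2: it parses the reply lines hping2 prints (the len=... ip=... flags=... lines for TCP, the ICMP Port Unreachable lines in UDP mode, and the closing statistic) and applies the rules from this tutorial: SA means open, RA means closed, nothing back means filtered or a probe the target ignores, and for UDP an ICMP Port Unreachable means closed. The samples are copied from the runs above, trimmed to two replies each; the only assumption is that hping2 prints the line shapes shown on this page.

```python
"""Turn hping2's per-reply output lines into an open/closed verdict for the
probed port. Added example (not part of hping2); it assumes only the line
shapes shown in this tutorial. The samples are copied from the runs above,
trimmed to two replies each."""
import re

KV_RE = re.compile(r"(\w+)=(\S+)")              # key=value tokens on a reply line
PROBE_RE = re.compile(r"\): (\w+) set,")         # "S set," / "R set," / "F set,"
STATS_RE = re.compile(r"(\d+) packets tra\w*mitted, (\d+) packets received")

SAMPLES = {
    "syn_135": """\
HPING 192.168.0.100 (eth0 192.168.0.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 DF id=28733 sport=135 flags=SA seq=0 win=16616 rtt=122.8 ms
len=46 ip=192.168.0.100 ttl=128 DF id=28734 sport=135 flags=SA seq=1 win=16616 rtt=11.7 ms
--- 192.168.0.100 hping statistic ---
2 packets tramitted, 2 packets received, 0% packet loss
""",
    "syn_0": """\
HPING 192.168.0.100 (eth0 192.168.0.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 id=18414 sport=0 flags=RA seq=0 win=0 rtt=149.9 ms
len=46 ip=192.168.0.100 ttl=128 id=18416 sport=0 flags=RA seq=1 win=0 rtt=0.5 ms
--- 192.168.0.100 hping statistic ---
2 packets tramitted, 2 packets received, 0% packet loss
""",
    "rst_0": """\
HPING 192.168.0.100 (eth0 192.168.0.100): R set, 40 headers + 0 data bytes
--- 192.168.0.100 hping statistic ---
6 packets tramitted, 0 packets received, 100% packet loss
""",
    "udp_0": """\
HPING 192.168.0.100 (eth0 192.168.0.100): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
--- 192.168.0.100 hping statistic ---
2 packets tramitted, 2 packets received, 0% packet loss
""",
}


def parse_hping_output(text):
    """Return {'mode', 'probe', 'replies', 'sent', 'received'} for one hping2 run."""
    result = {"mode": "tcp", "probe": None, "replies": [], "sent": None, "received": None}
    for line in text.splitlines():
        if line.startswith("HPING "):
            if "icmp mode set" in line:
                result["mode"] = "icmp"
            elif "udp mode set" in line:
                result["mode"] = "udp"
            else:
                m = PROBE_RE.search(line)
                result["probe"] = m.group(1) if m else None
        elif line.startswith("len="):                   # a TCP or ICMP echo reply
            reply = dict(KV_RE.findall(line))
            reply["df"] = " DF " in line                 # DF is printed as a bare token
            result["replies"].append(reply)
        elif line.startswith("ICMP "):                   # an ICMP error such as Port Unreachable
            reply = dict(KV_RE.findall(line))
            reply["icmp"] = line.split(" from ")[0][len("ICMP "):]
            result["replies"].append(reply)
        else:
            m = STATS_RE.search(line)
            if m:
                result["sent"], result["received"] = int(m.group(1)), int(m.group(2))
    return result


def probed_port(result):
    """The target port is the source port of whatever answered (None if nothing did)."""
    return next((int(r["sport"]) for r in result["replies"] if "sport" in r), None)


def classify(result):
    """Rules from the text. TCP: SA back = open, RA back = closed, silence =
    filtered or a probe the stack ignores. UDP: ICMP Port Unreachable = closed,
    silence = open|filtered. ICMP echo: any reply means the host is up."""
    replies = result["replies"]
    if result["mode"] == "icmp":
        return "host up" if replies else "no reply"
    if result["mode"] == "udp":
        if any(r.get("icmp") == "Port Unreachable" for r in replies):
            return "closed"
        return "open|filtered"
    flags = {r["flags"] for r in replies if "flags" in r}
    if "SA" in flags:
        return "open"
    if flags & {"RA", "R"}:
        # RST answers a SYN or FIN to a closed port. As the FIN section found,
        # Windows XP also RSTs a FIN on open ports, so for -F probes this is weak.
        return "closed"
    if not replies:
        return "no reply"
    return "unexpected flags " + ",".join(sorted(flags))


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        run = parse_hping_output(text)
        print("%-8s probe=%-4s port=%-4s sent=%s received=%s -> %s" % (
            name, run["probe"] or run["mode"], probed_port(run),
            run["sent"], run["received"], classify(run)))
```

Treat the "closed" verdict for a -F probe with the caution the FIN section gives: the Windows XP target answered RST on port 135 as well, so for that stack the FIN result is not evidence either way. hping2 probes one port per run, so a wrapper would invoke it per port (for example with -c 1 -p PORT) and feed each run's output through this parser.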

Now that you are starting to see the possibilities of crafting your own custom packets with hping2, it’s time for you to expand on the knowledge you have just acquired. Test out hping2 on your own and start to think creatively about ways in which this versatile tool can be used. Then you will be ready for the more advanced tutorial that will be arriving within the next few months.

References

[1] Don Parker's hping2 paper, on which this tutorial is very much based. I didn't like that he didn't show the hping output or explain the tcpdump output very much, so I attempted to improve upon his work by showing the output of the hping2 commands and going into more detail on the tcpdump output.

Getting Started

First steps

First of all you need a working hping3 installation. Go to the download page, and download the latest hping3 tar.gz available. Install it, and log in as the root user (you need this to send and receive raw packets).

To enter the hping3 interactive shell, just type:

# hping3
 

without any argument. If hping was compiled with Tcl scripting capabilities you should see a prompt. The prompt accepts any Tcl command; it is actually a Tcl shell. What's special about it is that there is a new command called hping, and support for big numbers in arithmetic commands such as + and so on.

As first try, you can type a simple command and see the result:

hping3.0.0-alpha-1> hping resolve www.google.com
66.102.9.104
 

The hping command should be called with a subcommand as a first argument (resolve in the example) and additional arguments according to the particular subcommand. The hping resolve command is used to convert a hostname to an IP address.

Ok, that’s the basic usage. Now we can start to try more advanced commands (you can find a complete list of commands in the hping3 API page). For example the hping send command can send TCP/IP packets that you can easily describe as strings:

hping3.0.0-alpha-1> hping send {ip(daddr=192.168.1.8)+icmp(type=8,code=0)}
 

This command means “send an ICMP echo request packet to 192.168.1.8”. Many details of the packet can be omitted. For example we didn’t specify our source address (that will default to the real source address of the sender, the one of the outgoing interface), nor the IP or ICMP checksum. hping will compute them for us.

Let’s check what tcpdump running at 192.168.1.8 detected:

tcpdump: listening on eth0
19:09:16.556695 192.168.1.6 > 192.168.1.8: icmp: echo request [ttl 0]
19:09:16.556803 192.168.1.8 > 192.168.1.6: icmp: echo reply
 

Our ICMP packet reached the destination, which kindly replied with an ICMP echo reply packet.

It's worth recalling the previous command for a second, to analyze it a bit more:

hping3.0.0-alpha-1> hping send {ip(daddr=192.168.1.8)+icmp(type=8,code=0)}

As you can see, there are { and } surrounding the packet description. Tcl requires this in order to quote the string so that special characters are not interpreted. Quoting with {} in Tcl is just like quoting with "" in most other languages, with the difference that no escapes are recognized inside {} quoting.

The second thing to note is the format we used to describe the packet. It's called APD, and was introduced with hping3 itself. The APD syntax is trivial, and there is a simple way to figure out how to generate a given packet, because hping3 uses this format not only to send packets but also to return received packets, as we will see in a moment.

Tcl inside
Before showing how it's possible to receive packets, I want to stress the fact that we are inside a Tcl interpreter, so we can use any of Tcl's abilities in hping scripts.

The following hping script will send the same ICMP packet we already sent to 192.168.1.8, but using different TTL values, from 5 to 10.

# Send the same echo request six times, raising the IP TTL from 5 to 10.
foreach i [list 5 6 7 8 9 10] {
    # "" quoting rather than {} so that $i is substituted into the description
    hping send "ip(daddr=192.168.1.8,ttl=$i)+icmp(type=8,code=0)"
}
 

With scripts longer than one line it can be a good idea to write the script with a text editor, and then run it using hping:

# hping exec foo.htcl
 

Cutting and pasting it into the hping interactive shell also works well.

Note that because this example uses a variable i to increment the TTL value on every iteration of the foreach, we used "" rather than {} quoting so that $i would be expanded to the value of i.

I think it's clear now that in order to make good use of hping3 you need to learn the Tcl language. The good news is that Tcl is a very powerful language, yet it's very easy to learn, and if you learn Tcl you will enjoy it in many different tasks, related or not to hping. The best site about Tcl is the Tcler's Wiki.

Packet reception
Another very important subcommand of hping is hping recv, that is used to capture packets from the specified interface. The simplest usage is the following:

hping3.0.0-alpha-1> hping recv eth0
ip(ihl=0x5,ver=0x4,tos=0x00,totlen=52,id=42833,fragoff=0,mf=0,df=1,rf=0,ttl=54,proto=6,cksum=0xd53a,saddr=192.106.224.132,daddr=192.168.1.6)+\
tcp(sport=6667,dport=52466,seq=2163829654,ack=3105171942,x2=0x0,off=8,flags=a,win=2848,cksum=0x99bd,urp=0)+\
tcp.nop()+tcp.nop()+tcp.timestamp(val=181365875,ecr=104872758)
 

Because the received packet description is too long I added newlines quoted with \, but hping actually reads the packet as a single string.

hping recv returns a Tcl list, where every element is a packet (by default it will be just a one-element list).

At every call, hping recv eth0 will return the packet(s) in queue. If there is no packet to receive the command will block until one is available.

If you don’t want hping recv to block forever, you can specify an additional argument. One more argument will tell hping the max number of packets to return in a single call. To learn the details please check the hping recv page in this wiki.

Note that the command always returns a Tcl list of packets, even when just one packet is returned. So if you want to use the returned packets you need to use Tcl list commands (as we will see in a moment). Another thing to note is that the packets are received in APD format, so it’s possible to get a packet, possibly manipulate it, and resend the packet using hping send.

The following is an example script using hping recv.

while 1 {
    set p [lindex [hping recv eth0] 0]
    puts "[hping getfield ip saddr $p] -> [hping getfield ip ttl $p]"
}
 

The first line is just a while loop that repeats the script provided as its second argument forever. The second line, set p [lindex [hping recv eth0] 0], gets the next packet; the lindex command is used to extract the packet from the Tcl list (the 0 argument tells lindex to get the first packet).

The next line of code, puts "…", prints on the screen the source IP address and the TTL value of the packet. To extract fields from packets there is the command hping getfield (see the specific page for more information, as usual).

If you execute this script, you’ll get an output similar to the following:

# ./hping3 exec /tmp/test.tcl
192.168.1.6 -> 128
192.168.1.20 -> 128
 

The script will dump the packets until you press Ctrl+C.
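To make the APD format concrete, here is an added Python example (not hping3’s own code) that parses a received APD string such as the one above, looks up fields the way hping getfield and hping hasfield do, rewrites one, and serialises the packet back to the single-line form hping send expects. SAMPLE_APD is the page’s packet retyped as a constructed sample; the function names are my own.

```python
"""Parser for the hping3 APD packet-description format.

Added example, not hping3 code: it reproduces in Python what
`hping recv`, `hping getfield` and `hping send` let a script do with
APD strings, so the format can be studied offline.
"""
import re
from typing import Dict, List, Optional, Tuple

# One APD packet is a '+'-separated chain of layers, each written as
# name(field=value,...). Layers such as tcp.nop() carry no fields.
LAYER_RE = re.compile(r"^([A-Za-z0-9_.]+)\((.*)\)$")

Layer = Tuple[str, Dict[str, str]]

# Constructed sample: the TCP packet shown on the page, including the
# backslash-newline continuations the page added for readability.
SAMPLE_APD = (
    "ip(ihl=0x5,ver=0x4,tos=0x00,totlen=52,id=42833,fragoff=0,mf=0,df=1,rf=0,"
    "ttl=54,proto=6,cksum=0xd53a,saddr=192.106.224.132,daddr=192.168.1.6)+\\\n"
    "tcp(sport=6667,dport=52466,seq=2163829654,ack=3105171942,x2=0x0,off=8,"
    "flags=a,win=2848,cksum=0x99bd,urp=0)+\\\n"
    "tcp.nop()+tcp.nop()+tcp.timestamp(val=181365875,ecr=104872758)"
)


def parse_apd(packet: str) -> List[Layer]:
    """Split an APD string into an ordered list of (layer_name, fields).

    hping3 reads the description as one string, so backslash-newline
    continuations are removed first. Values are kept as the strings hping3
    prints (decimal, 0x-hex, dotted IPs); use int_field() to convert.
    Assumption: no field value contains '+' or ',' (true for the layers
    shown on the page).
    """
    text = packet.replace("\\\n", "").strip()
    layers: List[Layer] = []
    for chunk in text.split("+"):
        match = LAYER_RE.match(chunk.strip())
        if not match:
            raise ValueError(f"malformed APD layer: {chunk!r}")
        name, body = match.group(1), match.group(2)
        fields: Dict[str, str] = {}
        if body:
            for pair in body.split(","):
                key, sep, value = pair.partition("=")
                if not sep or not key.strip():
                    raise ValueError(f"malformed field {pair!r} in {name}")
                fields[key.strip()] = value.strip()
        layers.append((name, fields))
    return layers


def getfield(layers: List[Layer], layer: str, field: str) -> Optional[str]:
    """Equivalent of `hping getfield <layer> <field> $p`; None when absent."""
    for name, fields in layers:
        if name == layer and field in fields:
            return fields[field]
    return None


def hasfield(layers: List[Layer], layer: str, field: str) -> bool:
    """Equivalent of `hping hasfield <layer> <field> $p`."""
    return getfield(layers, layer, field) is not None


def int_field(layers: List[Layer], layer: str, field: str) -> int:
    """Numeric field as int; accepts the 0x-prefixed values hping3 prints."""
    value = getfield(layers, layer, field)
    if value is None:
        raise KeyError(f"{layer}.{field} not present")
    return int(value, 0)


def setfield(layers: List[Layer], layer: str, field: str, value: str) -> None:
    """Rewrite a field in place (the 'manipulate' step before resending)."""
    for name, fields in layers:
        if name == layer:
            fields[field] = value
            return
    raise KeyError(f"layer {layer} not present")


def to_apd(layers: List[Layer]) -> str:
    """Serialise back to the single-line form `hping send` expects."""
    parts = []
    for name, fields in layers:
        body = ",".join(f"{k}={v}" for k, v in fields.items())
        parts.append(f"{name}({body})")
    return "+".join(parts)


if __name__ == "__main__":
    pkt = parse_apd(SAMPLE_APD)
    # Same report the page's while-loop script prints: "saddr -> ttl".
    print(f"{getfield(pkt, 'ip', 'saddr')} -> {getfield(pkt, 'ip', 'ttl')}")
    setfield(pkt, "ip", "ttl", "64")
    print(to_apd(pkt))
```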

A more complex example

The following is a more real-world example: an hping script used to analyze the Initial Sequence Number (ISN) generation of a TCP/IP stack implementation. This example uses Tk in order to display a spectrogram of the ISN increments graphically. Note that the script is quite “rude” in order to keep it as simple as possible (otherwise it would hardly be useful for learning hping3 by example).

Before showing the actual code, I want to show an example output for Linux and Windows.
This is Linux:

[image not reproduced on this page]

While this is what I get with Windows 2000:

[image not reproduced on this page]

To appreciate the real difference between the two OSes note the scale indication in the pictures.

Note that the script always sends SYN packets to the target host from the same IP address, so it only checks how random the increment is in that particular situation. But if your TCP/IP stack shows a bad spectrogram even in this context, there is already something wrong (think about dialups, or DSL lines with dynamic IP: I can connect, sample a given host, reconnect with a different IP and try IP spoofing with the previous one).

Finally, this is the hping3 script that does the actual analysis:

# isn-spectrogram.htcl -- show the ISN increments "spectrogram".
# Copyright(C) 2003 Salvatore Sanfilippo.
#
# All rights reserved.
#
# Here the idea is very simple: in operating systems implementing
# ISN as random increments, it is useless to analyze the whole
# sequence number, because the random part is just the increment.
# Moreover, some weaknesses aren't about correlation between previous
# and successive increments, but just about increments not showing
# a good distribution. So the idea is to display a spectrogram
# of the increments distribution instead of the harder-to-read
# 3D attractors (See [1]). This way it is possible to see at least some of
# the common vulnerabilities you can discover with 3D attractors,
# but it is much simpler to guess how hard it is to exploit the system
# just from the picture.
#
# [1] http://razor.bindview.com/publish/papers/tcpseq.html
#
# Please if you make this script better write me back the
# changes. (antirez@invece.org).
#
# The script requires Tk to run.
 
package require Tk
source hpingstdlib.htcl
 
if {$argc != 3} {
    puts stderr "Usage: isn-spectrogram <host> <scale> <open-tcp-port>"
    puts stderr "Example: isn-spectrogram www.example.com 100000 80"
    exit
}
 
set bgcolor {#000000}
wm title . {hping3 -- attractors}
set w .main
frame $w
pack $w -side top
. config -background $bgcolor
$w config -background $bgcolor
 
# canvas
set xres 800
set yres 800
canvas $w.can -width $xres -height $yres
$w.can config -background $bgcolor
pack $w.can -fill both -expand true
 
# globals
foreach {hostname div dport} $argv break
set sport 1
#set dport 80
set target [hping resolve $hostname]
set targetif [outifname $target]
set myip [hping outifa $target]
set isnqueue {}
set relative_attractor 1
set lastisn 0
#set div 10000000
 
hping setfilter $targetif "tcp and src host $target"
 
 
$w.can create rectangle 40 450 139 450 -fill white -width 0
$w.can create text 90 470 -fill white -text [expr $div*100]
 
proc sendsyn {} {
    global sport dport myip target
    append syn "ip(saddr=$myip,daddr=$target,ttl=255)+"
    append syn "tcp(sport=$sport,dport=$dport,flags=s)"
    hping send $syn
    incr sport
    after 1 sendsyn
}
 
proc recvsynack {} {
    global lastisn relative_attractor targetif
 
    # Receive on the interface the filter was installed on (the original
    # hard-coded eth0 here); the extra arguments keep recv from blocking
    # the Tk event loop, see the hping recv page for their meaning.
    set packets [hping recv $targetif 0 0]
    foreach p $packets {
      if {![hping hasfield tcp flags $p]} continue
      set isn [hping getfield tcp seq $p]
      if {$relative_attractor} {
              # plot the increment from the previous ISN, not the raw ISN
              set tisn [expr abs($isn-$lastisn)]
              set lastisn $isn
              set isn $tisn
      }
      #puts "ISN: $isn"
      displaypoint $isn
    }
    after 10 recvsynack
}
 
proc displaypoint isn {
    global w xres yres pastcol div
 
    set isn [expr $isn/$div]
    set y 300
    set x $isn
    puts "$x $y"
    if {[haskey pastcol $x.$y]} {
      set graylevel [incr pastcol($x.$y) 10]
    } else {
      set pastcol($x.$y) 0
      set graylevel 0
    }
    if {$graylevel >= 256*3} {
      set graylevel [expr (256*3)-1]
    }
    if {$graylevel <= 255} {
      set b $graylevel
 
      set g 0
      set r 0
    } elseif {$graylevel <= 511} {
      set b 0
      set g [expr $graylevel - 256]
      set r 255
    } elseif {$graylevel <= 767} {
      set b 255
      set g 255
      set r [expr $graylevel - 512]
    }
    set color [format "#%02X%02X%02X" $r $g $b]
    $w.can create rectangle $x $y [expr $x+1] [expr $y+100] -fill $color -width 0
}
 
after 1 sendsyn
after 1 recvsynack
 
vwait forever
 
# vim: filetype=tcl softtabstop=4
 

If you know some basic Tcl/Tk you will, I hope, find it very simple to read. Note that to run this code you need a small hping standard library, but both this program and the library itself are under the /lib directory of the hping3 distribution, so don’t bother retyping it from this page.
This is how to use the script against a Linux box.

cd /your/path/hping3/lib
../hping3 exec isn-spectrogram.htcl <target-host> 100000 25
 

Note that ’25’ is an open port: you need to specify a TCP port that is open on the target system. 100000 is instead the scale: if the graph is bigger than the screen use a bigger scale value; if it is concentrated on the left of the screen and very dense, use a smaller one. Auto-scaling is trivial but not implemented in this script.
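As an added example (not part of hping3 or of the script above), the following Python code reproduces the script’s measurement offline: it takes a list of ISNs, computes the increments and the scale buckets the same way, and reports how many columns the spectrogram would use and their entropy, so you can judge your own stack’s ISN quality from a capture without Tk. The ISN samples are constructed, and taking the difference modulo 2^32 for wrap-around is my addition.

```python
"""Offline version of the ISN-increment analysis done by isn-spectrogram.htcl.

Added example, not hping3 code. Instead of sending SYNs and drawing on a Tk
canvas, it takes a list of ISNs (here constructed samples), computes the
increments the way the script does (difference between consecutive ISNs,
scaled by `div`), and summarises how spread out the increment "spectrogram"
is. The one deviation from the script: the difference is taken modulo 2^32,
so a sequence-number wrap-around does not show up as one huge increment.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Sequence

SEQ_MODULO = 2 ** 32          # TCP sequence numbers are 32 bits wide
PAGE_SCALE = 100000           # the <scale> argument used on the page


def isn_increments(isns: Sequence[int]) -> List[int]:
    """Increment between each ISN and the previous one, modulo 2^32."""
    return [(cur - prev) % SEQ_MODULO for prev, cur in zip(isns, isns[1:])]


def spectrogram(increments: Sequence[int], div: int) -> Dict[int, int]:
    """Bucket increments by `div`, as the script does with `expr $isn/$div`.

    Each bucket is one x column of the picture; the count is how often
    that column was hit (the script brightens the column on each hit).
    """
    return dict(Counter(inc // div for inc in increments))


def bucket_entropy(spec: Dict[int, int]) -> float:
    """Shannon entropy (bits) of the column distribution.

    A stack whose increments land in a single column scores 0; increments
    spread evenly over k columns score log2(k).
    """
    total = sum(spec.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in spec.values())


def assess(isns: Sequence[int], div: int = PAGE_SCALE) -> Dict[str, float]:
    """Summarise an ISN sample: columns used and entropy of the spectrogram."""
    spec = spectrogram(isn_increments(isns), div)
    return {"columns": len(spec), "entropy_bits": bucket_entropy(spec)}


# --- Constructed samples standing in for captured SYN/ACK sequence numbers.

def constant_increment_isns(n: int, step: int, start: int = 123456) -> List[int]:
    """Worst case: every new connection gets the previous ISN plus `step`."""
    return [(start + i * step) % SEQ_MODULO for i in range(n)]


def random_increment_isns(n: int, seed: int, span: int = 2 ** 24) -> List[int]:
    """Better case: each ISN advances by a uniformly random amount below `span`.

    random.Random is used only to build a reproducible sample; it is not a
    recommendation for how a real stack should generate ISNs.
    """
    rng = random.Random(seed)
    isns, cur = [], rng.randrange(SEQ_MODULO)
    for _ in range(n):
        isns.append(cur)
        cur = (cur + rng.randrange(1, span)) % SEQ_MODULO
    return isns


if __name__ == "__main__":
    samples = (
        ("constant +64000", constant_increment_isns(2000, 64000)),
        ("random increments", random_increment_isns(2000, seed=7)),
    )
    for label, sample in samples:
        print(label, assess(sample))
```

With the page’s scale of 100000, the constant-increment sample lights a single column (entropy 0 bits) while the random-increment sample spreads over about 168 columns (entropy close to 7.4 bits).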

Network and System Penetration Testing for Security Assessment

A pentest simulates the methods intruders use to gain unauthorized access to an organization’s networked systems and then compromise them. A compromised system can then be used for destructive work or as part of a botnet in country-wide cyber terrorism. In the context of penetration testing, the tester is limited by resources, namely time, skilled personnel and access to equipment, as outlined in the penetration testing agreement.

Most attackers follow a common approach to penetrating a system or network, which includes several stages and methods. In this phase the organization and the tester both take backups and prepare data recovery and failover procedures. It is better to take images of critical systems and servers and then test them in a virtualized lab environment.

Common Penetration Testing Techniques

Penetration testing that is not completed professionally can result in the loss of the business continuity. Penetration testing assesses the security model of the organization as a whole. It reveals potential consequences of a real attacker breaking into the network. A penetration tester is differentiated from an attacker only by his intention and lack of malice.

The Need of Penetration testing:

  1. Identify the threats facing an organization’s information assets
  2. Reduce an organization’s IT security costs and provide a better Return On IT Security Investment (ROSI) by identifying and resolving vulnerabilities and weaknesses
  3. Provide an organization with assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design and implementation
  4. Gain and maintain certification to an industry regulation (BS7799, HIPAA, etc.)
  5. Adopt best practice by conforming to legal and industry regulations
  6. Test and validate the efficiency of security protections and controls
  7. Focus on high-severity vulnerabilities and emphasize application-level security issues to development teams and management
  8. Provide a comprehensive set of preparation steps that can be taken to prevent upcoming exploitation
  9. Evaluate the efficiency of network security devices such as firewalls, routers, gateways and web servers
  10. Support changing or upgrading the existing infrastructure of software, hardware or network design

Type of Penetration Testing

  1. Black-Box (Zero-Knowledge Test)
  2. White-Box (Complete Knowledge Test)
  3. Gray-Box Testing (Some/ Partial Knowledge Test)

Black-Box Test:

In this approach, the vulnerability test team has no real information about the target environment. This type of test is designed to provide the most realistic vulnerability test possible, since attackers in many cases start with no real knowledge of the target system. This method uses fingerprinting methods along with exploit modules to gain access to the system. Dumpster diving is an additional advantage in this method.

White-Box Test:

In the full-knowledge test, the vulnerability test team has as much information about the client environment as possible. This approach is designed to simulate an attacker who has intimate knowledge of the target organization’s systems, such as an actual employee would possess. This method usually starts with an employee survey and a network inventory.

Gray-Box Test:

In this approach the test team is provided with information a motivated attacker is likely to find. This approach saves time and expense. It is used if there is a specific kind of attack or specific targeted host that customers want to have the Vulnerability test team focus on. To conduct a partial knowledge test, the test team is provided with such documents as policy and network topology documents, asset inventory, and other valuable information.

External on-demand penetration testing

An External Penetration Test differs from a vulnerability assessment in that it actually exploits the vulnerabilities to determine what information is actually exposed to the outside world. An External Penetration Test mimics the actions of an actual attacker exploiting weaknesses in the network security without the usual dangers. This test examines external IT systems for any weakness that could be used by an external attacker to disrupt the confidentiality, availability or integrity of the network, thereby allowing the organization to address each weakness.

External Penetration Test follows best practice in penetration testing methodologies which includes:

  • Footprinting
  • Public Information & Information Leakage
  • DNS Analysis & DNS Bruteforcing
  • Port Scanning
  • System Fingerprinting
  • Services Probing
  • Exploit Research
  • Manual Vulnerability Testing and Verification of Identified Vulnerabilities
  • Intrusion Detection/Prevention System Testing
  • Password Service Strength Testing
  • Remediation Retest (optional)

Why Should I Perform an External Penetration Test?

IT Security Compliance regulations and guidelines (GLBA, NCUA, FFIEC, HIPAA, etc.) require an organization to conduct independent testing of the Information Security Program to identify vulnerabilities that could result in unauthorised disclosure, misuse, alteration or destruction of confidential information, including Non-Public Personal Information (NPPI).

The Internet-facing components (website, email servers, etc.) of the organization’s network are constantly exposed to threats from hackers.

Best Practice requires that each organization should perform an External Penetration Test in addition to regular security assessments in order to ensure the security of their external network.

Internal Penetration testing

An Internal Penetration Test differs from a vulnerability assessment in that it actually exploits the vulnerabilities to determine what information is actually exposed. An Internal Penetration Test mimics the actions of an actual attacker exploiting weaknesses in network security without the usual dangers. This test examines internal IT systems for any weakness that could be used to disrupt the confidentiality, availability or integrity of the network, thereby allowing the organization to address each weakness.

Internal Penetration Test follows documented security testing methodologies which can include:

  • Internal Network Scanning
  • Port Scanning
  • System Fingerprinting
  • Services Probing
  • Exploit Research
  • Manual Vulnerability Testing and Verification
  • Manual Configuration Weakness Testing and Verification
  • Limited Application Layer Testing
  • Firewall and ACL Testing
  • Administrator Privileges Escalation Testing
  • Password Strength Testing
  • Network Equipment Security Controls Testing
  • Database Security Controls Testing
  • Internal Network Scan for Known Trojans
  • Third-Party/Vendor Security Configuration Testing

The report generated as the output of this work is designed for both executive/board level and technical staff.

Why should we perform an Internal Penetration Test?

Internal penetration testing allows organizations to test, if an attacker had the equivalent of internal access, how they might be able to perform unauthorized data disclosure, misuse, alteration or destruction of confidential information, including Non-Public Personal Information (NPPI).

The internal network (file servers, workstations, etc.) of the organization is exposed to threats such as external intruders who have breached perimeter defenses, or malicious insiders attempting to access or damage sensitive information or IT resources. Therefore, organizations are encouraged to test the internal network at least as frequently as they do the external perimeter.

Best Practice recommends that each organization perform an Internal Penetration Test as part of their regular Security Program in order to ensure the security of their internal network defenses.

Social Engineering Testing

We have provided Social Engineering testing to many organizations throughout the world. During Social Engineering testing, our experts attempt to manipulate an organization’s employees into allowing unauthorized access to confidential information. This allows the organization to test its Information Security Policy and its employees’ adherence to that policy. By hiring us to perform this test, the organization can identify failure points and train its staff in order to prevent an actual breach. We have designed techniques that can be performed both onsite and remotely.

During an onsite engagement, we will use various techniques to gain physical access to obtain records, files, and/or equipment that may contain confidential information.

The onsite engagement techniques typically include:

  • Dumpster diving
  • “Trusted Authority” disguises, such as fire inspectors, air conditioning repairman, pest control man, etc.
  • Employee Impersonation (IT Help Desk, New Hire and Auditor)

The onsite engagement tests for the following vulnerabilities:

  • Proper Disposal of Sensitive Data
  • Privacy Policy Awareness and Implementation
  • Institution Policy Adherence
  • Violation Reporting
  • Access Privileges
  • Sensitive Area Security
  • Device/System Compromise
  • Technical Preventive and Detective Controls

The remote Social Engineering engagement involves the manipulation of the organization’s employees by telephone or email in an attempt to get them to divulge user names, passwords, customer NPPI (Non-Public Personal Information) or other confidential information.

The remote engagement techniques typically include:

  • Pretext Calling (e.g. Employees and Help Desk Teams)
  • Phishing
    • Email based (Attempting to get employees to login to organization branded portals)
    • Physical honeypots (CD’s & USB Keys – This uses items planted to lure employees to run payloads)

The remote engagement can include tests for the following:

  • Privacy Policy Awareness and Implementation
  • Institution Policy Adherence
  • Violation Reporting
  • Access Privileges
  • Privacy Filtering
  • Technical Preventive and Detective Controls

Why Should I Perform Social Engineering Testing?

Social Engineering testing allows an organization to test its response to an active attack and to measure the effectiveness of the Information Security Awareness of its employees.

Penetration Tools List

Since I get asked a lot which tools I typically use for doing certain parts of testing, I’ve decided to compile a short list of stuff I might use in an engagement. They are….

Let me just say that I’m subject to use Backtrack in any phase. For updated information regarding attacks, viruses and worms I always use Symantec Threat Monitor.

Phase 1 Passive Reconnaissance

  1. Google (1st stop for passive recon), facebook, myspace, linkedin etc. (Find info on individuals on social network)
  2. Netcraft (find passive info about web servers.)
  3. Whois Lookup
  4. Geo Spider
  5. Google Earth
  6. IP2Country
  7. People Finder
  8. Maltego
  9. Domain Lookup (Domain Tools, My-addr.com)
  10. HTTrack
  11. Webripper
  12. Wireshark (I use in almost every phase. I wanna see if their website is sending me any tracking goodies while I’m reconning it.)
  13. Paros (Same as above, plus I use it to study authentication methods, and other stuff on their sites)

Phase 2 Scanning

  1. Nmap (CLI or GUI)
  2. SuperScan
  3. Firewalk
  4. Hping2 or Hping3
  5. Modem Scan
  6. MAC Scanner
  7. WMI Scanner
  8. THC Scan
  9. Tone Loc
  10. p0f
  11. Solarwinds
  12. TCP Traceroute

Phase 3 Vulnerability Research

  1. (I pretty much go manual here, but there’s always Nessus, ISS and others).
  2. I usually try and build something that looks as close as possible to my target, and practice exploiting them. I count this as part of my vulnerability research.
  3. Places I check are Secunia, Seclist, Milw0rm, Eeye, Metasploit.com, Securiteam, and a few others.
  4. Vendor websites.

(There are some tools like GFI LanGuard, Retina Network Security, OpenVAS, Nexpose, Metasploit and MBSA which I always recommend but to be updated I take references from Internet)

Phase 4 Penetration Testing/ Hacking

Breaking in

  1. Manual exploit code
  2. Metasploit
  3. Core Impact (large scale: 5000 or more nodes to penetrate)

Password Cracking

  1. Kerb Crack
  2. Pwdump
  3. Cain & Abel
  4. John the Ripper
  5. Rainbow Crack
  6. Hydra

Trojans & Rootkit

  1. I usually make my own. But some good POC ones are Poison Ivy, Nuclear RAT, Netbus.

Phase 5 Going Deeper

  1. Dsniff
  2. Tcpdump
  3. Arpspoof
  4. Putty
  5. Recub
  6. Scapy (to trick devices and anything else which accepts or send packets)
  7. WebScarab (studying HTTPS and other secure authentication processes)
  8. IDA Pro (reversing any custom apps I find being used internally).
  9. Olly Debug (same as above).
  10. Yersinia (VLAN hopping, and other low stack level attacks)

Phase 6 Covering Tracks

  1. RM, delete, erase, etc (obviously).
  2. Clearlogs
  3. Wipe utility
  4. ADS
  5. Winzapper (not a big fan, but when I have to…..)

Some additional tools that the tester can use are listed below.

Footprinting
* Greenwhich
* Whois
* Gnetutil (Network Utilities)
* Itrace (ICMP traceroute)
* Tctrace (TCP traceroute)
* Traceroute
* DNSwalk (DNS verification)
* Dig (DNS lookup)
* Host (DNS lookup)
* NSTXCD (IP over DNS client)
* NSTXD (IP over DNS server)
* Oxyman (DNS tunnel)
* Curl (URL transfer)
* Elinks (Console web browser)
* Konqueror (Web browser)
* Socat (Socket Cat)
* Stunnel (Universal SSL tunnel)
* Arpfetch (SNMP ARP/IP fetcher)
* SNMPWalk (SNMP tree walk)
* TKMib (Mib browser)
* GQ (LDAP browser)
* Komba2 (KDE SMB browser)
* LinNeighborhood (Graphical SMB browser)
* Net utils (NET utilities)
* SMBClient (SMB client)
* SMBGet (SMB downloader)
* Smb4K (SMB share browser)
* Xsmbrowser (Graphical SMB browser)
* nmblookup (Netbios name lookup)
* smbdumpusers (User browser)
* smbgetserverinfo (Get server info)
* Cheops (Network neighborhood)
* NTP-fingerprint (Detection based on ntp fingerprint)
* Nmap (Network scanner)
* NmapFE (Graphical network scanner)
* P0f (Passive OS fingerprinting)
* Queso (OS detection)
* XProbe2 (OS detection)

Scanning
* Cisco global exploiter (Cisco scanner)
* Cisco torch (Cisco oriented scanner)
* ExploitTree search (ExploitTree collection)
* Metasploit (Metasploit command line)
* Metasploit (Metasploit console GUI)
* Metasploit (Metasploit web interface)
* Nessus (Security Scanner)
* Raccess (Remote scanner)
* Httprint (Webserver fingerprinting)
* Nikto (Webserver scanner)
* Stunnel (Universal SSL tunnel)
* Cheops (Network neighborhood)
* GTK-Knocker (Simple GUI portscanner)
* IKE-Scan (IKE scanner)
* Knocker (Simple portscanner)
* Netenum (Pingsweep)
* Netmask (Requests netmask)
* Nmap (Network scanner)
* NmapFE (Graphical network scanner)
* Proxychains (Proxifier)
* Scanrand (Stateless scanner)
* Timestamp (Requests timestamp)
* Unicornscan (Fast port scanner)
* Isrscan (Source routed packets scanner)
* Amap (Application identification)
* Bed.pl (Application fuzzer)
* SNMP-Fuzzer (SNMP protocol fuzzer)
* ScanSSH (SSH identification)
* Nbtscan (Netbios scanner)
* SMB-Nat (SMB access scanner)
* Ozyman (DNS tunnel)
* Ass (Autonomous system scanner)
* Protos (Protocol identification)

Analyzer
* AIM-SNIFF (AIM sniffer)
* Driftnet (Image sniffer)
* Mailsnarf (Mail sniffer)
* Paros (HTTP interception proxy)
* URLsnarf (URL sniffer)
* smbspy (SMB sniffer)
* Etherape (Network monitor)
* Ethereal (Network analyzer)
* Ettercap (Sniffer/Interceptor/Logger)
* Hunt (Sniffer/Interceptor)
* IPTraf (Traffic monitor)
* NGrep (Network grep)
* NetSed (Network edit)
* SSLDump (SSLv3/TLS analyzer)
* Sniffit (Sniffer)
* TcPick (Packet stream editor)
* Dsniff (Password sniffer)

Spoofing
* Arpspoof (ARP spoofer)
* Macof (ARP spoofer/generator)
* Nemesis-ARP (ARP packet generator)
* Nemesis-Ethernet (Ethernet packet generator)
* CDP (CDP generator)
* DNSSpoof (DNS spoofer)
* Nemesis-DNS (DNS packet generator)
* DHCPX (DHCP flooder)
* Hping2 (Packet generator)
* ICMPRedirect (ICMP redirect packet generator)
* ICMPUSH (ICMP packet generator)
* Nemesis-ICMP (ICMP packet generator)
* Packit (Traffic inject/modify)
* TcPick (Packet stream editor)
* Yersinia (Layer 2 protocol injector)
* Fragroute (Egress rewrite)
* HSRP (HSRP generator)
* IGRP (IGRP injector)
* IRDP (IRDP generator)
* IRDPresponder (IRDP response generator)
* Nemesis-IGMP (IGMP generator)
* Nemesis-RIP (RIP generator)
* File2Cable (Traffic replay)
* Fragrouter (IDS evasion toolkit)
* Nemesis-IP (IP packet generator)
* Nemesis-TCP (TCP packet generator)
* Nemesis-UDP (UDP traffic generator)
* SendIP (IP packet generator)
* TCPReplay (Traffic replay)
* Etherwake (Generate wake-on-LAN)

Bluetooth
* BTScanner (Bluetooth scanner)
* Bluesnarfer (Bluesnarf attack)
* Ghettotooth (Bluetooth scanner)
* Kandy (Mobile phone tool)
* Obexftp (Obexftp client)
* Phone manager
* RFComm (Bluetooth serial)
* RedFang (Bluetooth bruteforce)
* USSP-Push (Obex-push)
* XMinicom (Terminal)

Wireless
* apmode.sh (Act as accesspoint)
* Airpwn (Client penetration)
* Hotspotter (Client penetration)
* GpsDrive
* start-gps-daemon (GPS daemon)
* stop-gps-daemon (GPS daemon)
* ASLeap (LEAP/PPTP cracker)
* Genkeys (Hash generator for ASLeap)
* Airforge
* File2air (Packet injector)
* Void11
* Void11-Hopper (Channel hopper)
* GKismet (Graphical wireless scanner)
* GPSMAP (wireless mapping)
* KLV (Kismet Log Viewer)
* Kismet (Ncurses wireless scanner)
* Wellenreiter (Graphical Wireless scanner)
* 802ether (Dumpfile format convertor)
* airodump (Traffic recorder)
* aircrack (Modern WEP cracker)
* Aireplay (Wireless packet injector)
* Wep_Crack (Wep Cracker)
* Wep_Decrypt (Decrypt dump files)
* Airsnort (GUI based WEP cracker)
* ChopChop (Active WEP attack)
* DWEPCrack (WEP cracker)
* Decrypt (Dump file decrypter)
* WEPAttack (Dictionary attack)
* WEPlab (Modern WEP cracker)
* Cowpatty (WPA PSK bruteforcer)
* changemac.sh (MAC address changer)

Bruteforce
* ADMsnmp (SNMP bruteforce)
* Guess-who (SSH bruteforce)
* Hydra (Multi purpose bruteforce)
* K0ldS (LDAP bruteforce)
* Obiwan III (HTTP bruteforce)
* SMB-Nat (SMB access scanner)
* TFTP-bruteforce
* VNCrack (VNC bruteforce)
* Xhydra (Graphical bruteforcer)

Password cracker
* BKHive (SAM recovery)
* Fcrackzip (Zip password cracker)
* John (Multi-purpose password cracker)
* Default password list
* Nasty (GPG secret key cracker)
* Rainbowcrack (Hash cracker)
* Samdump2 (SAM file dumper)
* Wordlists (Collection of wordlists)

Forensics
* Autopsy (Forensic GUI)
* DEFT Linux
* Helix 3 Boot Disk
* CAIN Boot Disk
* Recover (Ext2 file recovery)
* Testdisk (Partition scanner)
* Wipe (Securely delete files)

Honeypot
* IMAP
* POP3
* Honeyd (Honeypot)
* IISEmulator (Honeypot)
* Tinyhoneypot (Simple honeypot)

Strategies of Penetration Test

External Penetration Test:

  1. Web Servers
  2. Mail Servers
  3. Firewalls
  4. Routers and Gateway Devices

References:

Top 10 Password Crackers

http://www.oxid.it/cain.html
http://www.openwall.com/john/
http://freeworld.thc.org/thc-hydra/
http://www.aircrack-ng.org/
http://www.l0phtcrack.com/
http://airsnort.shmoo.com/
http://www.solarwinds.com/
http://www.foofus.net/fizzgig/pwdump/
http://project-rainbowcrack.com/
http://www.hoobie.net/brutus/

Top Packet Sniffers

http://www.wireshark.org/
http://www.kismetwireless.net/
http://www.tcpdump.org/
http://ettercap.sourceforge.net/
http://www.monkey.org/~dugsong/dsniff/
http://www.stumbler.net/
http://www.ntop.org/
http://etherape.sourceforge.net/
http://kismac.de/

Top Scanners

http://www.cirt.net/nikto2
http://www.parosproxy.org/index.shtml
http://www.wiretrip.net/rfp/
http://portswigger.net/suite/
http://www.acunetix.com/
http://www.nstalker.com/products
http://www.nessus.org/nessus/
http://www.gfi.com/lannetscan/
http://www.eeye.com/…cts/Retina.aspx
http://www-arc.com/sara/
http://www.qualys.com/

 

Windows Tools for Penetration Testing

Most penetration testers use either a Mac or a Linux-based platform to perform their penetration testing activities. However, it is always good practice to have a Windows virtual machine with some tools ready to be used for the engagement. The reason for this is that although Windows cannot be used as a main platform for penetration testing, some of its utilities and tools can still help us extract information from our Windows targets. So in this post we will see some of the tools that we can use on our Windows system.

HashCheck Shell Extension

The HashCheck Shell Extension makes it easy for anyone to calculate and verify checksums and hashes from Windows Explorer. In addition to integrating file checksumming functionality into Windows, HashCheck can also create and verify SFV files (and other forms of checksum files, such as .md5 files).

Netcat

Netcat is often referred to as a “Swiss-army knife for TCP/IP”. Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

Metasploit Framework

The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

RealVNC Viewer

Remote access software for desktop and mobile platforms.

GetIf

SNMP tool that allows you to collect information about SNMP devices.

Cain & Abel

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development.

PuTTY

PuTTY is an SSH and telnet client for the Windows platform.

Pass The Hash Toolkit

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows logon sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with their corresponding NTLM credentials (e.g. users remotely logged in through Remote Desktop/Terminal Services), and also to change at runtime the current username, domain name and NTLM hashes.

Cachedump

Recovering Windows Password Cache Entries.

Fport

Identify unknown open ports and their associated applications.

Nbtscan

This is a command-line tool that scans for open NETBIOS name servers on a local or remote TCP/IP network, and is a first step in finding open shares.

Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Winfo

Winfo uses null sessions to remotely try to retrieve lists of and information about user accounts, workstation/interdomain/server trust accounts, shares (also hidden), sessions, logged in users, and password/lockout policy, from Windows NT/2000/XP. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed.

ClearLogs

ClearLogs clears the event log (Security, System or Application) that you specify. You run it from the Command Prompt, and it can also clear logs on a remote computer.

SQLDict

SQLdict is a dictionary attack tool for SQL Server.

PMDump

PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process.

GrabItAll

GrabItAll performs traffic redirection by sending spoofed ARP replies. It can redirect traffic from one computer to the attacker’s computer, or redirect traffic between two other computers through the attacker’s computer. In the latter case you need to enable IP forwarding, which can also be done with GrabItAll.

DumpUsers

DumpUsers is able to dump account names and information even though RestrictAnonymous has been set to 1.

BrowseList

BrowseList retrieves the browse list. The output list contains computer names, and the roles they play in the network. For example you can see which are PDC, BDC, stand-alone servers and workstations. You can also see the system comments (which can be very interesting reading).

Remoxec

Remoxec executes a program using RPC (Task Scheduler) or DCOM (Windows Management Instrumentation).

WMICracker

Brute-force tool for Windows Management Instrumentation (WMI).

Venom

Venom is a tool to run dictionary password attacks against Windows accounts by using the Windows Management Instrumentation (WMI) service. This can be useful in those cases where the server service has been disabled.

SMBAT

The SMB Auditing Tool is a password auditing tool for the Windows and SMB platforms. It makes it possible to exploit the timeout architecture bug in Windows 2000/XP, making it extremely fast to guess passwords on these platforms.

RPCScan

RPCScan v2.03 is a Windows based detection and analysis utility that can quickly and accurately identify Microsoft operating systems that are vulnerable to the multiple buffer overflow vulnerabilities released in the MS03-026 and MS03-039 bulletins.

LSASecretsDump

LSASecretsDump is a small console application that extracts the LSA secrets from the Registry, decrypts them, and dumps them into the console window.

SQLPing

SQL Ping is a nice little command line enumerator that specifically looks for SQL servers and requires no authentication whatsoever.

OAT

The Oracle Auditing Tools (OAT) is a toolkit that can be used to audit security within Oracle database servers.

Pwdump7

Extract password hashes from local user accounts.

PsTools

The PsTools package provides a set of command line utilities that allow you to manage local and remote systems.

Incognito

Incognito is a tool for manipulating Windows access tokens and is intended for use by penetration testers, security consultants and system administrators.

DumpSec

DumpSec is a security auditing program for Microsoft Windows® NT/XP/200x. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.

X-Deep32

X-Deep/32 is an X Window Server for Windows NT/2000/9X/ME/XP that can be used to connect to host systems running UNIX, LINUX, IBM AIX etc.

LC5

Windows password cracker.

Ophcrack

Ophcrack is a free Windows password cracker based on rainbow tables.

SiVuS

SiVus is the first publicly available vulnerability scanner for VoIP networks that use the SIP protocol. It provides powerful features to assess the security and robustness of VoIP implementations.


Vulnerability Scanning with OpenVas

Installing OpenVAS

The simplest way of installing all of the required parts of the openvas suite is to issue the following commands in a terminal window.

root@bt:~# apt-get update
root@bt:~# apt-get install openvas

The package openvas is a “master” package that holds all of the info required to automatically download all of the other packages that make up the full openvas suite of tools.

Location of OpenVAS menu entries

Once openvas has been installed you will find all of the menu entries in this location.

Openvas check setup

openvas-check-setup is a very useful tool; here it is shown diagnosing problems and giving advice on how to fix them.

Setting up OpenVAS

Step 1. Adding a user

From the menu, select Openvas Adduser and follow instructions.

Note that you can use any username you like, but in this case I have just used root. I have left it at the default of password authentication, as I am going to be using this on a local machine and want to avoid having to manage certificates for the users, but this is entirely up to you. You cannot have an empty password, so I have used toor in this case. For the rules applied to this user I have left them blank by pressing Ctrl-D. This means that this user will be able to perform any task without any restrictions.

Step 2. Making the Certificate

From the menu, select Openvas mkcert and follow instructions.

Here we create the SSL certificate. It is used if you chose certificate authentication instead of a password when you created the user, but you are required to create it anyway even if you decide not to use certificates.

Step 3. Syncing the NVTs

At this point we need to get the latest set of NVTs. These are what the scanner uses to detect the vulnerabilities in what you are scanning. Please note you will need to do this quite regularly, and the first time you do it could take a while depending on the speed of your computer and internet connection.

So select OpenVAS NVT Sync from the menu.

Step 4. Starting the scanner

Start Openvas scanner

Now we are ready to start the scanner.

This WILL take a while the first time you start it, as it checks and loads the new NVTs you downloaded in the previous step.

Note the time in the corner! This was in a VM, so it should be much quicker for you.

Subsequent starts will be quick unless you have not updated in quite some time.

Please remember that the scanner runs as a daemon in the background and will keep running until you reboot or stop it with the menu entry provided.

Step 5. Setup OpenVAS manager

Setting up openvas manager

The first thing we need to do is make a client certificate for Openvas manager. This is done by running the following command:

openvas-mkcert-client -n om -i

Now we need to rebuild the database, as it is out of date with the added NVTs and we would otherwise get errors about the database. You should do this each time you update the NVTs. This is done with a simple command:

openvasmd --rebuild

This process will only take a few seconds if using openvas-libraries version 4.0.3 or below.

This process can take much longer if using openvas-libraries version 4.0.5 or above. The tradeoff for this extra time is much greater scanning capabilities, so it is worth it.

Step 6. Setup OpenVAS Administrator

Setting up Openvas Administrator

We need to create an administrative user that we will be using to perform all of our vulnerability assessments. This is done by running the following command:

openvasad -c 'add_user' -n openvasadmin -r Admin

openvasadmin is the username I have chosen to become this user, you however can substitute that with something better suited to you if you so choose. Make sure you can remember this username and associated password as you WILL need it when running openvas.

root@bt:~# openvasad -c 'add_user' -n openvasadmin -r Admin
Enter password: 
ad   main:MESSAGE:5871:2011-05-26 04h57.08 BST: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:5871:2011-05-26 04h57.08 BST: User openvasadmin has been successfully created.
root@bt:~#

Starting OpenVAS Manager

Now we need to start Openvas Manager

This runs as a daemon in the background. As I am running everything from my local machine, I will listen on localhost and, in this case, the default port. This is done by running the following command.

openvasmd -p 9390 -a 127.0.0.1

Starting OpenVAS Administrator

Now we need to start Openvas Administrator

This also runs as a daemon in the background. As I am running everything from my local machine, I will listen on localhost and, in this case, the default port. This is done by running the following command.

openvasad -a 127.0.0.1 -p 9393

Starting Greenbone Security Assistant

Now we need to start Greenbone security Assistant

This again runs as a daemon in the background. As I am running everything from my local machine, I will listen on localhost and, in this case, the default port. This is done by running the following command.

gsad --http-only --listen=127.0.0.1 -p 9392

More info on the above commands and other options can be found by running their associated menu entry and by looking at the man pages. As all three of these run as daemons and will continue running until you shut down your computer, I have provided menu entries so that you can stop them when you no longer need them.

At this point your installation is essentially complete, but as we have got this far we may as well continue to make sure everything is working as expected.
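All three daemons above are started bound to 127.0.0.1, so a quick sanity check is to confirm they really are listening on loopback only. The following script is an added example, not part of this tutorial or of OpenVAS: it reads the output of ss -ltn or netstat -ltn and checks the three ports the tutorial uses (9390, 9393, 9392); the socket listing used in the comments and tests is constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of OpenVAS: after the
# daemons are started, confirm each one is bound to loopback only and that
# no other address has claimed its port. The ports are the tutorial's:
#   openvasmd -p 9390 -a 127.0.0.1
#   openvasad -a 127.0.0.1 -p 9393
#   gsad --http-only --listen=127.0.0.1 -p 9392
EXPECTED_PORTS="9390 9393 9392"

# listeners: read "ss -ltn" or "netstat -ltn" output on stdin and print one
# "address port" pair per listening socket (both tools put the local
# address:port in the fourth column; header lines have no ":port" there).
listeners() {
    awk '$4 ~ /:[0-9]+$/ { n = split($4, a, ":"); print a[n-1], a[n] }'
}

# check_openvas_binding: read the socket listing on stdin; return 0 when
# every expected port listens on 127.0.0.1 and nowhere else, 1 otherwise,
# naming each problem on stdout.
check_openvas_binding() {
    listing=$(listeners)
    rc=0
    for port in $EXPECTED_PORTS; do
        if ! printf '%s\n' "$listing" | grep -q "^127\.0\.0\.1 $port\$"; then
            echo "port $port: not listening on 127.0.0.1"
            rc=1
        fi
        # anything on this port that is not loopback (0.0.0.0, *, :: ...)
        if printf '%s\n' "$listing" | grep -v '^127\.0\.0\.1 ' | grep -q " $port\$"; then
            echo "port $port: also exposed on a non-loopback address"
            rc=1
        fi
    done
    return $rc
}

# Live use on the scanner host: sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -ltn | check_openvas_binding
fi
```

If a port shows as exposed, the corresponding daemon was started with a different -a / --listen address than the tutorial's; restart it with 127.0.0.1.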

OpenVAS user interfaces

Greenbone security desktop

Now we need to start an application to enable you to communicate with the scanner and other daemons.

The first of these choices is greenbone security desktop

Start this from the menu item and fill in the credentials and details we created earlier, then click the login button.

Once logged in you can use this as your scanning interface, or use the next choice if you prefer.

Web interface

This next method is via a web interface

Open your favorite browser and enter the following address

127.0.0.1:9392

You will then be presented with a login page. Log in with the credentials we created earlier.

Once you have logged in, you will notice that your CPU usage hits the roof; don't worry, this will return to normal in a short while.

Here you can perform and setup all of your scanning tasks. It is a good idea to set NoScript to Temporarily allow 127.0.0.1 or you may get unexpected results.

There is much more to OpenVAS than I have included here, but this is only intended to get you up and running quickly. Scans and more advanced setups are beyond the scope of this simple tutorial. Don’t forget about some of the other parts to openvas contained within the menu that I have not covered here and also the man pages.

Once you have completed the setup process

Starting OpenVAS with greenbone security desktop as the scanning interface

From the menu select

Openvas NVT sync

Start Openvas scanner

then in a terminal window

openvasmd --rebuild
openvasmd -p 9390 -a 127.0.0.1
openvasad -a 127.0.0.1 -p 9393
gsad --http-only --listen=127.0.0.1 -p 9392

Then from the menu

Start Greenbone Security Desktop

and login

You are now ready to setup your scanning tasks.

Starting OpenVAS with a web browser as the scanning interface

From the menu select

Openvas NVT sync

Start Openvas scanner

then in a terminal window

openvasmd --rebuild
openvasmd -p 9390 -a 127.0.0.1
openvasad -a 127.0.0.1 -p 9393
gsad --http-only --listen=127.0.0.1 -p 9392

Then open your browser to the address

http://127.0.0.1:9392

Login.

You are now ready to setup your scanning tasks.