Security testing with hping
Perimeter Testing
Perimeter testing means determining exactly what your firewall blocks and what it allows. To conduct a good test, you can spoof source IP addresses and source ports:
sudo hping3 -a 10.0.44.45 -S james -c 2 -p 80
The result of the above command is that packets will appear to originate from the system at 10.0.44.45. Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network.
In these cases, you don't have to use TCP. Using hping, you can generate UDP packets as well:
sudo hping3 targethost -c 2 --udp --baseport 80 --destport 80
The preceding command sends two UDP packets to port 80 on the target system from port 80 of your own system.
Of course, you can spoof the source IP address as well as the originating and destination ports:
sudo hping3 localhost -a 10.0.44.45 -c 2 --udp --baseport 80 --destport 80
Penetration Testing
It's not enough just to know how to use hping3; you also need to understand the basics of a penetration test. A typical test includes the following basic steps:
- Network resource identification: This step is sometimes called network mapping, network footprinting, or target identification. The step involves scanning systems for open ports, fingerprinting operating systems, and determining the types of applications that are operating on open ports.
- Scanning for vulnerabilities: Looking for vulnerabilities on server, firewall, and VoIP operating systems. You also conduct tests designed to break the existing authentication scheme. Once you are finished cracking systems, you then prioritize resources you have identified. For example, a system may have a fairly serious vulnerability that might not be very important. You might need to actually assign this system a lower priority than others that are considered more vital, especially if the vulnerable system isn't likely to become a stage for an attack. Many times, this step is considered part of the network resource identification, but I like to treat this activity as something separate. Determining vulnerabilities is a complex task that requires quite a bit of analytical thought.
- Perimeter testing: A classic activity for hping3. For example, you can use hping3 to generate traffic that tests whether the firewall is capable of blocking spoofed internal packets.
- Intrusion detection testing: In this step, you generate traffic to see if the intrusion detection system is capable of identifying anomalies and problems. Applications such as hping3 are perfect for generating such anomalous traffic.
- Consideration of security policy and end user issues: In this step, you determine the effectiveness of the security policy, and how well the network's applications ensure compliance. You also determine how well end users comply with the security policy. Although this last step isn't really relevant to applications such as hping3, it's important to understand that an auditor does more than scan systems and generate packets.
Sending Files
Creating a tunnel is one way to find out what your firewall is capable of blocking. On your receiving system, issue the following command:
host$ sudo hping3 -I eth0 --listen signature --icmp
To send the contents of the file on your local system to a remote system named james, issue the following command:
user@host:~$ sudo hping3 -I eth0 localhost --icmp -d 100 --sign signature --file /etc/shadow
On your receiving system's terminal, you will see the output of the file you're sending (see Listing 4).
Listing 4: Sending a File
Notice that the contents of the file have been sent through the firewall. Also notice that I've decided to send the contents of a particularly sensitive file. Creating an ad-hoc tunnel in this way allows quick file transfer back and forth across a firewall. Furthermore, this feature is useful for testing exactly what a firewall is capable of blocking.
Choosing an Audit Type
At the risk of oversimplifying, two types of audits exist: blind and non-blind. A blind audit is one in which you adopt the perspective of a hacker who doesn't know about the network and has to discover all of the systems. With a non-blind audit, you don't need to worry about discovering the systems; instead, you focus on scanning the systems for vulnerabilities. Regardless of the approach you take to auditing, your goal is to discover resources, show how to penetrate the defenses, and demonstrate how an attack could spread to other systems.
Simulating Attacks
The LAND attack [4], which first appeared in 1997, involves sending a spoofed packet with its SYN flag set to a target host. This spoofed packet carries the target host's own IP address and port as its source IP address and source port. When the attack first appeared, it caused unpatched Windows systems (and some Linux systems) to create an infinite connection loop and crash.
Many attackers exploited this bug to wage simple, sophomoric, and highly annoying denial of service attacks. More sophisticated users realized that such attacks were useful for hijacking attacks.
A new variation of the LAND attack turned up in 2005, and this classic technique could easily appear again.
Hping3 can help you ensure that your systems are immune to such an attack. Suppose you want to test a system with the IP address of 192.168.2.3 that has port 139 open. To do so, you would issue the following command:
sudo hping3 -S 192.168.2.3 -a 192.168.2.3 -k -s 139 -p 139 --flood
This attack could cause an unpatched target system to freeze. Also notice the --flood option, which sends thousands of packets to the system.
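Whether the perimeter tests earlier in the article or the LAND probe above did what you expect is best confirmed from the firewall's own log. The following POSIX shell script is an added example, not code from the article: it parses constructed iptables-style LOG lines, reports private-source packets that arrived on the external interface without being dropped, and reports any line whose source and destination address coincide. The interface name eth0, the FW-DROP:/FW-ACCEPT: log prefixes and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Constructed iptables-style LOG lines;
# the eth0 interface and the FW-DROP:/FW-ACCEPT: log prefixes are assumptions.
FW_LOG=$(cat <<'EOF'
Jan 10 12:00:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=10.0.44.45 DST=10.0.0.7 PROTO=TCP SPT=1234 DPT=80 SYN
Jan 10 12:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=10.0.44.45 DST=10.0.0.7 PROTO=UDP SPT=80 DPT=80
Jan 10 12:00:03 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.7 PROTO=TCP SPT=40000 DPT=80 SYN
Jan 10 12:00:04 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=10.0.44.45 DST=10.0.0.7 PROTO=TCP SPT=1234 DPT=22 SYN
Jan 10 12:00:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.168.2.3 DST=192.168.2.3 PROTO=TCP SPT=139 DPT=139 SYN
EOF
)
# field LINE KEY: value of KEY=... in an iptables LOG line (empty if absent)
field() {
    case "$1" in *"$2="*) v=${1#*"$2="}; printf '%s' "${v%% *}" ;; esac
}

# is_private ADDR: succeeds if ADDR lies in RFC 1918 space
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# spoof_leaks LOGTEXT IFACE: lines where a packet with an RFC 1918 source
# arrived on the external interface IFACE and was not dropped. A working
# anti-spoofing rule yields no output here.
spoof_leaks() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ "$(field "$line" IN)" = "$2" ] || continue
        is_private "$(field "$line" SRC)" || continue
        case "$line" in *"FW-DROP:"*) ;; *) printf '%s\n' "$line" ;; esac
    done
}

# land_hits LOGTEXT: lines whose source and destination address are equal,
# the LAND signature, regardless of the firewall's verdict.
land_hits() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        src=$(field "$line" SRC); dst=$(field "$line" DST)
        if [ -n "$src" ] && [ "$src" = "$dst" ]; then printf '%s\n' "$line"; fi
    done
}

# count_lines TEXT: number of non-empty lines, to turn the checks into numbers
count_lines() { printf '%s' "$1" | grep -c .; }

printf 'spoof leaks: %s\n' "$(count_lines "$(spoof_leaks "$FW_LOG" eth0)")"
printf 'LAND hits:   %s\n' "$(count_lines "$(land_hits "$FW_LOG")")"
```

In the sample log only the DPT=22 line is a genuine leak: the firewall dropped the port 80 probes and the LAND packet but let a spoofed internal address through to SSH, which is exactly the gap the perimeter test exists to expose.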