Security testing with hping
Perimeter Testing
Perimeter testing means determining exactly what your firewall blocks and what it allows. To conduct a good test, you can spoof source IP addresses and source ports:
sudo hping3-a 10.0.44.45 -S james -c 2 -p 80
The result of the above command is that packets will appear to originate from the system at 10.0.44.45. Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network.
In these cases, you don't have to use TCP. Using hping, you can generate UDP packets as well:
sudo hping3 targethost -c 2 --udp --baseport 80 --destport 80
The preceding command sends two UDP packets to port 80 on the target system from port 80 of your own system.
Of course, you can spoof the source IP address as well as the originating and destination ports:
sudo hping3 localhost -a 10.0.44.45 -c 2 --udp --baseport 80 --destport 80
Penetration Testing
It's not enough to just know about how to use hping3; you need to also understand the basics of a penetration test. A typical test includes the following basic steps:
- Network resource identification: This step is sometimes called network mapping, network footprinting, or target identification. The step involves scanning systems for open ports, fingerprinting operating systems, and determining the types of applications that are operating on open ports.
- Scanning for vulnerabilities: Looking for vulnerabilities on server, firewall, and VoIP operating systems. You also conduct tests designed to break the existing authentication scheme. Once you are finished cracking systems, you then prioritize resources you have identified. For example, a system may have a fairly serious vulnerability that might not be very important. You might need to actually assign this system a lower priority than others that are considered more vital, especially if the vulnerable system isn't likely to become a stage for an attack. Many times, this step is considered part of the network resource identification, but I like to treat this activity as something separate. Determining vulnerabilities is a complex task that requires quite a bit of analytical thought.
- Perimeter testing: A classic activity for hping3. For example, you can use hping3 to generate traffic that tests whether the firewall is capable of blocking spoofed internal packets.
- Intrusion detection testing: In this step, you generate traffic to see if the intrusion detection system is capable of identifying anomalies and problems. Applications such as hping3 are perfect for generating such anomalous traffic.
- Consideration of security policy and end user issues: In this step, you determine the effectiveness of the security policy, and how well the network's applications ensure compliance. You also determine how well end users comply with the security policy. Although this last step isn't really relevant to applications such as hping3, it's important to understand that an auditor does more than scan systems and generate packets.
Sending Files
Creating a tunnel is one way to find out what your firewall is capable of blocking. On your receiving system, issue the following command:
host$ sudo hping3 -i eth0 --listen signature --icmp
To send the contents of the file on your local system to a remote system named james, issue the following command:
user@host:~$ sudo hping3 -I eth0 localhost --icmp -d 100 --sign signature --file /etc/shadow
On your receiving system's terminal, you will see the output of the file you're sending (see Listing 4).
Listing 4
Sending a File
Notice that the contents of the file has been sent through the firewall. Also notice that I've decided to send the contents of a particularly sensitive file. Creating an ad-hoc tunnel in this way allows quick file transfer back and forth across a firewall. Furthermore, this feature is useful for testing exactly what a firewall is capable of blocking.
Choosing an Audit Type
At the risk of oversimplifying, two types of audits exist: blind and non-blind. A blind audit is one in which you adopt the perspective of a hacker who doesn't know about the network and has to discover all of the systems. With non-blind audit, you don't need to worry about discovering the systems; instead, you focus on scanning the systems for vulnerabilities. Regardless of the approach you take to auditing, your goal is to discover resources, show how to penetrate the defenses, and demonstrate how an attack could spread to other systems.
Simulating Attacks
The LAND attack [4], which first appeared in 1997, involves sending a spoofed packet with its SYN flag activated to a target host. This spoofed packet has the same source IP and source port as the target hosts's IP. When the attack first appeared, it caused unpatched Windows systems (and some Linux systems) to create an infinite connection loop and crash.
Many attackers exploited this bug to wage simple, sophomoric, and highly annoying denial of service attacks. More sophisticated users realized that such attacks were useful for hijacking attacks.
A new variation of the LAND attack turned up in 2005, and this classic technique could easily appear again.
Hping3 can help you ensure that your systems are immune to such an attack. Suppose you want to test a system with the IP address of 192.168.2.3 that has port 139 open. To do so, you would issue the following command:
sudo hping3 -S 192.168.2.3 -a 192.168.2.3 -k -s 139 -p 139 --flood
This attack could cause an unpatched target system to freeze. Also notice the --flood option, which sends thousands of packets to the system.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Budgie 10.10 Scheduled for Q1 2025 with a Surprising Desktop Update
If Budgie is your desktop environment of choice, 2025 is going to be a great year for you.
-
Firefox 134 Offers Improvements for Linux Version
Fans of Linux and Firefox rejoice, as there's a new version available that includes some handy updates.
-
Serpent OS Arrives with a New Alpha Release
After months of silence, Ikey Doherty has released a new alpha for his Serpent OS.
-
HashiCorp Cofounder Unveils Ghostty, a Linux Terminal App
Ghostty is a new Linux terminal app that's fast, feature-rich, and offers a platform-native GUI while remaining cross-platform.
-
Fedora Asahi Remix 41 Available for Apple Silicon
If you have an Apple Silicon Mac and you're hoping to install Fedora, you're in luck because the latest release supports the M1 and M2 chips.
-
Systemd Fixes Bug While Facing New Challenger in GNU Shepherd
The systemd developers have fixed a really nasty bug amid the release of the new GNU Shepherd init system.
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.