5. HPING3
Description
hping3 is a network tool
able to send custom tcp/ip
packets and to display
target replies like ping
program does with icmp
replies. hping3 handle
fragmentation, arbitrary
packets body and size and
can be used in order to
transfer files encapsulated
under supported protocols.
General syntax
Hping3[options][interface]target
ip
Uses
test firewall rules
advanced port scanning
path mtu discovery
tracerout-under different
protocols
remote os fingureprinting
tcp/ip stack auditing
6. SOME IMPORTANT OPTIONS TO BE
USED IN HPING3
-h –help
-v –version
-I –interface name
--flood :Sent packets as
fast as possible, without
taking care to show
incoming replies
-V –verbose
-1 –icmp mode
-2 –udp mode
-8 –scan mode
-a –spoof hostname
-t –time to leave
-f –fragments
-p –port
-w –window
-F –to set fin flag
-S –to set SYN flag
-A –to set ACK flag
-T –traceroute
-d –datasize
-P --push
7. SCAPY
DESCRIPTION
Scapy is a powerful interactive packet manipulation program.
It is able to forge or decode packets of a wide number of
protocols, send them on the wire, capture them, match
requests and replies, and much more. It can easily
handlemost
tasks like scanning, tracerouting,probing, unit tests, attack
s or network discovery (it can replace hping, 85% of nmap,
arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).
SYNOPSIS
scapy [-h] [-s file]
8. USAGE
Starting Scapy
Scapy’s interactive shell is run in a terminal session. Root privileges are
needed to send the packets, so we’re using sudo here:
$ sudo scapy
Welcome to Scapy (2.0.1-dev)
>>>
On Windows, please open a command prompt (cmd.exe) and make sure
that you have administrator privileges:
C:>scapy
INFO: No IPv6 support in kernel
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.0.1-dev)
>>>
9. OPTIONS AND COMMANDS
options
Options for scapy are:
-h display help screen and exit
-s FILE
use FILE to save/load session values (variables, functions,
intances, ...)
COMMANDS
Only the vital commands to begin are listed here for the moment.
ls() lists supported protocol layers. If a protocol layer is given as
parameter, lists its fields and types of fields.
lsc() lists some user commands. If a command is given as parameter,
its documentation is displayed.
conf this object contains the configuration.
10. EXAMPLES
Test the robustness of a network
stack with invalid packets:
sr(IP(dst="172.16.1.1", ihl=2,
options="0x02",
version=3)/ICMP())
Packet sniffing and dissection (with
a bpf filter or thetereal-like
output):
a=sniff(filter="tcp port 110")
a=sniff(prn = lambda x:
x.display)
Sniffed packet reemission:
a=sniff(filter="tcp port 110")
sendp(a)
Pcap file packet reemission:
sendp(rdpcap("file.cap"))
Manual TCP traceroute:
sr(IP(dst="www.google.com",
ttl=(1,30))/TCP(seq=RandInt(),
sport=RandShort(), dport=dport)
Protocol scan:
sr(IP(dst="172.16.1.28",
proto=(1,254)))
ARP ping:
srp(Ether(dst="ff:ff:ff:ff:ff:ff")/
ARP(pdst="172.16.1.1/24"))
ACK scan:
sr(IP(dst="172.16.1.28")/TCP(d
port=(1,1024), flags="A"))
Passive OS fingerprinting:
sniff(prn=prnp0f)
Active OS fingerprinting:
nmap_fp("172.16.1.232")
ARP cache poisonning:
sendp(Ether(dst=tmac)/ARP(o
p="who-has", psrc=victim,
pdst=target))
Reporting:
report_ports("192.168.2.34",
(20,30))
11. ETTERCAP AND WIRESHARK
ETTERCAP
Ettercap is a free and open
source network security tool
for man-in-the-middle
attacks on LAN. It can be used for
computer network protocol analysis
and security auditing. Ettercap
works by putting the network
interface into promiscuous
mode and by ARP poisoning the
target machines
WIRESHARK.
Wireshark is a free and open-
source packet analyzer used
for network troubleshooting,
analysis, software
&communications
protocol development, and
education. Wireshark is cross-
platform, using
the GTK+ widget toolkit in
current releases, and Qt in the
development version, to
implement its user interface,
and using pcap to capture
packets
12. TCP SYN FLOOD ATTACK
TCP SYN Flooding
Exploit state allocated at server after initial SYN packet
Send a SYN and don’t reply with ACK
Server will wait for 511 seconds for ACK
Finite queue size for incomplete connections (1024)
Once the queue is full it doesn’t accept requests
Command for SYN flood attack using hping3:
Hping3 –S –V --flood “taregt ip”
Using MSFCONSOLE
Use payload :- use auxilary/dos/tcp/syncflood
and set RHOST
13. PREVENTATION TECHNIQUES AGAINST SYN
FLOOD ATTACK
Use of Firewall
Enabling SYN cookies
SYN Cookies prevent an attacker from filling up your SYN queues
and make your services unreachable to the legitimate user.
On Linux, those are some settings you can use to enable and set up
SYN Cookies efficiently:
• echo 1 > /proc/sys/net/ipv4/tcp_syncookies
• echo 2048 /proc/sys/net/ipv4/tcp_max_syn_backlog
• echo 3 > /proc/sys/net/ipv4/tcp_synack_retries
14. ICMP FLOOD ATTACK
An ICMP flood typically occurs when ICMP echo requests
overload its victim with so many requests that it expends all its
resources responding until it can no longer process valid
network traffic.
Command for icmp flooding using hping
Hping3 -1 192.168.0.101 –flood
15. PROTECTION AGAINST ICMP FLOOD ATTACKS
Use Firewall
Setting up own server
In a ICMP/Ping flood, you can setup your server to ignore Pings, so
an attack will be only half-effective as your server won't consume
bandwidth replying the thousands of Pings its receiving.
You can do that by running this configuration:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
And naturally, add this line to the file /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_all = 1
Enabling ICMP Flood Protection by setting the ICMP flood threshold
value.
[edit]
user@host# set security screen ids-option 1000-icmp-flood icmp
flood threshold 1000
16. SMURF ATTACK
Send ICMP ping packet with
spoofed IP source address to
a LAN which will broadcast to
all hosts on the LAN
Each host will send a reply
packet to the spoofed IP
address leading to denial of
service
Command using hping3:
Hping3 –icmp –spoof
‘target ip’ ‘broadcast
ip’ --flood
17. PROTECTION AGAINST SMURF ATTACK
How to prevent your
network from being the
source of the attack:
Apply filters to each customer
network
Ingress:
Allow only those packets
with source addresses
within the customer’s
assigned netblocks
Apply filters to your
upstreams
Egress:
Allow only those packets with
source addresses within your
netblocks to protect others
Ingress:
Deny those packets with
source addresses within your
netblocks to protect yourself
This also prevents other
forms of attacks as well
18. ARP POISONING & IP SPOOFING (MITM)
ATTACK
A Man-In-The-Middle (MITM) attack is achieved when an attacker
poisons the ARP cache of two devices with the (48-bit) MAC address
of their Ethernet NIC (Network Interface Card). Once the ARP cache
has been successfully poisoned, each of the victim devices send all
their packets to the attacker when communicating to the other
device. This puts the attacker in the middle of the communications
path between the two victim devices; hence the name Man-In-The-
Middle (MITM) attack. It allows an attacker to easily monitor all
communication between victim devices.
19. ARP POISONING & IP SPOOFING (MITM)
ATTACK
STEPS
• Start ettercap
• Select unifide sniffing
• Scan for host
• Select target 1 and target 2 from host list
• Then start arp poisoning and sniff
• See the packets using WIRESHARK
• Before closing ettercap stop the MIM attack
20. PREVENTION AGAINST ARP POISONING & IP
SPOOFING ATTACK
Use of private Vlans
To prevent IP spoofing happen in your network, the following are
some common practices:
1- Avoid using the source address authentication. Implement
cryptographic authentication system-wide.
2- Configuring your network to reject packets from the Net that
claim to originate from a local address.
3- Implementing ingress and egress filtering on the border
routers and implement an ACL (access control list) that blocks
private IP addresses on your downstream interface.
If you allow outside connections from trusted hosts, enable
encryption sessions at the router.
21. FILTERING
if src_addr is from 10.10.0.0
then drop
else forward
if src_addr is from
10.10.0.0
then forward
else drop
10.10.10.0
22. TCP SESSION HIJACKING
TCP session hijacking is when a
hacker takes over a TCP session
between two machines. Since
most authentication only occurs
at the start of a TCP session, this
allows the hacker to gain access
to a machine.
Categories of TCP Session
Hijacking
Based on the anticipation of
sequence numbers there are
two types of TCP hijacking:
Man-in-the-middle (MITM)
Blind Hijack
23. PREVENT SESSION HIJACKING
Require the use of SSL encryption on all pages of
your website, or at least those pages that are used
to transmit cookies.
Ensure your wireless network uses WPA
encryption.
Provide a VPN to your users when they are away
from the office.
Be very careful with your organization's social
networking accounts; only grant access to a small
number of well-trained personnel.
24. REFLECTOR ATTACK
sender
dst: reflector
src: victim
reflector
VICTIM
ip spoofed packet
Oops, a lot of
replies without
any request…
Command using hping3:
Hping3 -1 spoof 192.168.0.104 192.168.0.101 –flood
Using scapy:
Send(ip(src=“ip”, dst=“ip”)/icmp())
25. IP FRAGMENTATION ATTACK
IP fragmentation is the process of breaking up a single Internet
Protocol (IP) datagram into multiple packets of smaller size so as to avoide
detection by network-based Intrusion Detection Systems (IDSs) anf firewall.
IP allows packets to be broken down into fragments for more efficient transport
across various media
The TCP packet (and its header) are carried in the IP packet
One of the type of ip fragmentation attack is TINY FRAGEMENT ATTACK
The tiny fragment attack is designed to fool a firewall or packet filter by creating an
initial fragment that is very small. It is so small, in fact, that it does not contain the
TCP port number. Instead, the TCP port number follows in the second packet.
Because the packet filter is looking for the port number to make filtering decisions,
it may allow the tiny initial fragment to pass through. Also, it may allow the second
fragment (which includes the rest of the TCP header, including the port number)
through. Furthermore, an IDS may not process the fragments properly and
therefore may not notice the attack.
28. PREVENTING IP FRAGMENT ATTACK
Prevention of the Tiny Fragment Attack In a router,
one can prevent this sort of attack by enforcing
certain limits on fragments passing through,
namely, that the first fragment be large enough to
contain all the necessary header information. There
are two ways to guarantee that the first fragment of
a "passed" packet includes all the required fields,
one direct, the other indirect.
