Friday, September 10, 2010

Another Great Tool

There are a number of good packet crafting tools available for Linux distributions, including scapy, nemesis and my favorite, hping.
hping was written by Salvatore Sanfilippo and is now in its third major version (last updated in 2005).
It is a packet crafter, which means it lets you construct and send packets over raw sockets, independently of the TCP/IP stack built into your OS. You can create TCP (the default), ICMP, UDP or raw IP packets (no higher-level protocol embedded).
hping is a command-line tool that runs inside a Tcl interpreter, so you can use all of Tcl's abilities to script your commands.
You can download the tool here.

A basic example of crafting your own packets:

Let's use hping to send an ICMP Address Mask Request. We need to know the ICMP type and code for this, which is type 18 with no code. We would construct our command as follows:


hping -1 -C 18 10.10.1.1

Here we're telling hping to send an ICMP packet (-1) of type 18 (-C 18) to address 10.10.1.1.

hping will display a line like this showing what it is doing:
HPING 10.10.1.1 (eth0 10.10.1.1): icmp mode set, 28 headers + 0 data bytes

Any reply from the host will be printed to the screen. In this case, the destination dropped our packets. When we kill the command (Control-C), we'll see the stats:

--- 10.10.1.1 hping statistic ---
15 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

There's a built-in macro for this command, --icmp-addr, so we could have just run hping --icmp-addr 10.10.1.1.

Let's use hping to send a ping (ICMP echo request, type 8) so we can see some replies:

hping -1 -C 8 10.10.1.1

HPING 10.10.1.1 (eth0 10.10.1.1): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.10.1.1 ttl=255 id=30150 icmp_seq=0 rtt=0.4 ms
len=46 ip=10.10.1.1 ttl=255 id=15674 icmp_seq=1 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=46964 icmp_seq=2 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=23097 icmp_seq=3 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=8324 icmp_seq=4 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=7159 icmp_seq=5 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=19765 icmp_seq=6 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=54740 icmp_seq=7 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=30929 icmp_seq=8 rtt=0.2 ms
^C
--- 10.10.1.1 hping statistic ---
9 packets tramitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.4 ms

Just like with the ping command, we see each response with its TTL, sequence number and round-trip time.
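
The following Python is an added example, not code from the post or from hping itself. It shows what the -1 -C <type> commands above put on the wire after the IP header: an 8-byte ICMP header (type, code, checksum, id, sequence) with an RFC 1071 checksum, which is where hping's "28 headers + 0 data bytes" line comes from (20 bytes of IP plus 8 of ICMP). It then parses the reply lines hping prints and rebuilds the loss and min/avg/max summary, the kind of check you end up scripting around hping when you probe a host repeatedly. The reply lines are the nine from the ping run above, embedded as constructed input. One caveat on types: RFC 792 numbers the Address Mask Request as type 17 and the Address Mask Reply as type 18, and hping's --icmp-addr option is documented as an alias for type 17.

```python
import re
import struct


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words,
    the same algorithm the IP, ICMP, TCP and UDP headers use."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, ident: int = 0, seq: int = 0,
               data: bytes = b"") -> bytes:
    """Build an ICMP message: the 8-byte header (type, code, checksum, id, seq)
    followed by optional data. With no data these 8 bytes sit right after the
    20-byte IP header, the '28 headers + 0 data bytes' hping reports."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = rfc1071_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + data


def icmp_checksum_ok(msg: bytes) -> bool:
    """An intact ICMP message (header + data) checksums to zero."""
    return rfc1071_checksum(msg) == 0


# Constructed input: hping's screen output from the ping run above, copied verbatim.
HPING_OUTPUT = """\
HPING 10.10.1.1 (eth0 10.10.1.1): icmp mode set, 28 headers + 0 data bytes
len=46 ip=10.10.1.1 ttl=255 id=30150 icmp_seq=0 rtt=0.4 ms
len=46 ip=10.10.1.1 ttl=255 id=15674 icmp_seq=1 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=46964 icmp_seq=2 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=23097 icmp_seq=3 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=8324 icmp_seq=4 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=7159 icmp_seq=5 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=19765 icmp_seq=6 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=54740 icmp_seq=7 rtt=0.2 ms
len=46 ip=10.10.1.1 ttl=255 id=30929 icmp_seq=8 rtt=0.2 ms
^C
--- 10.10.1.1 hping statistic ---
9 packets tramitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.4 ms
"""

REPLY_RE = re.compile(
    r"len=(?P<len>\d+) ip=(?P<ip>\S+) ttl=(?P<ttl>\d+) id=(?P<id>\d+) "
    r"icmp_seq=(?P<seq>\d+) rtt=(?P<rtt>[\d.]+) ms")


def parse_hping_replies(output: str) -> list:
    """One dict per reply line; the banner, ^C and statistic lines are skipped."""
    replies = []
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            d = m.groupdict()
            replies.append({"len": int(d["len"]), "ip": d["ip"], "ttl": int(d["ttl"]),
                            "id": int(d["id"]), "seq": int(d["seq"]), "rtt": float(d["rtt"])})
    return replies


def summarize(replies: list, transmitted: int) -> dict:
    """Rebuild the summary hping prints: packet loss and min/avg/max round-trip time."""
    rtts = [r["rtt"] for r in replies]
    received = len(rtts)
    loss = 100.0 * (transmitted - received) / transmitted if transmitted else 0.0
    return {"transmitted": transmitted, "received": received, "loss_pct": loss,
            "min": min(rtts) if rtts else 0.0,
            "avg": sum(rtts) / received if rtts else 0.0,
            "max": max(rtts) if rtts else 0.0}


if __name__ == "__main__":
    # Echo request (type 8) and Address Mask Request (type 17 in RFC 792).
    for name, msg in (("echo request", build_icmp(8, 0, 0x1234, 1)),
                      ("address mask request", build_icmp(17))):
        print("%-21s %s  checksum ok: %s" % (name, msg.hex(), icmp_checksum_ok(msg)))
    replies = parse_hping_replies(HPING_OUTPUT)
    s = summarize(replies, transmitted=len(replies))
    print("%d/%d received, %.0f%% loss, rtt min/avg/max = %.1f/%.1f/%.1f ms"
          % (s["received"], s["transmitted"], s["loss_pct"], s["min"], s["avg"], s["max"]))
```

The transmitted count is passed in separately because hping only prints it in the final statistic line; when you wrap hping in a script you know how many probes you asked for (the -c option) and can feed that number in.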

Now let's use hping to send some data in a TCP packet. Suppose we just wrote a very simple IDS signature that looks for the string "evil_string_123" and want to test that it works.
First, we'd create a text file containing the string. Let's say we called it packet_data.

Now we can use hping to send packets carrying that string to a host that sits behind our IDS, then watch for our signature to fire.

hping -S -p 22 -d 20 -E packet_data 10.10.1.2

Here we're sending a TCP packet (the default, so no option is needed) with the SYN flag set (-S) to port 22 (-p 22), carrying 20 bytes of data (-d 20) read from the file packet_data (-E), to host 10.10.1.2.

Running a sniffer on the sending box, we should see our string in the packet data, like this:


12:09:17.837181 IP 10.10.1.15.2572 > 10.10.80.203.22: Flags [S], seq 168566124:168566144, win 512, length 20
        0x0000:  4500 003c 412a 0000 4006 d37c 0a0a 010f  E..
        0x0010:  0a0a 0102 0a0c 0016 0a0c 1d6c 5796 3dbf  ..P........lW.=.
        0x0020:  5002 0200 a8f6 0000 6576 696c 5f73 7472  P.......evil_str
        0x0030:  696e 675f 3132 330a 0000 0000            ing_123.....



Salvatore goes into depth on using the tool, especially scripting it from the Tcl shell, here.
