Friday, 1 February 2013

Typical Responses


hping

hping extends the scope of information which may be gathered about a
secure gateway's policy, allowing an attacker to assess the nature of the
filtering device, and to reverse engineer some of the policy.
hping functions by sending TCP packets to a specific port, and
detailing the response received from either the target host or devices en
route.

Typical Responses

The four states we may receive allow us to identify either where a
connection was accepted or why and where it was rejected, dropped
or lost.
• SYN/ACK - If a SYN/ACK is received, then the port may be
considered to be open on the IP from which the response was
received.
• ICMP type 13 - If an ICMP type 13 packet is received, then the host
has administratively prohibited the connection - often a router will
use this response to implement its ACL security policy.
• RST/ACK - If a RST/ACK packet is received, the packet was either
rejected by the IP stack on the host, or by an upstream security
device (e.g. a Checkpoint reject).
• Nothing - If no packet is received, then either the original packet did
not reach the target or an intermediary security device silently
dropped it.
Thus, considering an FTP server on IP address 10.2.1.1, we can initiate an
hping to port 21 on the host. We should receive a SYN/ACK (flags=SA)
response from the target IP.
By further examining the host, trying to connect to the telnet port
(TCP/23) and receiving a RST/ACK (flags=RA) from host 10.3.1.1, we
have an interesting situation. If the RA flagged packet had come from
10.2.1.1, then it could be assumed the host was not listening for a telnet
connection. Since the RA came instead from a host upstream of the
target, it is likely to be a security device of some kind. If the packet had
been an ICMP Unreachable 13, then as previously mentioned, the
device would probably have been a router. Since it is an RA packet, the
rejecting host is most likely a firewall of some kind.
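The decision logic above, applied to hping's reply lines, as an added example that is not part of the original post: it parses constructed sample output (the line format approximates hping3's, the 10.3.1.254 router address is assumed) and reports, per probed port, which of the four states was observed and what that implies about the filtering path.

```python
import re

# Constructed sample lines approximating hping3 output; not captured from a real host.
# Target 10.2.1.1: port 21 answers SA, port 23 draws an RA from 10.3.1.1 (upstream),
# a router at 10.3.1.254 (assumed address) sends ICMP unreachable code 13, port 25 is silent.
SAMPLE_OUTPUT = """\
HPING 10.2.1.1 (eth0 10.2.1.1): S set, 40 headers + 0 data bytes
len=46 ip=10.2.1.1 ttl=64 DF id=0 sport=21 flags=SA seq=0 win=5840 rtt=0.4 ms
len=46 ip=10.3.1.1 ttl=63 id=0 sport=23 flags=RA seq=1 win=0 rtt=0.6 ms
ICMP Unreachable type=3 code=13 from ip=10.3.1.254 name=UNKNOWN
--- 10.2.1.1 hping statistic ---
"""

TCP_REPLY = re.compile(r"ip=(?P<ip>\S+) .*?sport=(?P<port>\d+) flags=(?P<flags>\S+)")
ICMP_REPLY = re.compile(r"ICMP Unreachable type=(?P<type>\d+) code=(?P<code>\d+) from ip=(?P<ip>\S+)")

def classify(target, line):
    """Map one reply line to (port, verdict); port is None for ICMP, result None if not a reply."""
    m = TCP_REPLY.search(line)
    if m:
        ip, port, flags = m["ip"], int(m["port"]), m["flags"]
        if flags == "SA":
            return port, f"open on {ip}"
        if flags == "RA" and ip == target:
            return port, f"closed on {ip}: RST/ACK from the target's own IP stack"
        if flags == "RA":
            return port, f"rejected upstream by {ip}: RST/ACK from a device en route (probable firewall)"
        return port, f"unexpected flags {flags} from {ip}"
    m = ICMP_REPLY.search(line)
    if m and m["type"] == "3" and m["code"] == "13":
        return None, f"administratively prohibited by {m['ip']} (probable router ACL)"
    return None

def classify_output(target, text, probed_ports):
    """Return ({port: verdict}, [icmp notes]); probed ports with no reply count as dropped/lost."""
    verdicts, icmp_notes = {}, []
    for line in text.splitlines():
        result = classify(target, line)
        if result is None:
            continue
        port, verdict = result
        if port is None:
            icmp_notes.append(verdict)
        else:
            verdicts[port] = verdict
    for port in probed_ports:
        verdicts.setdefault(port, "no response: packet lost or silently dropped by a filter")
    return verdicts, icmp_notes

if __name__ == "__main__":
    ports, icmp = classify_output("10.2.1.1", SAMPLE_OUTPUT, [21, 23, 25])
    for port in sorted(ports):
        print(f"tcp/{port}: {ports[port]}")
    for note in icmp:
        print(f"icmp: {note}")
```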

