10:36 Anonymous port scanning using hping3 | |
To implement the necessary self-assured knowledge of TCP / IP and the desire understand. As a result, we will be able to scan a remote machine to open ports from foreign addresses on by the following scheme (picture of the manual for nmap):Theoretical IntroductionAs you can see on Wikipedia, everyone sends the IP packet is assigned its number (albeit fragmented packets have the same number), stored in a special 16ti bit field. overrun by field starts from zero. Having two rooms measuring a network packet can be seen on network activity observed computer. Installing the TCP connection is on a "triple handshake. "client sends a packet with flag set SYN, signaling the proposal to establish a connection. If the server can not create socket for the connection, it responds to the client with a packet counter offer SYN and confirmation ACK (which, in turn, the customer confirms their desire to establish a TCP connection packet with a flag ACK). If the server refuses the connection, it sends the client a denial of a package with the flag RST, at that turn the customer sadly remained silent. Based on this distinction we construct a scanning open ports on behalf of others. PracticeAs noted by the distinguished vanaf, the method will work if the scanned and the scanning hosts on the same subnet, or if a different scanner and dummy hosts must reside in the same subnet. To realize We will use one of the main tools for computer security specialist hping3. In the scheme involving 3 vehicles, conventionally called the attacking, the target and the dummy in whose name we're going to scan. The role of dummy machines to choose one that generates a minimal amount of traffic (in Ideally, does not generate at all). In order to find out intimate details of this fictitious machines, we will communicate with her and watch the numbers change packages. Ideally, the batch number on each of our communication with her must increase by one, which means that the this time it did not conduct more communication. To do this, run hping as follows: root @ Atom: ~ # hping3-r 192.168.2.140 HPING 192.168.2.140 (eth0 192.168.2.140): NO FLAGS are set, 40 headers + 0 data bytes len = 46 ip = 192.168.2.140 ttl = 128 id = 25378 sport = 0 flags = RA seq = 0 win = 0 rtt = 0.2 ms len = 46 ip = 192.168.2.140 ttl = 128 id = +1 sport = 0 flags = RA seq = 1 win = 0 rtt = 0.3 ms len = 46 ip = 192.168.2.140 ttl = 128 id = +1 sport = 0 flags = RA seq = 2 win = 0 rtt = 0.2 ms len = 46 ip = 192.168.2.140 ttl = 128 id = +1 sport = 0 flags = RA seq = 3 win = 0 rtt = 0.2 ms len = 46 ip = 192.168.2.140 ttl = 128 id = +1 sport = 0 flags = RA seq = 4 win = 0 rtt = 0.2 ms ^ C --- 192.168.2.140 hping statistic --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min / avg / max = 0.2/0.2/0.3 ms The-r says hping3 show growth rates subscription. see, with each of our communication it grows by 1, that is, free of unnecessary communication. We put this process on an infinite «ping» to monitor changes in the package id. Next, we need to target machine to send the proposal to establish a TCP connection, and sentence composed in a specific way: in the source package will install a fake address of the machine which is and will go the answers. If the specified port on the target machine is closed, it will send a fake machine failure (RST), which ignores the dummy machine. If the port is open. then target machine will send a counter proposal to establish a connection (SYN + ACK), in which dummy machine will have responded by denying that there is a package with a flag (RST). It is here we discover that our car resting before someone said something was in the when we sent the proposal to the connection on its behalf. To avoid accidents, the experiment is repeated. Send to a connection request on behalf of others can be as follows: root @ Atom: ~ # hping3-c 1 - S-a 192.168.2.140 192.168.2.1-p 5222 HPING 192.168.2.1 (eth0 192.168.2.1): S set, 40 headers + 0 data bytes --- 192.168.2.1 hping statistic --- 1 packets transmitted, 0 packets received, 100% packet loss Where: -c 1 means sending only one packet; -S set the flag SYN -a 192.168.2.140 as a source package to install the address 192.168.2.140 (the address of a fake car in our case) 192.168.2.1 address of target machine -p 5222 destination TCP port respond to the package we did not get because he left a fake car is likely to force her to respond by denying that we find. If the port is open, we will see the following picture: len = 46 ip = 192.168.2.140 ttl = 128 id = +1 sport = 0 flags = RA seq = 4 win = 0 rtt = 0.2 ms len = 46 ip = 192.168.2.140 ttl = 128 id = + 1 sport = 0 flags = RA seq = 5 win = 0 rtt = 0.2 ms len = 46 ip = 192.168.2.140 ttl = 128 id = +2 sport = 0 flags = RA seq = 6 win = 0 rtt = 0.2 ms len = 46 ip = 192.168.2.140 ttl = 128 id = +1 sport = 0 flags = RA seq = 7 win = 0 rtt = 0.2 ms len = 46 ip = 192.168.2.140 ttl = 128 id = +1 sport = 0 flags = RA seq = 8 win = 0 rtt = 0.2 ms Look at the third line of that dummy machine at the very moment of time to talk with someone else? "This is most likely the fault ( RST) to the offer of reciprocity (SYN + ACK), so dummy machine does not really kept sending SYN. ??To be sure, the experiment is repeated. For convenience, you can use the-i switch for the task and the time interval-p + + larger port 1 with each packet. ConclusionsThe same method can be banned and unsuspecting dummy car, if the target is an intrusion detection system. This is just one of many impressive applications hping3. They can ping if icmp is disabled (it sends the packet to the default TCP port to zero). It can also be used to transfer files even after strictly configured firewalls (at least through ping) to work as traceroute, not only on the basis of icmp, but both UDP and TCP, helps determine the remote OS, can be very specific trojan, and much more. I highly recommend to get acquainted with them closer.'s got a good HOW-TO;) If you like, accept gratitude. UPD: jcmvbkbc Thanks for the information that a similar trick can be done with nmap: nmap.org / book / idlescan.html | |
|
Total comments: 0 | |