1. Testing ICMP:
In this example hping3 will behave like a normal ping utility, sending ICMP-echo
und receiving ICMP-reply
hping3 -1 0daysecurity.com
2. Traceroute using ICMP:
This example is similar to famous utilities like tracert
(Windows) or traceroute
(Linux) who uses ICMP packets increasing every time in 1 its TTL value.
hping3 --traceroute -V -1 0daysecurity.com
3. Checking port:
Here hping3 will send a SYN
packet to a specified port (80 in our example). We can control also from which local port will start the scan (5050).
hping3 -V -S -p 80 -s 5050 0daysecurity.com
Lire la suite…
Hping
Wikipedia defines hping as :
hping is a free packet generator and analyzer for the TCP/IP protocol distributed by Salvatore Sanfilippo (also known as Antirez). Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan scanning technique (also invented by the hping author), and now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in very short time.
On ubuntu hping can be installed from synaptic manager.
$ sudo apt-get install hping3
Syn flood
To send syn packets use the following command at terminal
$ sudo hping3 -i u1 -S -p 80 192.168.1.1
The above command would send TCP SYN packets to 192.168.1.1
sudo is necessary since the hping3 create raw packets for the task , for raw sockets/packets root privilege is necessary on Linux.
S
– indicates SYN
flag
p 80
– Target port 80
i u1
– Wait for 1 micro second between each packet
More options
Lire la suite…
Source: nixCraft
Spoofing and bad address attack tries to fool the server and try to claim that packets had come from local address/network.
Following IP/netwok address are know to open this kind of attack:
Incoming source IP address is your servers IP address
Bad incoming address from following ranges:
- 0.0.0.0/8
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 192.168.0.0/16
- 224.0.0.0/3
- Your own internal server/network ip address/ranges.
Lire la suite…
Source: nixCraft
Following list summaries the common attack on any type of Linux computer:
Syn-flood protection
In this attack system is floods with a series of SYN packets. Each packets causes system to issue a SYN-ACK responses. Then system waits for ACK that follows the SYN+ACK (3 way handshake). Since attack never sends back ACK again entire system resources get fulled aka backlog queue. Once the queue is full system will ignored incoming request from legitimate users for services (http/mail etc). Hence it is necessary to stop this attack with iptables.
Force SYN packets check
Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Force Fragments packets check
Packets with incoming fragments drop them. This attack result into Linux server panic such data loss.
iptables -A INPUT -f -j DROP
XMAS packets
Incoming malformed XMAS packets drop them:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Lire la suite…