hping2-howto.txt
Obviously, if you check the id every 1/2 second instead of every second, the increment will be half as large.

# hping www.yahoo.com -P 80 -A -r -i u 500000
ppp0 default routing interface selected (according to /proc)
HPING www.yahoo.com (ppp0 204.71.200.68): A set, 40 headers + 0 data bytes
40 bytes from 204.71.200.68: flags=R seq=0 ttl=53 id=35713 win=0 rtt=327.0 ms
40 bytes from 204.71.200.68: flags=R seq=1 ttl=53 id=+806 win=0 rtt=310.0 ms
40 bytes from 204.71.200.68: flags=R seq=2 ttl=53 id=+992 win=0 rtt=320.0 ms
40 bytes from 204.71.200.68: flags=R seq=3 ttl=53 id=+936 win=0 rtt=330.0 ms
40 bytes from 204.71.200.68: flags=R seq=4 ttl=53 id=+987 win=0 rtt=310.0 ms
40 bytes from 204.71.200.68: flags=R seq=5 ttl=53 id=+952 win=0 rtt=320.0 ms
40 bytes from 204.71.200.68: flags=R seq=6 ttl=53 id=+918 win=0 rtt=330.0 ms
40 bytes from 204.71.200.68: flags=R seq=7 ttl=53 id=+809 win=0 rtt=320.0 ms
40 bytes from 204.71.200.68: flags=R seq=8 ttl=53 id=+881 win=0 rtt=320.0 ms

--- www.yahoo.com hping statistic ---
9 packets tramitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 310.0/320.8/330.0 ms

N.B. Warning: using ip->id you can only guess *the number of packets sent per unit of time*. You can't always compare different hosts. ip->id refers to all of a host's interfaces, and if a host uses NAT or redirects TCP connections to another host (for example a firewall used to hide a web server), the ip->id increment may appear falsely inflated. When hpinging a Windows box without the --winid option you will see increments that are multiples of 256, because of a different id byte ordering.
This can be really useful for OS fingerprinting:

# hping win95 -r
HPING win95 (eth0 192.168.4.41): NO FLAGS are set, 40 headers + 0 data bytes
46 bytes from 192.168.4.41: flags=RA seq=0 ttl=128 id=47371 win=0 rtt=0.5 ms
46 bytes from 192.168.4.41: flags=RA seq=1 ttl=128 id=+256 win=0 rtt=0.5 ms
46 bytes from 192.168.4.41: flags=RA seq=2 ttl=128 id=+256 win=0 rtt=0.6 ms
46 bytes from 192.168.4.41: flags=RA seq=3 ttl=128 id=+256 win=0 rtt=0.5 ms

--- win95 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.5/0.5/0.6 ms

Windows systems are "marked", so in order to discover whether a host is a Windows host you need to send just a few packets.

How to perform a spoofed SYN scan using the incremental id? The following is the original message to bugtraq about the spoofed/indirect/idle scan method; below it I'll try to explain the details and how this is possible even with UDP, with some restrictions.

---- bugtraq posting about spoofed scanning ----

Hi,

I have uncovered a new tcp port scan method. Unlike all others, it allows you to scan using spoofed packets, so scanned hosts can't see your real address. In order to perform this I use three well known tcp/ip implementation peculiarities of most OS:

(1) * hosts reply SYN|ACK to SYN if the tcp target port is open, reply RST|ACK if the tcp target port is closed.

(2) * You can know the number of packets that hosts are sending using the id ip header field. See my previous posting 'about the ip header' in this ml.

(3) * hosts reply RST to SYN|ACK, reply nothing to RST.

The Players:

host A - evil host, the attacker.
host B - silent host.
host C - victim host.

A is your host.
B is a particular host: it must not send any packets while you are scanning C. There are a lot of 'zero traffic' hosts in internet, especially in the night :)
C is the victim, it must be vulnerable to SYN scan.

I've called this scan method 'dumb host scan' in honour of host B's characteristics.
How it works:

Host A monitors the number of outgoing packets from B using the id iphdr. You can do this simply using hping:

# hping B -r
HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms
-cut-
...

As you can see, the id increases are always 1. So this host has the characteristics that host B should own.

Now host A sends SYN to port X of C spoofing from B. (Using hping => 0.67 this is very easy, http://www.kyuzz.org/antirez.) If port X of C is open, host C will send SYN|ACK to B (yes, host C doesn't know that the real sender is A). In this case host B replies to the SYN|ACK with a RST. If we send host C a few SYNs it will reply to B with a few SYN|ACKs, so B will reply to C with a few RSTs... so we'll see that host B is sending packets!

...
-cut-
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=21 ttl=64 id=+1 win=0 time=92 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=22 ttl=64 id=+2 win=0 time=82 ms
-cut-
...

The port is open!

Instead, if port X of C is closed, when we send C a few SYNs spoofed from B, it will reply with RST to B, and B will not reply (see 3).
So we'll see that host B is not sending any packet:

...
-cut-
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=52 ttl=64 id=+1 win=0 time=85 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=53 ttl=64 id=+1 win=0 time=83 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=54 ttl=64 id=+1 win=0 time=93 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=55 ttl=64 id=+1 win=0 time=74 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=56 ttl=64 id=+1 win=0 time=95 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=57 ttl=64 id=+1 win=0 time=81 ms
-cut-
...

The port is closed.

All this can appear complicated to perform, but using two sessions of hping on Linux virtual consoles or under X makes it simpler.

First session, listening to host B:   hping B -r
Second session, sending spoofed SYN:  hping C -a B -S

Sorry if my English is not so clear. However this posting is not adequate to describe this scan method exhaustively, so I'll write a paper on this topic, especially about how to implement this in a port scanner (i.e. nmap), and about the players' characteristics and the OS used.

happy new year,
antirez

---- EOF ----

As you can see, spoofed scanning is trivial to perform, especially since with hping2 you are able to specify the interval in microseconds (-i uX), so host B does not need to be a totally idle host. You may read the id increment once every second while sending 10 SYNs every second. If you send an adequate number of SYNs per second, the expected id increment is so big that you are able to see whether the port is open or closed even if host B is sending other packets.
Example:

# hping awake.host.org -p 80 -A -r
ppp0 default routing interface selected (according to /proc)
HPING server.alicom.com (ppp0 111.222.333.44): A set, 40 headers + 0 data bytes
40 bytes from 111.222.333.44: flags=R seq=0 ttl=249 id=47323 win=0 rtt=239.7 ms
40 bytes from 111.222.333.44: flags=R seq=1 ttl=249 id=+6 win=0 rtt=630.0 ms
40 bytes from 111.222.333.44: flags=R seq=2 ttl=249 id=+6 win=0 rtt=280.0 ms
40 bytes from 111.222.333.44: flags=R seq=3 ttl=249 id=+8 win=0 rtt=340.0 ms
40 bytes from 111.222.333.44: flags=R seq=4 ttl=249 id=+5 win=0 rtt=440.0 ms
40 bytes from 111.222.333.44: flags=R seq=5 ttl=249 id=+5 win=0 rtt=410.0 ms
40 bytes from 111.222.333.44: flags=R seq=6 ttl=249 id=+8 win=0 rtt=1509.9 ms
40 bytes from 111.222.333.44: flags=R seq=7 ttl=249 id=+4 win=0 rtt=1460.0 ms
40 bytes from 111.222.333.44: flags=R seq=8 ttl=249 id=+7 win=0 rtt=770.0 ms
40 bytes from 111.222.333.44: flags=R seq=9 ttl=249 id=+5 win=0 rtt=230.0 ms
...

As you can see, this host isn't idle: it sends ~6 packets every second.
Now scan www.yahoo.com's port 80 to see if it's open:

root.1# hping -a server.alicom.com -S -p 80 -i u10000 www.yahoo.com
ppp0 default routing interface selected (according to /proc)
HPING www.yahoo.com (ppp0 204.71.200.74): S set, 40 headers + 0 data bytes
[wait some seconds and press CTRL+C]

--- www.yahoo.com hping statistic ---
130 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Looking at the output of 'hping awake.host.org -p 80 -A -r' it's simple to understand that www.yahoo.com's port 80 is open:

40 bytes from 111.222.333.44: flags=R seq=59 ttl=249 id=+16 win=0 rtt=380.0 ms
40 bytes from 111.222.333.44: flags=R seq=60 ttl=249 id=+75 win=0 rtt=850.0 ms
40 bytes from 111.222.333.44: flags=R seq=61 ttl=249 id=+12 win=0 rtt=1050.0 ms
40 bytes from 111.222.333.44: flags=R seq=62 ttl=249 id=+1 win=0 rtt=450.0 ms
40 bytes from 111.222.333.44: flags=R seq=63 ttl=249 id=+27 win=0 rtt=230.0 ms
40 bytes from 111.222.333.44: flags=R seq=64 ttl=249 id=+11 win=0 rtt=850.0 ms

Note that 16+75+12+27+11+1-6 = 136 and that we sent 130 packets. So it's very realistic that the increments are produced by our packets.

Tips: when using an idle host to perform spoofed scanning it's useful to output only the replies that show an increment != 1. Try `hping host -r | grep -v "id=+1"'
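As an added example (not part of the original HOWTO and not hping's own code), the following Python script applies the two checks this section relies on to hping -r output, so that an administrator can test whether a host under their own control exposes a sequential, globally shared IP id. That property is what leaks the host's packet rate through ip->id, what makes it usable as the silent host B, and what the --winid byte-ordering note above is about. The script recovers absolute ids from the id=+N lines, undoes the Windows byte ordering that hping's --winid option handles, classifies the id generator, and, for a non-idle host like awake.host.org, subtracts a baseline rate once per interval (a stricter rule than the single subtraction in the 16+75+12+27+11+1-6 computation above; that per-interval rule is this example's assumption). The sample output lines, addresses, ids and the 16-step threshold are constructed for the example.

```python
import re
from statistics import median

# Constructed samples in the format hping prints with -r: the first reply
# carries the absolute id, later replies carry the increment.  These lines
# were not captured from real hosts.
SAMPLE_SEQUENTIAL = """\
60 bytes from 10.0.0.5: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
60 bytes from 10.0.0.5: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from 10.0.0.5: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from 10.0.0.5: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
"""
SAMPLE_WINDOWS = """\
46 bytes from 10.0.0.41: flags=RA seq=0 ttl=128 id=47371 win=0 rtt=0.5 ms
46 bytes from 10.0.0.41: flags=RA seq=1 ttl=128 id=+256 win=0 rtt=0.5 ms
46 bytes from 10.0.0.41: flags=RA seq=2 ttl=128 id=+256 win=0 rtt=0.6 ms
"""
SAMPLE_RANDOM = """\
40 bytes from 10.0.0.9: flags=R seq=0 ttl=55 id=12345 win=0 rtt=20.1 ms
40 bytes from 10.0.0.9: flags=R seq=1 ttl=55 id=54321 win=0 rtt=19.8 ms
40 bytes from 10.0.0.9: flags=R seq=2 ttl=55 id=2222 win=0 rtt=21.0 ms
"""

ID_RE = re.compile(r"\bid=(\+?)(\d+)\b")


def parse_ids(text):
    """Recover absolute 16-bit IP ids from hping output (with or without -r)."""
    ids = []
    for m in ID_RE.finditer(text):
        relative, value = m.group(1) == "+", int(m.group(2))
        if relative:
            if not ids:
                raise ValueError("relative id before any absolute id")
            ids.append((ids[-1] + value) & 0xFFFF)
        else:
            ids.append(value)
    return ids


def increments(ids):
    """Per-reply id deltas, modulo 16 bits so a counter wrap is not a huge jump."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def swap16(x):
    """Swap the two bytes of a 16-bit value, as hping's --winid option does."""
    return ((x & 0xFF) << 8) | (x >> 8)


def normalize_ids(ids):
    """Undo host-order ids (the Windows behaviour that shows up as +256 steps).

    Heuristic (an assumption of this example): whichever byte order yields the
    smaller total movement is the order the host actually counts in.
    """
    swapped = [swap16(i) for i in ids]
    if sum(increments(swapped)) < sum(increments(ids)):
        return swapped, True
    return ids, False


def assess(text, max_step=16):
    """Classify a host's id generator from one hping run.

    'sequential'    every reply advances by a small positive step: the host
                    leaks its packet rate and could serve as silent host B.
    'constant'      the id never changes.
    'unpredictable' large or irregular jumps: not usable as B.
    Returns (kind, byte_swapped, normalized increments).
    """
    ids, swapped = normalize_ids(parse_ids(text))
    incs = increments(ids)
    if not incs:
        raise ValueError("need at least two replies")
    if all(i == 0 for i in incs):
        kind = "constant"
    elif all(1 <= i <= max_step for i in incs):
        kind = "sequential"
    else:
        kind = "unpredictable"
    return kind, swapped, incs


def baseline_rate(incs):
    """Typical per-probe increment of a non-idle host (median resists bursts)."""
    return median(incs)


def excess_over_baseline(incs, baseline):
    """Packets sent beyond what the baseline predicts over the whole window.

    Assumption: the baseline is subtracted once per probe interval.
    """
    return sum(incs) - round(baseline * len(incs))


if __name__ == "__main__":
    for name, text in (("seq", SAMPLE_SEQUENTIAL), ("win", SAMPLE_WINDOWS),
                       ("rnd", SAMPLE_RANDOM)):
        print(name, assess(text))
    # Quiet-hour increments of a non-idle host, then a window under load.
    quiet = [6, 6, 8, 5, 5, 8, 4, 7, 5]
    loaded = [16, 75, 12, 1, 27, 11]
    base = baseline_rate(quiet)
    print("baseline", base, "excess", excess_over_baseline(loaded, base))
```

A host that comes back "sequential" is the one to fix: modern stacks avoid this by using per-destination counters or randomized ids, and a packet filter that drops spoofed source addresses at the network edge removes the other precondition of the scan.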