Here are three small examples of hping2 usage:
Host uptime:
------------
hping2 host -p 80 -S --tcp-timestamp
Scanning:
---------
SYN scan:
hping2 -S target -p ++80    (the ++ prefix increments the port on every probe)
hping2 --scan known target
IDLE SCAN using Hping2
----------------------
The players:
host A - evil host, the attacker.
host B - silent host.
host C - victim host.
A is your host.
B is a particular host: it must not send any packets while
you are scanning C. There are a lot of 'zero traffic' hosts
on the internet, especially at night :)
C is the victim; it must be vulnerable to SYN scan.
I've called this scan method 'dumb host scan' in honour of host
B's characteristics.
How it works:
Host A monitors the number of packets B sends by watching the id field of the IP header.
You can do this simply using hping:
#hping B -r
HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms
-cut-
..
.
As you can see, the id always increases by 1, so this host has the
characteristics that host B should have.
Now host A sends SYNs to port X of C, spoofed from B
(using hping >= 0.67 this is very easy, http://www.kyuzz.org/antirez).
If port X of C is open, host C will send SYN|ACK to B (yes,
host C doesn't know that the real sender is A). In this
case host B replies to the SYN|ACK with a RST.
If we send host C a few SYNs it will reply to B with a few
SYN|ACKs, so B will reply to C with a few RSTs... so
we'll see that host B is sending packets!
.
..
-cut-
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=21 ttl=64 id=+1 win=0 time=92 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=22 ttl=64 id=+2 win=0 time=82 ms
-cut-
..
.
The port is open!
Instead, if port X of C is closed, sending C a few SYNs
spoofed from B makes it reply to B with RSTs, and B does not
answer a RST. So we'll see that host B is not sending
any packets:
.
..
-cut-
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=52 ttl=64 id=+1 win=0 time=85 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=53 ttl=64 id=+1 win=0 time=83 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=54 ttl=64 id=+1 win=0 time=93 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=55 ttl=64 id=+1 win=0 time=74 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=56 ttl=64 id=+1 win=0 time=95 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=57 ttl=64 id=+1 win=0 time=81 ms
-cut-
..
The port is closed.
All this can appear complicated to perform, but using two sessions
of hping on Linux virtual consoles or under X makes it simpler.
First session, listen to host B:      hping B -r
Second session, send spoofed SYNs:    hping C -a B -S
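As an added example (my own code, not part of the hping documentation quoted above), here is a small Python script that applies the decision rule described above to the output of "hping B -r": it first checks that the candidate host B is really idle (every reply shows id=+1), then counts how many packets B sent to somebody else while the spoofed SYNs were in flight, and calls the port open or closed. The sample lines are the ones shown above, with the documentation address 192.0.2.10 in place of xxx.yyy.zzz.jjj; the probe count and the "at least half of the probes" threshold are my assumptions. One caveat worth keeping in mind: the trick only works when B uses a single, global, incrementing IP id counter. A stack that randomizes the id or keeps per-destination counters never shows the clean +1 baseline and is useless as the dumb host, which is exactly what the baseline check below is for.

```python
import re

# Constructed sample output in the format "hping B -r" prints (the lines
# quoted on this page, with 192.0.2.10 standing in for host B). The first
# reply carries an absolute IP id; every later reply carries "id=+N", the
# delta since the previous reply.
IDLE_BASELINE = """\
HPING 192.0.2.10 (eth0 192.0.2.10): no flags are set, 40 data bytes
60 bytes from 192.0.2.10: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
60 bytes from 192.0.2.10: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from 192.0.2.10: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from 192.0.2.10: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
60 bytes from 192.0.2.10: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms
60 bytes from 192.0.2.10: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms
"""

# Same host while A sends spoofed SYNs to an open port on C: every SYN|ACK
# that C sends to B makes B emit a RST, and each RST consumes one IP id.
OPEN_PORT_WINDOW = """\
60 bytes from 192.0.2.10: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms
60 bytes from 192.0.2.10: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms
60 bytes from 192.0.2.10: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms
60 bytes from 192.0.2.10: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms
60 bytes from 192.0.2.10: flags=RA seq=21 ttl=64 id=+1 win=0 time=92 ms
60 bytes from 192.0.2.10: flags=RA seq=22 ttl=64 id=+2 win=0 time=82 ms
"""

# Closed port on C: C answers the spoofed SYNs with RSTs, B stays silent.
CLOSED_PORT_WINDOW = """\
60 bytes from 192.0.2.10: flags=RA seq=52 ttl=64 id=+1 win=0 time=85 ms
60 bytes from 192.0.2.10: flags=RA seq=53 ttl=64 id=+1 win=0 time=83 ms
60 bytes from 192.0.2.10: flags=RA seq=54 ttl=64 id=+1 win=0 time=93 ms
60 bytes from 192.0.2.10: flags=RA seq=55 ttl=64 id=+1 win=0 time=74 ms
"""

# "id=41660" (absolute) on the first reply, "id=+N" (relative) afterwards.
ID_FIELD = re.compile(r"\bid=(\+?)(\d+)\b")


def parse_increments(hping_output):
    """Return the per-reply IP id deltas, skipping the absolute first id."""
    deltas = []
    for line in hping_output.splitlines():
        m = ID_FIELD.search(line)
        if m is None:
            continue  # banner, "-cut-" markers, blank lines
        relative, value = m.groups()
        if relative:
            deltas.append(int(value))
    return deltas


def host_is_idle(baseline_output):
    """A usable dumb host increments the id by exactly 1 per probe we send."""
    deltas = parse_increments(baseline_output)
    return bool(deltas) and all(d == 1 for d in deltas)


def extra_packets(window_output):
    """Packets B sent to someone other than us while we were watching it."""
    return sum(d - 1 for d in parse_increments(window_output))


def judge_port(window_output, probes_sent):
    """Open if B emitted roughly one extra packet per spoofed SYN we sent.

    The "at least half" threshold is an assumption; tune it to the amount
    of SYNs you send and to how noisy B turns out to be.
    """
    extra = extra_packets(window_output)
    if extra == 0:
        return "closed"
    if extra >= max(1, probes_sent // 2):
        return "open"
    return "inconclusive"  # some RSTs, but too few: B may not be fully idle


if __name__ == "__main__":
    print("B idle:", host_is_idle(IDLE_BASELINE))
    print("port X:", judge_port(OPEN_PORT_WINDOW, probes_sent=4))
    print("port Y:", judge_port(CLOSED_PORT_WINDOW, probes_sent=4))
```

Run it with the two hping sessions from the text: pipe the first session's output into a file, probe with the second, then feed the slice of the file covering the probe window to judge_port together with the number of spoofed SYNs you sent.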
Edge-security blog about Penetration testing, OSINT, security tools, and other interesting stuff.
Wednesday, March 23, 2005
Wednesday, January 12, 2005
Metasploit Framework new Release!
I tried the new Metasploit Framework 2.3. It has 12 new exploits, new and improved payloads, improved performance, a new msfweb interface and, best of all, the Meterpreter (Meta-Interpreter), a new advanced payload that allows developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. So it never touches the disk!
It has 4 extensions now:
FS (cd, getcwd, ls, upload, download)
Net (Ipconfig, portfwd, route)
Process (kill, ps, execute)
Sys (sysinfo, getuid, rev2self)
It's a big step for the metasploit project, and it's really sweet ;)
Tuesday, December 21, 2004
Two little handy tools
This time I found 2 little scripts that I wrote some time ago:
word.pl: this is a command-line dictionary; it connects to www.dictionary.com and parses the results. I find it very useful, you don't need to load the browser :)
translate.pl: this one is almost the same as the other, but it translates a word from English to Spanish (you can change the language easily). This also runs from the command line.
They are very useful, at least for me ;)
Get it here:
http://www.edge-security.com/word-translate.tar
Tuesday, December 14, 2004
GoogleDigger v0.2
Well, another Perl tool; this time I wrote a program for the Google Hacking madness.
The tool sends Google the queries it takes from a file, looking for known vulnerabilities in web applications (password files, config files, etc.) of a specific domain.
The queries file is updatable, and its source is the GHDB (Google Hacking DataBase).
Language: Perl
Get it Here:
http://www.edge-security.com/googledigger-02.tar
Thursday, December 9, 2004
GoogleHarvester Version 0.3
This tool searches Google for all email addresses from a specific domain, to collect potential account names for the pentest. It supports the use of a proxy.
Language: Perl
You can get a copy here:
http://www.edge-security.com/googleharvester-0.3.pl
ProxyFinder, a Perl tool to find working proxies.
This program downloads and parses a list of open proxies from 2 websites (samair and multiproxys), and then checks whether the proxies are working. It can test for the GET and CONNECT methods.
You can restrict the search to a specific number of working proxies.
Language: Perl
You can get a copy here:
http://www.edge-security.com/proxyfinder-0.3.pl
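As an added example (my own Python, not ProxyFinder's Perl code), here is what a GET and a CONNECT check look like on the wire and how to judge the reply. GET asks the proxy to fetch a URL on our behalf, so any 2xx/3xx from the origin means it relays; CONNECT asks for a raw tunnel to host:port, which is what HTTPS clients need, and only a 200 status line means the tunnel is open. The sample replies at the bottom are constructed, the target host example.com and the "stop after N working proxies" helper are my assumptions, and check_proxy is the only function that touches the network.

```python
import socket


def build_request(method, target_host, target_port=80):
    """Request sent through the proxy for each check method."""
    if method == "GET":
        # Absolute URI in the request line is what a forward proxy expects.
        return (f"GET http://{target_host}/ HTTP/1.1\r\n"
                f"Host: {target_host}\r\n"
                "Connection: close\r\n\r\n").encode()
    if method == "CONNECT":
        return (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
                f"Host: {target_host}:{target_port}\r\n\r\n").encode()
    raise ValueError(f"unsupported method: {method}")


def status_code(response):
    """Parse the status line of the proxy's reply; None if it is not HTTP."""
    line = response.split(b"\r\n", 1)[0]
    parts = line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def proxy_works(method, response):
    """Decide whether the reply shows a usable proxy for the given method."""
    code = status_code(response)
    if code is None:
        return False  # closed port, SOCKS, or something that is not HTTP at all
    if method == "CONNECT":
        return code == 200  # "200 Connection established": tunnel is open
    return 200 <= code < 400  # GET: origin answered through the proxy


def check_proxy(proxy_host, proxy_port, method="GET", target="example.com", timeout=5.0):
    """Connect to the proxy, send one request, judge the first response."""
    port = 443 if method == "CONNECT" else 80
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_request(method, target, port))
            response = s.recv(4096)
    except OSError:
        return False
    return proxy_works(method, response)


def find_working(candidates, wanted, checker=check_proxy, method="GET"):
    """Stop as soon as `wanted` proxies pass, like the tool's result limit."""
    working = []
    for host, port in candidates:
        if checker(host, port, method):
            working.append((host, port))
            if len(working) >= wanted:
                break
    return working


# Constructed replies, not captures from real proxies.
SAMPLE_REPLIES = {
    "tunnel ok": b"HTTP/1.1 200 Connection established\r\n\r\n",
    "auth needed": b"HTTP/1.1 407 Proxy Authentication Required\r\n\r\n",
    "relayed redirect": b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n",
    "not http": b"SSH-2.0-OpenSSH_9.6\r\n",
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(f"{name:18} GET={proxy_works('GET', reply)} CONNECT={proxy_works('CONNECT', reply)}")
```

A proxy that passes GET but fails CONNECT is still useful for plain HTTP recon but not for anything over TLS; testing both, as the tool does, is what tells you which of the two jobs a given proxy can do.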
DigDug, a domain analyser tool.
This is a Perl program for auditing a DNS: it brute-forces a domain by asking for hostnames taken from a predefined list. The list has the most common names used for hosts.
It supports hybrid queries to find a broader range of hosts.
You can download it here:
http://www.edge-security.com/digdug-0.8.tar
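As an added example (my own Python, not DigDug's code), here is the core of such a brute force: a candidate generator fed from a wordlist, an optional "hybrid" mode that I read as appending digits to each name (www1, ns-2; that reading is an assumption, the post does not define it), and a resolver you can swap out. The constructed fake zone lets the whole thing run offline; with the default resolver it asks your real DNS. The one check a practitioner wants before trusting any hit is the wildcard test: if a random label resolves, every candidate will "exist", so answers matching the wildcard address are dropped (a real host that shares the wildcard address is lost that way, which is the usual trade-off).

```python
import secrets
import socket

# A short stand-in for the tool's "most common names" list; the real list is
# not on this page.
COMMON_NAMES = ["www", "mail", "ns", "ftp", "vpn", "dev", "test", "intranet"]


def candidates(names, hybrid=False, max_digit=3):
    """Yield hostname labels; hybrid adds name+digit and name-digit variants."""
    for name in names:
        yield name
        if hybrid:
            for n in range(1, max_digit + 1):
                yield f"{name}{n}"
                yield f"{name}-{n}"


def default_resolver(fqdn):
    """Real lookup through the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def wildcard_ip(domain, resolver=default_resolver):
    """Address a random, surely nonexistent label resolves to (None if no wildcard)."""
    return resolver(f"{secrets.token_hex(8)}.{domain}")


def brute_force(domain, names, resolver=default_resolver, hybrid=False):
    """Return {fqdn: ip} for every candidate the resolver answers, minus wildcard hits."""
    wildcard = wildcard_ip(domain, resolver)
    found = {}
    for label in candidates(names, hybrid):
        fqdn = f"{label}.{domain}"
        ip = resolver(fqdn)
        if ip is None or ip == wildcard:
            continue
        found[fqdn] = ip
    return found


# Constructed zone for offline runs; example.com and the 192.0.2.0/24 block
# are reserved for documentation.
FAKE_ZONE = {
    "www.example.com": "192.0.2.1",
    "mail.example.com": "192.0.2.2",
    "ns1.example.com": "192.0.2.3",
}


def fake_resolver(fqdn):
    return FAKE_ZONE.get(fqdn)


if __name__ == "__main__":
    for fqdn, ip in brute_force("example.com", COMMON_NAMES, fake_resolver, hybrid=True).items():
        print(fqdn, ip)
```

Against a live domain, keep the wordlist modest and add a small delay between queries: a few thousand NXDOMAIN answers in a row from one source address is a loud signal in the target's resolver logs.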