
Anonymous port scanning with hping3

To carry this out you need a confident knowledge of TCP/IP and the desire to understand. The result is the ability to scan a remote machine for open ports from another host's address, using the following scheme (picture from the nmap manual):

[image: idle scan scheme, from the nmap manual]

Theoretical introduction

As you can read on Wikipedia, every IP packet sent is assigned an identification number (the fragments of one datagram share a single number), stored in a dedicated 16-bit field. When the field overflows, counting starts again from zero. By taking two measurements of the packet numbers, you can judge the network activity of the monitored computer.
A TCP connection is established with the "three-way handshake". The client sends the server a packet with the SYN flag set, signalling a proposal to create a connection. If the server manages to create a socket for the connection, it replies to the client with a packet carrying a counter-proposal SYN and an ACK confirmation (after which the client confirms its wish to create the TCP connection with a packet of its own carrying the ACK flag). If the server refuses the connection, it sends the client a refusal in the form of a packet with the RST flag, and the client sadly gives up. On this difference we will build a scan of open ports on somebody else's behalf.

Practice

As vanaf rightly noted in the comments, the method works if the scanning and scanned hosts are on the same subnet, or, failing that, if the scanned and dummy hosts are on the same subnet.
For the implementation we will use one of the main tools of a computer security specialist, hping3. The scheme involves three machines, conventionally called the attacking machine, the target, and the dummy, on whose behalf we will conduct the scan. For the dummy machine you must choose one that generates the minimum amount of traffic (ideally none at all). To find out this intimate detail about a candidate dummy machine, we communicate with it and watch how its packet numbers change. Ideally, the packet number should increase by one with each of our exchanges with it, which means that during that period it held no other conversations. To do this, run hping as follows:
root@Atom:~# hping3 -r 192.168.2.140
HPING 192.168.2.140 (eth0 192.168.2.140): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=192.168.2.140 ttl=128 id=25378 sport=0 flags=RA seq=0 win=0 rtt=0.2 ms
len=46 ip=192.168.2.140 ttl=128 id=+1 sport=0 flags=RA seq=1 win=0 rtt=0.3 ms
len=46 ip=192.168.2.140 ttl=128 id=+1 sport=0 flags=RA seq=2 win=0 rtt=0.2 ms
len=46 ip=192.168.2.140 ttl=128 id=+1 sport=0 flags=RA seq=3 win=0 rtt=0.2 ms
len=46 ip=192.168.2.140 ttl=128 id=+1 sport=0 flags=RA seq=4 win=0 rtt=0.2 ms
^C
--- 192.168.2.140 hping statistic ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms


The -r switch tells hping3 to show the increment of the packet id rather than its absolute value. As we see, it grows by 1 with each of our exchanges, that is, the machine is free of any other communication. Leave this process running as an endless "ping" to monitor changes in the packet id.
Next, we need to send the target machine a request to establish a TCP connection, and this proposal is composed in a special way: in the packet's source field we put the address of the dummy machine, to which the replies will then go. If the specified port on the target machine is closed, the target sends a refusal (RST) to the dummy machine, which the dummy machine ignores. If the port is open, the target machine sends a counter-proposal to establish a connection (SYN + ACK), which the dummy machine is forced to refuse, i.e. it answers with an RST packet. That is where we notice that our previously idle machine said something to someone at the very moment we sent a connection proposal on its behalf. To rule out coincidence, the experiment is repeated.
You can send a connection request on behalf of someone else as follows:

root@Atom:~# hping3 -c 1 -S -a 192.168.2.140 192.168.2.1 -p 5222
HPING 192.168.2.1 (eth0 192.168.2.1): S set, 40 headers + 0 data bytes

--- 192.168.2.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss

Where:
-c 1 sends only one packet;
-S sets the SYN flag;
-a 192.168.2.140 sets 192.168.2.140 (the address of the dummy machine in our case) as the packet's source address;
192.168.2.1 is the address of the target machine;
-p 5222 is the target TCP port.

We did not receive a reply to our packet because the reply went to the dummy machine, probably forcing it to send a refusal, which we will now find out.
In case the port is open, we will see the following picture:

len=46 ip=192.168.2.140 ttl=128 id=+1 sport=0 flags=RA seq=4 win=0 rtt=0.2 ms
len=46 ip=192.168.2.140 ttl=128 id=+1 sport=0 flags=RA seq=5 win=0 rtt=0.2 ms
len=46 ip=192.168.2.140 ttl=128 id=+2 sport=0 flags=RA seq=6 win=0 rtt=0.2 ms
len=46 ip=192.168.2.140 ttl=128 id=+1 sport=0 flags=RA seq=7 win=0 rtt=0.2 ms
len=46 ip=192.168.2.140 ttl=128 id=+1 sport=0 flags=RA seq=8 win=0 rtt=0.2 ms


Do you see on the 3rd line that the dummy machine managed to talk to someone else at that very moment? Most likely this is a refusal (RST) of the counter-proposal (SYN + ACK), since the dummy machine never actually sent a SYN. To be sure, the experiment is repeated.
For convenience, you can use the -i switch to set the interval between packets and -p ++<port> to increase the destination port by 1 with each packet.
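A constructed simulation of the inference described above, added here and not part of the original post: the dummy host either keeps one global 16-bit IP ID counter (what the scan relies on) or a separate counter per destination (a Linux-style mitigation that makes every port look closed), and the scanner classifies ports purely from the observed delta. The host addresses, the per_dest mode and the background-traffic knob are assumptions of the model.

```python
# Constructed model (not from the post) of the three hosts: the scanning host,
# the target, and the "dummy" host whose IP ID counter is observed.

class Dummy:
    """The dummy host's IP stack.
    mode="global": one 16-bit counter shared by every packet (what the scan needs).
    mode="per_dest": a separate counter per destination (Linux-style mitigation).
    """
    def __init__(self, mode="global", start=25378):   # 25378 as in the hping3 capture
        self.mode, self.start, self.counters = mode, start, {}

    def send(self, dst):
        """Emit one packet to dst and return the IP ID written into its header."""
        key = dst if self.mode == "per_dest" else "*"
        self.counters[key] = (self.counters.get(key, self.start) + 1) & 0xFFFF
        return self.counters[key]

    def receive(self, src, flags):
        # A SYN/ACK for a connection it never opened is answered with RST (one
        # more packet, so a counter advances); a bare RST is silently ignored.
        if flags == "SA":
            self.send(src)

SCANNER, TARGET, DUMMY = "192.168.2.150", "192.168.2.1", "192.168.2.140"  # assumed

def target_handle_syn(open_ports, port, dummy):
    # The target answers the spoofed SYN at its *source* address, i.e. the dummy.
    dummy.receive(TARGET, "SA" if port in open_ports else "R")

def classify(delta):
    """The post's rule: +1 means closed, +2 means open, anything else is noise."""
    return {1: "closed", 2: "open"}.get(delta, "unknown")

def idle_scan_port(open_ports, port, dummy, background=0):
    before = dummy.send(SCANNER)             # hping3 -r probe: the RST/ACK reveals the ID
    for _ in range(background):              # unrelated traffic the dummy may have
        dummy.send("somewhere-else")
    target_handle_syn(open_ports, port, dummy)   # our SYN carried source = DUMMY
    after = dummy.send(SCANNER)
    return classify((after - before) & 0xFFFF)   # modular delta survives the wrap

def idle_scan(open_ports, ports, dummy):
    return {p: idle_scan_port(open_ports, p, dummy) for p in ports}

if __name__ == "__main__":
    truth = {22, 5222}
    print("global IP ID  :", idle_scan(truth, [22, 80, 5222], Dummy("global")))
    print("per-dest IP ID:", idle_scan(truth, [22, 80, 5222], Dummy("per_dest")))
```

With per-destination counters the scanner only ever sees +1, so the inference silently reports every port as closed; background traffic on the dummy pushes the delta outside {1, 2} and is the reason the post repeats each measurement.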

Conclusion

The same method can also get an unsuspecting dummy machine banned, if an intrusion detection system is running on the target.
This is just one of the many impressive applications of hping3. It can ping when ICMP is disabled (by default it sends a TCP packet to port zero). It can also be used to transfer files even through strictly configured firewalls (even over ping), to work as a traceroute based not only on ICMP but also on UDP and TCP, to help determine the remote OS, to act as a very peculiar trojan, and much more. I highly recommend getting to know it better. It has a good how-to ;)
If you liked it, thank you.

UPD:
Thanks to jcmvbkbc for the information that a similar trick can be done with nmap: nmap.org/book/idlescan.html

Source: https://habr.com/ru/post/106752/
