Security Testers Can Use Hping3 To Bypass Filtering Devices.


arrobajuarez

Oct 31, 2025 · 12 min read


    Diving deep into the world of network security often reveals tools that can be used for both ethical and malicious purposes. One such tool is hping3, a versatile packet crafting and network testing utility. Security testers leverage hping3 to identify vulnerabilities and weaknesses in network configurations, particularly when it comes to bypassing filtering devices. By understanding how hping3 works and its potential applications, professionals can better secure their networks against sophisticated attacks.

    Understanding hping3: The Swiss Army Knife of Network Testing

    hping3 is a command-line oriented TCP/IP packet assembler/analyzer. Created by Salvatore Sanfilippo (also known as Antirez), it's designed for security auditing and testing of networks. Unlike traditional ping utilities that only send ICMP echo requests, hping3 allows users to craft custom TCP, UDP, ICMP, and RAW-IP packets. This level of control makes it invaluable for penetration testers and network administrators alike.

    Key Features of hping3

    • Custom Packet Crafting: The core strength of hping3 lies in its ability to create packets with arbitrary header values. This includes setting specific source and destination ports, IP addresses, flags, and data payloads.
    • Firewall Testing: hping3 is commonly used to probe firewalls and identify open ports or weaknesses in their rule sets.
    • Network Performance Analysis: It can measure network latency, packet loss, and throughput.
    • Advanced Scanning Techniques: hping3 supports SYN, ACK, FIN, Xmas, and NULL probes, which let testers tell open, closed, and filtered ports apart and observe how a host's TCP/IP stack reacts to unusual flag combinations (which in turn hints at the operating system).
    • Traceroute Functionality: It can perform traceroute operations to map network paths and identify potential bottlenecks.
    • TCP/IP Stack Auditing: hping3 can be used to examine the behavior of a target host's TCP/IP stack and identify potential vulnerabilities.

    Why Use hping3 to Bypass Filtering Devices?

    Filtering devices, such as firewalls and intrusion detection systems (IDS), are designed to block or modify network traffic based on predefined rules. However, these devices are not foolproof. Attackers can exploit vulnerabilities in their configuration or employ techniques to evade detection. hping3 provides several methods for bypassing these filtering devices:

    • Packet Fragmentation: Splitting a datagram into IP fragments (hping3 --frag) can confuse filtering devices that do not reassemble before inspecting: the TCP header and payload arrive in pieces, and only the first piece carries the ports and flags a rule can match.
    • Source Port Manipulation: Some stateless filters allow inbound traffic based on the source port alone. Using hping3 to set the source port to a trusted value (-s 53 -k for DNS) lets probes through such rules without any address spoofing.
    • Flag Manipulation: TCP flags like SYN, ACK, FIN, RST, and URG control the state of a TCP connection. Manipulating these flags can create unusual packet sequences that may not be properly inspected by filtering devices.
    • Idle Scanning: This technique allows an attacker to scan a target host indirectly through a zombie host whose IP ID counter is predictable, so the target only ever sees the zombie's address. The technique was first described by hping's author using hping, and the -r option exists to watch a zombie's IP ID increments.
    • Using Different Protocols: If a firewall primarily focuses on TCP traffic, hping3 can be used to send UDP or ICMP packets to probe for weaknesses.
    • Traffic Rate Control: Some filtering devices are sensitive to high traffic volumes. hping3 allows testers to control the packet sending rate to avoid triggering rate-limiting mechanisms.

    Techniques for Bypassing Filtering Devices with hping3

    Here are some specific techniques that security testers can employ using hping3 to bypass filtering devices:

    1. Packet Fragmentation

    Packet fragmentation splits a single IP datagram, here one carrying a TCP SYN, into several smaller fragments that the receiving host reassembles. This can be used to bypass filtering devices that do not reassemble fragments before inspecting them, or that handle fragments poorly.

    Command Example:

    hping3 -S -p target_port -c 1 -f -V target_ip
    

    Explanation:

    • -S: Sets the SYN flag, indicating a TCP connection request.
    • -p target_port: The TCP port on the target host.
    • -c 1: Sends only one packet.
    • -f (--frag): Splits the packet into IP fragments. hping3 uses a "virtual MTU" of 16 bytes per fragment by default; -m <bytes> sets a different value (use a multiple of 8, since fragment offsets are expressed in 8-byte units) and implies --frag whenever the packet is larger than it.
    • -V: Verbose mode. Note that lowercase -v prints the hping3 version and exits.
    • target_ip: The IP address of the target host.

    Two related options build a single fragment by hand instead of splitting a whole packet: -x sets the More Fragments flag and -g sets the fragment offset. -M sets the TCP sequence number and -N the IP ID; neither has anything to do with fragmentation.

    With the default 16-byte virtual MTU a 20-byte TCP SYN header leaves as two fragments: the first carries the ports, sequence number, and flags, the second only the last four bytes (checksum and urgent pointer). Any payload added with -d is spread over further fragments. All fragments share the same IP Identification value so that the receiver can reassemble them.

    How it Bypasses Filtering: A stateless filter can only match ports and flags on the fragment with offset zero, and an IDS that does not reassemble sees the TCP header and payload in pieces. A rule that looks for a signature in the payload, or that keys on a header field which ended up in a later fragment, passes the datagram fragment by fragment while the target host reassembles it and acts on the whole. The classic mitigation (RFC 1858) is to drop first fragments that are too small to contain the full transport header and to reassemble before inspecting; stateful firewalls and IPS engines do this, which is why --frag mostly finds weaknesses in older packet filters and poorly tuned sensors.
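    The following is an added example, not hping3 source code: it models what --frag does to a TCP SYN for a chosen virtual MTU, then runs the fragments through two filters, a naive one that inspects only fragment zero and a hardened one that applies the RFC 1858 minimum-size check and reassembles before matching. The SYN, the port numbers, and the "block SYN to port 22" rule are constructed for the illustration; nothing is sent on the wire.

```python
"""Model of hping3 --frag splitting a TCP SYN into IP fragments, beside the
two ways a filter can react: inspect fragment zero only (weak) or enforce a
minimum first-fragment size and reassemble before matching (hardened).
Added example; packets are built by hand with struct and nothing is sent."""
import struct
from dataclasses import dataclass
from typing import List, Optional

TCP_SYN = 0x02
TCP_HDR_LEN = 20


@dataclass(frozen=True)
class Fragment:
    ip_id: int      # IP Identification shared by all fragments of one datagram
    offset: int     # byte offset of this chunk within the original payload
    more: bool      # IP "More Fragments" flag
    data: bytes


def build_tcp_syn(sport: int, dport: int, seq: int = 0) -> bytes:
    """Bare 20-byte TCP SYN header (no options; checksum left at zero)."""
    off_flags = (TCP_HDR_LEN // 4) << 12 | TCP_SYN
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, 64, 0, 0)


def fragment(payload: bytes, ip_id: int, mtu: int = 16) -> List[Fragment]:
    """Split the transport PDU into fragments of at most `mtu` bytes, as
    hping3 --frag does with its 'virtual mtu' (16 bytes by default).
    Fragment offsets are expressed in 8-byte units, so mtu is rounded to one."""
    mtu -= mtu % 8
    if mtu <= 0:
        raise ValueError("virtual mtu must be at least 8 bytes")
    return [Fragment(ip_id, off, off + mtu < len(payload), payload[off:off + mtu])
            for off in range(0, len(payload), mtu)]


def naive_verdict(frag: Fragment, blocked_port: int = 22) -> str:
    """Stateless filter: only fragment zero carries a transport header, so only
    it is inspected; later fragments have nothing to match and are passed."""
    if frag.offset != 0 or len(frag.data) < 4:
        return "pass"
    _sport, dport = struct.unpack("!HH", frag.data[:4])
    flags = frag.data[13] if len(frag.data) >= 14 else None
    if dport == blocked_port and flags is not None and flags & TCP_SYN:
        return "drop"
    return "pass"   # flags not visible -> the SYN rule never matches


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram; None while fragments are missing or overlap."""
    buf = b""
    ordered = sorted(frags, key=lambda f: f.offset)
    for f in ordered:
        if f.offset != len(buf):
            return None
        buf += f.data
    return buf if ordered and not ordered[-1].more else None


def hardened_verdict(frags: List[Fragment], blocked_port: int = 22) -> str:
    """RFC 1858 style: refuse a first fragment too small to hold the TCP header,
    then match rules on the reassembled datagram only."""
    first = [f for f in frags if f.offset == 0]
    if first and len(first[0].data) < TCP_HDR_LEN:
        return "drop"
    full = reassemble(frags)
    if full is None:
        return "hold"
    _sport, dport = struct.unpack("!HH", full[:4])
    return "drop" if dport == blocked_port and full[13] & TCP_SYN else "pass"


if __name__ == "__main__":
    syn = build_tcp_syn(40000, 22)          # constructed SYN to the ssh port
    for mtu in (8, 16, 64):
        frags = fragment(syn, 0x1234, mtu)
        print(mtu, [naive_verdict(f) for f in frags], hardened_verdict(frags))
```

    With an 8-byte virtual MTU the flags byte lands in the second fragment, so the naive filter passes every fragment of a SYN it was supposed to block; with 16 bytes the flags are still in fragment zero and the naive rule fires. The hardened filter rejects both cases on size alone and only ever evaluates the rule on the reassembled header, which is the behaviour to expect from a modern stateful firewall.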

    2. Source Port Manipulation

    Some stateless filters are written to allow inbound traffic from specific source ports, such as 53 (DNS replies) or 20 (FTP data), on the assumption that such packets must be answers to something sent from inside. By choosing the source port, an attacker can potentially satisfy these rules.

    Command Example:

    hping3 -S -s 53 -k -p target_port -V target_ip
    

    Explanation:

    • -S: Sets the SYN flag.
    • -s 53 (--baseport): Uses 53 (DNS) as the starting source port. hping3 normally increments the source port by one for every packet it sends.
    • -k (--keep): Keeps the source port fixed at 53 for all packets.
    • -p target_port: The TCP port on the target host.
    • -V: Verbose mode.
    • target_ip: The IP address of the target host.

    Note that -a (--spoof) sets a spoofed source IP address, not a port; with a spoofed address the replies go to that address and hping3 sees nothing. Changing the source port requires no address spoofing, so the SYN/ACK or RST comes back and the port state is visible.

    How it Bypasses Filtering: Stateless filters that implement "allow DNS replies" as "permit packets with source port 53" (or FTP data transfers as source port 20) cannot tell a real reply from a probe that merely uses the same source port. The probe is accepted as if it were return traffic, so any port behind the rule can be scanned, and a full TCP session can follow from the same source port. The technique does nothing against a firewall that tracks connections, because the probe matches no outbound DNS query in its state table.

    3. TCP Flag Manipulation

    TCP flags are used to control the state of a TCP connection. By manipulating these flags, an attacker can create unusual packet sequences that may not be properly inspected by filtering devices.

    Command Example (Xmas Scan):

    hping3 -F -P -U -p target_port -V target_ip
    

    Explanation:

    • -F: Sets the FIN flag.
    • -P: Sets the PUSH flag.
    • -U: Sets the URG flag.
    • -p target_port: The TCP port on the target host.
    • -V: Verbose mode.
    • target_ip: The IP address of the target host.

    This command sends a packet with the FIN, PUSH, and URG flags set. This is known as an Xmas scan because the flags resemble a lit-up Christmas tree. (In hping3, -X and -Y set the two reserved bits 0x40 and 0x80 of the flags byte, not FIN or PUSH, so the options above are the ones that actually spell Xmas.) A host that follows RFC 793 answers a closed port with RST and ignores the packet on an open port, so no reply means open or filtered; Windows and several other stacks reply RST regardless of port state, which makes the scan useless against them.

    How it Bypasses Filtering: A stateless rule written as "block inbound connection attempts" typically matches packets with SYN set and ACK clear. A packet with no SYN bit never matches that rule and is passed as though it belonged to an existing session, so the Xmas (or NULL or FIN) probe reaches the host and its RST or silence reports the port state. A firewall that tracks connections drops it because no session exists, and most IDS products flag the combination directly.

    Command Example (SYN-ACK Spoofing):

    hping3 -S -A -p target_port -V target_ip
    

    Explanation:

    • -S: Sets the SYN flag.
    • -A: Sets the ACK flag.
    • -p target_port: The TCP port on the target host.
    • -V: Verbose mode.
    • target_ip: The IP address of the target host.

    This command sends a packet with both the SYN and ACK flags set. SYN/ACK is the normal second step of the three-way handshake, but arriving unsolicited it belongs to no connection, and a live host answers it with RST whether the port is open or closed.

    How it Bypasses Filtering: A stateless filter that implements "allow established traffic" by checking that the ACK bit is set passes the probe, because the bit is set. The RST that comes back tells the tester that the host is alive and reachable behind the filter even when ICMP echo and plain SYNs are blocked, and shows which paths the ACL leaves open. A stateful firewall drops the packet because there is no SYN in its table for that flow to be answering.
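    The following is an added example (not hping3 code, and not taken from the article's source) that runs the three probes from the source-port and flag-manipulation sections above through two filters: a per-packet ACL in the style of an old router access list, and a minimal connection tracker. The addresses are from the RFC 5737 documentation ranges and the probes are constructed to mirror the hping3 command lines quoted in the text; the rule set itself (DNS replies by source port, a public web server on port 80, "block new connections" as SYN-without-ACK) is an assumption chosen to show the weakness.

```python
"""Stateless ACL versus connection tracking, run over the three probes the
text describes: a SYN from source port 53, an unsolicited SYN/ACK, and an
Xmas (FIN/PSH/URG) packet. Added example, not hping3 code; addresses are
RFC 5737 documentation ranges and the probes are constructed."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    inbound: bool   # True when the packet enters from the untrusted side


ATTACKER, INSIDE_HOST, REMOTE = "198.51.100.7", "192.0.2.10", "203.0.113.5"

# Constructed probes, one per hping3 command from the text:
PROBES: Dict[str, Packet] = {
    "hping3 -S -s 53 -k -p 22": Packet(ATTACKER, INSIDE_HOST, 53, 22, SYN, True),
    "hping3 -S -A -p 22":       Packet(ATTACKER, INSIDE_HOST, 40000, 22, SYN | ACK, True),
    "hping3 -F -P -U -p 22":    Packet(ATTACKER, INSIDE_HOST, 40000, 22, FIN | PSH | URG, True),
}


def stateless_verdict(p: Packet, public_ports=(80,)) -> str:
    """Per-packet ACL: no memory of earlier packets, rules on header fields only."""
    if not p.inbound:
        return "pass"
    if p.sport == 53:                           # "DNS replies" -- really anything from port 53
        return "pass"
    if p.dport in public_ports:
        return "pass"
    if p.flags & SYN and not p.flags & ACK:     # "block new inbound connections"
        return "drop"
    return "pass"   # everything else assumed to belong to an existing session


class StatefulFilter:
    """Connection tracker: inbound traffic passes only when it answers a flow
    opened from inside, or is a clean SYN to a published service."""

    def __init__(self, public_ports=(80,)) -> None:
        self.public: Set[int] = set(public_ports)
        # (inside addr, inside port, outside addr, outside port)
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def verdict(self, p: Packet) -> str:
        if not p.inbound:
            if p.flags & SYN and not p.flags & ACK:
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "pass"
        key = (p.dst, p.dport, p.src, p.sport)
        if p.flags == 0 or (p.flags & (FIN | PSH | URG) and not p.flags & ACK):
            return "drop"       # NULL/Xmas/FIN probes: never valid inside a real session
        if key in self.flows:
            return "pass"       # reply to something we opened
        if p.flags == SYN and p.dport in self.public:
            self.flows.add(key)
            return "pass"
        return "drop"           # unsolicited SYN/ACK, "trusted" source port, anything else


def compare(probes: Dict[str, Packet]) -> Dict[str, Tuple[str, str]]:
    """Run each probe through both filters; return (stateless, stateful) verdicts."""
    fw = StatefulFilter()
    return {name: (stateless_verdict(p), fw.verdict(p)) for name, p in probes.items()}


if __name__ == "__main__":
    for name, (acl, ct) in compare(PROBES).items():
        print(f"{name:26s} stateless={acl:4s} stateful={ct}")
```

    All three probes pass the stateless ACL and all three are dropped by the tracker, while a genuine SYN/ACK answering a connection opened from inside still passes. The design point is that the tracker never consults the source port or the ACK bit in isolation; it asks whether this packet answers something it has already seen.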

    4. Idle Scanning

    Idle scanning is an advanced technique that allows an attacker to scan a target host indirectly through a zombie host. This makes it difficult to trace the attack back to the attacker's IP address.

    Prerequisites:

    • An idle host (the zombie) whose IP ID counter is global and increments by one for every datagram it sends, and which generates little traffic of its own.
    • The target host that you want to scan.

    Steps:

    1. Find an Idle Host: Identify a host that is not actively communicating on the network. This host will be used as the zombie host. You need to confirm that its IP ID (IP Identification) field is sequential: send it a few packets that provoke a reply (for example unsolicited SYN/ACKs, which draw an RST) and check that the IP ID in each reply is exactly one more than the previous. hping3 -r prints the ID as a difference from the previous reply (id=+1) to make this easy.
    2. Craft Packets: Use hping3 to send a SYN to the port of interest on the target, spoofing the source IP address (-a) to be the zombie's address.
    3. Analyze Responses: Keep probing the zombie and compare its IP ID increments with those seen before step 2. The size of the jump tells you whether the target port is open.

    Command Example (Simplified Illustration):

    # Step 1: confirm the zombie (example: 192.168.1.100) has a sequential IP ID.
    # Leave this running: with -r each reply is printed relative to the previous one (id=+1)
    hping3 -S -A -r -p 80 192.168.1.100
    
    # Step 2: from a second terminal, send one SYN to the target (example: 192.168.1.200)
    # with the source address spoofed to the zombie's
    hping3 -S -a 192.168.1.100 -p target_port -c 1 192.168.1.200
    
    # Step 3: watch the first terminal. A reply showing id=+2 instead of id=+1 means the
    # zombie sent one extra packet (an RST to the target's SYN/ACK): the port is open.
    # id=+1 means closed or filtered.
    

    Explanation (Conceptual):

    • The attacker sends a SYN packet to the target host, but the source IP address is spoofed to be the zombie host's IP address.
    • If the port is open, the target responds to the zombie with a SYN/ACK. The zombie, which never started a connection, answers it with an RST, and sending that RST consumes one IP ID.
    • If the port is closed, the target sends the zombie an RST instead. Hosts silently ignore unsolicited RSTs, so the zombie sends nothing and its IP ID does not move. A filtered port, where the target sends nothing at all, looks the same.
    • By probing the zombie before and after the spoofed SYN, the attacker reads the difference: the probe reply itself accounts for +1, so +2 means open and +1 means closed or filtered. Larger or erratic jumps mean the zombie is not idle enough to use.

    How it Bypasses Filtering: Because the target host believes the traffic is coming from the zombie host, and the attacker only observes the zombie's IP ID sequence, the attacker's IP address is hidden. This makes tracing the attack back to the attacker much more difficult.

    Important Note: Idle scanning is a complex technique that requires a thorough understanding of TCP/IP and network behavior. The above example is a simplified illustration. The actual implementation involves more steps and analysis.
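    The IP ID arithmetic above, as an added example that is not part of the original article or of hping3: the zombie and target are simulated in-process, the zombie has a global sequential IP ID, and each function comment names the hping3 invocation it stands in for. The open-port set, start ID, and the "noisy zombie" with background traffic are constructed to show both the working case and the case where the technique has to be abandoned.

```python
"""Idle scan arithmetic: a zombie whose IP ID counter increments by one for
every datagram it sends, a target with some open ports, and the three-step
probe the text describes. Added example, not hping3 code; hosts are
simulated in-process and comments name the hping3 command each step maps to."""
from typing import Dict, Iterable

SYN, ACK, RST = 0x02, 0x10, 0x04


class Zombie:
    """Host with a global, sequential IP ID and (ideally) no traffic of its own."""

    def __init__(self, start_id: int = 1000, background_pps: int = 0) -> None:
        self.ip_id = start_id
        self.background = background_pps   # datagrams sent per step for unrelated reasons

    def _send(self) -> int:
        self.ip_id += 1
        return self.ip_id

    def reply_to_probe(self) -> int:
        # hping3 -S -A -r -p 80 zombie: unsolicited SYN/ACK draws an RST; read its IP ID
        for _ in range(self.background):
            self._send()
        return self._send()

    def receive(self, flags: int) -> None:
        if flags == SYN | ACK:
            self._send()    # unsolicited SYN/ACK -> RST (one more IP ID)
        # an unsolicited RST is silently discarded: no reply, no increment


class Target:
    def __init__(self, open_ports: Iterable[int]) -> None:
        self.open = set(open_ports)

    def receive_syn(self, port: int, apparent_source: Zombie) -> None:
        # hping3 -S -a <zombie> -p <port> target: the reply goes to the zombie, not to us
        apparent_source.receive(SYN | ACK if port in self.open else RST)


def zombie_is_usable(z: Zombie, samples: int = 5) -> bool:
    """Step 1: every probe reply must show id=+1 (what hping3 -r prints)."""
    ids = [z.reply_to_probe() for _ in range(samples)]
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(z: Zombie, t: Target, port: int) -> str:
    before = z.reply_to_probe()    # read the zombie's current IP ID
    t.receive_syn(port, z)         # step 2: spoofed SYN to the target
    after = z.reply_to_probe()     # step 3: read it again
    delta = after - before
    if delta == 2:
        return "open"              # target sent SYN/ACK, zombie answered with RST
    if delta == 1:
        return "closed|filtered"   # target sent RST or nothing; zombie stayed quiet
    return "unreliable"            # the zombie is talking to someone else


def idle_scan(z: Zombie, t: Target, ports: Iterable[int]) -> Dict[int, str]:
    return {p: idle_scan_port(z, t, p) for p in ports}


if __name__ == "__main__":
    zombie, target = Zombie(), Target(open_ports={22, 80})
    print("zombie usable:", zombie_is_usable(zombie))
    print(idle_scan(zombie, target, [22, 23, 80, 443]))
    print("noisy zombie usable:", zombie_is_usable(Zombie(background_pps=2)))
```

    Real zombies are noisier than this model, so scanners repeat each probe and vote; the point the simulation makes is that the attacker never needs a packet from the target, only the zombie's counter, which is why the target's logs show the zombie's address.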

    5. Using Different Protocols

    If a firewall is primarily configured to filter TCP traffic, an attacker can attempt to bypass it by using other protocols such as UDP or ICMP.

    Command Example (UDP):

    hping3 --udp -p target_port -d 100 -V target_ip
    

    Explanation:

    • --udp (or -2): Selects UDP mode instead of the default TCP mode.
    • -p target_port: The UDP port on the target host.
    • -d 100: Sends 100 bytes of data.
    • -V: Verbose mode.
    • target_ip: The IP address of the target host.

    A closed UDP port normally answers with an ICMP port unreachable message; no answer at all means the port is open or the traffic is filtered.

    Command Example (ICMP):

    hping3 --icmp -c 3 -V target_ip
    

    Explanation:

    • --icmp (or -1): Selects ICMP mode. The default type is echo request; -C/--icmptype selects another type, for example timestamp (13) or address mask (17) requests, which some filters forget to block when they block echo.
    • -c 3: Sends 3 ICMP packets.
    • -V: Verbose mode.
    • target_ip: The IP address of the target host.

    How it Bypasses Filtering: If the firewall rules are focused on TCP traffic and less restrictive for UDP or ICMP, these packets might pass through. This allows the attacker to probe the network for vulnerabilities using these less-filtered protocols.

    6. Traffic Rate Control

    Some filtering devices are configured to rate-limit traffic, blocking or dropping packets if the traffic rate exceeds a certain threshold. hping3 allows testers to control the packet sending rate to avoid triggering these rate-limiting mechanisms.

    Command Example:

    hping3 -S -p target_port -i 1 -V target_ip
    

    Explanation:

    • -S: Sets the SYN flag.
    • -p target_port: The TCP port on the target host.
    • -i 1: Waits one second between packets. The argument is in seconds, or in microseconds with a u prefix (-i u500000 sends two packets a second). Note that -i u1000 is one packet per millisecond, about 1,000 packets per second, which is a rate that trips limiters rather than one that avoids them; --flood removes the delay altogether.
    • -V: Verbose mode.
    • target_ip: The IP address of the target host.

    How it Bypasses Filtering: Rate limiters and scan detectors fire on counts per time window, for example "more than N SYNs from one source within a minute". Keeping the interval long enough that the count never reaches the threshold keeps the probe under the radar, at the cost of a much slower test. A slow, stealthy approach can be more effective than flooding the network with packets.
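    The following is an added example, not hping3 code and not from the article's source. It feeds a token-bucket limiter with probes spaced by the interval an hping3 -i argument denotes, and reports how many of 200 probes pass. The limiter's 50 packets/s sustained rate and 20-packet burst are constructed values; exact fractions are used so the counts are reproducible.

```python
"""Token-bucket limiter fed with probes at the interval hping3's -i option
would produce, to show which intervals stay under a limit and which trip it.
Added example, not hping3 code; the 50 pps / 20-burst limiter is constructed."""
from fractions import Fraction
from typing import Dict, Iterable, Tuple


class TokenBucket:
    """Refill `rate_pps` tokens per second up to `burst`; a packet passes
    only if a whole token is available when it arrives."""

    def __init__(self, rate_pps: int, burst: int) -> None:
        self.rate = Fraction(rate_pps)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last_t = Fraction(0)

    def allow(self, t: Fraction) -> bool:
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def hping_interval(spec: str) -> Fraction:
    """Seconds between packets for an hping3 -i argument:
    'u1000' means 1000 microseconds, '1' means one second."""
    if spec.startswith("u"):
        return Fraction(int(spec[1:]), 1_000_000)
    return Fraction(spec)


def simulate(interval_spec: str, count: int, rate_pps: int, burst: int) -> Tuple[int, int]:
    """Send `count` probes spaced by -i <interval_spec>; return (passed, dropped)."""
    gap = hping_interval(interval_spec)
    bucket = TokenBucket(rate_pps, burst)
    passed = sum(1 for i in range(count) if bucket.allow(i * gap))
    return passed, count - passed


def sweep(specs: Iterable[str], count: int = 200, rate_pps: int = 50,
          burst: int = 20) -> Dict[str, Tuple[int, int]]:
    return {spec: simulate(spec, count, rate_pps, burst) for spec in specs}


if __name__ == "__main__":
    for spec, (ok, dropped) in sweep(["u1000", "u10000", "u100000", "1"]).items():
        pps = float(1 / hping_interval(spec))
        print(f"-i {spec:8s} ({pps:8.1f} pps)  passed={ok:3d}  dropped={dropped}")
```

    At -i u1000 the burst is exhausted after 21 packets and only one probe in twenty gets through afterwards; at -i u100000 (10 packets/s) and slower, every probe passes. The same arithmetic, run the other way, is how a defender picks a burst and rate that a legitimate client never exceeds but a scanner cannot stay under without slowing to a crawl.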

    Ethical Considerations

    It's crucial to remember that using hping3 to bypass filtering devices should only be done with explicit permission from the network owner. Unauthorized use of these techniques is illegal and unethical. Security testers should always operate within the bounds of the law and with a clear understanding of the potential consequences of their actions. The purpose of using hping3 in this context is to identify vulnerabilities and improve network security, not to cause harm or disruption.

    Defending Against hping3 Attacks

    Understanding how hping3 can be used to bypass filtering devices is essential for building robust network defenses. Here are some strategies for mitigating these attacks:

    • Proper Firewall Configuration: Ensure that your firewall rules are comprehensive and cover all relevant protocols and ports. Regularly review and update your firewall rules to address emerging threats.
    • Intrusion Detection/Prevention Systems (IDS/IPS): Implement an IDS/IPS to detect and block malicious traffic patterns, including those generated by hping3. Configure your IDS/IPS to analyze fragmented packets, unusual flag combinations, and spoofed source ports.
    • Rate Limiting: Implement rate limiting to prevent attackers from overwhelming your network with traffic.
    • Traffic Analysis: Monitor network traffic for suspicious activity, such as unusual packet sizes, flag combinations, or source port patterns.
    • Regular Security Audits: Conduct regular security audits to identify vulnerabilities in your network configuration and address them proactively.
    • Educate Network Administrators: Ensure that your network administrators are trained on the latest security threats and best practices for configuring and maintaining filtering devices.
    • Stateful Firewalls: Employ stateful firewalls that track the state of network connections. They reassemble fragments before inspection, drop SYN/ACK and ACK-only packets that match no entry in the state table, and drop packets with no flags or with FIN/PSH/URG and no ACK; a source port of 53 earns a probe nothing, because it answers no recorded DNS query.
    • Deep Packet Inspection (DPI): Implement DPI to inspect the contents of network packets. DPI can identify malicious payloads that might be hidden within fragmented packets or obfuscated using other techniques.

    Conclusion

    hping3 is a powerful tool that can be used by security testers to identify vulnerabilities in network configurations and filtering devices. By understanding the various techniques for bypassing these devices, professionals can better protect their networks against sophisticated attacks. However, it's crucial to use hping3 ethically and responsibly, with the explicit permission of the network owner. The goal is to improve network security, not to cause harm or disruption. By combining a thorough understanding of hping3 with robust security practices, organizations can build resilient networks that are better equipped to withstand evolving threats. Understanding the tool's capabilities is the first step toward defending against its misuse. Continuous monitoring, regular security audits, and proactive mitigation strategies are essential for maintaining a secure network environment.
