hping and firewall testing

hping2 is a feature-rich utility. However, it is new to me. Could someone please tell me which syntax(es) I could use to test our firewall externally?

I am trying to use HPING to find out the firewall which nmap and nessus could not find.

The nmap syntax is nmap -v -sT -sV -P0 -O.

Any suggestions/comments/advice are much appreciated.

Many thanks!

DF


Doug Fox

For using hping, it's a good idea to learn scripting and TCL. You also need to understand the TCP/IP protocol family very well.

You can find information and discussion for hping in the hping wiki:

There you'll find much information about your question.

Yours, VB.

Volker Birk

What error message did they report?

OK - minor point; you are not scanning "all" ports on the firewall though this may or may not be relevant. See the -p option. Also, if your firewall is "reacting" to your probes by adding a temporary or permanent rule to "protect itself" from "attacks", you may want to read about nmap's -D option and think what would happen if one of those addresses used were that of an upstream router, or your DNS servers.

A lot depends on the rules set up on the firewall. COMMON SENSE suggests that the firewall does not accept _any_ connections from the world. Some people configure the firewall to 'REJECT' (reply with ICMP Type 3, Code 3, 10 or 12) any connections, while others configure the firewall to 'DROP' ("blackhole", "ignore", or "stealth") any connections. This is a "religious" decision, and is not part of this reply.

If you must permit connections from the "outside", a firewall rule should restrict the number of "permitted" outside addresses. Some advocate moving SSH (using any other service to connect to the firewall is totally insane) from the default port (22) to some other unconventional port (a form of "security by obscurity" - but a good defense against st00pid skript kiddiez and 'bots), while others suggest using 'port-knocking' (requiring a connect attempt to an otherwise empty port, followed within time limits by a connection to the "desired" port from the same address). Another technique is to only accept connections from "inside", and if a connection is needed from "outside", then you SSH into the "inside" host, and SSH _from there_ into the firewall. However, don't get too "clever" with your firewall, as you may only block everyone _including_ authorized personnel.

Thus, a "properly" configured firewall is going to be difficult to probe. It will either reject all attempts (possibly allowing you to fingerprint the O/S based on the ICMP errors), or simply _ignore_ all connection attempts (though still locatable by the lack of an ICMP Type 3 Code 1 from the preceding router).

Old guy

Moe Trin
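As an added illustration (not code from the thread or from any poster), here is a small Python classifier that turns what a SYN probe gets back into the port states and firewall posture described above: SYN/ACK, RST, an ICMP type 3 error, or silence, with a type 3 code 1 from the router in front distinguishing "nothing there" from a DROP policy. The ProbeResult records and the 192.0.2.x addresses are constructed; nothing here sends packets.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_UNREACH = {  # ICMP type 3 (destination unreachable) codes a probe is likely to see
    1: "host unreachable",
    3: "port unreachable",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

@dataclass
class ProbeResult:
    """One SYN probe to `port` and whatever came back (constructed record)."""
    port: int
    tcp_flags: Optional[str] = None               # "SA" = SYN/ACK, "RA" = RST/ACK
    icmp: Optional[Tuple[int, int, str]] = None   # (type, code, sender IP) of an ICMP error

def classify(r: ProbeResult, target_ip: str) -> str:
    """Map one probe's reply to the port state an nmap/hping user would read from it."""
    if r.tcp_flags == "SA":
        return "open"
    if r.tcp_flags == "RA":
        return "closed"                  # host answered itself: no filter on this port
    if r.icmp is None:
        return "filtered-drop"           # silence: a DROP rule, or nothing there at all
    itype, code, sender = r.icmp
    if itype == 3 and code == 1 and sender != target_ip:
        return "host-unreachable"        # the router in front says there is no such host
    if itype == 3 and code in (3, 9, 10, 13):
        who = "target" if sender == target_ip else "upstream " + sender
        return "filtered-reject (%s from %s)" % (ICMP_UNREACH[code], who)
    return "unexpected-icmp type=%d code=%d" % (itype, code)

def posture(results: List[ProbeResult], target_ip: str) -> Dict[str, object]:
    """Summarise a sweep: per-port states plus what they say about the firewall policy."""
    states = {r.port: classify(r, target_ip) for r in results}
    kinds = {s.split(" ")[0] for s in states.values()}
    if "host-unreachable" in kinds:
        verdict = "no host behind that address (router sent type 3 code 1)"
    elif kinds == {"filtered-drop"}:
        verdict = "DROP policy: host present but ignores everything"
    elif kinds == {"filtered-reject"}:
        verdict = "REJECT policy: every probe answered with an ICMP error"
    elif "open" in kinds:
        verdict = "exposed ports: " + ", ".join(str(p) for p, s in states.items() if s == "open")
    else:
        verdict = "mixed responses"
    return {"states": states, "verdict": verdict}
```

Run it against a real capture by filling ProbeResult records from your sniffer's output; the verdict is what to compare with the policy you think you configured.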

I used both nmap and nessus. Both of them could not find out anything.

I am trying hping2, p0f and firewalk now!

Regards,

Doug Fox

Hi Moe;

Thanks for your input. I did use -p 1-49151. BTW, I am using nmap v3.8.1 and could not find -D as an option. Kindly advise.

Regards,

Doug Fox

Ah, OK. Sorry ;-)

Why don't you want to use nessus, then? Did you have any problems (just being interested)?

Yours, VB.

Volker Birk

Second item on page 14 of the man page for that version for me, right AFTER this one

-F Fast scan mode. Specifies that you only wish to scan for ports listed in the services file which comes with nmap

We don't need no skript-kiddiez, which is why I don't show the option, but "it's in there". When you see it, you'll understand.

Old guy

Moe Trin
