[REVS] Host Fingerprinting and Firewalking With hping

Subject: [REVS] Host Fingerprinting and Firewalking With hping
Date: 11 Dec 2005 10:32:37 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
  Host Fingerprinting and Firewalking With hping
------------------------------------------------------------------------


SUMMARY

The purpose of the paper presented here is to discuss some techniques 
that can be effectively used in remote host fingerprinting. The paper 
specifically covers the cases where network hosts are behind firewalls.

DETAILS

Introduction:
Remote host fingerprinting is the process of identifying the open 
service ports and the operating system of a machine over the network. This 
is usually achieved by various kinds of active and passive scanning 
techniques: sending several packets to the remote machine and reviewing 
the responses. The generally available tools, including nmap, do a fairly 
good job of scanning and guessing the remote operating system. Where a 
host is firewalled these tools do not help much, producing either 
ambiguous or incorrect results. This is especially true for machines which 
are heavily firewalled and only allow a very small number of packets to be 
forwarded and replied to. In those cases we require other methods to 
correctly determine the state of a remote machine. We will examine some 
alternative methods including RING scan and ICMP scans. The first section 
describes various port scanning techniques, while the next section throws 
some light on OS fingerprinting.

Note: In this paper we will explain the techniques with various tools, but 
the majority of the work is based on a simple and powerful utility named 
hping. This paper assumes that the reader has a basic understanding of 
remote host fingerprinting and Transmission Control Protocol/Internet 
Protocol (TCP/IP). We will review both service port fingerprinting and OS 
fingerprinting in certain firewalled environments, and will try to analyze 
the methods in detail to bring out the advantages and disadvantages of 
some techniques. Familiarity with hping and nmap will be useful for 
understanding the methods.

Port Knocking:
We start with general port scanning techniques using certain tools, 
including nmap and hping. We will discuss the common SYN and SYN/ACK 
scanning first, and the behavior of various hosts upon reception of these 
TCP packets. Then we will see how the results may vary between machines 
that are firewalled and those which are not. Afterwards some advanced 
techniques will be discussed, including FIN scans and UDP scans on 
firewalled hosts.

Hping:
Hping is described as one of the tools that can be effectively used for 
scanning, fingerprinting and firewall testing. Some of its powerful 
features include the ability to send custom crafted packets using several 
protocols and to perform remote scanning. This is very handy for examining 
the response to various custom created packets.

Nmap:
Network Mapper (nmap) is a famous network-auditing tool that can be used 
for advanced port scanning and OS detection. It has a powerful set of 
features, including passive scanning and idle scanning, though it does not 
have the ability to send custom packets like hping.

Testing with half open scan (SYN):
The idea of half open scanning (also referred to as SYN scanning) is 
simple. Without completing the TCP three way handshake, send an initial 
SYN packet and wait for the response: if a SYN/ACK is received it means 
the remote port is open; otherwise you will receive a packet with the RST 
flag set, which is an indication of a closed port.
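As an added example (not part of the advisory or the paper it summarizes), the following Python turns the same SYN / SYN-ACK / RST logic around for the defender: it reads a constructed, simplified packet log and reports sources that probe ports without ever completing the handshake, classifying each probed port as open, closed or filtered. The log format and the addresses in it are constructed for this example.

```python
# Added example (not from the advisory or from hping): detect half-open SYN
# scanning in a constructed, simplified TCP packet log. Each record reads
# "src:sport > dst:dport FLAGS" with FLAGS drawn from S, A, R, P and F.
from collections import defaultdict

def parse(line):
    src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), set(flags)

def classify_probes(lines):
    """Map each source to {dport: state} for SYNs it never completed with a
    third-step ACK: 'open' (SYN/ACK seen), 'closed' (RST), 'filtered' (silence)."""
    syn_sent = set()    # (client, cport, server, sport) keys that sent a SYN
    reply = {}          # same key -> 'open' | 'closed', from the server's answer
    completed = set()   # keys whose client sent the final handshake ACK
    for line in lines:
        sip, sport, dip, dport, flags = parse(line)
        fwd = (sip, sport, dip, dport)      # this packet's own direction
        rev = (dip, dport, sip, sport)      # the connection it answers
        if "S" in flags and "A" not in flags:
            syn_sent.add(fwd)
        elif rev in syn_sent and {"S", "A"} <= flags:
            reply[rev] = "open"
        elif rev in syn_sent and "R" in flags:
            reply.setdefault(rev, "closed")
        elif fwd in syn_sent and flags == {"A"}:
            completed.add(fwd)
    probes = defaultdict(dict)
    for key in syn_sent - completed:
        client, _, _, server_port = key
        probes[client][server_port] = reply.get(key, "filtered")
    return dict(probes)

def scanners(lines, min_ports=3):
    """Sources that left at least min_ports distinct ports half-open."""
    return {ip: p for ip, p in classify_probes(lines).items() if len(p) >= min_ports}

# Constructed sample: 10.0.0.9 probes four ports and completes no handshake
# (a firewalled port 25 never answers); 10.0.0.5 is an ordinary client.
SAMPLE = [
    "10.0.0.9:40001 > 192.0.2.10:22 S", "192.0.2.10:22 > 10.0.0.9:40001 SA",
    "10.0.0.9:40001 > 192.0.2.10:22 R", "10.0.0.9:40003 > 192.0.2.10:25 S",
    "10.0.0.9:40002 > 192.0.2.10:23 S", "192.0.2.10:23 > 10.0.0.9:40002 RA",
    "10.0.0.9:40004 > 192.0.2.10:80 S", "192.0.2.10:80 > 10.0.0.9:40004 SA",
    "10.0.0.5:51000 > 192.0.2.10:80 S", "192.0.2.10:80 > 10.0.0.5:51000 SA",
    "10.0.0.5:51000 > 192.0.2.10:80 A", "10.0.0.5:51000 > 192.0.2.10:80 PA",
]
```

Ports that answer with neither a SYN/ACK nor an RST are reported as filtered, which is the silence the paper attributes to heavily firewalled hosts.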

The full document can be found at: 
http://bsdpakistan.org/downloads/HostFingerprinting.pdf


ADDITIONAL INFORMATION

The information has been provided by naveed <naveedafzal@gmail.com>.
The original article can be found at: 
http://bsdpakistan.org/downloads/HostFingerprinting.pdf
