Hello:
I am pretty new to security at this level. I have been doing some
experiments with hping2 and ettercap.
Let me explain: I have a computer with Windows 2000 SP4 on it and
ettercap NG 0.73; under this computer I have 2 vmware machines with Linux
(Knoppix) on them. I have activated ettercap so it makes a man in the
middle attack against both Linux computers.
Here is the strange behavior I have found.
When I create the following packet with hping2, I send the packet twice
instead of once (option -c 1): "hping2 -S -t 1 -d 29 -E TST_FIle0001
-c 1 192.168.1.40"; this packet has a ttl of 1 hop. The result in
tcpdump is:
11:47:44.547503 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
        0x0000: 4500 0045 6e64 0000 0106 c7ad c0a8 0129 E..End.........)
        0x0010: c0a8 0128 0612 0000 480f 3b2d 0009 d60c ...(....H.;-....
        0x0020: 5002 0200 62f2 0000 5553 4552 3a54 5354 P...b...USER:TST
        0x0030: 5f31 3031 0a50 4153 533a 7364 6cf1 666b _101.PASS:sdl.fk
        0x0040: 6473 660a 00 dsf..
11:47:44.565518 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
        0x0000: 4500 0045 6e64 0000 0106 c7ad c0a8 0129 E..End.........)
        0x0010: c0a8 0128 0612 0000 480f 3b2d 0009 d60c ...(....H.;-....
        0x0020: 5002 0200 62f2 0000 5553 4552 3a54 5354 P...b...USER:TST
        0x0030: 5f31 3031 0a50 4153 533a 7364 6cf1 666b _101.PASS:sdl.fk
        0x0040: 6473 660a 00 dsf..
11:47:44.586753 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1208957771 win 0
        0x0000: 4500 0028 001f 4000 4006 b70f c0a8 0128 E..(..@.@......(
        0x0010: c0a8 0129 0000 0612 0000 0000 480f 3b4b ...)........H.;K
        0x0020: 5014 0000 a2c2 0000 0000 0000 0000 P.............
11:47:44.605655 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1 win 0
        0x0000: 4500 0028 001f 4000 4006 b70f c0a8 0128 E..(..@.@......(
        0x0010: c0a8 0129 0000 0612 0000 0000 480f 3b4b ...)........H.;K
        0x0020: 5014 0000 a2c2 0000 0000 0000 0000 P.............
In this case I sent 2 SYN packets and received 2 RST packets when it should
have been only one packet of each.
However, if I disable the man in the middle attack, what I get is one SYN
sent and one RST received, as it should be.
Has anyone found this strange behavior before? Why does hping2 send 2
packets when there is a man in the middle computer and only one when there
is none? I can't figure out why.
PS: I used this list because I am not an expert in security, so this may be
something trivial.
Francisco Jain Alegrma
fjaenal@hotmail.com
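
As an added example (not part of the original post), a small Python check for the pattern visible in the trace above: packets that repeat within a short time with identical IP id, TTL, length and TCP checksum. The function name, the 0.1 s window and the last sample line (id 32) are assumptions of this example.

```python
import re

# Header lines from the trace in the post (tcpdump -v layout), plus one
# constructed line (id 32) that is not a duplicate.
SAMPLE = """\
11:47:44.547503 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
11:47:44.565518 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
11:47:44.586753 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1208957771 win 0
11:47:44.605655 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1 win 0
11:47:45.100000 IP (tos 0x0, ttl 64, id 32, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1555: R, cksum 0xa2c1 (correct), 0:0(0) ack 1 win 0
"""

# Matches one tcpdump -v packet header line and captures the fields compared.
HEADER = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP \(tos \S+ ttl (\d+), id (\d+),"
    r".*?length: (\d+)\) (\S+) > (\S+):.*?cksum (0x[0-9a-f]+)"
)

def find_duplicates(text, window=0.1):
    """Return (first_ts, repeat_ts, key) for packets whose IP header fields
    and TCP checksum repeat within `window` seconds."""
    last_seen = {}
    hits = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # hex dump rows and non-IP lines are skipped
        hh, mm, ss, ttl, ipid, length, src, dst, cksum = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + float(ss)
        key = (src, dst, int(ipid), int(ttl), int(length), cksum)
        prev = last_seen.get(key)
        if prev is not None and ts - prev[0] <= window:
            hits.append((prev[1], line.split()[0], key))
        last_seen[key] = (ts, line.split()[0])
    return hits

if __name__ == "__main__":
    for first, repeat, key in find_duplicates(SAMPLE):
        src, dst, ipid, ttl, length, cksum = key
        print(f"{first} -> {repeat}: {src} > {dst} id={ipid} ttl={ttl} "
              f"len={length} cksum={cksum} seen twice")
```

Run over the capture from the sending host, it reports the SYN (id 28260) and the RST (id 31) as each seen twice about 18 ms apart, and ignores the constructed id 32 line.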