Use the HPING utility on Linux/UNIX to see how hackers can spoof their destination when scanning your systems.
Although the name HPING sounds as though it could be some obscure TCP/IP command, it is actually a hacker tool. HPING is similar to the well-known PING command, except that it has a lot more capabilities. HPING can be used to spoof IP packets, discover firewall policies, or even to transfer files across a firewall. Although I don’t condone illegal hacking, I’ve always found it helpful to use utilities like HPING against my own systems so that I can see where my security needs improvements.
You can download the free utility, HPING, here. HPING is a UNIX-based program, so unless you are running CYGWIN, don’t plan on running it under Windows.
For the purposes of this article, I set up a Linux machine running Red Hat Linux 9.0. Initially, I downloaded HPING with no problems, but it didn’t take me long to realize that HPING must be compiled prior to use. Compiling HPING was a fish-out-of-water experience for me since I spend most of my time working on Windows, but I was eventually able to figure it out. For the benefit of others like me, I have described the procedure for compiling HPING below. This procedure assumes that the HPING program was downloaded into a folder called "Hping" and was unzipped to a folder called "hping/hping2-rc2."
Begin by logging in as root and then creating a folder called /usr/local/man/man8. After doing so, right-click on an empty area of the desktop (in a Linux GUI) and select the New Terminal command from the shortcut menu. When the terminal screen opens, enter these commands.
These commands will compile the HPING utility. The executable program that you produce will be placed in the /sbin folder.
One of the most common tasks that hackers have to perform is a port scan. The basic idea behind a port scan is testing to see if a particular port is open so that the open port can be exploited. There are a number of port scanning utilities available for free download on the Internet. However, downloading such a utility and scanning remote ports with it is an extremely bad idea since port scans are easily detectable and can be traced back to you.
If you are interested in scanning ports without getting caught, HPING allows you to perform a “stealth” port scan. The basic idea is that you can take control of a vulnerable host and then use that host to do your dirty work. The host that you are attacking will trace the port scan back to the machine that’s under your control.
So how in the world can an innocent PING utility pull off this type of stunt? It’s possible because HPING doesn’t send ICMP packets like a normal PING utility does. Instead, HPING sends TCP packets containing some special flags. After these packets are sent, HPING listens to the response and uses the response to determine whether or not the port is open. In some cases, the response can even be used to determine what operating system the remote host is running.
So let’s take a look at how you would use HPING to control an unsuspecting host and run a port scan against another host. For this procedure, I will be using the term HOST A to refer to your machine. Host B will be the machine that you will be launching the port scan from, and Host C will be the machine that you are trying to scan.
The first step in this procedure is to find a suitable Host B. Not just any machine will make a suitable Host B because Host B has to be a zero traffic host. Most of the time this means finding a Web site that no one ever goes to or a server that’s sitting idle somewhere. This is easier than it sounds because many Web sites are idle at night, especially personal Web sites. We’ve all seen personal Web sites that simply host a bunch of pictures of the site owner’s kids. Such sites get very little traffic and make excellent Host B candidates for hackers. For this test, it's best if you use one of your own hosts.
So how do you verify that Host B really is a zero traffic host? To do so, you will have to run HPING against the potential Host B. When you do, you will want to use the -r switch (use the lowercase "r"). This will relativize the ID field, which allows you to estimate the host’s traffic. The output will look something like this.
As you look at the output shown above, you will notice that the sequence number increases by one on each line. This means that you are the only one who is using the host. In this case, the remote machine really is a zero traffic machine and makes a perfect Host B. Notice that Host B’s IP address is 220.127.116.11. This is the IP address that we will be spoofing for our port scan against Host C.
Now that we have a suitable Host B, the trick is to send a SYN packet to Host C, but to spoof Host B’s IP address in the process. This isn’t as hard as it sounds. HPING allows you to use the -a switch (this is a lowercase a) followed by the address that you want to spoof. Prior to sending this packet though, you need to open up a second terminal window and run a continuous HPING against Host B while using the -r switch.
What happens is a little complicated, so I will try to break it down:
- Host A sends a SYN packet to Host C over a specific port (designated with the -p switch) while spoofing Host B’s IP address.
- If the port is open, Host C will send a SYN packet to Host B.
- Host C will also send an ACK packet to Host B.
- Host B sends an RST packet to Host C. This packet is sent because Host B realizes that it did not initiate the conversation and the RST packet tells Host C that Host B wants to end the conversation.
- At the time when Host B sends the RST packet to Host C, the ID= portion of the HPING reply string will change from the standard +1 to something bigger than 1 (usually +2 or +3). If you see this change, then it means that the port is open. You can see an example here.
Suppose that the port on Host C isn’t open though. If that’s the case then Host C will not send a reply and therefore the ID= portion of the reply string will never change.
As you can see, HPING is a very handy tool for hackers. Spoofed port scans are only the beginning of what this utility can be used for. You can start using it to try to scan your hosts to see if they are vulnerable and if they can be used to scan and attack other systems.
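To check whether one of your own hosts could serve as a Host B, you can classify how it assigns the IP ID field from the IDs seen in successive replies. The following is an added example, not part of the original article or of HPING; the function names, the `busy_step` threshold and the sample ID lists are assumptions constructed for illustration.

```python
MOD = 1 << 16  # the IP ID field is 16 bits wide and wraps around


def deltas(ids):
    """Differences between consecutive IP IDs, corrected for wraparound."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]


def swap16(v):
    """Byte-swap a 16-bit value (some stacks increment the ID in host byte order)."""
    return ((v & 0xFF) << 8) | (v >> 8)


def _pattern(ids, busy_step):
    d = deltas(ids)
    if all(x == 0 for x in d):
        return "constant"            # ID never changes: reveals nothing
    if all(x == 1 for x in d):
        return "incremental-idle"    # global counter, no other traffic seen
    if all(1 <= x <= busy_step for x in d):
        return "incremental-busy"    # global counter, other traffic present
    return None


def classify_ipid(ids, busy_step=10):
    """Classify a list of IP IDs observed in successive replies from one host."""
    if len(ids) < 4:
        return "insufficient"
    return (_pattern(ids, busy_step)
            or _pattern([swap16(v) for v in ids], busy_step)
            or "unpredictable")


# Constructed sample observations, keyed by a label for each of your own hosts.
SAMPLES = {
    "idle-web": [41230, 41231, 41232, 41233, 41234],
    "wraps": [65534, 65535, 0, 1],
    "byte-swapped": [13330, 13586, 13842, 14098],
    "busy-mail": [100, 103, 109, 110, 117],
    "zero-id": [0, 0, 0, 0],
    "randomized": [51234, 1200, 33000, 870, 45011],
}


def hosts_at_risk(samples):
    """Hosts whose ID counter is predictable and idle, as the article's Host B is."""
    return sorted(h for h, ids in samples.items()
                  if classify_ipid(ids) == "incremental-idle")
```

Hosts reported by `hosts_at_risk` are the ones to prioritize for patching or for a stack setting that randomizes or zeroes the IP ID.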