2018年1月11日 星期四

[研究] hping - TCP/IP 封包產生和分析工具

[研究] hping - TCP/IP 封包產生和分析工具

Hping - Active Network Security Tool
http://www.hping.org/

下載
http://www.hping.org/download.html
  • Unix-Like 最新版 hping3-20051105  
  • 穩定版 (Stable) 目前最新 2.0.0-rc3
  • for Windows版目前最新 hping2 
hping 可以偽造來源 IP 位址發送封包,

*********************************************************************************
Windows 7 with SP1 x64 上安裝

下載




Google 查 wpcap.dll 知道是 WinPcap 的檔案。
網址 :https://www.winpcap.org/






hping2 提供的參數。

C:\Users\John\Desktop\hping2.win32>hping
hping2: missing host argument
Try `hping2 --help' for more information.

C:\Users\John\Desktop\hping2.win32>hping --help
usage: hping host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (mX for X milliseconds, for example -i m10)
      --fast      alias for -i m100 (10 packets for second)
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface IP (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl           (default to dst port)
  -Z  --unbind    unbind ctrl+z
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode
IP
  -a  --spoof      spoof source address
  --rand-dest      random destination address mode. see the man.
  --rand-source    random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field          (to estimate host traffic)
  -f  --frag       split packets in more frag.  (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set dont fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
  --lsrr           loose source routing and record route
  --ssrr           strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode
ICMP
  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options
UDP/TCP
  -s  --baseport   base source port             (default random)
  -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum many systems will fix the IP checksum sending the packet so you'll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
  --tcpexitcode    use last tcp->th_flags as exit code
  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime Common
  -d  --data       data size                    (default is 0)
  -E  --file       data from file
  -e  --sign       add 'signature'
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable 'safe' protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
  --tr-stop        Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt       Don't calculate/show RTT information in traceroute mode ARS packet description (new, unstable)
  --apd-send       Send the packet described with APD (see docs/APD.txt)

C:\Users\John\Desktop\hping2.win32>


*********************************************************************************
hping2.0.0-rc3 安裝 ( CentOS 7.4 x64)

安裝目前仍失敗,步驟暫時留下參考
[root@localhost ~]# yum  -y  install   gcc libpcap libpcap-devel
[root@localhost ~]# tar  zxvf  http://www.hping.org/hping2.0.0-rc3.tar.gz
[root@localhost ~]# cd  hping2.0.0-rc3
[root@localhost hping2-rc3]# ./configure
build byteorder.c...
create byteorder.h...
--------------------------------------
system type: LINUX

FORCE_LIBPCAP:
LIBPCAP      :
PCAP_INCLUDE :
MANPATH      : /usr/local/man

(to modify try configure --help)
--------------------------------------
creating Makefile...
now you can try `make'

[root@localhost hping2-rc3]# make
gcc -c -O2 -Wall  -g  arsglue.c
In file included from ars.h:18:0,
                 from arsglue.c:5:
bytesex.h:22:3: error: #error can not find the byte order for this architecture, fix bytesex.h
 # error can not find the byte order for this architecture, fix bytesex.h
   ^
In file included from arsglue.c:5:0:
ars.h:180:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
ars.h:244:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
make: *** [arsglue.o] Error 1
[root@localhost hping2-rc3]# vi   Makefile


找到

CCOPT= -O2 -Wall                                                                   



改成

CCOPT= -O2 -Wall  -DBYTE_ORDER_LITTLE_ENDIAN     


再來一次

[root@localhost hping2-rc3]# make
gcc -c -O2 -Wall  -DBYTE_ORDER_LITTLE_ENDIAN -g  arsglue.c
In file included from ars.h:18:0,
                 from arsglue.c:5:
bytesex.h:22:3: error: #error can not find the byte order for this architecture, fix bytesex.h
 # error can not find the byte order for this architecture, fix bytesex.h
   ^
make: *** [arsglue.o] Error 1
[root@localhost hping2-rc3]#



#define BYTE_ORDER_LITTLE_ENDIAN


define BYTE_ORDER_LITTLE_ENDIAN

找到

#define BYTE_ORDER_LITTLE_ENDIAN                                                                   



拿掉第一個 # 註解

define BYTE_ORDER_LITTLE_ENDIAN                                                    




再來一次

[root@localhost hping2-rc3]# make
gcc -c -O2 -Wall  -DBYTE_ORDER_LITTLE_ENDIAN -g  arsglue.c
In file included from ars.h:18:0,
                 from arsglue.c:5:
bytesex.h:22:3: error: #error can not find the byte order for this architecture, fix bytesex.h
 # error can not find the byte order for this architecture, fix bytesex.h
   ^
make: *** [arsglue.o] Error 1
[root@localhost hping2-rc3]#



暫時放棄了,其實下一版 hping3 都是 2005 年的東西,hping2 更老,安裝有問題,或需要修改很多地方才能安裝,是正常的。
[root@localhost hping2-rc3]# ls -al | more
total 1072
drwxr-xr-x. 5 john john  4096 Jan 11 07:07 .
dr-xr-x---. 7 root root  4096 Jan 10 23:17 ..
-rw-r--r--. 1 john john  6778 Aug 23  2001 antigetopt.c
-rw-r--r--. 1 john john  1022 Aug 22  2001 antigetopt.h
-rw-r--r--. 1 root root 17888 Jan 10 23:18 antigetopt.o
-rw-r--r--. 1 john john 14175 Nov 28  2002 apd.c
-rw-r--r--. 1 john john 25085 Jul 28  2003 ars.c
-rw-r--r--. 1 john john   633 Dec 13  2002 arsglue.c
-rw-r--r--. 1 john john 13360 Jul 28  2003 ars.h
-rw-r--r--. 1 john john  1507 Dec  6  2003 AUTHORS                   
... (略)


*********************************************************************************
hping3-20051105 安裝 ( CentOS 7.4 x64)



[root@localhost ~]# yum  -y  install   gcc libpcap libpcap-devel
[root@localhost ~]# wget   http://www.hping.org/hping3-20051105.tar.gz
[root@localhost ~]# tar  zxvf   http://www.hping.org/hping3-20051105.tar.gz
[root@localhost ~]# cd  hping3-20051105/
[root@localhost hping3-20051105]#  ./configure


結果也是一堆錯誤



[root@localhost hping3-20051105]# ./configure
build byteorder.c...
create byteorder.h...
./configure: line 81: -: command not found
==> WARNING: no Tcl header files found!
--------------------------------------
system type: LINUX

LIBPCAP      : PCAP=-lpcap
PCAP_INCLUDE :
MANPATH      : /usr/local/man
USE_TCL      :
TCL_VER      :
TCL_INC      :
LIBTCL       : -ltcl -lm -lpthread
TCLSH        :

(to modify try configure --help)
--------------------------------------
creating Makefile...
creating dependences...
In file included from ars.h:20:0,
                 from apd.c:19:
bytesex.h:22:3: error: #error can not find the byte order for this architecture, fix bytesex.h
 # error can not find the byte order for this architecture, fix bytesex.h
   ^
In file included from apd.c:19:0:
ars.h:190:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
ars.h:254:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
ars.h:323:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
In file included from ars.h:20:0,
                 from ars.c:24:
bytesex.h:22:3: error: #error can not find the byte order for this architecture, fix bytesex.h
 # error can not find the byte order for this architecture, fix bytesex.h
   ^
In file included from ars.c:24:0:
ars.h:190:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
ars.h:254:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
ars.h:323:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
In file included from ars.h:20:0,
                 from arsglue.c:7:
bytesex.h:22:3: error: #error can not find the byte order for this architecture, fix bytesex.h
 # error can not find the byte order for this architecture, fix bytesex.h
   ^
In file included from arsglue.c:7:0:
ars.h:190:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
ars.h:254:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
ars.h:323:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
In file included from ars.h:20:0,
                 from rapd.c:11:
bytesex.h:22:3: error: #error can not find the byte order for this architecture, fix bytesex.h
 # error can not find the byte order for this architecture, fix bytesex.h
   ^
In file included from rapd.c:11:0:
ars.h:190:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
ars.h:254:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
ars.h:323:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
In file included from ars.h:20:0,
                 from split.c:11:
bytesex.h:22:3: error: #error can not find the byte order for this architecture, fix bytesex.h
 # error can not find the byte order for this architecture, fix bytesex.h
   ^
In file included from split.c:11:0:
ars.h:190:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
ars.h:254:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
ars.h:323:2: error: #error "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
 #error  "Please, edit Makefile and add -DBYTE_ORDER_(BIG|LITTLE)_ENDIAN"
  ^
now you can try `make'
[root@localhost hping3-20051105]#


先用 Windows 版吧。

*********************************************************************************
hping3-20051105 安裝 ( CentOS 7.4 x64),用 EPEL 

https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/h/
找到有 hping3

https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
找到最新版 epel-release-7-11.noarch.rpm

開始安裝

[root@localhost ~]# wget  https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
[root@localhost ~]# rpm  -Uvh  epel-release-7-11.noarch.rpm
[root@localhost ~]# yum  -y  install  hping3 


更簡單安裝法
[root@localhost ~]# yum  -y  install   epel-release                                           
[root@localhost ~]# yum  -y  install  hping3 




安裝成功,hping3 提供的參數
[root@localhost ~]# hping3 -h
usage: hping host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood      sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl           (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode
IP
  -a  --spoof      spoof source address
  --rand-dest      random destionation address mode. see the man.
  --rand-source    random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field          (to estimate host traffic)
  -f  --frag       split packets in more frag.  (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set dont fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
  --lsrr           loose source routing and record route
  --ssrr           strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode
ICMP
  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options
UDP/TCP
  -s  --baseport   base source port             (default random)
  -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum
                   many systems will fix the IP checksum sending the packet
                   so you'll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
  --tcpexitcode    use last tcp->th_flags as exit code
  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime
Common
  -d  --data       data size                    (default is 0)
  -E  --file       data from file
  -e  --sign       add 'signature'
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable 'safe' protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
  --tr-stop        Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt       Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
  --apd-send       Send the packet described with APD (see docs/APD.txt)
[root@localhost ~]#




[root@localhost ~]# hping3 -S -p 80 -c 3 -n  192.168.1.101
HPING 192.168.1.101 (ens33 192.168.1.101): S set, 40 headers + 0 data bytes

--- 192.168.1.101 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


[root@localhost ~]#
[root@localhost ~]# hping3 -S -p 80 -c 3 -n  www.hinet.net
HPING www.hinet.net (ens33 210.61.44.225): S set, 40 headers + 0 data bytes
len=46 ip=210.61.44.225 ttl=60 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=10.0 ms
len=46 ip=210.61.44.225 ttl=60 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=10.0 ms
len=46 ip=210.61.44.225 ttl=60 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=14.8 ms

--- www.hinet.net hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 10.0/11.6/14.8 ms
[root@localhost ~]# hping3 -S -p 80 -c 3 -n  1.1.1.1
HPING 1.1.1.1 (ens33 1.1.1.1): S set, 40 headers + 0 data bytes
^C
--- 1.1.1.1 hping statistic ---
2 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@localhost ~]# 

flags=SA 有開 port

*********************************************************************************
試用

最好拿自己的另一台電腦當目標測試 (ex : 192.168.1.100) ,免得被別人當成疑似攻擊行為。

下面範例偽造來源 IP 為 1.2.3.4,目標 192.168.1.100, 每秒送出 10 個封包。
[root@localhost ~]#  hping  192.168.1.100   –i u10000  –S  –a   1.2.3.4


(待續)


沒有留言:

張貼留言