Monday, 16 June 2014

Tools for creating TCP/IP packets

hping (http://www.hping.org/)

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) Unix command, but hping isn't only able to send ICMP echo requests. It supports the TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.

Features include:
    * Firewall testing
    * Advanced port scanning
    * Network testing, using different protocols, TOS, fragmentation
    * Manual path MTU discovery
    * Advanced traceroute, under all the supported protocols
    * Remote OS fingerprinting
    * Remote uptime guessing
    * TCP/IP stacks auditing
    * hping can also be useful to students that are learning TCP/IP

hping works on the following Unix-like systems: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, Mac OS X, Windows.

Nemesis (http://nemesis.sourceforge.net/)

Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.

Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

Features include:
    * ARP/RARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP protocol support
    * Layer 2 or Layer 3 injection
    * Packet payload from file
    * IP and TCP options from file

Scapy (http://www.secdev.org/projects/scapy/)

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. 

It can handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).

Features include:
    * Port Scanning
          o SYN Scan
          o Other TCP Scans
          o UDP Scans
          o IP Scan
    * Host Discovery
          o ARP Ping
          o ICMP Ping
          o TCP Ping
          o UDP Ping
    * OS Fingerprinting
          o ISN
          o nmap_fp
          o p0f
          o queso
    * Sniffer - includes powerful facilities for traffic capture and analysis
    * Wireless - can not only sniff and decode packets but also inject arbitrary packets
    * Traceroute - standard ICMP Traceroute can be emulated
    * Firewall/IDS Testing
          o TCP Timestamp Filtering
          o NAT Detection
          o Firewalking

Yersinia (http://www.yersinia.net)

Yersinia is a framework for performing layer 2 attacks.

It is designed to take advantage of some weaknesses in different network protocols. It aims to be a solid framework for analyzing and testing deployed networks and systems.

Features include:
    * Attacks for the following network protocols are supported
          o Spanning Tree Protocol (STP)
          o Cisco Discovery Protocol (CDP)
          o Dynamic Trunking Protocol (DTP)
          o Dynamic Host Configuration Protocol (DHCP)
          o Hot Standby Router Protocol (HSRP)
          o 802.1q
          o 802.1x
          o Inter-Switch Link Protocol (ISL)
          o VLAN Trunking Protocol (VTP)

SendIP (http://www.earth.li/projectpurple/progs/sendip.html)

SendIP is a command-line tool to send arbitrary IP packets. It has a large number of options to specify the content of every header of a RIP, RIPng, BGP, TCP, UDP, ICMP, or raw IPv4/IPv6 packet. It also allows any data to be added to the packet. Checksums can be calculated automatically, but if you wish to send out wrong checksums, that is supported too.

packETH (http://packeth.sourceforge.net/)

packETH is a Linux GUI packet generator tool for Ethernet. It allows you to create and send any possible packet or sequence of packets on the Ethernet.

Features:
    * you can create and send any Ethernet packet. Supported protocols:
          o Ethernet II, Ethernet 802.3, 802.1q, QinQ
          o ARP, IPv4, user-defined network layer payload
          o UDP, TCP, ICMP, IGMP, user-defined transport layer payload
          o RTP (payload with options to send a sine wave of any frequency for G.711)
    * sending a sequence of packets
          o delay between packets, number of packets to send
          o sending at maximum speed, approaching the theoretical boundary
          o changing parameters while sending (IP and MAC address, UDP payload, 2 user-defined bytes, etc.)
    * saving the configuration to a file and loading it back; pcap format supported

Mausezahn (http://www.perihel.at/sec/mz/)

Mausezahn is a fast traffic generator which allows you to send nearly every possible and impossible packet. Mausezahn can be used, for example, as a traffic generator to stress multicast networks, for penetration testing of firewalls and IDS, for simulating DoS attacks on networks, to find bugs in network software or appliances, for reconnaissance attacks using ping sweeps and port scans, or to test network behavior under strange circumstances. Mausezahn gives you full control over the network interface card and allows you to send any byte stream you want (even violating Ethernet rules). 

Mausezahn can be used, for example:
    * As a traffic generator (e.g. to stress multicast networks)
    * To precisely measure jitter (delay variations) between two hosts (e.g. for VoIP SLA verification)
    * As a didactic tool during a datacom lecture or for lab exercises
    * For penetration testing of firewalls and IDS
    * For DoS attacks on networks (for audit purposes of course)
    * To find bugs in network software or appliances
    * For reconnaissance attacks using ping sweeps and port scans
    * To test network behaviour under strange circumstances (stress test, malformed packets, ...)

...and more. Mausezahn is basically a versatile packet creation tool for the command line with a simple syntax and context help. It can also be used within (bash) scripts to perform combinations of tests.

What is TTL ("Time To Live")?

Have you ever looked at the output of the ping command and wondered what "TTL" stands for?

Pinging www.google.com [72.14.205.104] with 32 bytes of data:

Reply from 72.14.205.104: bytes=32 time=365ms TTL=242
Reply from 72.14.205.104: bytes=32 time=367ms TTL=242
Reply from 72.14.205.104: bytes=32 time=370ms TTL=242
Reply from 72.14.205.104: bytes=32 time=366ms TTL=242

Each IP packet carries a Time to Live (TTL) field that limits the number of network devices the packet may pass through on its way to the destination. The host sending the packet sets the initial TTL value, and each network device that forwards the packet reduces this value by 1. When the TTL value reaches 0, the packet is discarded instead of being forwarded any further.

This mechanism ensures that bad routing on the Internet won't cause packets to loop around the network forever without being removed. TTLs therefore help keep data circuits from being clogged with unnecessary traffic.
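To see what the TTL in that output tells you, here is an added example (not part of the original post) that parses the reply lines above and estimates the sender's initial TTL and the number of hops the replies crossed; the list of common initial TTLs is an assumption about typical stack defaults, and the ping output is the constructed sample from above.

```python
import re

# Constructed sample: the Windows ping output quoted above.
PING_OUTPUT = """\
Pinging www.google.com [72.14.205.104] with 32 bytes of data:

Reply from 72.14.205.104: bytes=32 time=365ms TTL=242
Reply from 72.14.205.104: bytes=32 time=367ms TTL=242
Reply from 72.14.205.104: bytes=32 time=370ms TTL=242
Reply from 72.14.205.104: bytes=32 time=366ms TTL=242
"""

REPLY_RE = re.compile(r"Reply from (\S+): bytes=(\d+) time=(\d+)ms TTL=(\d+)")

# Initial TTLs that IP stacks commonly start from (assumption: these are the
# widely documented defaults, e.g. 64 for Linux/BSD, 128 for Windows, 255 for
# many routers and Solaris; a stack with a custom value breaks the guess).
COMMON_INITIAL_TTLS = (64, 128, 255)


def parse_replies(text):
    """Return (ip, bytes, rtt_ms, ttl) tuples for each 'Reply from' line."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4)))
            for m in REPLY_RE.finditer(text)]


def estimate_hops(observed_ttl):
    """Guess the sender's initial TTL as the smallest common default that is
    not below the observed value; the hop count is the number of decrements."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL %d is outside the IPv4 range 1..255" % observed_ttl)
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def analyse(text):
    """Summarise the replies: estimated initial TTL, hop count, path stability."""
    replies = parse_replies(text)
    if not replies:
        raise ValueError("no 'Reply from' lines found")
    ttls = {ttl for _, _, _, ttl in replies}
    initial, hops = estimate_hops(max(ttls))
    return {
        "replies": len(replies),
        "initial_ttl": initial,
        "hops": hops,
        # A TTL that differs between replies from one address means the packets
        # took paths of different length (or different machines answered).
        "stable_path": len(ttls) == 1,
    }
```

For the output above this yields an initial TTL of 255 and 13 hops; a host whose replies arrive with varying TTLs is worth a closer look, since the path (or the responder) changed mid-run.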

How To Setup Local YUM Server Repository In RedHat Enterprise Linux 6

Insert the RHEL 6 DVD into the system

# mkdir /rhel6/dvd

# cp -rvfp /media/RHEL6DVD /rhel6/dvd

# cd /rhel6/dvd/Packages

# rpm -ivh createrepo-0.9.8-4.el6.noarch.rpm


Note: If it reports missing dependency RPMs, install them first, then rerun the command above.

# cd /etc/yum.repos.d

# mv * /tmp 

# vim rhel6.repo
      [RHEL6]
      name=Redhat Enterprise Linux 6 Repository
      baseurl=file:///rhel6/dvd
      gpgcheck=0
      enabled=1

# createrepo -v /rhel6/dvd


# yum clean all
  
# yum repolist 


Now you have your local Redhat repo on your system.

Installing Apache And Configuring YUM Client Repository

# yum install httpd* -y

# vim /etc/httpd/conf/httpd.conf
              DocumentRoot /rhel6

              <Directory /rhel6>
                      Options Indexes FollowSymLinks
                      AllowOverride None
                      Order allow,deny
                      Allow from all
              </Directory>

              NameVirtualHost 192.168.1.1:80

              <VirtualHost 192.168.1.1:80>
                       ServerAdmin webmaster@dynamite.com
                       DocumentRoot /rhel6
                       ServerName server.dynamite.com
                       ErrorLog logs/server.dynamite.com-error_log
                       CustomLog logs/server.dynamite.com-access_log common
              </VirtualHost>
 

# chkconfig httpd on

# service httpd start

# vim /etc/hosts
        192.168.1.1              server.dynamite.com       server

# getenforce             (If SELinux is in Enforcing mode, run the following command)

chcon -R -t httpd_sys_content_t   /rhel6


Open Firefox and confirm the result at
http://server.dynamite.com/dvd

If it lists all the RHEL 6 DVD content, the configuration is correct.

Setting Up YUM Client Repository :


In the client system 

# vim /etc/hosts
        192.168.1.1              server.dynamite.com       server

# cd /etc/yum.repos.d/

# mv * /tmp

# vim client.repo
         [client]
         name=RedHat Enterprise Linux 6 Client Repository
         baseurl=http://server.dynamite.com/dvd
         gpgcheck=0
         enabled=1

# yum clean all

# yum list
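The client.repo above uses gpgcheck=0, so yum installs whatever the web server hands it. As an added example (not from the original post), the following script audits .repo files and carries a hardened variant beside the weak one; the gpgkey path is an assumption (the redhat-release package installs the release key under /etc/pki/rpm-gpg/), and both repo files are constructed samples.

```python
import configparser
from urllib.parse import urlparse

# Constructed samples: WEAK_REPO is the client.repo from the steps above,
# HARDENED_REPO turns signature checking on. The gpgkey path is an assumption
# (the redhat-release package installs the key under /etc/pki/rpm-gpg/).
WEAK_REPO = """\
[client]
name=RedHat Enterprise Linux 6 Client Repository
baseurl=http://server.dynamite.com/dvd
gpgcheck=0
enabled=1
"""

HARDENED_REPO = """\
[client]
name=RedHat Enterprise Linux 6 Client Repository
baseurl=http://server.dynamite.com/dvd
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
"""


def _is_true(value):
    """yum accepts 1/yes/true (any case) for boolean options."""
    return value.strip().lower() in ("1", "yes", "true")


def audit_repo(text):
    """Return (section, finding) pairs for each enabled repository whose
    settings let an unverified package reach rpm."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        repo = cp[section]
        if not _is_true(repo.get("enabled", "1")):
            continue
        if not _is_true(repo.get("gpgcheck", "0")):
            findings.append((section, "gpgcheck off: RPM signatures are never "
                             "verified, so whoever answers for the baseurl "
                             "host decides what gets installed"))
            continue
        keys = repo.get("gpgkey", "").split()
        if not keys:
            findings.append((section, "gpgcheck on but no gpgkey to import"))
        for key in keys:
            if urlparse(key).scheme != "file":
                findings.append((section, "gpgkey %s is fetched remotely: a "
                                 "spoofed server can serve both the packages "
                                 "and the key that signs them" % key))
    return findings
```

Pointing gpgkey at a local copy of the vendor key keeps the trust root off the same server that serves the packages, which is what makes the plain-http baseurl tolerable.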

Some History Command Hacks

How to display TIMESTAMP in history

# export HISTTIMEFORMAT='%F %T '
# history   (In the output you will find the date and time before each command that was executed)

To make this persistent:
# echo "export HISTTIMEFORMAT='%F %T '" >> /etc/profile

How to ignore some commands in history (prevent history from recording certain commands we execute)

# export HISTCONTROL=ignorespace

Type some commands like ls -l, date, time, who, etc., then type fdisk -l with a leading space before pressing enter. (Ex. #   fdisk -l)

# history   (In the output you will find that the fdisk command is not recorded in the history file)

To make this persistent:
# echo 'export HISTCONTROL=ignorespace' >> /root/.bash_profile


How to ignore duplicate commands in history (prevent history from recording duplicates of the commands we execute) (not recommended in production)

# export HISTCONTROL=ignoredups

Type the command cal 5 times in a row, then execute the history command

# history   (In the output you will find the cal command recorded only once in the history file, because we are ignoring the duplicate entries)

To make this persistent:
# echo 'export HISTCONTROL=ignoredups' >> /root/.bash_profile



How to set limits on the history file size and the number of commands to record

# export HISTSIZE=100        (Only the last 100 commands of the current session are kept in the shell's history list)
# export HISTFILESIZE=2500    (The history file keeps at most 2500 lines)

# history   (In the output you will find at most the last 100 commands)

To make this persistent:
# echo 'export HISTSIZE=100' >> /root/.bash_profile
# echo 'export HISTFILESIZE=2500' >> /root/.bash_profile
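An added example, not part of the original post: once HISTTIMEFORMAT is set, bash writes a "#<epoch seconds>" line in front of every command it saves to the history file, which is the form an incident responder actually gets. This script reads such a file and flags the entries worth a second look; the sample history and the list of markers are constructed.

```python
import datetime

# Constructed sample of a ~/.bash_history saved while HISTTIMEFORMAT was set:
# bash precedes each command with a "#<epoch seconds>" line. Commands that
# were appended by a shell without HISTTIMEFORMAT carry no such line.
SAMPLE_HISTORY = """\
#1402900000
ls -l
#1402900030
cal
#1402900031
cal
#1402900100
yum install httpd* -y
export HISTSIZE=0
#1402900200
service httpd start
"""

# Commands that change what the shell records (constructed list).
TAMPER_MARKERS = ("HISTSIZE", "HISTFILESIZE", "HISTFILE", "HISTCONTROL",
                  "HISTIGNORE", "history -c")


def parse_history(text):
    """Return [(datetime in UTC or None, command)], oldest first."""
    entries, pending = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            pending = datetime.datetime.fromtimestamp(int(line[1:]),
                                                      datetime.timezone.utc)
            continue
        if line.strip():
            entries.append((pending, line))
            pending = None
    return entries


def review(entries):
    """Flag entries a responder should look at: commands recorded without a
    timestamp, and commands that alter how history is recorded."""
    flagged = []
    for when, cmd in entries:
        reasons = []
        if when is None:
            reasons.append("no timestamp")
        if any(marker in cmd for marker in TAMPER_MARKERS):
            reasons.append("touches history settings")
        if reasons:
            flagged.append((when, cmd, reasons))
    return flagged
```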

SSH Server Hardening

To harden SSH connections, follow these steps:

# vim /etc/ssh/sshd_config
Port 2299
(Change the standard SSH port to the port number you require, and make sure the firewall permits that port; 2299 in this example)

Protocol 2
(Make sure only protocol 2 is permitted, because it is more secure than protocol 1)

ListenAddress 192.168.1.1
(If you have multiple NICs, this sets the interface on which the server listens for SSH requests)

PermitRootLogin No
(Use this setting to block the root user from logging in to the server over SSH)

# service sshd restart
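As an added example, not from the original post, the following script checks an sshd_config against the four settings above using sshd's own parsing rules (case-insensitive keywords, first occurrence wins except for Port and ListenAddress where every occurrence applies, comments only where the first token starts with '#', and everything after a Match line is conditional); the sample config is constructed.

```python
# Constructed sample: the directives from the steps above, plus commented-out
# defaults like those in a stock sshd_config, and a trailing duplicate.
SAMPLE_SSHD_CONFIG = """\
#Port 22
Port 2299
Protocol 2
ListenAddress 192.168.1.1
#PermitRootLogin yes
PermitRootLogin No
PermitRootLogin yes
"""

# Hardened values taken from the steps above (keywords lower-cased).
EXPECTED = {"port": "2299", "protocol": "2",
            "listenaddress": "192.168.1.1", "permitrootlogin": "no"}

# Keywords for which every occurrence takes effect; for all others sshd
# applies the first occurrence and ignores later duplicates.
MULTI_VALUED = ("port", "listenaddress")


def parse_sshd_config(text):
    """Return the directives as sshd applies them: keywords are case-
    insensitive, lines whose first token starts with '#' are comments, and
    everything after a 'Match' line is conditional, so parsing stops there."""
    effective = {}
    for raw in text.splitlines():
        parts = raw.replace("=", " ", 1).split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) == 2 else ""
        if key in MULTI_VALUED:
            effective.setdefault(key, []).append(value)
        else:
            effective.setdefault(key, value)
    return effective


def check_hardening(text, expected=EXPECTED):
    """Return (keyword, found, expected) for each directive that is missing
    or differs from the hardened value; an empty list means all are set."""
    effective = parse_sshd_config(text)
    problems = []
    for key, want in expected.items():
        got = effective.get(key)
        values = got if isinstance(got, list) else [got]
        if got is None or any(v.lower() != want.lower() for v in values):
            problems.append((key, got, want))
    return problems
```

Recent OpenSSH releases no longer support protocol 1 in sshd at all and treat the Protocol keyword as deprecated, so that check only matters for older servers; a second Port line, by contrast, silently opens a second listener, which is why the checker treats Port as multi-valued.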