This document explains how packet crafting tools such as Hping2 and Nemesis can be used to test a firewall.
Packet crafting is the technique of creating or editing IP packets. The crafted packets carry user-defined source/destination IP addresses, erroneous TCP flags, sequence numbers and so on; the payload section of the packet can be changed as well. Changing the fields of the IP header and the TCP/UDP header lets a network administrator check how the devices in the path and the receiving application react to the packet; an application might even crash on receiving an erroneous packet. An intruder footprinting a network can get vital information by examining whether a packet is blocked by the firewall or whether the end application answers an invalid TCP connection with a RESET flag. Tools used for packet crafting include Hping, Nemesis, Ostinato, Cat Karat Packet Builder, Scapy and Yersinia. With them a network admin can check that the correct IDS/IPS signatures are enabled on the security device and that the correct alarm is generated when an attacker fragments the IP packet to bypass the firewall.
Hping is a simple and powerful tool for crafting IP packets. It can be used to test IDS rules or to manually test how hosts respond to anomalous traffic. Below are some examples.
1. Spoofed IP address
hping2 can be used for simple IP spoofing (the -a option sets the spoofed source address):
hping2 -a 172.16.1.77 -S -c 1 10.10.10.18
This will send one "SYN" packet to 10.10.10.10 with a spoofed source address of 172.16.1.77.
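The spoofed packet hping2 builds, and the check a perimeter device uses to catch it, as an added example that is not code from the page or from hping2. It serializes an IPv4 header with an arbitrary source address followed by a SYN segment, verifies the header checksum on the receiving side, and applies a BCP 38-style ingress filter: a packet arriving on the outside interface whose source lies inside the site's own prefixes is dropped. The internal prefixes, the interface names and the destination 192.0.2.18 are constructed for the example; the spoofed source 172.16.1.77 is the page's. Only the Python standard library is used.

```python
"""Crafting a spoofed IPv4/TCP SYN and filtering it at ingress (added example)."""
import ipaddress
import struct


def ip_checksum(data):
    """RFC 1071 one's-complement sum over the header; verifying a header that
    already carries its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0):
    """20-byte IPv4 header with any source address (what hping2 -a produces)."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_tcp_syn(sport, dport, seq=0):
    """Minimal 20-byte TCP header with only SYN set; TCP checksum left zero,
    since only the IP layer is inspected below."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse_ipv4(pkt):
    """Return (src, dst, proto) after checking version, IHL and header checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9])


# Constructed for the example: the prefixes this site uses internally.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("172.16.0.0/12", "10.0.0.0/8")]


def ingress_verdict(pkt, interface):
    """BCP 38-style ingress filter: a packet entering on the outside interface
    must not claim a source address that belongs to the inside."""
    src, _dst, _proto = parse_ipv4(pkt)
    if interface == "outside" and any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS):
        return "drop:spoofed-internal-source", src
    return "allow", src


if __name__ == "__main__":
    spoofed = build_ipv4_header("172.16.1.77", "192.0.2.18", 20) + build_tcp_syn(40000, 80)
    print(parse_ipv4(spoofed))
    print(ingress_verdict(spoofed, "outside"))   # dropped: internal source from outside
    print(ingress_verdict(spoofed, "inside"))    # allowed: plausible on the inside
```

The filter only has to read the source address, which is why the check is cheap enough to run on every packet; the checksum verification is there because a crafted header with a bad checksum should be rejected before any policy is evaluated.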
2. Anomalous TCP flag combinations
Use hping2 to send anomalous TCP flag combinations:
$ hping2 -SA -c 5 188.8.131.52 -p 6060
This command will send five TCP packets to port 6060 with the "SYN ACK" flags set. It can be used to find out whether the firewall drops the packet or the server sends a "RESET" flag, which a host does when it receives a "SYN ACK" packet for which it has no matching "SYN" in its TCP table. This helps an intruder ascertain the firewall rules and check whether a stateful firewall is in place or only stateless filtering is used at the perimeter of the destination network.
3. Half-open TCP connections
hping2 -c 1000 -S 184.108.40.206 -p 80
This will send 1000 packets with the SYN flag set to port 80 of 220.127.116.11. A network admin can use this to test the firewall settings for half-open connections. An intruder can in turn use it to fill the TCP connection table with half-open connections, performing a DoS attack or slowing down the server.
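Why the SYN ACK probe and the SYN flood above behave differently behind a stateless and a stateful firewall, as an added example covering both of the preceding items; this is not code from the page or from hping2, but a small connection-tracking model written for this article. A stateless ACL judges each segment on its own, so a crafted SYN+ACK to a permitted port is forwarded and the host behind it answers with a RST; a stateful filter only admits a SYN+ACK that answers a SYN it has tracked, and caps the number of half-open flows per destination so a flood of bare SYNs cannot fill the connection table. The addresses 203.0.113.77 and 192.0.2.18, the port list and the half-open limit of 100 are constructed for the example.

```python
"""Stateless vs stateful treatment of crafted TCP segments (added example)."""
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class StatelessFilter:
    """Per-packet ACL with no memory of earlier segments."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def decide(self, pkt):
        return "allow" if pkt["dport"] in self.allowed else "drop:policy"


class StatefulFilter:
    """Connection tracking: only a SYN opens a flow, every other segment must
    belong to a flow already seen, and half-open flows per destination are capped."""

    def __init__(self, allowed_ports, half_open_limit):
        self.allowed = set(allowed_ports)
        self.limit = half_open_limit
        self.flows = {}                    # (src, sport, dst, dport) -> "SYN_SENT" | "ESTABLISHED"
        self.half_open = defaultdict(int)  # destination IP -> flows still in SYN_SENT

    def _close(self, key):
        if self.flows.pop(key) == "SYN_SENT":
            self.half_open[key[2]] -= 1

    def decide(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        f = pkt["flags"]
        if f & SYN and not f & ACK:                       # new connection attempt
            if pkt["dport"] not in self.allowed:
                return "drop:policy"
            if key in self.flows:
                return "allow"                            # retransmitted SYN
            if self.half_open[pkt["dst"]] >= self.limit:
                return "drop:half-open-limit"
            self.flows[key] = "SYN_SENT"
            self.half_open[pkt["dst"]] += 1
            return "allow"
        if f & SYN and f & ACK:                           # must answer a SYN we tracked
            return "allow" if self.flows.get(reverse) == "SYN_SENT" else "drop:no-matching-syn"
        flow = key if key in self.flows else reverse if reverse in self.flows else None
        if flow is None:
            return "drop:no-flow"
        if flow == key and self.flows[key] == "SYN_SENT":  # third step of the handshake
            self.flows[key] = "ESTABLISHED"
            self.half_open[pkt["dst"]] -= 1
        if f & (FIN | RST):
            self._close(flow)
        return "allow"


def seg(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


# Constructed traffic using RFC 5737 documentation addresses, not the page's hosts.
PROBE_SRC, SERVER = "203.0.113.77", "192.0.2.18"


def synack_probe():
    """Five SYN+ACK segments to port 6060 (the hping2 -SA case): verdicts of a
    stateless and a stateful filter for the same five segments."""
    probes = [seg(PROBE_SRC, 40000 + i, SERVER, 6060, SYN | ACK) for i in range(5)]
    stateless = [StatelessFilter({80, 6060}).decide(p) for p in probes]
    stateful_filter = StatefulFilter({80, 6060}, half_open_limit=100)
    stateful = [stateful_filter.decide(p) for p in probes]
    return stateless, stateful


def half_open_flood(count, limit):
    """`count` bare SYNs to port 80 from distinct source ports and no third step:
    returns (#allowed, #dropped, half-open flows tracked for the server)."""
    filt = StatefulFilter({80}, half_open_limit=limit)
    verdicts = [filt.decide(seg(PROBE_SRC, 1024 + i, SERVER, 80, SYN)) for i in range(count)]
    allowed = verdicts.count("allow")
    return allowed, count - allowed, filt.half_open[SERVER]


def completed_handshake():
    """A legitimate three-way handshake leaves no half-open flow behind."""
    filt = StatefulFilter({80}, half_open_limit=100)
    verdicts = [filt.decide(seg(PROBE_SRC, 5000, SERVER, 80, SYN)),
                filt.decide(seg(SERVER, 80, PROBE_SRC, 5000, SYN | ACK)),
                filt.decide(seg(PROBE_SRC, 5000, SERVER, 80, ACK))]
    return verdicts, filt.half_open[SERVER]


if __name__ == "__main__":
    print(synack_probe())
    print(half_open_flood(1000, 100))
    print(completed_handshake())
```

The half-open counter is also the detection signal a network admin wants from the hping2 test: the number of flows stuck in SYN_SENT for one destination is what a SYN-flood alarm should be keyed on, while the "no-matching-syn" drops are what distinguish stateful inspection from a plain port-based ACL.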
Nemesis is a very powerful suite of packet crafting tools. It can craft packets for protocols such as ARP, DNS, Ethernet, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP. Nemesis can be used for a wide range of packet crafting goals, from IDS and firewall testing, to recreating traffic, to scanning for live hosts, using a variety of different tools.
1. Invalid DNS reply
nemesis dns -i 666 -A 7 -r 3 -S 18.104.22.168 -D 10.10.10.16
Here nemesis in DNS mode will send a DNS packet to 10.10.10.16 with a DNS ID of 666, 7 authority records and 3 additional records, from the source address 22.214.171.124. A network admin can use this to check whether a DNS inspection firewall such as a Cisco ASA is working properly. This is very helpful where regular expressions are used for deep packet inspection of the DNS protocol.
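What a DNS inspection engine has to verify to catch the packet above, as an added example that is not code from the page or from Nemesis. The header of that packet announces 7 authority and 3 additional records but carries no record data, so an inspector that walks every section the header claims runs off the end of the message and can drop it; a pattern match on the header alone would not notice. The builder below serializes a reply whose header counts can be set independently of the body, which is how the crafted sample is produced; the valid sample, the name example.com and the address 192.0.2.10 are constructed for the example. Only the Python standard library is used.

```python
"""Header/body consistency check for DNS replies (added example)."""
import struct


def _encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_reply(dns_id, questions=(), answers=(), counts=None):
    """Serialize a DNS reply with A-record answers. `counts` overrides the header's
    (QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) so a message can claim records it does
    not carry, which is what the nemesis command above sends."""
    body = b""
    for qname in questions:
        body += _encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    for name, ipv4 in answers:
        rdata = bytes(int(o) for o in ipv4.split("."))
        body += _encode_name(name) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    qd, an, ns, ar = counts or (len(questions), len(answers), 0, 0)
    header = struct.pack("!HHHHHH", dns_id, 0x8180, qd, an, ns, ar)     # flags: QR, RD, RA
    return header + body


def _skip_name(buf, off):
    """Advance past a DNS name; a compression pointer (0xC0xx) ends the name."""
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            if off + 2 > len(buf):
                raise ValueError("truncated compression pointer")
            return off + 2
        if length > 63:
            raise ValueError("label longer than 63 octets")
        off += 1 + length


def inspect_dns(buf):
    """Walk every section the header announces; return ('allow'|'drop', detail)."""
    if len(buf) < 12:
        return "drop", "message shorter than the 12-byte header"
    dns_id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    try:
        for _ in range(qd):
            off = _skip_name(buf, off)
            if off + 4 > len(buf):
                raise ValueError("truncated question")
            off += 4                                       # QTYPE + QCLASS
        for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
            for _ in range(count):
                off = _skip_name(buf, off)
                if off + 10 > len(buf):                    # TYPE, CLASS, TTL, RDLENGTH
                    raise ValueError(f"truncated {section} RR")
                rdlength = struct.unpack("!H", buf[off + 8:off + 10])[0]
                off += 10 + rdlength
                if off > len(buf):
                    raise ValueError(f"{section} RDATA runs past end of message")
    except ValueError as err:
        return "drop", f"id={dns_id}: {err}"
    if off != len(buf):
        return "drop", f"id={dns_id}: {len(buf) - off} trailing byte(s) after the last section"
    return "allow", f"id={dns_id}: {qd} question(s), {an}/{ns}/{ar} answer/authority/additional RRs"


# Constructed samples. CRAFTED mirrors `nemesis dns -i 666 -A 7 -r 3`: header only, no records.
CRAFTED = build_dns_reply(666, counts=(0, 0, 7, 3))
VALID = build_dns_reply(0x1234, ["example.com"], [("example.com", "192.0.2.10")])
UNDERCLAIMED = build_dns_reply(0x1234, ["example.com"], [("example.com", "192.0.2.10")],
                               counts=(1, 0, 0, 0))                # body carries an unannounced RR

if __name__ == "__main__":
    for label, msg in (("crafted", CRAFTED), ("valid", VALID), ("underclaimed", UNDERCLAIMED)):
        print(label, inspect_dns(msg))
```

Both mismatches matter: a header that claims more records than the body holds is the nemesis case, while a body longer than the header accounts for is where data can be tunnelled past an inspector that stops reading once the announced sections are consumed.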