Security Basics mailing list archives
hping2 / ettercap strange behavior.
From: "Francisco Jaen Alegria" <fjaenal () hotmail com>
Date: Mon, 14 Aug 2006 17:49:35 +0000
Hello: I am pretty new to security at this level. I have been doing some experiments with hping2 and ettercap.
Let me explain. I have a computer with Windows 2000 SP4 and ettercap NG 0.73 on it, and on this computer I have 2 VMware machines with Linux (Knoppix) on them. I have activated ettercap so that it performs a man-in-the-middle attack against both Linux computers.
Here is the strange behavior I have found. When I create the following packet with hping2, I send it twice instead of once (option -c 1): "hping2 -S -t 1 -d 29 -E TST_FIle0001 -c 1 192.168.1.40". This packet has a TTL of 1 hop. The result in tcpdump is:
11:47:44.547503 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
    0x0000:  4500 0045 6e64 0000 0106 c7ad c0a8 0129  E..End.........)
    0x0010:  c0a8 0128 0612 0000 480f 3b2d 0009 d60c  ...(....H.;-....
    0x0020:  5002 0200 62f2 0000 5553 4552 3a54 5354  P...b...USER:TST
    0x0030:  5f31 3031 0a50 4153 533a 7364 6cf1 666b  _101.PASS:sdl.fk
    0x0040:  6473 660a 00                             dsf..
11:47:44.565518 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
    0x0000:  4500 0045 6e64 0000 0106 c7ad c0a8 0129  E..End.........)
    0x0010:  c0a8 0128 0612 0000 480f 3b2d 0009 d60c  ...(....H.;-....
    0x0020:  5002 0200 62f2 0000 5553 4552 3a54 5354  P...b...USER:TST
    0x0030:  5f31 3031 0a50 4153 533a 7364 6cf1 666b  _101.PASS:sdl.fk
    0x0040:  6473 660a 00                             dsf..
11:47:44.586753 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1208957771 win 0
    0x0000:  4500 0028 001f 4000 4006 b70f c0a8 0128  E..(..@.@......(
    0x0010:  c0a8 0129 0000 0612 0000 0000 480f 3b4b  ...)........H.;K
    0x0020:  5014 0000 a2c2 0000 0000 0000 0000       P.............
11:47:44.605655 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1 win 0
    0x0000:  4500 0028 001f 4000 4006 b70f c0a8 0128  E..(..@.@......(
    0x0010:  c0a8 0129 0000 0612 0000 0000 480f 3b4b  ...)........H.;K
    0x0020:  5014 0000 a2c2 0000 0000 0000 0000       P.............
In this case I sent 2 SYN packets and received 2 RST packets, when it should have been only one packet of each.
However, if I disable the man-in-the-middle attack, what I get is one SYN sent and one RST received, as it should be.
Has anyone seen this strange behavior before? Why does hping2 send 2 packets when there is a man-in-the-middle computer and only one when there is none? I can't figure out why.
PS: I used this list because I am not an expert in security, so this may be something trivial.
Francisco Jaén Alegría fjaenal () hotmail com
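An added example, not part of the original post: a small Python check that reads `tcpdump -v` header lines and reports packets that appear again within a short window with the same addresses, IP id, TTL, length and TCP checksum. The sample input is the four header lines from the post with the terminal line-wrap spaces removed; the name `find_duplicates` and the 100 ms window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four packet header lines quoted in the post,
# with the spaces introduced by terminal line wrapping removed.
SAMPLE = """\
11:47:44.547503 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
11:47:44.565518 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
11:47:44.586753 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1208957771 win 0
11:47:44.605655 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1 win 0
"""

# Matches only the per-packet header line; hex dump rows do not match.
HEADER = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP \(.*?ttl (?P<ttl>\d+), id (?P<id>\d+),"
    r".*?length: (?P<len>\d+)\) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+), "
    r"cksum (?P<cksum>0x[0-9a-f]+)"
)


def find_duplicates(text, window_us=100_000):
    """Return [(key, gap_us)] for packets seen again within window_us
    with identical src, dst, IP id, TTL, length and TCP checksum."""
    last_seen = {}
    duplicates = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        # Time of day only: assumes the capture does not cross midnight.
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        key = (m["src"], m["dst"], m["id"], m["ttl"], m["len"], m["cksum"])
        if key in last_seen:
            gap_us = (ts - last_seen[key]) // timedelta(microseconds=1)
            if gap_us <= window_us:
                duplicates.append((key, gap_us))
        last_seen[key] = ts
    return duplicates


if __name__ == "__main__":
    for key, gap_us in find_duplicates(SAMPLE):
        src, dst, ip_id, ttl, length, cksum = key
        print(f"{src} > {dst} id={ip_id} ttl={ttl} seen again after {gap_us / 1000:.3f} ms")
```
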