Security Basics mailing list archives

hping2 / ettercap strange behavior.


From: "Francisco Jaen Alegria" <fjaenal () hotmail com>
Date: Mon, 14 Aug 2006 17:49:35 +0000

Hello:
I am pretty new to security at this level. I have been doing some experiments with hping2 and ettercap.

Let me explain: I have a computer with Windows 2000 SP4 and ettercap NG 0.73 on it; under this computer I have 2 VMware machines with Linux (Knoppix) on them. I have activated ettercap so that it performs a man-in-the-middle attack against both Linux computers.

Here is the strange behavior I have found.
When I create the following packet with hping2, I send it twice instead of once (option -c 1): "hping2 -S -t 1 -d 29 -E TST_FIle0001 -c 1 192.168.1.40". This packet has a TTL of 1 hop. The result in tcpdump is:

11:47:44.547503 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
       0x0000:  4500 0045 6e64 0000 0106 c7ad c0a8 0129  E..End.........)
       0x0010:  c0a8 0128 0612 0000 480f 3b2d 0009 d60c  ...(....H.;-....
       0x0020:  5002 0200 62f2 0000 5553 4552 3a54 5354  P...b...USER:TST
       0x0030:  5f31 3031 0a50 4153 533a 7364 6cf1 666b  _101.PASS:sdl.fk
       0x0040:  6473 660a 00                             dsf..
11:47:44.565518 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
       0x0000:  4500 0045 6e64 0000 0106 c7ad c0a8 0129  E..End.........)
       0x0010:  c0a8 0128 0612 0000 480f 3b2d 0009 d60c  ...(....H.;-....
       0x0020:  5002 0200 62f2 0000 5553 4552 3a54 5354  P...b...USER:TST
       0x0030:  5f31 3031 0a50 4153 533a 7364 6cf1 666b  _101.PASS:sdl.fk
       0x0040:  6473 660a 00                             dsf..
11:47:44.586753 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1208957771 win 0
       0x0000:  4500 0028 001f 4000 4006 b70f c0a8 0128  E..(..@.@......(
       0x0010:  c0a8 0129 0000 0612 0000 0000 480f 3b4b  ...)........H.;K
       0x0020:  5014 0000 a2c2 0000 0000 0000 0000       P.............
11:47:44.605655 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1 win 0
       0x0000:  4500 0028 001f 4000 4006 b70f c0a8 0128  E..(..@.@......(
       0x0010:  c0a8 0129 0000 0612 0000 0000 480f 3b4b  ...)........H.;K
       0x0020:  5014 0000 a2c2 0000 0000 0000 0000       P.............

In this case I sent 2 SYN packets and received 2 RST packets when it should have been only one packet of each.

However, if I disable the man-in-the-middle attack, what I get is one SYN sent and one RST received, as it should be.

Has anyone found this strange behavior before? Why does hping2 send 2 packets when there is a man-in-the-middle computer and only one when there is none? I can't figure out why.

PS: I used this list because I am not an expert in security, so this may be something trivial.

Francisco Jaén Alegría
fjaenal () hotmail com
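
Added example, not part of the original post: a small parser for "tcpdump -v" header lines that flags IP datagrams captured more than once with identical addresses, IP id, TTL, length and TCP checksum, which is the pattern in the capture above. The sample lines are constructed from that capture, and the function name and the 100 ms window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: "tcpdump -v" header lines modelled on the capture in the
# post (hex rows omitted); the last line is an invented non-duplicate.
SAMPLE = """\
11:47:44.547503 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
11:47:44.565518 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
11:47:44.586753 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1208957771 win 0
11:47:44.605655 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1 win 0
11:47:45.100000 IP (tos 0x0, ttl 64, id 32, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c1 (correct), 0:0(0) ack 1 win 0
"""

# Header line of "tcpdump -v" output in the format shown in the post.
HDR = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP \(.*?ttl (\d+), id (\d+),.*?length: (\d+)\) "
    r"(\S+) > (\S+): .*?cksum (0x[0-9a-f]+)")

def find_duplicates(text, window=0.1):
    """Report datagrams captured more than once within `window` seconds.

    TTL is part of the key: a copy that had passed through an IP router would
    show a lower TTL, so equal TTLs mean the copy was relayed at layer 2.
    """
    seen = defaultdict(list)
    for line in text.splitlines():
        m = HDR.match(line)
        if not m:
            continue  # hex dump rows and anything that is not an IP header line
        hh, mm, ss, ttl, ip_id, length, src, dst, cksum = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + float(ss)
        seen[(src, dst, int(ip_id), int(ttl), int(length), cksum)].append(ts)
    report = []
    for (src, dst, ip_id, ttl, _length, _cksum), times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:]) if b - a <= window]
        if gaps:
            report.append({"src": src, "dst": dst, "ip_id": ip_id, "ttl": ttl,
                           "copies": len(gaps) + 1,
                           "gap_ms": round(gaps[0] * 1000, 3)})
    return report

if __name__ == "__main__":
    for dup in find_duplicates(SAMPLE):
        print(dup)
```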
