Penetration Testing mailing list archives
RE: How to tweak tools against targets that block ICMP
From: "Demetris Papapetrou" <dpapapetrou () internalaudit gov cy>
Date: Thu, 22 Jul 2010 12:24:13 +0300
Hi,

I can think of 4 ways to achieve this.

1) Contact the software developer to make the changes
2) Disassemble the software yourself and patch it (not recommended)
3) Spoof an ICMP echo reply in order to fool the software
4) Follow the procedure below:

Let the target be: www.xyz.test (10.1.1.1)

Insert the following in your hosts file (Linux /etc/hosts & Windows c:\windows\system32\drivers\etc\hosts):

127.0.0.1 www.xyz.test

Run a port forwarding tool on your machine. I usually use connect.exe for port forwarding traffic through an HTTP proxy (you probably don't need the proxying functionality):

hxxp://www.taiyo.co.jp/%7Egotoh/ssh/connect.c
hxxp://www.taiyo.co.jp/%7Egotoh/ssh/connect.exe

connect.exe -p 443 -H My_LAN_Proxy_IP:8080 10.1.1.1 443

Basically this instructs connect.exe to listen on local port 443 for connections, then connect to the LAN proxy server on port 8080 and from there to xyz's web server at 10.1.1.1.

Now if you open your web client software or browser and visit the URL hxxps://www.xyz.test:443/, the software will first try to resolve the IP address of the target website, but will do so by checking the /etc/hosts file first. It will use 127.0.0.1 as the target's IP and ping your own machine. Upon receiving an ICMP echo reply it will then proceed to connect to port 443 on your machine (127.0.0.1). However, the port forwarding tool is listening on that port for connections and will take over from there.

You will probably ask why not just enter hxxps://127.0.0.1:443/ in your web client software, and why you have to edit your /etc/hosts file. This is because the web client software / browser needs to include the HTTP Host header (Host: www.xyz.test) in its request so that the web server handling the traffic will know which virtual website to serve. If the /etc/hosts trick is not performed, the web client software will ask for Host: 127.0.0.1 and probably receive an error message in reply.

Comments:
-------------
1) I downloaded httprecon and ran an analysis on a web server that does not reply to pings. The analysis was performed successfully. This was also confirmed by Wireshark, which did not capture any ICMP requests / replies. I understand your concern regarding the many programs out there that send pings before they do their job and fail miserably if they don't receive a reply, because I came across a few of them myself.

2) The connect.exe tool is probably not the exact software that you need, because its main purpose is to do port forwarding via a proxy. However, there are many different port forwarding tools out there that cover what you need. Just Google it.

3) You probably need a port forwarding tool that can keep the listening port persistently open (i.e. one that does not accept only one connection and then shut down). I tried netcat on my Windows PC but failed with a connection error msg. Perhaps it works better under Linux. SSH can probably do the trick.

Demetris Papapetrou
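The procedure above boils down to two pieces: a hosts-file entry that makes the ping land on 127.0.0.1 (which always answers), and a local listener that relays the client's connection, Host header and all, to the real target. Comment 3 asks for a listener that stays open across connections rather than serving one and exiting. The following is an added example, not code from the post or from connect.exe: a small stdlib-only Python 3 forwarder that relays directly to the target (the HTTP-proxy hop from the post is left out), plus a loopback check with a constructed echo server standing in for the target so it can be exercised offline. The target 10.1.1.1:443 and the hostname www.xyz.test are taken from the post; everything else is assumed.

```python
"""Persistent local TCP forwarder for the /etc/hosts trick (added example).

Assumed setup, from the post: the hosts file maps www.xyz.test -> 127.0.0.1,
the real target is 10.1.1.1:443, and the client pings 127.0.0.1 before
connecting. The listener keeps accepting, unlike a one-shot netcat listener.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """Open the upstream connection for one accepted client and relay both ways."""
    try:
        upstream = socket.create_connection(target, timeout=10)
    except OSError:
        client.close()  # target down or filtered: drop this client, keep listening
        return
    upstream.settimeout(None)
    up = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    down = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    up.start()
    down.start()
    up.join()
    down.join()
    client.close()
    upstream.close()


def start_forwarder(listen, target):
    """Bind `listen` (host, port) and relay every connection to `target`.

    Returns (listening socket, bound port); close the socket to stop.
    Port 0 picks a free port, which the loopback check relies on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listening socket closed by the caller
            threading.Thread(target=_handle, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _echo_server():
    """Constructed stand-in for the target web server: echoes each request back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def loopback_check(host_header="www.xyz.test", n_clients=3):
    """Send n_clients requests through the forwarder to the echo server.

    Returns what each client got back: the Host header survives the hop and
    the listener serves more than one connection.
    """
    echo, echo_port = _echo_server()
    fwd, fwd_port = start_forwarder(("127.0.0.1", 0), ("127.0.0.1", echo_port))
    request = f"GET / HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n".encode()
    results = []
    try:
        for _ in range(n_clients):
            with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
                c.sendall(request)
                c.shutdown(socket.SHUT_WR)  # EOF tells the far side we are done
                chunks = []
                while True:
                    data = c.recv(65536)
                    if not data:
                        break
                    chunks.append(data)
                results.append(b"".join(chunks))
    finally:
        fwd.close()
        echo.close()
    return results


if __name__ == "__main__":
    # Real use (binding 443 needs privileges): listen where the hosts entry
    # sends the client and relay to the 10.1.1.1 from the post.
    server, port = start_forwarder(("127.0.0.1", 443), ("10.1.1.1", 443))
    print(f"forwarding 127.0.0.1:{port} -> 10.1.1.1:443; Ctrl-C to stop")
    threading.Event().wait()
```

Note that the forwarder is deliberately protocol-agnostic: because the hosts entry makes the client believe 127.0.0.1 is www.xyz.test, the TLS ClientHello and the HTTP Host header it emits already name the real site, so the relay only has to move bytes. If the client validates certificates it will still see the target's certificate for www.xyz.test and be satisfied. The same effect can be had without any custom code from `socat TCP-LISTEN:443,fork,reuseaddr TCP:10.1.1.1:443` (the `fork` option is what keeps the listener open across connections) or, as the post suggests, an SSH local forward such as `ssh -L 443:10.1.1.1:443 user@jumphost`.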