Security Basics mailing list archives
RE: hping2 / ettercap extrange behavior.
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 16 Aug 2006 09:59:06 -0700
It might not be hping2 sending the second packet you see. Ettercap, having hijacked the original packet, will then attempt to retransmit it to its destination -- Ettercap would never be able to sniff real traffic if it prevented the subject traffic from reaching its destination! (This might be easier to see if you were really using multiple hosts instead of vmware virtual hosts.)

Dave Gillett
-----Original Message-----
From: Francisco Jaen Alegria [mailto:fjaenal () hotmail com]
Sent: Monday, August 14, 2006 10:50 AM
To: security-basics () securityfocus com
Subject: hping2 / ettercap extrange behavior.

Hello:

I am pretty new to security at this level. I have been doing some experiments with hping2 and ettercap. Let me explain: I have a computer with Windows 2000 SP4 on it and ettercap NG 0.73; under this computer I have 2 vmware machines with Linux (Knoppix) on them. I have activated ettercap so it makes a man in the middle attack against both Linux computers.

Here is the strange behavior I have found. When I create the following packet with hping2, I send it twice instead of once (option -c 1): "hping2 -S -t 1 -d 29 -E TST_FIle0001 -c 1 192.168.1.40". This packet has a ttl of 1 hop. The result in tcpdump is:

11:47:44.547503 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
        0x0000: 4500 0045 6e64 0000 0106 c7ad c0a8 0129 E..End.........)
        0x0010: c0a8 0128 0612 0000 480f 3b2d 0009 d60c ...(....H.;-....
        0x0020: 5002 0200 62f2 0000 5553 4552 3a54 5354 P...b...USER:TST
        0x0030: 5f31 3031 0a50 4153 533a 7364 6cf1 666b _101.PASS:sdl.fk
        0x0040: 6473 660a 00 dsf..
11:47:44.565518 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
        0x0000: 4500 0045 6e64 0000 0106 c7ad c0a8 0129 E..End.........)
        0x0010: c0a8 0128 0612 0000 480f 3b2d 0009 d60c ...(....H.;-....
        0x0020: 5002 0200 62f2 0000 5553 4552 3a54 5354 P...b...USER:TST
        0x0030: 5f31 3031 0a50 4153 533a 7364 6cf1 666b _101.PASS:sdl.fk
        0x0040: 6473 660a 00 dsf..
11:47:44.586753 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1208957771 win 0
        0x0000: 4500 0028 001f 4000 4006 b70f c0a8 0128 E..(..@.@......(
        0x0010: c0a8 0129 0000 0612 0000 0000 480f 3b4b ...)........H.;K
        0x0020: 5014 0000 a2c2 0000 0000 0000 0000 P.............
11:47:44.605655 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1 win 0
        0x0000: 4500 0028 001f 4000 4006 b70f c0a8 0128 E..(..@.@......(
        0x0010: c0a8 0129 0000 0612 0000 0000 480f 3b4b ...)........H.;K
        0x0020: 5014 0000 a2c2 0000 0000 0000 0000 P.............

In this case I sent 2 SYN packets and received 2 RST packets when it should have been only one packet of each. However, if I disable the man in the middle attack, what I get is: one SYN sent and one RST received, as it should be.

Has anyone found this strange behavior before? Why does hping2 send 2 packets when there is a man in the middle computer and only one when there is none? I can't figure out why.

PS: I used this list because I am not an expert in security, so this may be something trivial.

Francisco Jaén Alegría
fjaenal () hotmail com

_________________________________________________________________
Accept the MSN Premium challenge: more fun e-mails with incredible photos and text in MSN Premium. Download it and try it free for 2 months.
http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_correosmasdivertidos

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
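Added example, not part of either message: a small Python check that flags packets appearing twice in tcpdump -v text with the same source, destination, IP ID, TTL and TCP checksum, the pattern the capture above shows while the relay is active. The function name, the 100 ms window and the re-joined sample lines (hex dumps omitted) are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Constructed sample: the four summary lines from the capture in the post,
# re-joined onto single lines, hex dumps left out.
CAPTURE = """\
11:47:44.547503 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
11:47:44.565518 IP (tos 0x0, ttl 1, id 28260, offset 0, flags [none], proto: TCP (6), length: 69) 192.168.1.41.1554 > 192.168.1.40.0: S, cksum 0x62f2 (correct), 1208957741:1208957770(29) win 512
11:47:44.586753 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1208957771 win 0
11:47:44.605655 IP (tos 0x0, ttl 64, id 31, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.1.40.0 > 192.168.1.41.1554: R, cksum 0xa2c2 (correct), 0:0(0) ack 1 win 0
"""

# Matches the first line of a tcpdump -v TCP/IP record in the format shown above.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP \(.*?ttl (?P<ttl>\d+), id (?P<id>\d+),"
    r".*?\) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+), cksum (?P<ck>0x[0-9a-f]+)"
)


def find_relayed_copies(text, window=0.1):
    """Return (first_ts, second_ts, src, dst, ip_id) for each packet seen twice.

    Two frames count as the same packet when source, destination, IP ID, TTL
    and TCP checksum all match and they arrive within `window` seconds.
    """
    seen, hits = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # hex dump line or a record in another format
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        key = (m["src"], m["dst"], m["id"], m["ttl"], m["ck"])
        first = seen.get(key)
        if first and (ts - first[0]).total_seconds() <= window:
            hits.append((first[1], m["ts"], m["src"], m["dst"], int(m["id"])))
        seen[key] = (ts, m["ts"])  # remember the latest sighting of this packet
    return hits


if __name__ == "__main__":
    for hit in find_relayed_copies(CAPTURE):
        print("duplicate:", hit)
```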
Current thread:
- hping2 / ettercap extrange behavior. Francisco Jaen Alegria (Aug 15)
- RE: hping2 / ettercap extrange behavior. David Gillett (Aug 17)