Penetration Testing mailing list archives

RE: How to tweak tools against targets that block ICMP


From: "Demetris Papapetrou" <dpapapetrou () internalaudit gov cy>
Date: Thu, 22 Jul 2010 12:24:13 +0300

Hi,

I can think of 4 ways to achieve this.
1) Contact the software developer to make the changes 
2) Disassemble the software yourself and patch it (not recommended)
3) Spoof an ICMP echo reply in order to fool the software
4) Follow the procedure below:

Let target be: www.xyz.test (10.1.1.1) 

Insert the following in your hosts file (Linux /etc/hosts & Windows
c:\windows\system32\drivers\etc\hosts)
127.0.0.1       www.xyz.test

Run a port forwarding tool on your machine.
I usually use connect.exe for port forwarding traffic through an HTTP Proxy
(you probably don't need the proxying functionality)
hxxp://www.taiyo.co.jp/%7Egotoh/ssh/connect.c
hxxp://www.taiyo.co.jp/%7Egotoh/ssh/connect.exe

connect.exe -p 443 -H My_LAN_Proxy_IP:8080 10.1.1.1 443
Basically this instructs connect.exe to listen on local port 443 for
connections, then connect to the LAN proxy server on port 8080 and from
there to xyz's webserver at 10.1.1.1.

Now if you open your web client software or browser and visit the URL
hxxps://www.xyz.test:443/ the software will first try to resolve the IP
address of the target website but will do so by checking the /etc/hosts file
first. It will use 127.0.0.1 as the target's IP and Ping your own machine.
Upon receiving an ICMP echo reply it will then proceed to connect to port
443 on your machine (127.0.0.1). However, the port forwarding tool is
listening on that port for connections and will take over from there.

You will probably ask why not just enter hxxps://127.0.0.1:443/ in your web
client software and why you have to edit your /etc/hosts file. This is because
the web client software / browser needs to include the HTTP Host header
(Host: www.xyz.test) in its request so that the web server handling the
traffic knows which virtual website to serve. If the /etc/hosts trick is
not performed then the web client software will ask for Host: 127.0.0.1 and
probably receive an error message in reply.

Comments:
-------------
1) I downloaded httprecon and ran an analysis on a webserver that does not
reply to Pings. The analysis was performed successfully. This was also
confirmed by Wireshark, which did not capture any ICMP requests / replies. I
understand your concern regarding the many tools out there that send Pings
before they do their job and fail miserably if they don't receive a reply,
because I came across a few of them myself.

2) The connect.exe tool is probably not exactly the software you need
because its main purpose is to do port forwarding via a proxy. However,
there are many different port forwarding tools out there that cover what you
need. Just Google it.

3) You probably need a port forwarding tool that can keep the listening port
persistently open (it does not accept only one connection and then shuts
down). I tried netcat on my Windows PC but failed with a connection error
msg. Perhaps it works better under Linux. SSH can probably do the trick.


Demetris Papapetrou
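Added example, not from the original post: a minimal persistent local TCP forwarder in Python for the listener step of the hosts-file procedure above (the "keeps the listening port open" requirement from comment 3), plus a constructed stand-in origin server and a client call so you can see the Host header arrive at the far end intact. All function names are hypothetical helpers; nothing here is connect.exe or netcat.

```python
import socket
import threading

def _pump(src, dst):
    # Copy one direction until EOF, then half-close the destination so the peer sees EOF too.
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass
def _relay(client, remote_addr):
    # One accepted connection: dial the real server and relay bytes in both directions.
    try:
        upstream = socket.create_connection(remote_addr)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()
def _listen(addr, handler):
    # Persistent listener: accepts any number of connections, one thread each
    # (this is the behaviour a one-shot netcat listener lacks).
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(addr)
    srv.listen(16)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv
def start_forwarder(listen_addr, remote_addr):
    # e.g. start_forwarder(("127.0.0.1", 443), ("10.1.1.1", 443)) for the post's scenario
    return _listen(listen_addr, lambda c: _relay(c, remote_addr))
def _echo_origin(conn):
    # Constructed stand-in for the target web server: reflects the raw request it received.
    conn.sendall(b"origin saw: " + conn.recv(4096))
    conn.close()
def request_through(port, host_header):
    # Client side of the trick: connect to the local listener but name the real vhost in Host.
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(f"GET / HTTP/1.0\r\nHost: {host_header}\r\n\r\n".encode())
        return b"".join(iter(lambda: s.recv(4096), b"")).decode()
```

Binding port 443 needs administrator/root rights; the stand-in origin uses an ephemeral port so the whole exchange can be exercised on one machine.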