
4.2.2.6 Lab - Packet Crafting To Exploit Unsecured Ports

The document describes using hping3 to craft packets for port scanning, sending different ICMP message types, and launching denial-of-service (DoS) attacks against unsecured ports. It provides instructions on setting up a topology with a Raspberry Pi and Kali VM to experiment with hping3. The objectives are to use hping3 for port scanning, craft various ICMP messages, and launch DoS attacks. Background information is provided on hping3 and how it can be used to send custom TCP/IP packets for scanning or attacking targets.

Uploaded by

acostlow2422

Lab - Packet Crafting to Exploit Unsecured Ports

Topology

Objectives
Part 1: Using hping3 for Port Scanning
Part 2: Crafting Different Types of ICMP Messages
Part 3: Launching DoS Attacks

Background / Scenario
hping3 is a tool used to send custom-crafted TCP/IP packets to a network target in order to elicit a response.
Many values in IP packets and TCP headers can be specified in hping3 and the resulting packets sent out on
the network. Like Nmap, hping3 can use the TCP header flag fields URG, ACK, PSH, RST, SYN, and FIN to
accomplish its scans. It can also craft packets with other protocols such as UDP and ICMP. Unlike Nmap,
however, hping3 can use its ability to craft packets to attack a target. hping3 is included in Kali or can be
downloaded from http://www.hping.org/. Because hping3 can be used for malicious purposes, avoid using it
on production networks unless you have permission to do so.

© 2018 - 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public www.netacad.com

Required Resources
• Raspberry Pi 3 Model B or later
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM
• Network connectivity between PC and Raspberry Pi

Part 1: Using hping3 for Port Scanning


a. Set up the topology by connecting the Raspberry Pi to the PC.
b. Start and log into IoTSec Kali VM.
c. Open a terminal and start the DHCP server on Kali VM.
root@kali:~# lab_support_files/scripts/start_dhcp.sh
d. Verify that the Kali VM is assigned an IP address on eth0.
root@kali:~# ifconfig
e. Determine the IP address of your Raspberry Pi.
f. Open the man page for hping3 in Kali VM and review the features and options that are available in
hping3.
root@kali:~# man hping3
g. In a Kali VM terminal, start Wireshark to monitor what hping3 is doing when we are scanning.
root@kali:~# wireshark
h. In Wireshark, select the eth0 interface in packet capture.
i. You may have captured network traffic that is not relevant to this lab. We are going to restrict the type
of packets we see by using a display filter.
Apply the following filter in Wireshark, using the IP address of the Kali VM as the source address and the
IP address of your Raspberry Pi as the destination address. In this example, 203.0.113.1 is the IP address
of the Kali VM and 203.0.113.13 is the IP address of your Raspberry Pi.
ip.src == 203.0.113.1 && ip.dst == 203.0.113.13
j. We will first craft packets to do a port scan against the IP address of your Raspberry Pi.
root@kali:~# hping3 -8 0-100 -S 203.0.113.13
Refer to the Wireshark capture, the man pages, and other sources on the Internet. What do the options -8,
0-100 and -S do?
____________________________________________________________________________________
____________________________________________________________________________________
What ports are shown as open?
____________________________________________________________________________________
k. Expand your scan to include ports up to 1000.
root@kali:~# hping3 -8 0-1000 -S 203.0.113.13
Did you find any additional ports?
____________________________________________________________________________________

What TCP flag was set in the packets shown in Wireshark?


____________________________________________________________________________________

Part 2: Crafting Different Types of ICMP Messages


ICMP has different message types that we can use to probe a target. For example, message types 8 - echo
request and 0 - echo reply are used with the TCP/IP tool “ping.” However, if a target is configured not to
respond to these ICMP message types, we can use other ICMP message types to attempt to get a response.
a. Open the man page for ICMP in Kali VM and review the features and options that are available in ICMP.
root@kali:~# man icmp
What is the RFC for ICMP?
____________________________________________________________________________________
b. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
Apply the same display filter as in the previous part.
c. In the terminal, enter the hping3 command followed by -1 to scan in ICMP mode. Add the scan target IP
address, and enter -C followed by 13 to indicate that ICMP type 13 timestamp request messages should
be sent.
root@kali:~# hping3 -1 203.0.113.13 -C 13
d. Review the Wireshark results and confirm that the ICMP timestamp request packets were sent out. To
stop the requests, press Ctrl-C in the Kali VM terminal.
e. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
f. Apply the following filter in Wireshark, using the IP address of the Kali VM as the source address and the
IP address of your Raspberry Pi as the destination address.
ip.src == 203.0.113.1 && ip.dst == 203.0.113.13
g. Repeat the hping3 command above, but this time send ICMP type 17.
h. Review the Wireshark results. Which ICMP message was sent?
____________________________________________________________________________________
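
From the defender's side, the ICMP query types used in Part 2 can be recognised by parsing the ICMP header directly. The following is an added example, not part of the original lab: it parses an ICMP message, verifies its checksum, and marks the non-echo query types that a host would normally be configured not to answer. The sample messages and the PROBE_TYPES policy set are constructed for illustration.

```python
import struct

# ICMP message types relevant to this lab.
ICMP_TYPES = {0: "echo reply", 8: "echo request",
              13: "timestamp request", 14: "timestamp reply",
              17: "address mask request", 18: "address mask reply"}
# Assumed policy: query types that still probe a host when echo is filtered.
PROBE_TYPES = {13, 17}


def inet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    """Build a constructed ICMP message for the sample input below."""
    zeroed = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, inet_checksum(zeroed)) + rest


def classify_icmp(msg: bytes) -> dict:
    """Parse an ICMP message (IP header already stripped)."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    return {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "other"),
        # A message carrying a correct checksum sums to zero.
        "checksum_ok": inet_checksum(msg) == 0,
        "probe": icmp_type in PROBE_TYPES,
    }


def sample_messages():
    """Constructed messages: echo, timestamp and address mask requests."""
    ident_seq = struct.pack("!HH", 1, 1)
    return [build_icmp(8, 0, ident_seq),
            build_icmp(13, 0, ident_seq + bytes(12)),
            build_icmp(17, 0, ident_seq + bytes(4))]
```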

Part 3: Launching DoS Attacks


Hping3 can launch DoS attacks against ports you found previously in this lab. Using hping3 for this purpose is
a good way to test how a network will react to various types of DoS attacks.
a. Start a new Wireshark capture. Click Continue without Saving when you are prompted to save the
capture. To see two-way TCP traffic between the Kali VM and the Raspberry Pi, enter only tcp as a
display filter.
b. In the Kali VM terminal, enter the hping3 command to send a DoS attack.
root@kali:~# hping3 -S 203.0.113.13 -p 88 --flood
Looking at Wireshark and the hping3 documentation, what type of TCP messages were sent in this DoS
attack? What was the destination TCP port of the attack?
____________________________________________________________________________________
____________________________________________________________________________________

Look at the source ports that hping3 uses to conduct the DoS flood. How does this scan assign source
TCP ports?
____________________________________________________________________________________
____________________________________________________________________________________
c. Press Ctrl-C to stop the flood.
d. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
Display only traffic that has source or destination IP addresses that match the IP address of the
Raspberry Pi. (Hint: Edit the ip.src and ip.dst display filter to both use the IP address of the Raspberry
Pi. Instead of the && operator, use the || (or) operator.)
e. In the Kali VM terminal, enter the hping3 command to send a DoS Land Attack. This attack sends a
packet with the same source IP/port combination as the destination IP/port. In other words, the source IP
address is "spoofed" by replacing the Kali VM address with another value in the packets.
root@kali:~# hping3 -S 203.0.113.13 -a 203.0.113.13 -k -s 89 -p 89 --flood
Compare this scan with the SYN flood that you just ran. How were source ports used in this scan? What
info does Wireshark report about the packets?
____________________________________________________________________________________
f. Press Ctrl-C to stop the flood.
g. Start a new Wireshark capture. Click Continue without Saving when prompted to save the capture.
Apply the display filter that specifies the Kali VM as the source and the Raspberry Pi as the destination,
as was done previously in this lab.
h. In the Kali VM terminal, enter the hping3 command to send a flood attack.
root@kali:~# hping3 --flood --icmp -p 22 203.0.113.13
Look at Wireshark. What type of ICMP messages are you seeing?
____________________________________________________________________________________
i. Press Ctrl-C to stop the flood.

j. Complete the following table for the hping3 options that you used in this lab. Use the hping3 man page or
other information resources.

Option Name Description

-8

-S

-1

-C

--flood

-a

-p

-s

-k
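
The traffic produced in Part 1 and Part 3 leaves distinct patterns that a monitoring host can detect. The following is an added example, not part of the original lab: it classifies TCP records from one capture window as a SYN port scan, a SYN flood against a single port, or a LAND-style packet whose source equals its destination. The record format, the thresholds and the sample capture are constructed assumptions.

```python
from collections import defaultdict

# Constructed thresholds (assumptions; tune per network and window length).
SCAN_PORTS = 20     # distinct destination ports probed by one source
FLOOD_SYNS = 100    # bare SYNs to one ip:port within the window


def analyze(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, flags)
    seen in one capture window; flags is a string such as "S" or "SA".
    Returns a sorted list of (finding, subject) tuples."""
    ports_by_pair = defaultdict(set)   # (src, dst) -> ports hit by bare SYN
    syns_by_target = defaultdict(int)  # (dst, dport) -> bare SYN count
    findings = set()
    for src, sport, dst, dport, flags in packets:
        if flags != "S":               # only bare SYNs matter here
            continue
        if src == dst and sport == dport:
            # LAND pattern: source address/port equal the destination's.
            findings.add(("land", f"{dst}:{dport}"))
            continue
        ports_by_pair[(src, dst)].add(dport)
        syns_by_target[(dst, dport)] += 1
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= SCAN_PORTS:
            findings.add(("syn_scan", f"{src}->{dst}"))
    for (dst, dport), count in syns_by_target.items():
        if count >= FLOOD_SYNS:
            findings.add(("syn_flood", f"{dst}:{dport}"))
    return sorted(findings)


def sample_capture():
    """Constructed records using the lab's example addresses;
    source ports are arbitrary placeholder values."""
    kali, pi = "203.0.113.1", "203.0.113.13"
    scan = [(kali, 2000 + p, pi, p, "S") for p in range(0, 101)]
    flood = [(kali, 1024 + i, pi, 88, "S") for i in range(500)]
    land = [(pi, 89, pi, 89, "S")] * 50
    normal = [("203.0.113.7", 50000, pi, 22, "S"),
              (pi, 22, "203.0.113.7", 50000, "SA")]
    return scan + flood + land + normal
```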
