Introduction
In this video tutorial, we went over the techniques needed to bypass firewall rules that block ICMP ping requests using the hping3 tool. We analyzed the packets with Wireshark on Security Onion.
Skills Learned
- hping3
- ICMP
- Firewall Evasion
- Wireshark
- Security Onion
First, I’ll show you the initial firewall configuration on the Security Onion machine. We’ll be using UFW (Uncomplicated Firewall). Initially, the firewall is set to accept ICMP requests, so a simple ping from our Kali machine will be successful.
Next, I’ll reconfigure the firewall to drop all incoming ICMP packets. This will simulate a real-world scenario where a firewall is blocking our pings. After reloading the firewall, you’ll see that our pings from the Kali machine are no longer receiving a response.
Now, here’s where it gets interesting. Even with ICMP blocked, I’ll show you that Nmap can still sometimes identify open ports and determine if a host is up. However, there might be situations where Nmap is not available or allowed, so we need an alternative.
This is where hping3 comes in. I’ll demonstrate how to use hping3 to send different types of TCP packets to bypass the ICMP block and discover open ports. We’ll explore the following techniques:
- TCP SYN Scan (-S): We’ll send TCP SYN packets to specific ports. If a port is open, we’ll receive a SYN-ACK response, confirming that the port is listening.
- Acknowledgement Scan (-A): We’ll send TCP ACK packets. If a port is open, the target will respond with a reset packet.
To make things even clearer, I’ll use Wireshark to capture and analyze the packets we’re sending and receiving. This will give you a visual representation of how these scans work and how the target responds.
Finally, I’ll show you how to revert the firewall rules back to their original state, allowing ICMP requests once again.
Technical Commands
Here are all the technical commands that I used in the video:
sudo ufw reload
ping 192.168.94.136
sudo nmap -sV 192.168.94.136
sudo nmap -sC 192.168.94.136
sudo nmap -sn 192.168.94.136
hping3 -S 192.168.94.136 -p 443 -c 3
hping3 -S 192.168.94.136 -p 22 -c 3
hping3 -S 192.168.94.136 -p 21 -c 3
hping3 -F -P -U 192.168.94.136 -p 443 -c 2
hping3 -A 192.168.94.136 -p 443 -c 2
sudo wireshark
ip.addr == 192.168.94.133
hping3 -A 192.168.94.136 -c 2
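As an added illustration (not code from the video), a small Python helper that parses hping3 reply lines of the kind printed by the -S and -A commands above and classifies each probed port. The sample lines are constructed; the classification follows standard TCP semantics: SYN-ACK to a SYN means open, RST to a SYN means closed, RST to an ACK only shows the port is not filtered (open and closed ports both answer), and no reply means a filter dropped the probe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of hping3 reply lines for the host in the tutorial
# (not a real capture). The key is (probe flag, destination port); an
# empty list models a port whose probes never got an answer.
SAMPLE_RUNS: Dict[Tuple[str, int], List[str]] = {
    ("S", 443): ["len=46 ip=192.168.94.136 ttl=64 DF id=0 sport=443 flags=SA seq=0 win=64240 rtt=0.6 ms"],
    ("S", 22):  ["len=46 ip=192.168.94.136 ttl=64 DF id=0 sport=22 flags=RA seq=0 win=0 rtt=0.4 ms"],
    ("S", 21):  [],  # silently dropped: the firewall filters this port
    ("A", 443): ["len=46 ip=192.168.94.136 ttl=64 DF id=0 sport=443 flags=R seq=0 win=0 rtt=0.5 ms"],
}

# Pull the source port and TCP flag letters out of one hping3 reply line.
REPLY_RE = re.compile(r"sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*)")


def parse_reply(line: str) -> Optional[Dict[str, str]]:
    """Return {'sport': ..., 'flags': ...} for a reply line, else None."""
    m = REPLY_RE.search(line)
    return m.groupdict() if m else None


def classify(probe: str, lines: List[str]) -> str:
    """Map the replies to one hping3 run onto a port state."""
    flags = set()
    for line in lines:
        reply = parse_reply(line)
        if reply:
            flags |= set(reply["flags"])
    if probe == "S":
        if {"S", "A"} <= flags:
            return "open"          # SYN-ACK: something is listening
        return "closed" if "R" in flags else "filtered"
    if probe == "A":
        # An ACK probe cannot distinguish open from closed: any host
        # without a stateful filter in front answers an unsolicited
        # ACK with RST, so RST means "unfiltered", silence means "filtered".
        return "unfiltered" if "R" in flags else "filtered"
    raise ValueError(f"unsupported probe flag: {probe}")


def classify_runs(runs: Dict[Tuple[str, int], List[str]]) -> Dict[str, str]:
    """Classify every run, keyed as 'probe/port', e.g. 'S/443'."""
    return {f"{probe}/{port}": classify(probe, lines)
            for (probe, port), lines in runs.items()}


if __name__ == "__main__":
    for key, state in classify_runs(SAMPLE_RUNS).items():
        print(f"{key}: {state}")
```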