Linux Format

Hacking 101

Starting with the humble ping command and moving on to some stealthy network recon activities…


Almost 10 years have passed since the infamous ‘Learn to Hack’ feature got us in trouble with Barnes & Noble, but just in case let’s start with a warning. The word “hacking” has unfortunately been co-opted by the media and entertainment industries, where it’s repeatedly used to denote any and all illegal activities done on a computer. The traditional (and correct!) usage refers to much more honourable pastimes: tinkering, reimagining and making machines behave in a way other than how they were designed to behave.

Wait, that wasn’t a warning. This is though: whatever you learn in this feature, be aware that inappropriate use of computers can land you in a lot of trouble. Some of the tools featured here can do real damage. It’s also simple for a skilled defender to detect their use, trace your IP address and alert the authorities. There are skills and tricks to not getting caught and we’re not going to teach you them. So please keep all your break-in attempts, covert reconnaissance and Bobby ‘DROP TABLES’-style SQL injections restricted to your own infrastructure. There’s a lot to learn from poking around your home network. Who knows, maybe you’ll discover a misconfiguration or even a vulnerability in your router, or a Raspberry Pi accidentally left exposed to the world.

Let’s start by using Parrot OS to do some network reconnaissance. Specifically, we’re going to try and identify every machine on our network.

Before we avail ourselves of Parrot’s mighty arsenal we’re going to see how far we can get with the humble ping command, which is available on all OSes. ‘Pinging’ involves sending an ICMP packet to a host (or hosts, as we’ll see). If the host(s) haven’t been configured to block or ignore these, then it’ll reply with an acknowledgement packet.

It’s not helpful to block ICMP packets since they’re useful for diagnosing network faults. However, if you cast your mind back to 1997 (and were lucky enough to have access to a network back then) you might recollect a popular artefact dubbed the “Ping of Death”. The attack worked by creating an ICMP packet that’s larger than expected (pings are only supposed to be 64 bytes). This is divided into chunks and then sent to the target machine, which receives the chunks, tries to put them back together and then promptly encounters a buffer overflow because innocent TCP/IP stacks of the past allocated only the memory required for a correctly sized response packet. And then didn’t check those bounds before trying to store it, crashing the system.

Beware the ping of death

Ping has been around since 1983, and most OSes have their own implementation of the program. Prior to 1997, pretty much all of them were vulnerable to the ping of death. Windows 95’s version, for example, enabled the user to specify a “load” parameter, which set the size of the packet’s data field. This is supposed to be 56 bytes (the header is an additional eight bytes), but the command would accept arbitrary values. Setting it to around 65,500 was generally enough to cripple a target machine. Since this attack was widely publicised, it didn’t take long for servers and workstations around the internet to be patched with appropriate malformed packet filters and bounds checks.

Linux’s ping command still permits a size parameter, but if you try a ping of death yourself, for example

$ ping 127.0.0.1 -c4 -s 65500

you’ll see that nary a single packet is returned, and that your machine didn’t die. There’s no real point sanitising the input of the ping program in this case. Remember that it’s the kernel which does the communicating with network hardware, and anyone could write their own ping program to make those kernel calls with whatever parameters they desire. This effort would deter inexperienced script kiddies, but not veteran attackers.

The idea behind the ping of death can be generalised to other IP packets, but the defences have been put in place by now. That didn’t stop the IPv6 ping of death making a brief appearance on Windows in 2013, though.
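The bounds check that closed the ping of death is easy to model. The block below is an added example written for this article, not code from Linux Format or from any real TCP/IP stack. It assumes a 20-byte IPv4 header with no options, the 8-byte ICMP header mentioned above, and the 65,535-byte maximum that the IPv4 total-length field can express; fragments are (offset, data) pairs as a sender would produce them, and the “vulnerable” routine reports the overflow instead of corrupting memory. It also goes slightly beyond the text by showing the arithmetic for the `ping -s 65500` command quoted above, which on Linux produces a payload that still fits a legal datagram.

```python
"""Model of IP fragment reassembly, before and after the ping-of-death fix.

Added example for this article; not code from Linux Format or from any real
TCP/IP stack. A stack from before the fix sized its buffer for a legal datagram
and wrote each fragment at the offset the sender claimed, without checking that
it fitted. The hardened version drops any datagram whose fragments would push
the payload past what an IPv4 total-length field can describe.
"""

IPV4_HEADER = 20                                 # assumption: no IP options
ICMP_HEADER = 8                                  # the eight header bytes the article mentions
MAX_IPV4_DATAGRAM = 65535                        # 16-bit total length field
MAX_PAYLOAD = MAX_IPV4_DATAGRAM - IPV4_HEADER    # 65515 bytes of ICMP header + data
FRAGMENT_DATA = 1480                             # usual payload per fragment on a 1500-byte MTU


def fragment(payload, chunk=FRAGMENT_DATA):
    """Split a payload into (offset, data) pairs the way a sender fragments an
    oversized datagram. A hostile sender can of course forge any offset."""
    return [(off, payload[off:off + chunk]) for off in range(0, len(payload), chunk)]


def reassemble_unchecked(fragments):
    """Vulnerable model. Returns how many bytes the fragments would land past a
    buffer sized for MAX_PAYLOAD (0 means the datagram fitted). A real 1990s
    stack corrupted the memory next to the buffer instead of reporting it."""
    buf = bytearray(MAX_PAYLOAD)
    overflow = 0
    for offset, data in fragments:
        end = offset + len(data)
        if end > len(buf):
            overflow = max(overflow, end - len(buf))   # the missing check lived here
            continue                                   # (modelled, not performed)
        buf[offset:end] = data
    return overflow


def reassemble_checked(fragments):
    """Hardened model: bounds-check every fragment before it touches the buffer.
    Returns the reassembled payload, or None when the datagram is dropped."""
    buf = bytearray(MAX_PAYLOAD)
    length = 0
    for offset, data in fragments:
        end = offset + len(data)
        if offset < 0 or end > MAX_PAYLOAD:
            return None            # drop it: the post-1997 malformed-packet filter
        buf[offset:end] = data
        length = max(length, end)
    return bytes(buf[:length])


def echo_payload(data_size):
    """ICMP echo header plus `data_size` bytes of ping data, the payload that
    `ping -s data_size` asks for (constructed filler, not a captured packet)."""
    return b"\x08\x00" + b"\x00" * (ICMP_HEADER - 2) + b"A" * data_size


if __name__ == "__main__":
    legal = echo_payload(65500)            # the article's `ping -s 65500`
    print(len(legal), reassemble_unchecked(fragment(legal)))       # 65508 0: fits
    too_big = echo_payload(MAX_PAYLOAD)    # 8 bytes too long once the ICMP header is added
    print(len(too_big), reassemble_unchecked(fragment(too_big)))   # 65523 8: overflow
    print(reassemble_checked(fragment(too_big)) is None)           # True: dropped
```

The check is deliberately on `offset + len(data)` rather than on the size of any single fragment: each fragment of a ping of death is individually small and innocent, and only the claimed offset of the last one reveals that the whole would not fit.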

Capture the broadcast flag

One of the lesser-known ping features is the broadcast flag, and that’s what we’re going to leverage to do the network recon. As we hinted earlier, this enables not just one machine to be pinged, but a whole subnet. Try the following command at home, replacing the first bits of the IP address as appropriate (255 is a ‘reserved octet’ that denotes the broadcast address, in this case everything from 192.168.0.1 to 192.168.0.254):

$ ping -b -c 4 192.168.0.255

Here we send a packet to the broadcast address and then wait for four response packets from each machine. Note that the command gives you a warning that you’re pinging a broadcast address, since users would be mighty confused if they thought a single host was replying from multiple addresses. You should see responses from some of the computers on your network, though many OSes (including most Linux distros) don’t by default respond to this type of broadcast. Identifying which machine is which is tricky at this stage (unless you pull up your router’s configuration page), but at least it gives us an idea of the number of devices on your network. You’ll also see the total roundtrip time, which can be used to diagnose network congestion or routing issues. We’ll talk more about weaponising pings later. For now let’s get back to our network recon.

A more effective (and less visible) way to enumerate the machines on your LAN is to passively ‘sniff’ packets as they flow through your network. And from those packets we can collect source and destination addresses. We’ll use the EtherApe tool to do this, which rather pleasingly draws hosts in an ellipse as they’re discovered in real time, as well as showing the traffic flows between them. You’ll find EtherApe in the Applications menu under the Pentesting > Information Gathering section.

Having got an idea of the number of machines on our network, we could do some deeper observation of packets to see what they’re up to. The Wireshark program is industry standard for this task, and easy to get started with (click Pentesting > Most used tools). Hackers, good and bad, use packet captures (pcaps) obtained from the likes of Wireshark for everything from recon to reverse engineering. Alternatively we can use Nmap, another ubiquitous hacker tool (it even appeared in the second Matrix film), to scan our network and find out what those machines are up to.
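The two enumeration methods above, the broadcast ping and passive sniffing, can be put side by side in a few lines of Python. This is an added example written for this article, not code from Linux Format, EtherApe or Wireshark. Everything it reads is constructed so it runs offline: a made-up `ping -b` transcript and a handful of hand-built Ethernet frames with hypothetical MAC and 192.168.0.x addresses; in practice you would feed it real ping output and frames pulled from a pcap. It goes a little beyond the text by also reading ARP, because a host that ignores broadcast pings still has to ARP before it can talk to anything.

```python
"""Enumerate LAN hosts from `ping -b` replies and from sniffed frames, then
show which hosts only passive sniffing found.

Added example for this article; not code from Linux Format, EtherApe or
Wireshark. All input below is constructed (hypothetical MACs and addresses).
"""
import re
import struct

# Constructed `ping -b -c 4 192.168.0.255` output: the router and one PC answer,
# while 192.168.0.30 (a Linux box that ignores broadcast echo requests) stays silent.
PING_OUTPUT = """\
WARNING: pinging broadcast address
PING 192.168.0.255 (192.168.0.255) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 192.168.0.20: icmp_seq=1 ttl=128 time=1.03 ms (DUP!)
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 192.168.0.20: icmp_seq=2 ttl=128 time=0.987 ms (DUP!)
"""

ETH_HDR = struct.Struct("!6s6sH")             # dst MAC, src MAC, ethertype
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")     # 20-byte IPv4 header (no options)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")     # Ethernet/IPv4 ARP body
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return bytes(int(octet) for octet in text.split("."))


def ipv4_frame(src_mac, src_ip, dst_mac, dst_ip, payload=b""):
    """Build a minimal Ethernet II + IPv4 frame (constructed test data)."""
    header = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), 0, 0, 64, 17, 0,
                           ip(src_ip), ip(dst_ip))
    return ETH_HDR.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_IPV4) + header + payload


def arp_request(src_mac, src_ip, target_ip):
    """Build a 'who has target_ip?' ARP request broadcast (constructed test data)."""
    body = ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, 1, mac(src_mac), ip(src_ip),
                        b"\x00" * 6, ip(target_ip))
    return ETH_HDR.pack(mac("ff:ff:ff:ff:ff:ff"), mac(src_mac), ETHERTYPE_ARP) + body


# Constructed capture: router -> PC, PC -> off-LAN, the silent Linux box ARPing,
# a runt frame, and a packet from another subnet relayed by the router.
FRAMES = [
    ipv4_frame("aa:bb:cc:00:00:01", "192.168.0.1", "aa:bb:cc:00:00:20", "192.168.0.20"),
    ipv4_frame("aa:bb:cc:00:00:20", "192.168.0.20", "aa:bb:cc:00:00:01", "203.0.113.9"),
    arp_request("aa:bb:cc:00:00:30", "192.168.0.30", "192.168.0.1"),
    b"\x00\x01\x02\x03\x04",
    ipv4_frame("aa:bb:cc:00:00:01", "10.0.0.5", "aa:bb:cc:00:00:20", "192.168.0.20"),
]


def hosts_from_ping(output):
    """Map each address that answered the broadcast ping to its list of RTTs (ms)."""
    seen = {}
    pattern = r"bytes from (\d+\.\d+\.\d+\.\d+):.*?time=([\d.]+) ms"
    for addr, rtt in re.findall(pattern, output):
        seen.setdefault(addr, []).append(float(rtt))
    return seen


def hosts_from_frames(frames, subnet="192.168.0."):
    """Passive enumeration: map IP -> MAC for every *sender* seen in IPv4 or
    ARP traffic. Destinations are ignored because they may be off-LAN, and
    senders outside the subnet are ignored because they arrive via the router."""
    hosts = {}
    for frame in frames:
        if len(frame) < ETH_HDR.size:
            continue                                       # runt frame, not parseable
        _dst, src_mac, ethertype = ETH_HDR.unpack_from(frame)
        body = frame[ETH_HDR.size:]
        if ethertype == ETHERTYPE_IPV4 and len(body) >= IPV4_HDR.size:
            *_, src_ip, _dst_ip = IPV4_HDR.unpack_from(body)
        elif ethertype == ETHERTYPE_ARP and len(body) >= ARP_HDR.size:
            _, _, _, _, _, src_mac, src_ip, _, _ = ARP_HDR.unpack_from(body)
        else:
            continue                                       # other ethertypes not handled
        addr = ".".join(map(str, src_ip))
        if addr.startswith(subnet):
            hosts[addr] = ":".join(f"{b:02x}" for b in src_mac)
    return hosts


def silent_hosts(ping_output, frames):
    """Hosts seen on the wire that never answered the broadcast ping."""
    return sorted(set(hosts_from_frames(frames)) - set(hosts_from_ping(ping_output)))


if __name__ == "__main__":
    print("answered ping:", sorted(hosts_from_ping(PING_OUTPUT)))
    print("seen on wire: ", hosts_from_frames(FRAMES))
    print("ping missed:  ", silent_hosts(PING_OUTPUT, FRAMES))
```

Trusting only sender fields is the key design choice: a destination address tells you nothing about what is on your LAN, and a packet from another subnet arrives with the router’s MAC, so the subnet filter keeps the router from being counted several times under addresses it merely forwarded.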


In just a few seconds EtherApe had sniffed the traffic from a sizeable chunk of Future Towers’ review network.

ASCII UFO invaders are coming to war drive your wireless network. Oh no, wait – it’s just the Airgeddon splash screen. Stand down, people.
