ICMP

Nmap supports ICMP scanning over both IPv4 and IPv6 to map subnets within larger IP blocks and elicit responses from hosts (depending on configuration). Here are two particularly useful ICMPv4 message types:

Type 8 (echo request)

Used by ping and other utilities to identify accessible hosts.

Type 13 (timestamp request)

Provides the system time information from the target in decimal format.

IANA maintains comprehensive lists of ICMPv4 and ICMPv6 message types.¹ Many useful ICMPv4 types have been deprecated in recent years, including 17 (address mask request) and 37 (domain name request). Within legacy networks these can yield useful information.

root@kali:~# nmap -PEPM -sP –vvv -n 10.12.5.0/24

Starting Nmap 6.49BETA4 (https://nmap.org) at 2015-09-07 18:22 EDT
Initiating Ping Scan at 18:22
Scanning 256 hosts [3 ports/host]
Completed Ping Scan at 18:23, 7.24s elapsed (256 total hosts)
Nmap scan report for 10.12.5.0 [host down, received no-response]
Nmap scan report for 10.12.5.1
Host is up, received echo-reply ttl 128 (0.012s latency).
Nmap scan report for 10.12.5.16
Host is up, received echo-reply ttl 128 (0.023s latency).
Nmap scan report for 10.12.5.17
Host is up, received echo-reply ttl 128 (0.027s latency).
Nmap scan report for 10.12.5.18
Host is up, received echo-reply ttl 128 (0.031s latency).
Nmap scan report for 10.12.5.20
Host is up, received echo-reply ttl 128 (0.039s latency).
Nmap scan report for 10.12.5.21
Host is up, received echo-reply ttl 128 (0.043s latency).
Nmap scan report for 10.12.5.22
Host is up, received echo-reply ttl 128 (0.047s latency).

root@kali:~# ping -b 10.10.5.255
WARNING: pinging broadcast address
PING 10.10.5.255 (10.10.5.255) 56(84) bytes of data.
64 bytes from 10.10.5.79: icmp_seq=1 ttl=64 time=1.01 ms
64 bytes from 10.10.5.10: icmp_seq=1 ttl=64 time=1.79 ms (DUP!)
64 bytes from 10.10.5.13: icmp_seq=1 ttl=64 time=3.67 ms (DUP!)
64 bytes from 10.10.5.11: icmp_seq=1 ttl=64 time=3.67 ms (DUP!)
64 bytes from 10.10.5.12: icmp_seq=1 ttl=64 time=3.67 ms (DUP!)
64 bytes from 10.10.5.99: icmp_seq=1 ttl=64 time=3.67 ms (DUP!)
64 bytes from 10.10.5.14: icmp_seq=1 ttl=64 time=3.67 ms (DUP!)

root@kali:~# ping -b 255.255.255.255
WARNING: pinging broadcast address
PING 255.255.255.255 (255.255.255.255) 56(84) bytes of data.
64 bytes from 10.10.5.79: icmp_seq=1 ttl=64 time=1.28 ms
64 bytes from 10.12.5.251: icmp_seq=1 ttl=63 time=1.28 ms (DUP!)
64 bytes from 10.12.5.239: icmp_seq=1 ttl=63 time=1.28 ms (DUP!)
64 bytes from 10.12.5.240: icmp_seq=1 ttl=63 time=1.28 ms (DUP!)
64 bytes from 10.12.5.201: icmp_seq=1 ttl=63 time=1.28 ms (DUP!)
64 bytes from 10.12.5.248: icmp_seq=1 ttl=63 time=1.84 ms (DUP!)
64 bytes from 10.10.5.10: icmp_seq=1 ttl=64 time=1.85 ms (DUP!)
64 bytes from 10.12.5.242: icmp_seq=1 ttl=63 time=1.85 ms (DUP!)
64 bytes from 10.12.5.235: icmp_seq=1 ttl=63 time=4.73 ms (DUP!)
64 bytes from 10.12.5.246: icmp_seq=1 ttl=63 time=6.02 ms (DUP!)
64 bytes from 10.12.5.244: icmp_seq=1 ttl=63 time=8.19 ms (DUP!)

TCP

Nmap supports many TCP scanning modes, which are particularly useful when performing stealth scans and understanding low-level network configuration. For the purpose of identifying accessible services, the basic TCP SYN (-sS) mode should be used, as demonstrated by Example 6-4.

root@kali:~# nmap -sS 10.10.5.10

Starting Nmap 6.49BETA4 (https://nmap.org) at 2015-09-07 18:45 EDT
Nmap scan report for 10.10.5.10
Not shown: 933 filtered ports, 60 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown

By default, Nmap will perform host discovery and identify accessible hosts to scan.² When testing hardened environments, you should use the -Pn flag to force scanning of each address. A slower timing policy (such as -T2) is also useful because an aggressive policy might trigger SYN flood protection and cause packets to be dropped.

Nmap returns a state (open, closed, or filtered) for each port. Figures 6-2 through 6-5 demonstrate SYN probes eliciting four response variants: a SYN/ACK packet (indicating an open port); RST/ACK (denoting closed); no response; or an ICMP type 3 message (implying a filter).

Figure 6-2. Open port behavior

Figure 6-3. Closed port behavior

Figure 6-4. Filtered port behavior (no response)

Figure 6-5. Filtered port behavior (ICMP response)

IPv4 firewalls and routers often generate ICMP type 3 (destination unreachable) responses, which provide insight into network configuration. Table 6-1 lists common ICMP type 3 message codes.³

UDP

The connectionless nature of UDP means that services are identified either through negative scanning (inferring open ports based on ICMP unreachable responses of those which are closed), or through use of correctly formatted datagrams to elicit a response from a service (e.g., DNS, DHCP, TFTP, and others, as listed in nmap-payloads⁴), known as payload scanning.

ICMP is an unreliable indicator because security-conscious organizations tend to filter messages, and most operating systems rate-limit ICMP responses by default.

Nmap uses a combination of both negative and payload scanning (versus just a single mode) via the -sU flag. This often clouds output, as demonstrated by Example 6-5, in which both open and open|filtered states are returned.

root@kali:~# nmap -Pn -sU -open -F -vvv -n 10.3.0.1

Starting Nmap 6.46 (http://nmap.org) at 2014-10-27 02:37 UTC
Initiating UDP Scan at 02:37
Scanning 10.3.0.1 [100 ports]
Discovered open port 137/udp on 10.3.0.1
Discovered open port 123/udp on 10.3.0.1
Completed UDP Scan at 02:38, 13.25s elapsed (100 total ports)
Nmap scan report for 10.3.0.1
Scanned at 2014-10-27 02:37:49 UTC for 13s
PORT      STATE         SERVICE
7/udp     open|filtered echo
9/udp     open|filtered discard
17/udp    open|filtered qotd
19/udp    open|filtered chargen
49/udp    open|filtered tacacs
53/udp    open|filtered domain
67/udp    open|filtered dhcps
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
80/udp    open|filtered http
88/udp    open|filtered kerberos-sec
111/udp   open|filtered rpcbind
120/udp   open|filtered cfdptkt
123/udp   open          ntp
135/udp   open|filtered msrpc
136/udp   open|filtered profile
137/udp   open          netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   open|filtered netbios-ssn
158/udp   open|filtered pcmail-srv
161/udp   open|filtered snmp

The verbose output shows that ports 123 (NTP) and 137 (the NetBIOS name service) are open based on responses to crafted payloads. The other ports are listed based on unreliable ICMP feedback.

Using the -sUV flag, you can actively probe each UDP port and see which respond. Running Nmap in this fashion is, however, very slow against ambiguous open|filtered ports, and impractical when testing large networks.

Example 6-6 demonstrates using Nmap to scan five UDP ports of a single host, taking 114 seconds to complete. Deeper testing reveals that port 53 is indeed listening.

root@kali:~# nmap -Pn -sUV -open -p53,123,135,137,161 -vvv -n 10.3.0.1

Starting Nmap 6.46 (http://nmap.org) at 2014-10-27 02:53 UTC
NSE: Loaded 29 scripts for scanning.
Initiating UDP Scan at 02:53
Scanning 10.3.0.1 [5 ports]
Discovered open port 123/udp on 10.3.0.1
Discovered open port 137/udp on 10.3.0.1
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.99% done; ETC: 02:53 (0:00:00 remaining)
Completed UDP Scan at 02:53, 9.08s elapsed (5 total ports)
Initiating Service scan at 02:53
Scanning 5 services on 10.3.0.1
Discovered open port 53/udp on 10.3.0.1
Discovered open|filtered port 53/udp on 10.3.0.1 is actually open
Completed Service scan at 02:55, 75.06s elapsed (5 services on 1 host)
NSE: Script scanning 10.3.0.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 02:55
Completed NSE at 02:55, 30.02s elapsed
Nmap scan report for 10.3.0.1
Scanned at 2014-10-27 02:53:40 UTC for 114s
PORT    STATE         SERVICE    VERSION
53/udp  open          domain     dnsmasq 2.50
123/udp open          ntp        NTP v4
135/udp open|filtered msrpc
137/udp open          netbios-ns Samba nmbd (workgroup: UCOPIA)
161/udp open|filtered snmp
Service Info: Host: CONTROLLER

An alternative tool that you can use to perform UDP payload scanning is Unicornscan.⁵ Against the 10.3.0.1 candidate, results are returned almost instantly:

root@kali:~# unicornscan -mU 10.3.0.1
UDP open          domain[   53] from 10.3.0.1  ttl 128
UDP open      netbios-ns[  137] from 10.3.0.1  ttl 128

UDP scanning results vary by tool selection and network conditions. Nmap provides a comprehensive option with -sUV, but testing of a single host using the -F option (scanning 100 ports) can take more than 10 minutes to complete.

SCTP

SCTP sits alongside TCP and UDP, as shown in Figure 6-1. Intended to provide transport of telephony data over IP, the protocol duplicates many of the reliability features of Signaling System 7 (SS7), and underpins a larger protocol family known as SIGTRAN. SCTP is supported by operating systems including IBM AIX, Oracle Solaris, HP-UX, Linux, Cisco IOS, and VxWorks.

Packet format

Each SCTP packet contains a header and associated chunks, as demonstrated by Figure 6-6. Source and destination port values are 16-bit (running from 0 to 65,535), and 8-bit chunk type values are listed in Table 6-2. Depending on the type, the chunk value field varies.

Figure 6-6. SCTP packet format

Table 6-2. SCTP chunk types

ID	Value	Description
0	DATA	Payload data
1	INIT	Initiation request
2	INIT ACK	Initiation acknowledgment
3	SACK	Selective acknowledgment
4	HEARTBEAT	Heartbeat request
5	HEARTBEAT ACK	Heartbeat acknowledgment
6	ABORT	Abort request
7	SHUTDOWN	Shutdown request
8	SHUTDOWN ACK	Shutdown acknowledgment
9	ERROR	Operation error
10	COOKIE ECHO	State cookie echo
11	COOKIE ACK	Cookie acknowledgment
12	ECNE	Explicit congestion notification echo
13	CWR	Congestion window reduced
14	SHUTDOWN COMPLETE	Shutdown complete

root@kali:~# nmap -6 -Pn -sY –n -open fe80::217:f2ff:fe0f:5d19

Starting Nmap 6.49BETA4 (https://nmap.org) at 2015-08-27 09:56 EDT
Nmap scan report for fe80::217:f2ff:fe0f:5d19
PORT       STATE SERVICE
2427/sctp  open  mgcp-gateway
2944/sctp  open  megago-h248
2945/sctp  open  h248-binary

Bringing Everything Together

Detailed assessment involves scanning all 65,536 TCP and SCTP ports for each IP address within scope, along with testing of common UDP ports (to save time). I have yet to find a UDP service running on a nonstandard port during testing, and so running a UDP scan with Nmap’s default services list is sufficient.

nmap –T4 –Pn –n –sS –F –oG tcp.gnmap 192.168.0.0/24
nmap –T4 –Pn –n –sY –F –oG sctp.gnmap 192.168.0.0/24
nmap –T4 –Pn –n –sU –p53,69,111,123,137,161,500,514,520 -oG  udp.gnmap 192.168.0.0/24

grep open *.gnmap | awk '{print $2}' | sort | uniq > targets.txt

nmap -6 -T4 -Pn -open -sS -A -oA ipv6_tcp_fast -iL targets.txt
nmap -6 -T4 -Pn -open -sSVC -A –p0-65535 -oA ipv6_tcp_full -iL targets.txt
nmap -6 -T4 -Pn -open -sY –p0-65535 -oA ipv6_sctp -iL targets.txt
nmap -6 -T3 -Pn -open -sU -oA ipv6_udp -iL targets.txt

Crafting Arbitrary Packets

Table 6-4 lists common Hping3 arguments used to craft TCP packets from the command line. The utility also supports raw IP, UDP, and scanning modes. Power users should consider Scapy because it offers increased flexibility.¹¹

-c <number>

-t <hops>

-s <port>

-d <port>

-S

-F

-A

Example 6-8 demonstrates Hping3 used to perform a TCP SYN port scan of common ports. For full details of the modes supported, review the documentation.¹²

root@kali:~# hping3 --scan known -S 192.185.5.1
Scanning 192.185.5.1 (192.185.5.1), port known
337 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   21 ftp        : .S..A... 128  3987  8192    46
   25 smtp       : .S..A... 128  4755  8192    46
   53 domain     : .S..A... 128  6291  8192    46
   80 http       : .S..A... 128  8595  8192    46
  110 pop3       : .S..A... 128 10643  8192    46
  443 https      : .S..A... 128 17299  8192    46
  143 imap2      : .S..A... 128 30867  8192    46
  465 ssmtp      : .S..A... 128 33427  8192    46
  587 submission : .S..A... 128 39315  8192    46
  995 pop3s      : .S..A... 128 45715  8192    46

Hping3 TCP ACK (-A) and FIN (-F) probes used in conjunction with scanning mode can reveal quirks in IP stack implementations. By running a scan with the verbose flag (-V) and reviewing the responses to ACK and FIN probes, you can sometimes see variance in TTL and WINDOW values, indicating open ports. Uriel Maimon first described this behavior in Phrack magazine.¹³

root@kali:~# hping3 -c 3 -S -p 80 10.3.0.1
HPING 10.3.0.1 (eth0 10.3.0.1): S set, 40 headers + 0 data bytes
ip=10.3.0.1 ttl=128 id=18871 sport=80 flags=SA seq=0 win=64240 rtt=3.6 ms
ip=10.3.0.1 ttl=128 id=18872 sport=80 flags=SA seq=1 win=64240 rtt=3.6 ms
ip=10.3.0.1 ttl=128 id=18873 sport=80 flags=SA seq=2 win=64240 rtt=3.6 ms

root@kali:~# hping3 -c 3 -S -p 81 10.3.0.1
HPING 10.3.0.1 (eth0 10.3.0.1): S set, 40 headers + 0 data bytes
ip=10.3.0.1 ttl=128 id=19822 sport=81 flags=RA seq=0 win=64240 rtt=3.9 ms
ip=10.3.0.1 ttl=128 id=19823 sport=81 flags=RA seq=1 win=64240 rtt=1.8 ms
ip=10.3.0.1 ttl=128 id=19824 sport=81 flags=RA seq=2 win=64240 rtt=1.9 ms

root@kali:~# hping3 -c 3 -S -p 23 10.3.0.1
HPING 10.3.0.1 (eth0 10.3.0.1): S set, 40 headers + 0 data bytes
ICMP unreachable type 13 from 192.168.0.254
ICMP unreachable type 13 from 192.168.0.254
ICMP unreachable type 13 from 192.168.0.254

root@kali:~# hping3 -c 3 -S -p 3306 10.3.0.1
HPING 10.3.0.1 (eth0 10.3.0.1): S set, 40 headers + 0 data bytes

TCP/IP Stack Fingerprinting

Operating systems prepare packets using different IP TTL and WINDOW values, as summarized by Table 6-5. The TTL of a packet decreases with each hop, and so this value will decrease during testing, based on your distance from the target host.

IP ID Analysis

Many TCP/IP implementations set incremental IP ID values in outbound packets. You can take advantage of this behavior to identify individual hosts behind firewalls and measure network activity. If the IP ID value of each packet received from a host is incremental, it can also be used as an unwitting third party (known as a zombie) to facilitate stealth port scanning using Nmap.

IP ID sampling with Scapy

Scapy can sample and plot IP ID values. Example 6-9 demonstrates setup (involving installation of python-gnuplot and gnuplot-x11 packages) and use of the utility to sample values from www.yahoo.fr. Figure 6-9 shows the resulting graph, by which we identify individual hosts behind a load balancer. Philippe Biondi and Arnaud Ebalard’s presentation “Scapy and IPv6 networking”¹⁴ describes other useful sampling strategies (see slide 45 onward).

Example 6-9. Configuring gnuplot and running Scapy

root@kali:~# apt-get install python-gnuplot gnuplot-x11
root@kali:~# scapy
Welcome to Scapy (2.2.0)
>>> a,b=sr(IP(dst="www.yahoo.fr")/TCP(sport=[RandShort()]*1000))
Begin emission:
Finished to send 100 packets.
Received 100 packets, got 100 answers, remaining 0 packets
>>> a.plot(lambda(s,r):r.id)

Figure 6-9. IP ID value plot for www.yahoo.fr

root@kali:~# nmap -F -sS -O -open -v -n 10.3.0.1

Starting Nmap 6.46 (http://nmap.org) at 2014-10-27 04:36 UTC
Initiating Ping Scan at 04:36
Scanning 10.3.0.1 [4 ports]
Completed Ping Scan at 04:36, 0.00s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 04:36
Scanning 10.3.0.1 [100 ports]
Discovered open port 80/tcp on 10.3.0.1
Discovered open port 443/tcp on 10.3.0.1
Discovered open port 8081/tcp on 10.3.0.1
Completed SYN Stealth Scan at 04:36, 1.83s elapsed (100 total ports)
Initiating OS detection (try #1) against 10.3.0.1
Nmap scan report for 10.3.0.1
Not shown: 96 filtered ports, 1 closed port
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
8081/tcp open  blackice-icecap
Device type: general purpose
Running: Linux 2.4.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:3
OS details: DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2
Uptime guess: 3.014 days (since Fri Oct 24 04:01:34 2014)
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental

Stealth IP ID scanning with Nmap

Upon identifying suitable zombie candidates returning incremental IP ID values, you can undertake IP ID header scanning via Nmap. The process uses the zombie host as an indicator, as shown in Figure 6-10. One benefit of this scanning mode is that you can map ACLs from a certain perspective (e.g., identifying routers at branch offices that produce sequential IP ID values, and using them as zombies).

Figure 6-10. IP ID header scanning parties

Nmap supports IP ID header scanning via the following option:

-sI <zombie host[:probe port]>

By default, Nmap will send heartbeat packets to TCP port 80 of the zombie host. It is particularly important to use the -Pn flag to suppress probing, so that all packets are sent from the address of the zombie to the target. 

Manipulating TTL to Reverse Engineer ACLs

Nmap identifies filters based on network responses or lack thereof. Deeper assessment is undertaken with Firewalk, which manipulates the TTL field of packets to scan a target from a certain distance (i.e., one hop beyond a given gateway).

Example 6-11 demonstrates Firewalk testing six TCP ports through a specific gateway (gw.test.org) to a destination of www.test.org. The functionality has also been ported to Nmap, via the firewalk NSE script.

$ firewalk -n -S21,22,23,25,53,80 -pTCP gw.test.org www.test.org
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 217.41.132.201 using 217.41.132.161 as a metric.
Ramping Phase:
 1 (TTL  1): expired [192.168.102.254]
 2 (TTL  2): expired [212.38.177.41]
 3 (TTL  3): expired [217.41.132.201]
Binding host reached.
Scan bound at 4 hops.
Scanning Phase:
port  21: A! open (port listen) [217.41.132.161]
port  22: A! open (port not listen) [217.41.132.161]
port  23: A! open (port listen) [217.41.132.161]
port  25: A! open (port not listen) [217.41.132.161]
port  53: A! open (port not listen) [217.41.132.161]
port  80: A! open (port not listen) [217.41.132.161]

Firewalk calculates the distance to the gateway and sends packets destined for the target with a TTL that is one hop beyond. Based on the responses, the tool is able to map the filtering policy of the gateway. For example:

• If an ICMP type 11, code 0 (TTL exceeded in transit) message is received, the packet passed through and a response was later generated.

• If the packet is dropped without comment, it was probably done at the gateway.

• If an ICMP type 3, code 13 (communication administratively prohibited) message is received, a filter such as a router ACL is being used.

If the packet is dropped without comment, this doesn’t necessarily mean that traffic to the target host and port is filtered. Some firewalls know that the packet is due to expire and will send an expired message whether the policy allows the packet or not.

Firewalk works in true IP-routed environments, as opposed to those using network address translation (NAT). Dave Goldsmith and Mike Schiffman’s paper describes the testing approach in detail.¹⁷

Revealing Internal IP Addresses

Misconfigured routers, firewalls, and network devices sometimes respond to network probes using nonpublic source addresses. Example 6-12 demonstrates tcpdump used to identify packets received from private addresses during testing. In this case, the eth2 interface in Kali Linux is addressable from the public Internet.

root@kali:~# tcpdump –nt -i eth2 src net 10 or 172.16/12 or 192.168/16
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64
IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64

TTL Manipulation

Consider Figure 6-11. The target host is six hops away from the source, and an IDS sensor is deployed between hops three and four. By sending packets with a TTL that expires before the destination, an adversary can insert data into the network flow (from the perspective of the sensor). A second technique is to send material to the destination that is disregarded, but parsed by the sensor (or vice versa)—achieved through fragmentation and segment overlapping. The underlying problem is that the sensor does not have enough context to correctly perform network flow reassembly.

Figure 6-11. An attacker, IDS sensor, and target host

Data Insertion and Scrambling with SniffJoke

Within SniffJoke, data manipulation and insertion attacks are known as hacks and scrambles, which are implemented as plug-ins, as described by the project documentation.²³

Examples of hacks include inserting a fake payload (causing the sensor to parse session data that is not processed by the destination), providing false sequencing information (causing the sensor to lose state and parse erroneous data), and injection of fake signaling information (via insertion of FIN, RST, or SYN packets that are disregarded by the destination, but cause the sensor to believe the session has ended or a new one established).

Packets can be malformed and fragmented in a number of ways—the trick is to adopt an approach where packets are processed by the sensor and disregarded by the destination host, or vice versa. Many of these approaches depend on the IP stack implementation of the sensor and destination host (through identifying a mismatch and abusing it for gain). Scrambling tactics adopted by SniffJoke focus on generating packets that are disregarded by the destination host, as follows:

Setting bad checksums of packets

Sensors in high-throughput environments often do not calculate packet checksums for performance reasons. If this is the case, malicious content is parsed by the sensor but disregarded upon receipt by the destination host.

Use of uncommon IP and TCP options

A sensor might disregard packets with certain flags and options set within IP and TCP headers, whereas the destination host accepts the packet upon receipt.

One important topic that is not highlighted within the SniffJoke documentation is that of packet fragmentation and segment overlapping. Attackers can use these tactics to evade and bypass IDS and IPS mechanisms because fragmented packets might be reassembled differently by the sensor than by the destination host.²⁴

Configuring and Running SniffJoke

If you are able to place a crafted PHP script onto a web server protected by a given IDS or IDP mechanism, you can use sniffjoke-autotest to identify effective evasion techniques and create a series of local configuration files.

The PHP script is as follows, as found on the sniffjoke-autotest GitHub page:²⁵

<?php
  if(isset($_POST['sparedata'])) {
    for($x = 0; $x < strlen($_POST['sparedata']); $x++)
    {
      if( is_numeric($_POST['sparedata'][$x]) )
        continue;
      echo "bad value in $x offset";
      exit;
    }
    echo $_POST['sparedata'];
  }
?>

Upon placing the script on a web server, run sniffjoke-autotest:

root@kali:~# sniffjoke-autotest -l home -d /usr/var/sniffjoke/ -s \
http://www.example.org/test.php -a 192.168.0.10

The utility will create a configuration (known as a location, using the label home in this case) upon sending requests to http://www.example.org/test.php (with an IP of 192.168.0.10). After it is executed, the SniffJoke home directory (/usr/var/sniffjoke/home/ in Kali Linux) will contain a number of configuration files, as listed in Table 6-7.

Edit the configuration files to define the IP addresses and network services within scope for evasion. When you are satisfied with the configuration, run SniffJoke using the particular location label (home in this case):

root@kali:~# sniffjoke --location home

The program runs in the background and updates the default gateway so that all packets are routed through it for manipulation. Once executed, the sniffjokectl utility is used to interact with the service interface, as follows:

Usage: sniffjokectl [OPTIONS] [COMMANDS]
 --address <ip>[:port]  specify administration IP address 
 [default: 127.0.0.1:8844]
 --version        show sniffjoke version
 --timeout        set milliseconds timeout when contacting SniffJoke service [default: 500]
 --help            show this help

when sniffjoke is running, you should send commands with a command line argument:
 start      start sniffjoke hijacking/injection
 stop       pause sniffjoke
 quit       quit sniffjoke
 saveconf   dump configuration file
 stat       get statistics about sniffjoke configuration and network
 info       get statistics about sniffjoke active sessions
 ttlmap     show the mapped hop count for destination
 showport   show the running port-aggressivity configuration
 debug      [0-5] change the log debug level