HopFake

[iago]

I debated whether to put this in Software Review or here.  I decided that we need more posts on Network Security, so here we are.

Anyway, HopFake can be downloaded here:
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=hopfake

And is used to muck up traceroute's.

Here is a sample configuration file:

ipc@SlackSec:~/downloads$ cat /etc/hopfake/hops-file-example
# This is a hops-file example
# -------------------------------------------

138.147.50.5
140.183.234.10
192.5.18.104
192.5.18.105
192.5.18.106
192.5.18.107
192.5.18.108
198.116.142.1
198.116.142.34

And here is a sample run:

ipc@SlackSec:~/downloads$ sudo hopfake -i eth0 -c /etc/hopfake/hops-file-example
# /usr/sbin/iptables -I OUTPUT -s 10.100.254.210 -p icmp --icmp-type port-unreachable -m ttl --ttl 64 -j DROP > /dev/null 2> /dev/null
# /usr/sbin/iptables -I OUTPUT -s 10.100.254.210 -p icmp --icmp-type echo-reply -m ttl --ttl 64 -j DROP > /dev/null 2> /dev/null

And then, when I try traceroute'ing that computer from my laptop:
rbowes:~$ traceroute 10.100.254.210

traceroute to 10.100.254.210 (10.100.254.210), 30 hops max, 38 byte packets
 1  spider.ncts.navy.mil (138.147.50.5)  15.164 ms  19.538 ms  59.992 ms
 2  www.army.mil (140.183.234.10)  59.983 ms  20.841 ms  39.997 ms
 3  darpademo1.darpa.mil (192.5.18.104)  40.161 ms  20.592 ms  39.948 ms
 4  iso.darpa.mil (192.5.18.105)  39.027 ms  20.733 ms  40.863 ms
 5  ws18-106.darpa.mil (192.5.18.106)  41.023 ms  23.754 ms  41.403 ms
 6  dtsn.darpa.mil (192.5.18.107)  40.616 ms  20.243 ms  40.615 ms
 7  daml.darpa.mil (192.5.18.108)  39.973 ms  20.342 ms  40.070 ms
 8  border.hcn.hq.nasa.gov (198.116.142.1)  39.291 ms  22.079 ms  40.937 ms
 9  198.116.142.34 (198.116.142.34)  38.979 ms !H  20.614 ms !H  39.999 ms !H

Note that that's just a default file, you can specify any IPs.  It can be a lot of fun

[Mythix]

that..was..awesome

I will definately be playing around with that.

[iago]

Incidentally, you really are pinging the .mil sites, so I'd recommend changing the IPs to something a little less angry

[deadly7]

What is Traceroute, as my Windows computer obviously doesn't have it, according to Mr. Search Wizard.

[Quik]

http://en.wikipedia.org/wiki/Traceroute

Yeah you do.

[Newby]

It's tracert in Windows, IIRC.

[Quik]

Correct. That was explained on the wiki.

[Newby]

I figure I'd save him the reading (I didn't read it either).

[deadly7]

Ah. That'd be why. Thanks Quik/Newby.

[trust]

Why is this useful?

[iago]

Obscurity is a very big and important part of Information Security since attackers can't attack what they don't know exists.

This, if set up properly on your network, can make an attacker believe they are going through a firewall that they aren't, so they might focus effort on breaking into that firewall.  You can also make it look like you have routing problems so that it's being routed through an external server, off the network, then back into your network.  Then they might focus their concentration in the wrong place.  And perhaps that other place is a honeypot, and when they try attacking the wrong system they are already on your radar, and it's game over for them.

If you have HopFake running on many machines with proper fake hops set up, and an attacker is trying to build a map of your network (which is something very handy when trying to attack), they can be totally messed up.  Again, it would have to be set with realistic-looking ip's.

That's just a few ways I can think of using it.