Clan x86

Technical (Development, Security, etc.) => General Security Information => Topic started by: iago on June 03, 2005, 11:55:17 am

Title: HopFake
Post by: iago on June 03, 2005, 11:55:17 am
I debated whether to put this in Software Review or here.  I decided that we need more posts on Network Security, so here we are.

Anyway, HopFake can be downloaded here:
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=hopfake

It is used to muck up traceroutes.

Here is a sample configuration file:
Quote
ipc@SlackSec:~/downloads$ cat /etc/hopfake/hops-file-example
# This is a hops-file example
# -------------------------------------------

138.147.50.5
140.183.234.10
192.5.18.104
192.5.18.105
192.5.18.106
192.5.18.107
192.5.18.108
198.116.142.1
198.116.142.34

And here is a sample run:
Quote
ipc@SlackSec:~/downloads$ sudo hopfake -i eth0 -c /etc/hopfake/hops-file-example
# /usr/sbin/iptables -I OUTPUT -s 10.100.254.210 -p icmp --icmp-type port-unreachable -m ttl --ttl 64 -j DROP > /dev/null 2> /dev/null
# /usr/sbin/iptables -I OUTPUT -s 10.100.254.210 -p icmp --icmp-type echo-reply -m ttl --ttl 64 -j DROP > /dev/null 2> /dev/null

And then, when I try tracerouting that computer from my laptop:
Quote
rbowes:~$ traceroute 10.100.254.210
traceroute to 10.100.254.210 (10.100.254.210), 30 hops max, 38 byte packets
 1  spider.ncts.navy.mil (138.147.50.5)  15.164 ms  19.538 ms  59.992 ms
 2  www.army.mil (140.183.234.10)  59.983 ms  20.841 ms  39.997 ms
 3  darpademo1.darpa.mil (192.5.18.104)  40.161 ms  20.592 ms  39.948 ms
 4  iso.darpa.mil (192.5.18.105)  39.027 ms  20.733 ms  40.863 ms
 5  ws18-106.darpa.mil (192.5.18.106)  41.023 ms  23.754 ms  41.403 ms
 6  dtsn.darpa.mil (192.5.18.107)  40.616 ms  20.243 ms  40.615 ms
 7  daml.darpa.mil (192.5.18.108)  39.973 ms  20.342 ms  40.070 ms
 8  border.hcn.hq.nasa.gov (198.116.142.1)  39.291 ms  22.079 ms  40.937 ms
 9  198.116.142.34 (198.116.142.34)  38.979 ms !H  20.614 ms !H  39.999 ms !H

Note that that's just a default file; you can specify any IPs.  It can be a lot of fun :)
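The sample run above also shows what a forged path looks like from the analyst's side: every "hop" answers with nearly the same minimum RTT (they all come from one box), the real target 10.100.254.210 never appears, and the trace is closed by a !H from an unrelated address. The following script is an added example for this post, not part of HopFake or the original text: it parses classic traceroute output (the quoted trace is embedded as its sample input) and applies three heuristics that a faked path tends to trip. The thresholds flat_ms and min_hops are assumptions chosen for illustration, not values from the tool.

```python
import ipaddress
import re
from dataclasses import dataclass

# The traceroute output quoted in the post above: these hops are the ones
# HopFake injected from its example hops-file, not real routers.
SAMPLE_TRACE = """\
traceroute to 10.100.254.210 (10.100.254.210), 30 hops max, 38 byte packets
 1  spider.ncts.navy.mil (138.147.50.5)  15.164 ms  19.538 ms  59.992 ms
 2  www.army.mil (140.183.234.10)  59.983 ms  20.841 ms  39.997 ms
 3  darpademo1.darpa.mil (192.5.18.104)  40.161 ms  20.592 ms  39.948 ms
 4  iso.darpa.mil (192.5.18.105)  39.027 ms  20.733 ms  40.863 ms
 5  ws18-106.darpa.mil (192.5.18.106)  41.023 ms  23.754 ms  41.403 ms
 6  dtsn.darpa.mil (192.5.18.107)  40.616 ms  20.243 ms  40.615 ms
 7  daml.darpa.mil (192.5.18.108)  39.973 ms  20.342 ms  40.070 ms
 8  border.hcn.hq.nasa.gov (198.116.142.1)  39.291 ms  22.079 ms  40.937 ms
 9  198.116.142.34 (198.116.142.34)  38.979 ms !H  20.614 ms !H  39.999 ms !H
"""

HEADER_RE = re.compile(r"^traceroute to \S+ \((?P<target>[\d.]+)\)")
HOP_RE = re.compile(r"^\s*(?P<n>\d+)\s+(?P<name>\S+)\s+\((?P<ip>[\d.]+)\)\s+(?P<rest>.*)$")
PROBE_RE = re.compile(r"(\d+(?:\.\d+)?) ms(?: (![A-Z]))?")


@dataclass
class Hop:
    n: int
    ip: str
    rtts: list    # one RTT in ms per answered probe
    flags: list   # ICMP annotations such as !H (host unreachable)


def parse_traceroute(text):
    """Return (target_ip, [Hop, ...]) from classic traceroute output.
    Hops that only timed out ('* * *') carry no address and are skipped."""
    target, hops = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group("target")
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        probes = PROBE_RE.findall(m.group("rest"))
        hops.append(Hop(int(m.group("n")), m.group("ip"),
                        [float(rtt) for rtt, _ in probes],
                        [flag for _, flag in probes if flag]))
    return target, hops


def analyze(target, hops, flat_ms=10.0, min_hops=4):
    """Heuristics a forged path tends to trip (thresholds are assumptions).
    Returns a list of finding names; an empty list means nothing looked odd."""
    findings = []
    # 1. Minimum RTT per hop approximates propagation delay. A path that
    #    claims to cross several networks but whose min RTTs sit within a
    #    few ms of each other is being answered by one machine, not routers.
    mins = [min(h.rtts) for h in hops if h.rtts]
    if len(mins) >= min_hops and max(mins) - min(mins) < flat_ms:
        findings.append("flat-rtt")
    # 2. The trace ends with !H from an address that is not the target:
    #    the real host never appeared, something else closed the trace.
    if hops and target not in {h.ip for h in hops} and "!H" in hops[-1].flags:
        findings.append("target-not-reached")
    # 3. A private target behind a public first hop is not what a LAN trace
    #    looks like; the first hop should be a local address.
    if hops and target is not None:
        if (ipaddress.ip_address(target).is_private
                and not ipaddress.ip_address(hops[0].ip).is_private):
            findings.append("public-first-hop")
    return findings


if __name__ == "__main__":
    tgt, hs = parse_traceroute(SAMPLE_TRACE)
    for h in hs:
        print(f"{h.n:2d} {h.ip:16s} min {min(h.rtts):7.3f} ms {' '.join(h.flags)}")
    print("findings:", analyze(tgt, hs))
```

Run against the quoted trace it reports all three findings; the minimum RTTs span under 9 ms across nine alleged hops in four different organisations, which no real path through those networks would produce. The same checks are useful on the defending side when you deploy a tool like this: if your fake hops trip them, a careful attacker will see through the deception too, so the hops-file should be built with addresses and timing that fit the path they are meant to imitate.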
Title: Re: HopFake
Post by: Mythix on June 03, 2005, 12:22:37 pm
that..was..awesome

I will definitely be playing around with that.
Title: Re: HopFake
Post by: iago on June 03, 2005, 12:26:32 pm
Incidentally, you really are pinging the .mil sites, so I'd recommend changing the IPs to something a little less angry :)
Title: Re: HopFake
Post by: deadly7 on June 03, 2005, 06:31:02 pm
What is Traceroute, as my Windows computer obviously doesn't have it, according to Mr. Search Wizard.
Title: Re: HopFake
Post by: Quik on June 03, 2005, 06:41:37 pm
http://en.wikipedia.org/wiki/Traceroute

Yeah you do.
Title: Re: HopFake
Post by: Newby on June 03, 2005, 06:43:44 pm
It's tracert in Windows, IIRC.
Title: Re: HopFake
Post by: Quik on June 03, 2005, 06:50:05 pm
Correct. That was explained on the wiki.
Title: Re: HopFake
Post by: Newby on June 03, 2005, 07:07:25 pm
I figure I'd save him the reading (I didn't read it either).
Title: Re: HopFake
Post by: deadly7 on June 03, 2005, 07:32:34 pm
Ah. That'd be why. Thanks Quik/Newby.
Title: Re: HopFake
Post by: trust on June 22, 2005, 11:24:49 am
Why is this useful?
Title: Re: HopFake
Post by: iago on June 26, 2005, 02:46:22 pm
Obscurity is a very big and important part of Information Security since attackers can't attack what they don't know exists.

This, if set up properly on your network, can make an attacker believe they are going through a firewall that they aren't, so they might focus effort on breaking into that firewall.  You can also make it look like you have routing problems so that it's being routed through an external server, off the network, then back into your network.  Then they might focus their concentration in the wrong place.  And perhaps that other place is a honeypot, and when they try attacking the wrong system they are already on your radar, and it's game over for them.

If you have HopFake running on many machines with proper fake hops set up, and an attacker is trying to build a map of your network (which is something very handy when trying to attack), they can be totally messed up.  Again, it would have to be set with realistic-looking IPs.

That's just a few ways I can think of using it.