HopFake

Started by iago, June 03, 2005, 11:55:17 AM


iago

I debated whether to put this in Software Review or here.  I decided that we need more posts on Network Security, so here we are.

Anyway, HopFake can be downloaded here:
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=hopfake

It is used to muck up traceroutes.

Here is a sample configuration file:
ipc@SlackSec:~/downloads$ cat /etc/hopfake/hops-file-example
# This is a hops-file example
# -------------------------------------------

138.147.50.5
140.183.234.10
192.5.18.104
192.5.18.105
192.5.18.106
192.5.18.107
192.5.18.108
198.116.142.1
198.116.142.34

And here is a sample run:
ipc@SlackSec:~/downloads$ sudo hopfake -i eth0 -c /etc/hopfake/hops-file-example
# /usr/sbin/iptables -I OUTPUT -s 10.100.254.210 -p icmp --icmp-type port-unreachable -m ttl --ttl 64 -j DROP > /dev/null 2> /dev/null
# /usr/sbin/iptables -I OUTPUT -s 10.100.254.210 -p icmp --icmp-type echo-reply -m ttl --ttl 64 -j DROP > /dev/null 2> /dev/null

And then, when I try tracerouting that computer from my laptop:
rbowes:~$ traceroute 10.100.254.210
traceroute to 10.100.254.210 (10.100.254.210), 30 hops max, 38 byte packets
 1  spider.ncts.navy.mil (138.147.50.5)  15.164 ms  19.538 ms  59.992 ms
 2  www.army.mil (140.183.234.10)  59.983 ms  20.841 ms  39.997 ms
 3  darpademo1.darpa.mil (192.5.18.104)  40.161 ms  20.592 ms  39.948 ms
 4  iso.darpa.mil (192.5.18.105)  39.027 ms  20.733 ms  40.863 ms
 5  ws18-106.darpa.mil (192.5.18.106)  41.023 ms  23.754 ms  41.403 ms
 6  dtsn.darpa.mil (192.5.18.107)  40.616 ms  20.243 ms  40.615 ms
 7  daml.darpa.mil (192.5.18.108)  39.973 ms  20.342 ms  40.070 ms
 8  border.hcn.hq.nasa.gov (198.116.142.1)  39.291 ms  22.079 ms  40.937 ms
 9  198.116.142.34 (198.116.142.34)  38.979 ms !H  20.614 ms !H  39.999 ms !H

Note that that's just the default file; you can specify any IPs.  It can be a lot of fun :)
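One thing worth noticing in that sample run, if you are ever reviewing traceroutes of your own: the best (minimum) RTT barely changes across nine "hops" in four different organisations, because one host is answering for all of them. The Python below is an added example, not HopFake's code and not from the post; it parses that output and flags a path whose best RTTs are flat. The 5 ms window and 75 % threshold are assumed, coarse values, not measured ones.

```python
import re
import statistics

# Constructed copy of the traceroute shown in the post (hop numbers 1-8 added;
# the original printout only kept the number on hop 9).
SAMPLE_TRACE = """\
traceroute to 10.100.254.210 (10.100.254.210), 30 hops max, 38 byte packets
 1  spider.ncts.navy.mil (138.147.50.5)  15.164 ms  19.538 ms  59.992 ms
 2  www.army.mil (140.183.234.10)  59.983 ms  20.841 ms  39.997 ms
 3  darpademo1.darpa.mil (192.5.18.104)  40.161 ms  20.592 ms  39.948 ms
 4  iso.darpa.mil (192.5.18.105)  39.027 ms  20.733 ms  40.863 ms
 5  ws18-106.darpa.mil (192.5.18.106)  41.023 ms  23.754 ms  41.403 ms
 6  dtsn.darpa.mil (192.5.18.107)  40.616 ms  20.243 ms  40.615 ms
 7  daml.darpa.mil (192.5.18.108)  39.973 ms  20.342 ms  40.070 ms
 8  border.hcn.hq.nasa.gov (198.116.142.1)  39.291 ms  22.079 ms  40.937 ms
 9  198.116.142.34 (198.116.142.34)  38.979 ms !H  20.614 ms !H  39.999 ms !H
"""

HOP_RE = re.compile(r"^\s*(?:(\d+)\s+)?(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)\s+(.*)$")
RTT_RE = re.compile(r"([\d.]+)\s+ms(?:\s+(![A-Za-z]+))?")

def parse_traceroute(text):
    """Parse Linux traceroute output into dicts: index, name, addr, rtts (ms),
    flags (e.g. "!H" = host unreachable).  The header line is skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m or line.startswith("traceroute to"):
            continue
        rtts, flags = [], []
        for ms, flag in RTT_RE.findall(m.group(4)):
            rtts.append(float(ms))
            if flag:
                flags.append(flag)
        hops.append({"index": int(m.group(1) or len(hops) + 1),
                     "name": m.group(2), "addr": m.group(3),
                     "rtts": rtts, "flags": flags})
    return hops

def flat_rtt_hops(hops, window_ms=5.0):
    """Hops whose best (minimum) RTT lies within window_ms of the path's median
    best RTT.  Best RTT normally grows with distance; many hops sharing one
    best RTT is consistent with a single host answering for all of them."""
    best = [min(h["rtts"]) for h in hops if h["rtts"]]
    centre = statistics.median(best)
    return [h for h in hops if h["rtts"] and abs(min(h["rtts"]) - centre) <= window_ms]

def looks_faked(hops, min_hops=5, fraction=0.75):
    """Coarse heuristic (assumed thresholds): enough hops share one best RTT."""
    return len(hops) >= min_hops and len(flat_rtt_hops(hops)) / len(hops) >= fraction
```

The parser also accepts lines without a leading hop number (as in the raw printout above), numbering them by position; on the sample, hops 2 through 9 all sit within 5 ms of the median best RTT.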

Mythix

that..was..awesome

I will definitely be playing around with that.
Philosophy, n. A route of many roads leading from nowhere to nothing.

- Ambrose Bierce


iago

Incidentally, you really are pinging the .mil sites, so I'd recommend changing the IPs to something a little less angry :)

deadly7

What is Traceroute? My Windows computer obviously doesn't have it, according to Mr. Search Wizard.
[17:42:21.609] <Ergot> Kutsuju your girlfriend's pussy must be a 403 error for you
[17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Quik

[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and lit up the sky for 6 min
[20:21:15] xar: that was funny

Newby

It's tracert in Windows, IIRC.
- Newby
http://www.x86labs.org

[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote from: Rule on June 30, 2008, 01:13:20 PM
Quote from: CrAz3D on June 30, 2008, 10:38:22 AM
I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Quik

Correct. That was explained on the wiki.

Newby

I figure I'd save him the reading (I didn't read it either).

deadly7

Ah. That'd be why. Thanks Quik/Newby.

trust

Why is this useful?

iago

Obscurity is a very big and important part of Information Security since attackers can't attack what they don't know exists.

This, if set up properly on your network, can make an attacker believe they are going through a firewall that they aren't, so they might focus effort on breaking into that firewall.  You can also make it look like you have routing problems so that it's being routed through an external server, off the network, then back into your network.  Then they might focus their concentration in the wrong place.  And perhaps that other place is a honeypot, and when they try attacking the wrong system they are already on your radar, and it's game over for them.

If you have HopFake running on many machines with proper fake hops set up, and an attacker is trying to build a map of your network (which is something very handy when trying to attack), they can be totally messed up.  Again, it would have to be set with realistic-looking IPs.

That's just a few ways I can think of using it.