Author Topic: HopFake  (Read 5220 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
HopFake
« on: June 03, 2005, 11:55:17 am »
I debated whether to put this in Software Review or here.  I decided that we need more posts on Network Security, so here we are.

Anyway, HopFake can be downloaded here:
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=hopfake

And is used to muck up traceroute's.

Here is a sample configuration file:
Quote
ipc@SlackSec:~/downloads$ cat /etc/hopfake/hops-file-example
# This is a hops-file example
# -------------------------------------------

138.147.50.5
140.183.234.10
192.5.18.104
192.5.18.105
192.5.18.106
192.5.18.107
192.5.18.108
198.116.142.1
198.116.142.34

And here is a sample run:
Quote
ipc@SlackSec:~/downloads$ sudo hopfake -i eth0 -c /etc/hopfake/hops-file-example
# /usr/sbin/iptables -I OUTPUT -s 10.100.254.210 -p icmp --icmp-type port-unreachable -m ttl --ttl 64 -j DROP > /dev/null 2> /dev/null
# /usr/sbin/iptables -I OUTPUT -s 10.100.254.210 -p icmp --icmp-type echo-reply -m ttl --ttl 64 -j DROP > /dev/null 2> /dev/null

And then, when I try traceroute'ing that computer from my laptop:
rbowes:~$ traceroute 10.100.254.210
Quote
traceroute to 10.100.254.210 (10.100.254.210), 30 hops max, 38 byte packets
 1  spider.ncts.navy.mil (138.147.50.5)  15.164 ms  19.538 ms  59.992 ms
 2  www.army.mil (140.183.234.10)  59.983 ms  20.841 ms  39.997 ms
 3  darpademo1.darpa.mil (192.5.18.104)  40.161 ms  20.592 ms  39.948 ms
 4  iso.darpa.mil (192.5.18.105)  39.027 ms  20.733 ms  40.863 ms
 5  ws18-106.darpa.mil (192.5.18.106)  41.023 ms  23.754 ms  41.403 ms
 6  dtsn.darpa.mil (192.5.18.107)  40.616 ms  20.243 ms  40.615 ms
 7  daml.darpa.mil (192.5.18.108)  39.973 ms  20.342 ms  40.070 ms
 8  border.hcn.hq.nasa.gov (198.116.142.1)  39.291 ms  22.079 ms  40.937 ms
 9  198.116.142.34 (198.116.142.34)  38.979 ms !H  20.614 ms !H  39.999 ms !H

Note that that's just a default file, you can specify any IPs.  It can be a lot of fun :)

Offline Mythix

  • The Dude
  • x86
  • Hero Member
  • *****
  • Posts: 1569
  • Victory
    • View Profile
    • Dark-Wire
Re: HopFake
« Reply #1 on: June 03, 2005, 12:22:37 pm »
that..was..awesome

I will definately be playing around with that.
Philosophy, n. A route of many roads leading from nowhere to nothing.

- Ambrose Bierce


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: HopFake
« Reply #2 on: June 03, 2005, 12:26:32 pm »
Incidentally, you really are pinging the .mil sites, so I'd recommend changing the IPs to something a little less angry :)

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: HopFake
« Reply #3 on: June 03, 2005, 06:31:02 pm »
What is Traceroute, as my Windows computer obviously doesn't have it, according to Mr. Search Wizard.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: HopFake
« Reply #4 on: June 03, 2005, 06:41:37 pm »
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: HopFake
« Reply #5 on: June 03, 2005, 06:43:44 pm »
It's tracert in Windows, IIRC.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: HopFake
« Reply #6 on: June 03, 2005, 06:50:05 pm »
Correct. That was explained on the wiki.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: HopFake
« Reply #7 on: June 03, 2005, 07:07:25 pm »
I figure I'd save him the reading (I didn't read it either).
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: HopFake
« Reply #8 on: June 03, 2005, 07:32:34 pm »
Ah. That'd be why. Thanks Quik/Newby.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

trust

  • Guest
Re: HopFake
« Reply #9 on: June 22, 2005, 11:24:49 am »
Why is this useful?

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: HopFake
« Reply #10 on: June 26, 2005, 02:46:22 pm »
Obscurity is a very big and important part of Information Security since attackers can't attack what they don't know exists.

This, if set up properly on your network, can make an attacker believe they are going through a firewall that they aren't, so they might focus effort on breaking into that firewall.  You can also make it look like you have routing problems so that it's being routed through an external server, off the network, then back into your network.  Then they might focus their concentration in the wrong place.  And perhaps that other place is a honeypot, and when they try attacking the wrong system they are already on your radar, and it's game over for them.

If you have HopFake running on many machines with proper fake hops set up, and an attacker is trying to build a map of your network (which is something very handy when trying to attack), they can be totally messed up.  Again, it would have to be set with realistic-looking ip's.

That's just a few ways I can think of using it.