Please refer to the rationale, the disclaimer and the requirements from my previous post. The objective is to have the powerful network tool hping3 available on the 730-750/1430-1450 boxes (730 tested).
hping3 depends on libpcap, so let's build it first. The output will be stored in your home directory:
git clone https://github.com/the-tcpdump-group/libpcap
cd libpcap
git checkout origin/libpcap-1.9
autoreconf -i
./configure --prefix=${HOME}/libpcap-1.9.1 --build x86_64-pc-linux-gnu --host arm-linux-gnueabihf
make install
Check the output:
file ${HOME}/libpcap-1.9.1/lib/libpcap.so.1.9.1
/home/ps-101-ro/libpcap-1.9.1/lib/libpcap.so.1.9.1: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, BuildID[sha1]=bfe088ad0727a0f5198ddcfe4cad407a65e10759, not stripped
Now let's build a statically linked hping3:
git clone https://github.com/antirez/hping.git
cd hping
git checkout master
Change Makefile.in to read:
CC=/usr/bin/arm-linux-gnueabihf-gcc
AR=/usr/bin/arm-linux-gnueabihf-ar
RANLIB=/usr/bin/arm-linux-gnueabihf-ranlib
CCOPT= -DBYTE_ORDER_LITTLE_ENDIAN -D__LITTLE_ENDIAN_BITFIELD -I${HOME}/libpcap-1.9.1/include -I${HOME}/libpcap-1.9.1/include/pcap -L${HOME}/libpcap-1.9.1/lib
LD=/usr/bin/arm-linux-gnueabihf-ld
DEBUG= -g
Run:
./configure --prefix=/storage --build x86_64-pc-linux-gnu --host arm-linux-gnueabihf --no-tcl
In libpcap_stuff.c, replace:
#include <net/bpf.h>
with:
#include <pcap/bpf.h>
Run:
make hping3-static
Check the output:
file hping3-static
hping3-static: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=bf7d209a3322f2ed2560854270fae398354b8fc5, not stripped
Shrink it:
arm-linux-gnueabihf-strip hping3-static
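The whole procedure above as one script, an added example that is not part of the original post: the two clone-and-configure sequences are wrapped in functions, and the hand edits to Makefile.in and libpcap_stuff.c are done with sed so the build is repeatable. The commands, flags and paths are the ones from the post; the function names and the PCAP_PREFIX and CROSS variables are mine, and the toolchain location /usr/bin/arm-linux-gnueabihf-* is an assumption taken from the Makefile.in values above.

```shell
#!/bin/sh
# Added example, not from the original post: scripted version of the libpcap
# and hping3 cross-build described above. Function names, PCAP_PREFIX and
# CROSS are this script's own; the commands and flags are the post's.
set -e

# Where libpcap gets installed (same prefix as in the post) and the cross
# toolchain prefix (assumed: Debian/Ubuntu arm-linux-gnueabihf packages).
PCAP_PREFIX="${PCAP_PREFIX:-${HOME}/libpcap-1.9.1}"
CROSS="${CROSS:-/usr/bin/arm-linux-gnueabihf-}"

# Set NAME=VALUE in a Makefile.in: replace the line if NAME= already exists,
# otherwise append it, so the rest of the file is left untouched.
set_make_var() {
    file="$1"; name="$2"; value="$3"
    if grep -q "^${name}=" "$file"; then
        sed -e "s#^${name}=.*#${name}=${value}#" "$file" > "${file}.tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$name" "$value"; } > "${file}.tmp"
    fi
    mv "${file}.tmp" "$file"
}

# The hand edits from the post: toolchain variables and CCOPT in Makefile.in,
# and <net/bpf.h> -> <pcap/bpf.h> in libpcap_stuff.c. $1 is the hping checkout.
patch_hping_sources() {
    dir="$1"
    set_make_var "$dir/Makefile.in" CC     "${CROSS}gcc"
    set_make_var "$dir/Makefile.in" AR     "${CROSS}ar"
    set_make_var "$dir/Makefile.in" RANLIB "${CROSS}ranlib"
    set_make_var "$dir/Makefile.in" LD     "${CROSS}ld"
    set_make_var "$dir/Makefile.in" CCOPT \
        " -DBYTE_ORDER_LITTLE_ENDIAN -D__LITTLE_ENDIAN_BITFIELD -I${PCAP_PREFIX}/include -I${PCAP_PREFIX}/include/pcap -L${PCAP_PREFIX}/lib"
    set_make_var "$dir/Makefile.in" DEBUG  " -g"
    sed -e 's#<net/bpf.h>#<pcap/bpf.h>#' "$dir/libpcap_stuff.c" > "$dir/libpcap_stuff.c.tmp"
    mv "$dir/libpcap_stuff.c.tmp" "$dir/libpcap_stuff.c"
}

# Step 1 of the post: libpcap 1.9 cross-built and installed under PCAP_PREFIX.
build_libpcap() {
    git clone https://github.com/the-tcpdump-group/libpcap
    cd libpcap
    git checkout origin/libpcap-1.9
    autoreconf -i
    ./configure --prefix="${PCAP_PREFIX}" --build x86_64-pc-linux-gnu --host arm-linux-gnueabihf
    make install
    cd ..
    file "${PCAP_PREFIX}/lib/libpcap.so.1.9.1"
}

# Step 2 of the post: static hping3, then stripped before upload to the box.
build_hping3_static() {
    git clone https://github.com/antirez/hping.git
    cd hping
    git checkout master
    patch_hping_sources .
    ./configure --prefix=/storage --build x86_64-pc-linux-gnu --host arm-linux-gnueabihf --no-tcl
    make hping3-static
    file hping3-static
    "${CROSS}strip" hping3-static
    cd ..
}

# Only run the network-heavy build when asked ("sh build-hping3.sh build");
# running or sourcing the file without arguments just defines the functions.
if [ "${1:-}" = "build" ]; then
    build_libpcap
    build_hping3_static
fi
```

Note that the Makefile.in edits are applied before ./configure, since configure generates the Makefile from Makefile.in; the include fix in libpcap_stuff.c is independent of configure and can go either side of it.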
Upload hping3-static to /storage/ in your box and fire it up (I tried to find the open TCP ports on the gateway two hops upstream):
./hping3-static -V -n --scan 21-80 -S 203.0.xxx.yyy
using WAN, addr: 172.17.xxx.yyy, MTU: 1500
Scanning 203.0.xxx.yyy (203.0.xxx.yyy), port 21-80
60 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
53 domain : ....A... 63 5917 14600 46
80 www : ....A... 63 6173 14600 46
All replies received. Done.
Not responding ports: (21 ftp) (22 ssh) (23 telnet) (24 ) (25 smtp) (26 ) (27 ) (28 ) (29 ) (30 ) (31 ) (32 ) (33 ) (34 ) (35 ) (36 ) (37 time) (38 ) (39 rlp) (40 ) (41 ) (42 nameserver) (43 whois) (44 ) (45 ) (46 ) (47 ) (48 ) (49 ) (50 re-mail-ck) (51 ) (52 ) (54 ) (55 ) (56 ) (57 mtp) (58 ) (59 ) (60 ) (61 ) (62 ) (63 ) (64 ) (65 ) (66 ) (67 bootps) (68 bootpc) (69 tftp) (70 gopher) (71 ) (72 ) (73 ) (74 ) (75 ) (76 ) (77 rje) (78 ) (79 finger)
Using hping3 might refresh our memory regarding the order in which protections are applied in a Check Point gateway:
fw unloadlocal && echo 1 > /proc/sys/net/ipv4/ip_forward
./hping3-static -V -p 80 -S -d 1000 -f 203.0.xxx.yyy &
... there will be no answer...
fw ctl zdebug + drop
... output omitted ...
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 172.17.xxx.yyy:1859 -> 203.0.xxx.yyy:80 dropped by asm_stateless_verifier Reason: received SYN packet with data, packet dropped.;
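The drop record above fed into a small triage helper, an added example that is not part of the original post: it pulls protocol, endpoints, the kernel function that dropped the packet and the stated reason out of fw ctl zdebug + drop lines of the shape shown, then counts drops per function and reason, which is how you tell stateless-verifier drops from rule-base drops in a busy debug capture. The function names are mine; of the sample lines, the first is the one from the post and the rest are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: field extraction and per-reason
# counting for "fw ctl zdebug + drop" output. Input is read from stdin.
set -e

# One line in -> "proto|src|dst|dropped_by|reason" out; lines that are not
# fw_log_drop_ex records are skipped.
parse_drop_lines() {
    sed -E -n 's/.*fw_log_drop_ex: Packet proto=([0-9]+) ([^ ]+) -> ([^ ]+) dropped by ([^ ]+) Reason: ([^;]*);?$/\1|\2|\3|\4|\5/p'
}

# Aggregate to "<count> <dropped_by>: <reason>", most frequent first.
count_drop_reasons() {
    parse_drop_lines \
        | awk -F'|' '{ c[$4 ": " $5]++ } END { for (k in c) print c[k], k }' \
        | sort -rn
}

# Constructed sample capture: line 1 is the post's own record (masked
# addresses kept), lines 2-4 are made up for the example, the last one being
# a non-drop debug line that the parser must ignore.
SAMPLE_DROPS=';[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 172.17.xxx.yyy:1859 -> 203.0.xxx.yyy:80 dropped by asm_stateless_verifier Reason: received SYN packet with data, packet dropped.;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 172.17.xxx.yyy:1860 -> 203.0.xxx.yyy:80 dropped by asm_stateless_verifier Reason: received SYN packet with data, packet dropped.;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=17 172.17.xxx.yyy:40000 -> 203.0.xxx.yyy:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 3;
;[cpu_1];[fw4_1];fw_conn_post_inspect: some other debug line;'

# "sh drop-triage.sh demo" prints the summary for the sample; in practice pipe
# the saved zdebug output into count_drop_reasons instead.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_DROPS" | count_drop_reasons
fi
```

On the sample the summary is two lines, the verifier drops on top; the parsed fields are separated by "|" so they can be fed straight into cut or awk for further filtering by source port or destination.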
Stay healthy, stay secured!