
Advanced Ping: httping, dnsping, smtpping

I really love ping! It is easy to use and directly reveals whether the network works or not. Refer to "Why Ping is no Security Flaw! (But your Friend)" and "Advanced Tracerouting". At least outgoing pings (from trust to untrust) should be allowed without any security concerns. However, many companies deny these ICMP echo-requests from untrust into the DMZ, which makes it difficult to test whether all servers are up and running.

I was sitting at the customer’s site replacing the DMZ firewall. Of course I wanted to know (from the outside) whether all servers are connected correctly (NAT) and whether the firewall permits the connections (policy). However, ping was not allowed. Therefore I used several layer 7 ping tools that generate HTTP, DNS, or SMTP sessions (instead of ICMP echo-requests) and revealed whether the services (and not only the servers) were running. Great!

This post shows the installation and usage of httping, dnsping, and smtpping on a Linux machine, in my case an Ubuntu server 14.04.4 LTS, as well as some Wireshark screenshots from captured sessions.

httping

As the name implies, httping sends HTTP requests. Note that the name of the tool has only one "p" in its spelling. The tool is available at GitHub, and its author publishes some information about it. The installation process looks as follows:

sudo apt-get install libncursesw5-dev libssl-dev libfftw3-dev gettext
git clone https://github.com/flok99/httping.git
cd httping/
sudo make install

(Note that a simple sudo apt-get install httping delivers a very old version of httping and is not recommended.)

For basic functionality it only needs the hostname as an argument, such as httping blog.webernetz.net. Many more options are available, and it also supports HTTPS with SSL/TLS. Examples:

weberjoh@jw-nb12:~$ httping blog.webernetz.net
PING blog.webernetz.net:80 (blog.webernetz.net):
connected to 80.237.133.136:80 (400 bytes), seq=0 time=381.24 ms
connected to 80.237.133.136:80 (400 bytes), seq=1 time=394.30 ms
connected to 80.237.133.136:80 (400 bytes), seq=2 time=373.54 ms
connected to 80.237.133.136:80 (400 bytes), seq=3 time=370.39 ms
connected to 80.237.133.136:80 (400 bytes), seq=4 time=396.91 ms
^CGot signal 2
--- blog.webernetz.net ping statistics ---
5 connects, 5 ok, 0.00% failed, time 6408ms
round-trip min/avg/max = 370.4/383.3/396.9 ms
weberjoh@jw-nb12:~$
weberjoh@jw-nb12:~$ httping -6 https://www.insinuator.net/
Auto enabling SSL due to https-URL
PING www.insinuator.net:443 (/):
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=0 time=685.03 ms
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=1 time=712.15 ms
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=2 time=631.81 ms
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=3 time=722.95 ms
^CGot signal 2
--- https://www.insinuator.net/ ping statistics ---
4 connects, 4 ok, 0.00% failed, time 6228ms
round-trip min/avg/max = 631.8/688.0/723.0 ms
weberjoh@jw-nb12:~$

Following is a screenshot from httping with the color mode (-Y) and the --threshold-red and --threshold-yellow parameters (which I really like), as well as two screenshots from Wireshark, one with an HTTP session (note the SYN packets as well as the HEAD request and the 200 OK answer) and one with an HTTPS session (Client Hello, Application Data, ...):

[Screenshot: httping with color mode.]

[Screenshot: httping to an HTTP host.]

[Screenshot: httping to an HTTPS host.]
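The exchange httping performs (TCP connect, one HEAD request, the 200 OK answer, then the round-trip statistics), as an added Python example that is not httping's own code: it times each probe, counts refused or timed-out connections as failures, and summarizes like httping's statistics block. The _Always200 handler is a constructed local target so the example runs offline; all function names are my own.

```python
import socket, statistics, threading, time
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_head_rtt(host, port, path="/", timeout=3.0):
    """TCP connect, send one HEAD, read the response headers; return (status, rtt_ms)."""
    request = (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: mini-httping\r\nConnection: close\r\n\r\n").encode()
    start = time.perf_counter()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:          # read until the header block is complete
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    rtt_ms = (time.perf_counter() - start) * 1000.0
    parts = data.split(b"\r\n", 1)[0].split()   # status line, e.g. b"HTTP/1.0 200 OK"
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return status, rtt_ms


def httping(host, port, count=5, path="/"):
    """Probe `count` times and return a summary like httping's statistics block."""
    times = []
    for seq in range(count):
        try:
            status, rtt = http_head_rtt(host, port, path)
            times.append(rtt)
            print(f"connected to {host}:{port} status={status} seq={seq} time={rtt:.2f} ms")
        except OSError as exc:                  # refused, reset or timed out: a failed probe
            print(f"seq={seq} failed: {exc}")
    ok = len(times)
    return {"connects": count, "ok": ok, "failed_pct": 100.0 * (count - ok) / count,
            "min": min(times, default=None), "max": max(times, default=None),
            "avg": statistics.mean(times) if times else None}


class _Always200(BaseHTTPRequestHandler):
    """Constructed local target so the probe runs offline; not a real web server."""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):               # silence per-request logging
        pass


def start_local_server():
    """Bind the constructed target to 127.0.0.1 on a free port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _Always200)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Call start_local_server() and then httping("127.0.0.1", port, count=3) to see the per-probe lines and the summary; shut the server down afterwards to watch the failure path.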

dnsping

The dnsping tool out of the DNSDiag toolkit, available on GitHub, sends DNS queries. To install it, use the following commands:

git clone https://github.com/farrokhi/dnsdiag.git
cd dnsdiag/
git submodule update --init

Without any further options it sends a type A query for the hostname to the default DNS server (/etc/resolv.conf). A few options are available, such as the DNS server (-s SERVER) or the type of the query (-t TYPE):

weberjoh@jw-nb12:~$ cd dnsdiag/
weberjoh@jw-nb12:~/dnsdiag$ ./dnsping.py blog.webernetz.net
dnsping.py 8.8.8.8: hostname=blog.webernetz.net rdatatype=A
45 bytes from 8.8.8.8: seq=0  time=17.682 ms
44 bytes from 8.8.8.8: seq=1  time=15.788 ms
45 bytes from 8.8.8.8: seq=2  time=31.627 ms
45 bytes from 8.8.8.8: seq=3  time=32.032 ms
45 bytes from 8.8.8.8: seq=4  time=16.608 ms
45 bytes from 8.8.8.8: seq=5  time=15.957 ms
44 bytes from 8.8.8.8: seq=6  time=16.467 ms
45 bytes from 8.8.8.8: seq=7  time=32.676 ms
45 bytes from 8.8.8.8: seq=8  time=16.101 ms
45 bytes from 8.8.8.8: seq=9  time=28.697 ms

--- 8.8.8.8 dnsping statistics ---
10 requests transmitted, 10 responses received,  0% lost
min=15.788 ms, avg=22.364 ms, max=32.676 ms, stddev=7.739 ms
weberjoh@jw-nb12:~/dnsdiag$
weberjoh@jw-nb12:~/dnsdiag$ ./dnsping.py -s ns1.weberdns.de -t aaaa pa.weberdns.de
dnsping.py DNS: 2003:51:6012:110::22:53, hostname: pa.weberdns.de, rdatatype: aaaa
48 bytes from 2003:51:6012:110::22: seq=0  time=11.289 ms
48 bytes from 2003:51:6012:110::22: seq=1  time=2.408 ms
48 bytes from 2003:51:6012:110::22: seq=2  time=1.933 ms
48 bytes from 2003:51:6012:110::22: seq=3  time=1.881 ms
48 bytes from 2003:51:6012:110::22: seq=4  time=1.911 ms
48 bytes from 2003:51:6012:110::22: seq=5  time=1.859 ms
48 bytes from 2003:51:6012:110::22: seq=6  time=1.889 ms
48 bytes from 2003:51:6012:110::22: seq=7  time=1.846 ms
48 bytes from 2003:51:6012:110::22: seq=8  time=1.888 ms
48 bytes from 2003:51:6012:110::22: seq=9  time=1.867 ms

--- 2003:51:6012:110::22 dnsping statistics ---
10 requests transmitted, 10 responses received,  0% lost
min=1.846 ms, avg=2.877 ms, max=11.289 ms, stddev=2.960 ms

weberjoh@jw-nb12:~/dnsdiag$

In Wireshark, it looks like this:

[Screenshot: dnsping queries and responses in Wireshark.]

(Note the two other tools out of the DNSDiag kit: dnseval.py and dnstraceroute.py.)
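What a dnsping query looks like on the wire, as an added Python example that is not part of DNSDiag: it builds the DNS query by hand (A or AAAA, the two types used above), sends it over UDP with a fresh socket per query, accepts only a reply that carries the same transaction id, and counts a missing reply as lost, like dnsping's "% lost" line. The fake resolver is a constructed offline target, not a real DNS server; the function names and the statistics layout are assumptions of this example.

```python
import random, socket, struct, threading, time
QTYPES = {"A": 1, "AAAA": 28}          # the two record types queried on this page

def build_query(name, qtype="A", txid=None):
    """One DNS query: header (RD=1, one question) + QNAME labels + QTYPE + QCLASS IN."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")]
    return txid, header + b"".join(labels) + b"\x00" + struct.pack(">HH", QTYPES[qtype], 1)

def parse_response(data, txid):
    """Accept only a reply (QR=1) that carries our transaction id; return rcode, answers, size."""
    rid, flags, _qdcount, ancount = struct.unpack(">HHHH", data[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    return {"rcode": flags & 0x000F, "answers": ancount, "bytes": len(data)}

def dnsping(server, name, qtype="A", count=3, port=53, timeout=2.0):
    """Send `count` queries over UDP, a fresh socket per query; return dnsping-style statistics."""
    times = []
    for seq in range(count):
        txid, pkt = build_query(name, qtype)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            start = time.perf_counter()
            sock.sendto(pkt, (server, port))
            try:
                data, _ = sock.recvfrom(4096)
            except OSError:                 # timeout or ICMP error: this query is lost
                continue
        times.append((time.perf_counter() - start) * 1000.0)
        info = parse_response(data, txid)
        print(f"{info['bytes']} bytes from {server}: seq={seq} rcode={info['rcode']} time={times[-1]:.3f} ms")
    got = len(times)
    return {"sent": count, "received": got, "lost_pct": 100.0 * (count - got) / count,
            "min": min(times, default=None), "max": max(times, default=None)}

def start_fake_resolver():
    """Constructed offline target, not a real resolver: echoes each query with QR=1 and NOERROR."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    def serve():
        while True:
            try:
                data, peer = sock.recvfrom(4096)
                sock.sendto(data[:2] + struct.pack(">H", 0x8180) + data[4:], peer)
            except OSError:                 # socket closed by the caller: stop serving
                return
    threading.Thread(target=serve, daemon=True).start()
    return sock, sock.getsockname()[1]
```

Against a real resolver, call dnsping("8.8.8.8", "blog.webernetz.net") or dnsping(server, "pa.weberdns.de", "AAAA") and compare the per-query lines with the dnsping.py output above.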

smtpping

Finally, smtpping sends test mails. It defaults to "unlimited" mails, so be careful with it and use the -c option! It is available at GitHub, too. Use the following commands to install it:

git clone https://github.com/halonsecurity/smtpping.git
cd smtpping/
cmake .
make

A sample run of four test mails is this: ./smtpping -c 4 johannes@webertest.net. At least the sender (empty by default) should be set with -S, though. -d is the debug mode:

weberjoh@jw-nb12:~$ cd smtpping/
weberjoh@jw-nb12:~/smtpping$ ./smtpping -c 4 johannes@webertest.net
PING johannes@webertest.net ([80.154.108.237]:25): 10305 bytes (SMTP DATA)
seq=1, connect=1.14 ms, helo=5.46 ms, mailfrom=7.56 ms, rcptto=9.13 ms, datasent=35.17 ms, quit=37.37 ms
seq=2, connect=1.52 ms, helo=3.55 ms, mailfrom=5.18 ms, rcptto=8.09 ms, datasent=30.68 ms, quit=35.81 ms
seq=3, connect=1.18 ms, helo=2.73 ms, mailfrom=3.86 ms, rcptto=4.92 ms, datasent=24.40 ms, quit=28.19 ms
seq=4, connect=1.34 ms, helo=5.34 ms, mailfrom=6.51 ms, rcptto=7.59 ms, datasent=38.38 ms, quit=43.11 ms

--- 80.154.108.237 SMTP ping statistics ---
4 e-mail messages transmitted
connect min/avg/max = 1.14/1.29/1.52 ms
banner min/avg/max = 1.97/2.92/4.36 ms
helo min/avg/max = 2.73/4.27/5.46 ms
mailfrom min/avg/max = 3.86/5.78/7.56 ms
rcptto min/avg/max = 4.92/7.43/9.13 ms
data min/avg/max = 5.66/8.24/9.70 ms
datasent min/avg/max = 24.40/32.16/38.38 ms
quit min/avg/max = 28.19/36.12/43.11 ms
weberjoh@jw-nb12:~/smtpping$
weberjoh@jw-nb12:~/smtpping$ ./smtpping -c 1 -S johannes@webertest.net -d johannes@webernetz.net
PING johannes@webernetz.net ([80.237.138.5]:25): 10253 bytes (SMTP DATA)
response 220 mx0.webpack.hosteurope.de ESMTP (mi005.mc1.hosteurope.de) (even more power) Wed, 04 May 2016 16:26:05 +0200
response 250 mi005.mc1.hosteurope.de Hello localhost.localdomain [80.154.108.228]
response 250 OK
response 250 Accepted
response 354 Enter message, ending with "." on a line by itself
response 250 OK id=1axxkb-00048e-GD
response 221 mi005.mc1.hosteurope.de closing connection
seq=1, connect=7.65 ms, helo=52.61 ms, mailfrom=62.02 ms, rcptto=77.89 ms, datasent=813.17 ms, quit=821.86 ms

--- 80.237.138.5 SMTP ping statistics ---
1 e-mail messages transmitted
connect min/avg/max = 7.65/7.65/7.65 ms
banner min/avg/max = 32.75/32.75/32.75 ms
helo min/avg/max = 52.61/52.61/52.61 ms
mailfrom min/avg/max = 62.02/62.02/62.02 ms
rcptto min/avg/max = 77.89/77.89/77.89 ms
data min/avg/max = 87.41/87.41/87.41 ms
datasent min/avg/max = 813.17/813.17/813.17 ms
quit min/avg/max = 821.86/821.86/821.86 ms

Here are a few screenshots from Wireshark, Cisco ESA, and Thunderbird with these test mails. Refer to the descriptions beneath the screenshots:

[Screenshot: If no sender (-S mail@address.foo) is present, some email gateways will classify the messages as SPAM. Seen at the Cisco ESA appliance.]

[Screenshot: This is how a test mail looks in Thunderbird.]

[Screenshot: Wireshark capture of smtpping: SYN, cleartext mail, FIN.]

[Screenshot: Wireshark follow TCP stream 1/2.]

[Screenshot: Wireshark follow TCP stream 2/2.]

At the End

I am really happy with those tools. They are easy to use and can help monitoring some services while changing network or firewall settings. And they are a good argument against those security admins who still believe that denying ping is a good security approach. Cheers!
