I really love ping! It is easy to use and directly reveals whether the network works or not.Refer to Why Ping is no Security Flaw! (But your Friend) and Advanced Tracerouting . At least outgoing pings (from trust to untrust) should be allowed without any security concerns. However, many companies are denying these ICMP echo-requests from untrust into the DMZ which makes it difficult to test whether all servers are up and running.
I was sitting at the customer’s site replacing the DMZ firewall. Of course I wanted to know (from the outside) whether all servers are connected correctly (NAT) and whether the firewall permits the connections (policy). However, ping was not allowed. Therefore I used several layer 7 ping tools that generate HTTP, DNS, or SMTP sessions (instead of ICMP echo-requests) and revealed whether the services (and not only the servers) were running. Great!
This post shows the installation and usage of httping, dnsping, and smtpping on a Linux machine, in my case aUbuntu server 14.04.4 LTS, as well as some Wireshark screenshots from captured sessions.
As the name implies, httping sends HTTP requests . Note that the name of the tool has only one “p” in its spelling. The tool is available at GitHub . Some information about it can be seen here . The installation process looks as follows:
sudoapt-get installlibncursesw5-devlibssl-devlibfftw3-devgettext gitclone https://github.com/flok99/httping.git cd httping/ sudomake install
(Note that a simple sudo apt – get install httping delivers a very old version of httping and is not recommended.)
For a basic functionality it only needs the hostname as an option, such as httping blog .webernetz .net . Many more options are available and it also supports HTTPS with SSL/TLS. Examples:
weberjoh@jw-nb12:~$ httpingblog.webernetz.net PINGblog.webernetz.net:80 (blog.webernetz.net): connectedto 22.214.171.124:80 (400 bytes), seq=0 time=381.24 ms connectedto 126.96.36.199:80 (400 bytes), seq=1 time=394.30 ms connectedto 188.8.131.52:80 (400 bytes), seq=2 time=373.54 ms connectedto 184.108.40.206:80 (400 bytes), seq=3 time=370.39 ms connectedto 220.127.116.11:80 (400 bytes), seq=4 time=396.91 ms ^CGotsignal 2 --- blog.webernetz.net pingstatistics --- 5 connects, 5 ok, 0.00% failed, time 6408ms round-tripmin/avg/max = 370.4/383.3/396.9 ms weberjoh@jw-nb12:~$ weberjoh@jw-nb12:~$ weberjoh@jw-nb12:~$ weberjoh@jw-nb12:~$ httping -6 https://www.insinuator.net/ AutoenablingSSLdueto https-URL PINGwww.insinuator.net:443 (/): connectedto [2003:60:4010:11b0::12]:443 (279 bytes), seq=0 time=685.03 ms connectedto [2003:60:4010:11b0::12]:443 (279 bytes), seq=1 time=712.15 ms connectedto [2003:60:4010:11b0::12]:443 (279 bytes), seq=2 time=631.81 ms connectedto [2003:60:4010:11b0::12]:443 (279 bytes), seq=3 time=722.95 ms ^CGotsignal 2 --- https://www.insinuator.net/ pingstatistics --- 4 connects, 4 ok, 0.00% failed, time 6228ms round-tripmin/avg/max = 631.8/688.0/723.0 ms weberjoh@jw-nb12:~$
Following is a screenshot from httping with the color mode (-Y) and the –threshold-red and –threshold-yellow parameters (which I really like), as well as two screenshots from Wireshark , one with an http session (note the SYN packets as well as the HEAD request and 200 OK answer) and one with a https session (Client Hello, Application Data, …):
gitclone https://github.com/farrokhi/dnsdiag.git cd dnsdiag/ gitsubmoduleupdate --init
Without any further options it sends a type A query for the hostname to the default DNS server (/etc/resolv.conf). But a few options are possible, such as the DNS server (-s SERVER) or the type of the query (-t TYPE):
weberjoh@jw-nb12:~$ cd dnsdiag/ weberjoh@jw-nb12:~/dnsdiag$ ./dnsping.py blog.webernetz.net dnsping.py 18.104.22.168: hostname=blog.webernetz.net rdatatype=A 45 bytesfrom 22.214.171.124: seq=0 time=17.682 ms 44 bytesfrom 126.96.36.199: seq=1 time=15.788 ms 45 bytesfrom 188.8.131.52: seq=2 time=31.627 ms 45 bytesfrom 184.108.40.206: seq=3 time=32.032 ms 45 bytesfrom 220.127.116.11: seq=4 time=16.608 ms 45 bytesfrom 18.104.22.168: seq=5 time=15.957 ms 44 bytesfrom 22.214.171.124: seq=6 time=16.467 ms 45 bytesfrom 126.96.36.199: seq=7 time=32.676 ms 45 bytesfrom 188.8.131.52: seq=8 time=16.101 ms 45 bytesfrom 184.108.40.206: seq=9 time=28.697 ms --- 220.127.116.11 dnspingstatistics --- 10 requeststransmitted, 10 responsesreceived, 0% lost min=15.788 ms, avg=22.364 ms, max=32.676 ms, stddev=7.739 ms weberjoh@jw-nb12:~/dnsdiag$ weberjoh@jw-nb12:~/dnsdiag$ weberjoh@jw-nb12:~/dnsdiag$ weberjoh@jw-nb12:~/dnsdiag$ ./dnsping.py -s ns1.weberdns.de -t aaaapa.weberdns.de dnsping.py DNS: 2003:51:6012:110::22:53, hostname: pa.weberdns.de, rdatatype: aaaa 48 bytesfrom 2003:51:6012:110::22: seq=0 time=11.289 ms 48 bytesfrom 2003:51:6012:110::22: seq=1 time=2.408 ms 48 bytesfrom 2003:51:6012:110::22: seq=2 time=1.933 ms 48 bytesfrom 2003:51:6012:110::22: seq=3 time=1.881 ms 48 bytesfrom 2003:51:6012:110::22: seq=4 time=1.911 ms 48 bytesfrom 2003:51:6012:110::22: seq=5 time=1.859 ms 48 bytesfrom 2003:51:6012:110::22: seq=6 time=1.889 ms 48 bytesfrom 2003:51:6012:110::22: seq=7 time=1.846 ms 48 bytesfrom 2003:51:6012:110::22: seq=8 time=1.888 ms 48 bytesfrom 2003:51:6012:110::22: seq=9 time=1.867 ms --- 2003:51:6012:110::22 dnspingstatistics --- 10 requeststransmitted, 10 responsesreceived, 0% lost min=1.846 ms, avg=2.877 ms, max=11.289 ms, stddev=2.960 ms weberjoh@jw-nb12:~/dnsdiag$
In Wireshark , it looks like that:
(Note the two other tools out of the DNSDiag kit: dnseval .py and dnstraceroute .py .)
Finally, smtpping sends test mails . It defaults to “unlimited” mails, so be carefully with it and use the -c option! It is available at GitHub , too. Use the following commands to install it:
gitclone https://github.com/halonsecurity/smtpping.git cd smtpping/ cmake . make
A sample run of four test mails is this: . / smtpping – c 4 johannes @ webertest .net , but at least the sender (empty by default) with -S should be used. -d is the debug mode:
weberjoh@jw-nb12:~$ cd smtpping/ weberjoh@jw-nb12:~/smtpping$ ./smtpping -c 4 email@example.com PINGjohannes@webertest.net ([18.104.22.168]:25): 10305 bytes (SMTPDATA) seq=1, connect=1.14 ms, helo=5.46 ms, mailfrom=7.56 ms, rcptto=9.13 ms, datasent=35.17 ms, quit=37.37 ms seq=2, connect=1.52 ms, helo=3.55 ms, mailfrom=5.18 ms, rcptto=8.09 ms, datasent=30.68 ms, quit=35.81 ms seq=3, connect=1.18 ms, helo=2.73 ms, mailfrom=3.86 ms, rcptto=4.92 ms, datasent=24.40 ms, quit=28.19 ms seq=4, connect=1.34 ms, helo=5.34 ms, mailfrom=6.51 ms, rcptto=7.59 ms, datasent=38.38 ms, quit=43.11 ms --- 22.214.171.124 SMTPpingstatistics --- 4 e-mailmessagestransmitted connectmin/avg/max = 1.14/1.29/1.52 ms bannermin/avg/max = 1.97/2.92/4.36 ms helomin/avg/max = 2.73/4.27/5.46 ms mailfrommin/avg/max = 3.86/5.78/7.56 ms rcpttomin/avg/max = 4.92/7.43/9.13 ms datamin/avg/max = 5.66/8.24/9.70 ms datasentmin/avg/max = 24.40/32.16/38.38 ms quitmin/avg/max = 28.19/36.12/43.11 ms weberjoh@jw-nb12:~/smtpping$ weberjoh@jw-nb12:~/smtpping$ weberjoh@jw-nb12:~/smtpping$ weberjoh@jw-nb12:~/smtpping$ ./smtpping -c 1 -S firstname.lastname@example.org -d email@example.com PINGjohannes@webernetz.net ([126.96.36.199]:25): 10253 bytes (SMTPDATA) response 220 mx0.webpack.hosteurope.de ESMTP (mi005.mc1.hosteurope.de) (evenmore power) Wed, 04 May 2016 16:26:05 +0200 response 250 mi005.mc1.hosteurope.de Hellolocalhost.localdomain [188.8.131.52] response 250 OK response 250 Accepted response 354 Entermessage, endingwith "." on a linebyitself response 250 OKid=1axxkb-00048e-GD response 221 mi005.mc1.hosteurope.de closingconnection seq=1, connect=7.65 ms, helo=52.61 ms, mailfrom=62.02 ms, rcptto=77.89 ms, datasent=813.17 ms, quit=821.86 ms --- 184.108.40.206 SMTPpingstatistics --- 1 e-mailmessagestransmitted connectmin/avg/max = 7.65/7.65/7.65 ms bannermin/avg/max = 32.75/32.75/32.75 ms helomin/avg/max = 52.61/52.61/52.61 ms mailfrommin/avg/max = 62.02/62.02/62.02 ms rcpttomin/avg/max = 77.89/77.89/77.89 ms datamin/avg/max = 87.41/87.41/87.41 ms datasentmin/avg/max = 813.17/813.17/813.17 ms quitmin/avg/max = 821.86/821.86/821.86 ms
Here are a few screenshots from Wireshark, Cisco ESA, and Thunderbird with these test mails. Refer to the descriptions beneath the screenshots:
At the End
I am really happy with those tools.They are easy to use and can help monitoring some services while changing network or firewall settings. And they are a good argument for those security admins that still believe, that denying ping is a good security approach. Cheers!