공격툴&정보수집 - 04. ICMP 프로토콜 & ICMP Flooding 공격

공격툴&정보수집 - 04. ICMP 프로토콜 & ICMP Flooding 공격

 

 

본 내용은 교육 과정에서 필요한 실습 목적으로 구성된 것이며, 혹시라도 개인적인 용도 및 악의적인 목적으로 사용할 경우, 법적 책임은 본인에게 있다는 것을 알려드립니다.

 

 

Ex1) Ping 명령어 및 ICMP 패켓 캡처

 

@ CentOS

 

 - 와이어샤크 실행 및 캡처 실시 (Capture -> Interfaces -> eth0 start 클릭)

 

[root@CentOS /root]# wireshark &

 

 

 - Window2008(192.168.20.201)로 Ping 실시

 

[~]#  ping -c 2 192.168.20.201
PING 192.168.20.201 (192.168.20.201) 56(84) bytes of data.
64 bytes from 192.168.20.201: icmp_seq=1 ttl=128 time=2.42 ms
64 bytes from 192.168.20.201: icmp_seq=2 ttl=128 time=0.379 ms

 

--- 192.168.20.201 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.379/1.401/2.424/1.023 ms

 

 

 - 와이어샤크 캡처 내용 확인 (Filter : icmp)

 

 

 

 

 

@ Window2008

 

 - 와이어샤크 실행 및 캡처 실시 (Capture -> Interfaces -> 로컬 영역 연결 start 클릭)

 

 

 - CentOS(192.168.20.200)으로 Ping 실시

 

C:\Users\Administrator>ping -n 2 192.168.20.200

 

Ping 192.168.20.200 32바이트 데이터 사용:
192.168.20.200의 응답: 바이트=32 시간<1ms TTL=64
192.168.20.200의 응답: 바이트=32 시간=2ms TTL=64

 

192.168.20.200에 대한 Ping 통계:
    패킷: 보냄 = 2, 받음 = 2, 손실 = 0 (0% 손실),
왕복 시간(밀리초):
    최소 = 0ms, 최대 = 2ms, 평균 = 1ms

 

 

 - 와이어샤크 캡처 내용 확인 (Filter : icmp)

 

 

 

 

Ex2) 'tracert' 명령어

 

@ Window2008

 

 - 'www.google.com'으로 traceroute 실시

 

C:\Users\Administrator>tracert www.google.com

 

최대 30홉 이상의
www.google.com [172.217.25.68](으)로 가는 경로 추적:

  1     1 ms    <1 ms    <1 ms  192.168.20.100
  2    <1 ms    <1 ms    <1 ms  192.168.1.254
  3     1 ms     1 ms     1 ms  172.16.0.1
  4     4 ms     2 ms     2 ms  121.160.41.254
  5     2 ms     4 ms     2 ms  211.55.10.209
  6     *        *        *     요청 시간이 만료되었습니다.
  7     7 ms    22 ms    13 ms  112.188.2.137
  8     3 ms     3 ms     3 ms  112.174.58.125
  9     3 ms     2 ms     2 ms  112.174.48.234
 10     3 ms     4 ms     2 ms  112.174.84.50
 11    37 ms    36 ms    37 ms  72.14.194.106
 12    32 ms    31 ms    37 ms  72.14.234.23
 13    32 ms    32 ms    37 ms  108.170.233.77
 14    31 ms    31 ms    31 ms  nrt13s50-in-f4.1e100.net [172.217.25.68]

 

 

 

 - VisualRoute 프로그램을 이용한 Traceroute 실시 ('vrc' 프로그램 설치 이후 실행)

 

 

 

 

 - 와이어샤크 캡처 내용 확인 및 중지 (filter : icmp)

 

 

 

 

 

Ex4) hping3 툴 사용 방법

 

 - hping3는 Ping 테스트가 안되는 시스템쪽으로 Ping 테스트를 할수 있는 툴이다.

 

@ Kali Linux

 

 - 'www.naver.com'으로 ping 테스트 실시

 

root@kali:~# ping -c 2 www.naver.com
PING www.naver.com.nheos.com (202.179.177.22) 56(84) bytes of data.

 

--- www.naver.com.nheos.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms

 

 

 - 와이어샤크 실행 및 캡처 실시 (Capture -> Interfaces -> eth0 선택 -> start 클릭)

 

 

 - 'www.naver.com'으로 hping3 테스트 실시

root@kali:~# hping3 -S www.naver.com -p 80 -c 2
HPING www.naver.com (eth0 202.179.177.21): S set, 40 headers + 0 data bytes
len=46 ip=202.179.177.21 ttl=128 id=60785 sport=80 flags=SA seq=0 win=64240 rtt=6.8 ms
len=46 ip=202.179.177.21 ttl=128 id=60786 sport=80 flags=SA seq=1 win=64240 rtt=18.5 ms

--- www.naver.com hping statistic ---

2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 6.8/12.7/18.5 ms

 

 

 - 와이어샤크 캡처 내용 확인 (filter : ! dns && ! arp && ip.addr == 192.168.20.50)

 

 

 

 

 

Ex5) hping3 테스트 I

 

@ Kali Linux

 

 -S : tcp syn request

 -p : port numer

 -c : packet count

 

root@kali:~# hping3 -S 192.168.20.200 -p 80 -c 5
HPING 192.168.20.200 (eth1 192.168.20.200): S set, 40 headers + 0 data bytes
len=46 ip=192.168.20.200 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=12.3 ms
len=46 ip=192.168.20.200 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=3.6 ms
len=46 ip=192.168.20.200 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=5840 rtt=3.0 ms
len=46 ip=192.168.20.200 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=5840 rtt=3.2 ms
len=46 ip=192.168.20.200 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=5840 rtt=2.0 ms

 

--- 192.168.20.200 hping statistic ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 2.0/4.8/12.3 ms

 

 

 

 

Ex6) hping3 테스트 II

 

@ Kali Linux

 

 -S : tcp syn request

 -p ++50 : 목적지 포트 번호 50번부터 증가시킴 (50,51,52,53,54)

 -c : packet count

 

root@kali:~# hping3 -S 192.168.20.200 -p ++50 -c 5
HPING 192.168.20.200 (eth1 192.168.20.200): S set, 40 headers + 0 data bytes
len=46 ip=192.168.20.200 ttl=64 DF id=0 sport=50 flags=RA seq=0 win=0 rtt=3.6 ms
len=46 ip=192.168.20.200 ttl=64 DF id=0 sport=51 flags=RA seq=1 win=0 rtt=3.0 ms
len=46 ip=192.168.20.200 ttl=64 DF id=0 sport=52 flags=RA seq=2 win=0 rtt=2.4 ms
len=46 ip=192.168.20.200 ttl=64 DF id=0 sport=53 flags=SA seq=3 win=5840 rtt=2.0 ms (DNS 서비스 확인 가능)
len=46 ip=192.168.20.200 ttl=64 DF id=0 sport=54 flags=RA seq=4 win=0 rtt=1.5 ms

--- 192.168.20.200 hping statistic ---
5 packets transmitted, 5 packets received, 0% packet lo

 

 

 

 

Ex7) hping3 테스트 III

 

@ Kali Linux

 

 -1 : icmp scan

 --icmp-ts : request time stamp

 -c : packet count

 

root@kali:~# hping3 -1 192.168.20.200 --icmp-ts -c 5
HPING 192.168.20.200 (eth1 192.168.20.200): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.20.200 ttl=64 id=44040 icmp_seq=0 rtt=3.6 ms
ICMP timestamp: Originate=25372981 Receive=57771763 Transmit=57771763
ICMP timestamp RTT tsrtt=4

 

len=46 ip=192.168.20.200 ttl=64 id=44041 icmp_seq=1 rtt=3.5 ms
ICMP timestamp: Originate=25373982 Receive=57772763 Transmit=57772763
ICMP timestamp RTT tsrtt=3

 

len=46 ip=192.168.20.200 ttl=64 id=44042 icmp_seq=2 rtt=3.0 ms
ICMP timestamp: Originate=25374982 Receive=57773763 Transmit=57773763
ICMP timestamp RTT tsrtt=3

 

len=46 ip=192.168.20.200 ttl=64 id=44043 icmp_seq=3 rtt=2.2 ms
ICMP timestamp: Originate=25375983 Receive=57774764 Transmit=57774764
ICMP timestamp RTT tsrtt=2

 

len=46 ip=192.168.20.200 ttl=64 id=44044 icmp_seq=4 rtt=1.4 ms
ICMP timestamp: Originate=25376983 Receive=57775765 Transmit=57775765
ICMP timestamp RTT tsrtt=2

--- 192.168.20.200 hping statistic ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.4/2.7/3.6 ms

 

 

 

 

Ex8) hping3 테스트 IV

 

@ Kali Linux

 

 -8 50-56 : port scan (50,51,52,53,54) 포트 스켄)

 -S : tcp syn request

 

root@kali:~# hping3 -8 50-54 -S 192.168.20.200
Scanning 192.168.20.200 (192.168.20.200), port 50-54
5 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   53 domain     : .S..A...  64     0  5840    46
All replies received. Done.
Not responding ports:

 

 

 

 

Ex9) hping3 테스트 V

 

@ Kali Linux

 

 -2 : udp scan

 -p : port numer

 -c : packet count

 

root@kali:~# hping3 -2 192.168.20.200 -p 80 -c 5
HPING 192.168.20.200 (eth1 192.168.20.200): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.20.200 name=UNKNOWN  
status=0 port=1639 seq=0
ICMP Port Unreachable from ip=192.168.20.200 name=UNKNOWN  
status=0 port=1640 seq=1
ICMP Port Unreachable from ip=192.168.20.200 name=UNKNOWN  
status=0 port=1641 seq=2
ICMP Port Unreachable from ip=192.168.20.200 name=UNKNOWN  
status=0 port=1642 seq=3
ICMP Port Unreachable from ip=192.168.20.200 name=UNKNOWN  
status=0 port=1643 seq=4

 

--- 192.168.20.200 hping statistic ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.5/17.7/69.8 ms

 

 

 

 

Ex10) hping3 테스트 VI

 

@ Kali Linux

 

 -1 : icmp scan

 -a : spoof source address 

 

root@kali:~# hping3 -1 192.168.20.200 -a 192.168.20.204 -c 3
HPING 192.168.20.200 (eth1 192.168.20.200): icmp mode set, 28 headers + 0 data bytes

--- 192.168.20.200 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

 

 

 

 

[참고] hping3 옵션

 

@ Kali Linux

 

root@kali:~# hping3 -h
usage: hping3 host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood    sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl           (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode
IP
  -a  --spoof      spoof source address
  --rand-dest      random destionation address mode. see the man.
  --rand-source    random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field          (to estimate host traffic)
  -f  --frag       split packets in more frag.  (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set don't fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
  --lsrr           loose source routing and record route
  --ssrr           strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode
ICMP
  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options
UDP/TCP
  -s  --baseport   base source port             (default random)
  -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum
                   many systems will fix the IP checksum sending the packet
                   so you'll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
  --tcpexitcode    use last tcp->th_flags as exit code
  --tcp-mss        enable the TCP MSS option with the given value
  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime
Common
  -d  --data       data size                    (default is 0)
  -E  --file       data from file
  -e  --sign       add 'signature'
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable 'safe' protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
  --tr-stop        Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt     Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
  --apd-send       Send the packet described with APD (see docs/APD.txt)

[유튜브] 동영상 강의 링크 (구독! 좋아요!!!)

공격툴&정보수집 - 제4장 ICMP 프로토콜 & ICMP Flooding 공격   https://youtu.be/Vdf7Su22ONg