Channel: Johannes Weber – Weberblog.net

Advanced Ping: httping, dnsping, smtpping


I really love ping! It is easy to use and directly reveals whether the network works or not. Refer to Why Ping is no Security Flaw! (But your Friend) and Advanced Tracerouting. At least outgoing pings (from trust to untrust) should be allowed without any security concerns. However, many companies deny ICMP echo-requests from untrust into the DMZ, which makes it difficult to test from the outside whether all servers are up and running.

I was sitting at the customer’s site replacing the DMZ firewall. Of course I wanted to know (from the outside) whether all servers were connected correctly (NAT) and whether the firewall permitted the connections (policy). However, ping was not allowed. Therefore I used several layer 7 ping tools that generate HTTP, DNS, or SMTP sessions (instead of ICMP echo-requests) and thereby reveal whether the services, and not only the servers, are running. Great!

This post shows the installation and usage of httping, dnsping, and smtpping on a Linux machine, in my case an Ubuntu Server 14.04.4 LTS, as well as some Wireshark screenshots of captured sessions.

httping

As the name implies, httping sends HTTP requests. Note that the name of the tool is spelled with only one “p”. The tool is available on GitHub. Some information about it can be seen here. The installation process looks as follows:

sudo apt-get install libncursesw5-dev libssl-dev libfftw3-dev gettext
git clone https://github.com/flok99/httping.git
cd httping/
sudo make install

(Note that a simple "sudo apt-get install httping" delivers a very old version of httping and is not recommended.)

For basic functionality it only needs the hostname as an argument, such as "httping blog.webernetz.net". Many more options are available, and it also supports HTTPS with SSL/TLS. Examples:
weberjoh@jw-nb12:~$ httping blog.webernetz.net
PING blog.webernetz.net:80 (blog.webernetz.net):
connected to 80.237.133.136:80 (400 bytes), seq=0 time=381.24 ms
connected to 80.237.133.136:80 (400 bytes), seq=1 time=394.30 ms
connected to 80.237.133.136:80 (400 bytes), seq=2 time=373.54 ms
connected to 80.237.133.136:80 (400 bytes), seq=3 time=370.39 ms
connected to 80.237.133.136:80 (400 bytes), seq=4 time=396.91 ms
^CGot signal 2
--- blog.webernetz.net ping statistics ---
5 connects, 5 ok, 0.00% failed, time 6408ms
round-trip min/avg/max = 370.4/383.3/396.9 ms
weberjoh@jw-nb12:~$ httping -6 https://www.insinuator.net/
Auto enabling SSL due to https-URL
PING www.insinuator.net:443 (/):
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=0 time=685.03 ms
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=1 time=712.15 ms
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=2 time=631.81 ms
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=3 time=722.95 ms
^CGot signal 2
--- https://www.insinuator.net/ ping statistics ---
4 connects, 4 ok, 0.00% failed, time 6228ms
round-trip min/avg/max = 631.8/688.0/723.0 ms
weberjoh@jw-nb12:~$

Following is a screenshot of httping in color mode (-Y) with the --threshold-red and --threshold-yellow parameters (which I really like), as well as two screenshots from Wireshark, one of an HTTP session (note the SYN packets as well as the HEAD request and the 200 OK answer) and one of an HTTPS session (Client Hello, Application Data, …):

httping with color mode. httping to an http host. httping to an https host.
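To make visible what httping actually puts on the wire (a TCP connect, a HEAD request, the status line read back), here is an added Python example that does the same by hand and classifies each round-trip time as green/yellow/red in the spirit of --threshold-yellow/--threshold-red. It is example code written for this page, not httping's own code, and it probes a throw-away http.server started on 127.0.0.1 so that it runs offline; the port, path, thresholds and count are assumptions.

```python
# Added example: a hand-rolled HTTP "ping" in the spirit of httping (not httping code).
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_ping(host, port, path="/", timeout=5.0):
    """One probe: returns (status_code, connect_ms, total_ms).
    Like httping's default mode this sends HEAD, so no body is transferred."""
    t0 = time.perf_counter()
    with socket.create_connection((host, port), timeout=timeout) as s:
        t_conn = time.perf_counter()
        req = (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: http-ping-example\r\nConnection: close\r\n\r\n")
        s.sendall(req.encode("ascii"))
        buf = b""
        while b"\r\n" not in buf:          # read until the status line is complete
            chunk = s.recv(1024)
            if not chunk:
                raise ConnectionError("connection closed before status line")
            buf += chunk
        t_resp = time.perf_counter()
    status_line = buf.split(b"\r\n", 1)[0].decode("ascii", "replace")
    status = int(status_line.split()[1])
    return status, (t_conn - t0) * 1000.0, (t_resp - t0) * 1000.0


def classify(rtt_ms, yellow_ms, red_ms):
    """Same idea as httping -Y with --threshold-yellow / --threshold-red."""
    if rtt_ms >= red_ms:
        return "red"
    if rtt_ms >= yellow_ms:
        return "yellow"
    return "green"


def ping_stats(samples):
    """min/avg/max of a list of round-trip times, as in httping's summary line."""
    return min(samples), sum(samples) / len(samples), max(samples)


# --- a tiny stand-in web server so the example runs offline ---------------
class _HeadHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):      # keep the example quiet
        pass


def start_stub_server():
    """Bind 127.0.0.1 on an ephemeral port and serve from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), _HeadHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_probe(count=3, yellow_ms=200.0, red_ms=500.0):
    """Probe the stub server `count` times; returns [(status, total_ms, colour)]."""
    srv = start_stub_server()
    host, port = srv.server_address
    results = []
    try:
        for _ in range(count):
            status, _connect_ms, total_ms = http_ping(host, port)
            results.append((status, total_ms, classify(total_ms, yellow_ms, red_ms)))
    finally:
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    for seq, (status, rtt, colour) in enumerate(run_probe()):
        print(f"seq={seq} status={status} time={rtt:.2f} ms [{colour}]")
```

Point the host/port at a real DMZ web server instead of the stub and the same function tells you whether the firewall's NAT and policy let a layer 7 session through, which is exactly what an ICMP echo cannot tell you.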

dnsping

The dnsping tool from the DNSDiag toolkit, available on GitHub, sends DNS queries. To install it, use the following commands:

git clone https://github.com/farrokhi/dnsdiag.git
cd dnsdiag/
git submodule update --init

Without any further options it sends a type A query for the hostname to the default DNS server (from /etc/resolv.conf). A few options are available, such as the DNS server (-s SERVER) or the type of the query (-t TYPE):

weberjoh@jw-nb12:~$ cd dnsdiag/
weberjoh@jw-nb12:~/dnsdiag$ ./dnsping.py blog.webernetz.net
dnsping.py 8.8.8.8: hostname=blog.webernetz.net rdatatype=A
45 bytes from 8.8.8.8: seq=0   time=17.682 ms
44 bytes from 8.8.8.8: seq=1   time=15.788 ms
45 bytes from 8.8.8.8: seq=2   time=31.627 ms
45 bytes from 8.8.8.8: seq=3   time=32.032 ms
45 bytes from 8.8.8.8: seq=4   time=16.608 ms
45 bytes from 8.8.8.8: seq=5   time=15.957 ms
44 bytes from 8.8.8.8: seq=6   time=16.467 ms
45 bytes from 8.8.8.8: seq=7   time=32.676 ms
45 bytes from 8.8.8.8: seq=8   time=16.101 ms
45 bytes from 8.8.8.8: seq=9   time=28.697 ms

--- 8.8.8.8 dnsping statistics ---
10 requests transmitted, 10 responses received,   0% lost
min=15.788 ms, avg=22.364 ms, max=32.676 ms, stddev=7.739 ms
weberjoh@jw-nb12:~/dnsdiag$ ./dnsping.py -s ns1.weberdns.de -t aaaa pa.weberdns.de
dnsping.py DNS: 2003:51:6012:110::22:53, hostname: pa.weberdns.de, rdatatype: aaaa
48 bytes from 2003:51:6012:110::22: seq=0   time=11.289 ms
48 bytes from 2003:51:6012:110::22: seq=1   time=2.408 ms
48 bytes from 2003:51:6012:110::22: seq=2   time=1.933 ms
48 bytes from 2003:51:6012:110::22: seq=3   time=1.881 ms
48 bytes from 2003:51:6012:110::22: seq=4   time=1.911 ms
48 bytes from 2003:51:6012:110::22: seq=5   time=1.859 ms
48 bytes from 2003:51:6012:110::22: seq=6   time=1.889 ms
48 bytes from 2003:51:6012:110::22: seq=7   time=1.846 ms
48 bytes from 2003:51:6012:110::22: seq=8   time=1.888 ms
48 bytes from 2003:51:6012:110::22: seq=9   time=1.867 ms

--- 2003:51:6012:110::22 dnsping statistics ---
10 requests transmitted, 10 responses received,   0% lost
min=1.846 ms, avg=2.877 ms, max=11.289 ms, stddev=2.960 ms

weberjoh@jw-nb12:~/dnsdiag$

In Wireshark it looks like this:

dnsping Wireshark

(Note the two other tools in the DNSDiag kit: dnseval.py and dnstraceroute.py.)
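What dnsping does underneath is small enough to show in full: build a DNS query packet, send it over UDP, time the reply, and check that the reply carries the transaction ID of the query. The following Python is an added example written for this page, not dnsdiag's code. It talks to a stub resolver thread on 127.0.0.1 that answers A queries with one constructed record (192.0.2.10 from TEST-NET-1) and everything else with an empty NOERROR reply, so it runs offline; the name pa.example.test, the IDs and the count are assumptions.

```python
# Added example: a raw-socket DNS "ping" in the spirit of dnsping (not dnsdiag code).
import socket
import struct
import threading
import time

QTYPES = {"A": 1, "AAAA": 28}


def encode_name(name):
    """Wire-format QNAME: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype="A"):
    """Standard recursive query (RD=1), one question, IN class, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_response(data, txid):
    """Return (rcode, answer_count); reject replies that do not match our ID."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch: stray or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return flags & 0x000F, an


def dns_ping(server, port, name, qtype="A", txid=0x1234, timeout=2.0):
    """One probe: returns (bytes_received, rtt_ms, rcode, answer_count)."""
    query = build_query(txid, name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(query, (server, port))
        data, _ = s.recvfrom(512)
        rtt_ms = (time.perf_counter() - t0) * 1000.0
    rcode, an = parse_response(data, txid)
    return len(data), rtt_ms, rcode, an


# --- stub resolver so the example runs offline: one constructed A record,
# --- empty NOERROR for any other type -------------------------------------
def _stub_resolver(sock, answer_ip):
    sock.settimeout(0.5)                  # lets the thread notice sock.close()
    while True:
        try:
            query, peer = sock.recvfrom(512)
        except socket.timeout:
            continue
        except OSError:
            return
        txid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
        question = query[12:]
        i = 0                             # skip the QNAME labels to reach QTYPE
        while question[i] != 0:
            i += question[i] + 1
        qtype = struct.unpack("!H", question[i + 1:i + 3])[0]
        rr, ancount = b"", 0
        if qtype == QTYPES["A"]:
            # name = pointer to offset 12 (the question's QNAME), TTL 300, 4-byte RDATA
            rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(answer_ip)
            ancount = 1
        header = struct.pack("!HHHHHH", txid, 0x8180, qd, ancount, 0, 0)  # QR,RD,RA; NOERROR
        sock.sendto(header + question + rr, peer)


def start_stub_resolver(answer_ip="192.0.2.10"):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    threading.Thread(target=_stub_resolver, args=(sock, answer_ip), daemon=True).start()
    return sock


def run_probe(name="pa.example.test", qtype="A", count=3):
    """Probe the stub resolver `count` times (like dnsping -s SERVER -t TYPE NAME)."""
    sock = start_stub_resolver()
    host, port = sock.getsockname()
    results = []
    try:
        for seq in range(count):
            results.append(dns_ping(host, port, name, qtype, txid=0x1000 + seq))
    finally:
        sock.close()
    return results


if __name__ == "__main__":
    for seq, (size, rtt, rcode, an) in enumerate(run_probe()):
        print(f"{size} bytes: seq={seq} time={rtt:.3f} ms rcode={rcode} answers={an}")
```

The ID check matters when you run this through a firewall: a reply that arrives with a different ID is either a stray packet or something pretending to be your resolver, and a tool that counts it as "response received" would hide exactly the problem you are looking for.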

smtpping

Finally, smtpping sends test mails. It defaults to an unlimited number of mails, so be careful with it and use the -c option! It is available on GitHub, too. Use the following commands to install it:

git clone https://github.com/halonsecurity/smtpping.git
cd smtpping/
cmake .
make

A sample run with four test mails is "./smtpping -c 4 johannes@webertest.net", but at least the sender (empty by default) should be set with -S. -d enables the debug mode, which prints the server responses:
weberjoh@jw-nb12:~$ cd smtpping/
weberjoh@jw-nb12:~/smtpping$ ./smtpping -c 4 johannes@webertest.net
PING johannes@webertest.net ([80.154.108.237]:25): 10305 bytes (SMTP DATA)
seq=1, connect=1.14 ms, helo=5.46 ms, mailfrom=7.56 ms, rcptto=9.13 ms, datasent=35.17 ms, quit=37.37 ms
seq=2, connect=1.52 ms, helo=3.55 ms, mailfrom=5.18 ms, rcptto=8.09 ms, datasent=30.68 ms, quit=35.81 ms
seq=3, connect=1.18 ms, helo=2.73 ms, mailfrom=3.86 ms, rcptto=4.92 ms, datasent=24.40 ms, quit=28.19 ms
seq=4, connect=1.34 ms, helo=5.34 ms, mailfrom=6.51 ms, rcptto=7.59 ms, datasent=38.38 ms, quit=43.11 ms

--- 80.154.108.237 SMTP ping statistics ---
4 e-mail messages transmitted
connect min/avg/max = 1.14/1.29/1.52 ms
banner min/avg/max = 1.97/2.92/4.36 ms
helo min/avg/max = 2.73/4.27/5.46 ms
mailfrom min/avg/max = 3.86/5.78/7.56 ms
rcptto min/avg/max = 4.92/7.43/9.13 ms
data min/avg/max = 5.66/8.24/9.70 ms
datasent min/avg/max = 24.40/32.16/38.38 ms
quit min/avg/max = 28.19/36.12/43.11 ms
weberjoh@jw-nb12:~/smtpping$ ./smtpping -c 1 -S johannes@webertest.net -d johannes@webernetz.net
PING johannes@webernetz.net ([80.237.138.5]:25): 10253 bytes (SMTP DATA)
response 220 mx0.webpack.hosteurope.de ESMTP (mi005.mc1.hosteurope.de) (even more power) Wed, 04 May 2016 16:26:05 +0200
response 250 mi005.mc1.hosteurope.de Hello localhost.localdomain [80.154.108.228]
response 250 OK
response 250 Accepted
response 354 Enter message, ending with "." on a line by itself
response 250 OK id=1axxkb-00048e-GD
response 221 mi005.mc1.hosteurope.de closing connection
seq=1, connect=7.65 ms, helo=52.61 ms, mailfrom=62.02 ms, rcptto=77.89 ms, datasent=813.17 ms, quit=821.86 ms

--- 80.237.138.5 SMTP ping statistics ---
1 e-mail messages transmitted
connect min/avg/max = 7.65/7.65/7.65 ms
banner min/avg/max = 32.75/32.75/32.75 ms
helo min/avg/max = 52.61/52.61/52.61 ms
mailfrom min/avg/max = 62.02/62.02/62.02 ms
rcptto min/avg/max = 77.89/77.89/77.89 ms
data min/avg/max = 87.41/87.41/87.41 ms
datasent min/avg/max = 813.17/813.17/813.17 ms
quit min/avg/max = 821.86/821.86/821.86 ms

Here are a few screenshots from Wireshark, Cisco ESA, and Thunderbird with these test mails. Refer to the descriptions beneath the screenshots:

If no sender (-S mail@address.foo) is present, some email gateways will classify the messages as spam, as seen on the Cisco ESA appliance. This is how a test mail looks in Thunderbird. Wireshark capture of smtpping: SYN, cleartext mail, FIN. Wireshark follow TCP stream 1/2. Wireshark follow TCP stream 2/2.

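The phase names in smtpping's output (connect, banner, helo, mailfrom, rcptto, data, datasent, quit) map one to one onto the SMTP dialogue shown above in the -d run. The following Python is an added example written for this page, not smtpping's code: it walks one complete SMTP transaction by hand, takes a timestamp after every server reply, and sends "MAIL FROM:<>" when no sender is given, which is what a run without -S looks like to a mail gateway. It talks to a stub MX thread on 127.0.0.1 that accepts everything, so it runs offline; the host name stub.example.test and all addresses are constructed.

```python
# Added example: a hand-rolled SMTP "ping" in the spirit of smtpping (not smtpping code).
import socket
import threading
import time


def _read_reply(f):
    """Read one SMTP reply, multi-line ('250-...') included; return (code, lines)."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip(b"\r\n").decode("ascii", "replace"))
        if len(line) < 4 or line[3:4] != b"-":   # '250 ' ends, '250-' continues
            break
    return int(lines[-1][:3]), lines


def smtp_ping(host, port, rcpt, sender="", helo="localhost.localdomain", timeout=5.0):
    """Send one test mail; return ({phase: ms since start}, [server replies]).
    An empty sender yields 'MAIL FROM:<>' (null reverse-path), i.e. smtpping without -S."""
    timings, replies = {}, []
    t0 = time.perf_counter()

    def mark(phase):
        timings[phase] = (time.perf_counter() - t0) * 1000.0

    with socket.create_connection((host, port), timeout=timeout) as s:
        mark("connect")
        f = s.makefile("rb")
        # (phase, command to send or None for the banner, acceptable reply codes)
        dialogue = (
            ("banner", None, {220}),
            ("helo", f"HELO {helo}", {250}),
            ("mailfrom", f"MAIL FROM:<{sender}>", {250}),
            ("rcptto", f"RCPT TO:<{rcpt}>", {250, 251}),
            ("data", "DATA", {354}),
            ("datasent", "Subject: smtp ping test\r\n\r\nconstructed test mail\r\n.", {250}),
            ("quit", "QUIT", {221}),
        )
        for phase, command, expected in dialogue:
            if command is not None:
                s.sendall(command.encode("ascii") + b"\r\n")
            code, lines = _read_reply(f)
            replies.extend(lines)
            mark(phase)
            if code not in expected:
                raise RuntimeError(f"{phase}: unexpected reply {lines[-1]!r}")
    return timings, replies


# --- stub MX so the example runs offline: accepts every command -----------
def _stub_smtp(listener):
    listener.settimeout(0.5)              # lets the thread notice listener.close()
    while True:
        try:
            conn, _peer = listener.accept()
        except socket.timeout:
            continue
        except OSError:
            return
        with conn:
            conn.settimeout(5.0)
            conn.sendall(b"220 stub.example.test ESMTP (constructed)\r\n")
            in_data = False
            for line in conn.makefile("rb"):
                if in_data:                          # swallow the body up to the lone '.'
                    if line.rstrip(b"\r\n") == b".":
                        in_data = False
                        conn.sendall(b"250 OK id=constructed-0001\r\n")
                    continue
                words = line.split(b":")[0].split()
                verb = words[0].upper() if words else b""
                if verb in (b"HELO", b"EHLO"):
                    conn.sendall(b"250 stub.example.test Hello\r\n")
                elif verb in (b"MAIL", b"RCPT"):
                    conn.sendall(b"250 OK\r\n")
                elif verb == b"DATA":
                    conn.sendall(b'354 Enter message, ending with "." on a line by itself\r\n')
                    in_data = True
                elif verb == b"QUIT":
                    conn.sendall(b"221 stub.example.test closing connection\r\n")
                    break
                else:
                    conn.sendall(b"500 command unrecognized\r\n")


def start_stub_smtp():
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    threading.Thread(target=_stub_smtp, args=(listener,), daemon=True).start()
    return listener


def run_probe(count=2, sender="johannes@example.test", rcpt="postmaster@example.test"):
    """Probe the stub MX `count` times (like smtpping -c COUNT -S SENDER RCPT)."""
    listener = start_stub_smtp()
    host, port = listener.getsockname()
    runs = []
    try:
        for _ in range(count):
            runs.append(smtp_ping(host, port, rcpt, sender=sender))
    finally:
        listener.close()
    return runs


if __name__ == "__main__":
    for seq, (timings, _replies) in enumerate(run_probe(), 1):
        print(f"seq={seq}, " + ", ".join(f"{k}={v:.2f} ms" for k, v in timings.items()))
```

Against a real MX, replace the stub with the host and port 25 of the server behind the firewall and keep the count small: every successful run is a real mail in somebody's inbox, which is also why a gateway that scores the empty reverse-path as spam is doing its job.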
At the End

I am really happy with those tools. They are easy to use and can help monitor some services while changing network or firewall settings. And they are a good argument to present to those security admins who still believe that denying ping is a good security approach. Cheers!

