Hping3 Reflection

    This final blog post will summarize my findings on my Capstone project on Hping3 forensics. Since my research portion was finished in the last blog post this post will focus on obscuring the data, catching the data using an intrusion detection system (IDS), and why this information is significant.

Obscuring the Data

    Hping3 has the ability to send entire documents through ICMP packets. In order to better obscure this data there are two ways that are ideal for data to sent over the network covertly. The first is setting a specific amount of bytes of data per packet. The two sizes that would be the lease suspicious would be one and forty-eight bytes. One byte would be ideal because of the size of the packet. A small ICMP packet is not an unusual, and would not raise suspicion. Forty-eight bytes on the other hand is the normal size of data found in an ICMP echo request. By matching an echo request size any IDS would not flag the packet based on its size.

    Below is command typed to send a document (test) through to an IP address (216.93.147.70) at one byte at a time (-d 1).

    The second way to better obscure the data being sent out is through delaying each request. By delaying request with data in them it slowly sends data out rather than all at once. It would be harder to catch data being sent out over a day than it would be in thirty seconds. 

Using an IDS

    In order to protect information an IDS can be used to catch Hping3. During testing Wireshark 1.10.2 was used not only to capture network packets, but also was used as an IDS. The following parameters were created to help filter legitimate packets from Hping3 packets.

    The first parameter was data =! 48. This would filter all packets that did not equal forty-eight bytes. This would catch any packet data that was not a normal ICMP packet. Although not all legitimate packets will be forty-eight bytes, it is a good parameter to set for catching nefarious ICMP traffic.

    The second parameter is timestamp = present. This parameter will filter all traffic with timestamps in their headers. Hping3 does not generate a timestamp when it sends an ICMP packet. You use the time stamp parameter to find non-hping3 packets, and the remainder packets should be inspected closer.

    These two parameters together would help detect and catch Hping3 packets leaving or entering a network both live, and as saved log files.

Significance

    The significance of my project had two primary goals. The first is to make people more aware of the simplicity and ease of creating covert channels that can move important data off of a network, and for companies to be aware of how the software works. The other significant reason for this research would be helpful for investigators to know where to look both on a local machine and on the network to find this software or similar network exfiltration tool. Greater exposure on both where to find artifacts, and how to use an IDS to catch use of this software could save time, and money. These reasons are why this project is significant, and hope that this information can help mitigate data theft.