
A recent pentest revealed that the TCP timestamp option was enabled. I have tried to reproduce the pentesters' result using

hping3 --tcp-timestamp -S -p 80 xx.xx.xx.xx

but the tool never returns. It sits on the line:

HPING xx.xx.xx.xx (eth0 xx.xx.xx.xx): S set, 40 headers + 0 data bytes

If I press Ctrl-C I get:

--- xx.xx.xx.xx hping statistic ---
3746 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

If I add the -c option with a value of, say, 4 it does return but without timestamp information.

I checked with our hosting provider who confirmed that the timestamp was enabled (and then disabled it).

Any ideas what might be wrong with my setup that could be causing this? I'm using Kali 2016.1 on a hyper-v hosted virtual server, tunneling out of our DMZ to a Digital Ocean hosted Debian server using sshuttle.

Paul
Leo

1 Answer


It appears that while sshuttle supports TCP, it doesn't work at the packet level (a good explanation is here in the Discussion section). My guess is that hping can't handle the remote mirroring of the TCP session and hangs or times out, depending on the options that are set.

When I killed the tunnel, hping worked fine, albeit from within the DMZ which means I'm subject to the rules of the firewall and possibly being reflected inward when looking at servers in our network.

Leo
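Since the raw SYN probes never make it through the tunnel, an alternative way to confirm the pentesters' finding is to capture the server's SYN-ACK (e.g. with tcpdump from a host with direct reachability) and read the TCP timestamp option out of the header yourself. The parser below is an added example, not code from the question or the answer; the SYN-ACK bytes are constructed, and the tick-rate estimate assumes two probes taken at known wall-clock times, which is how hping3 derives its "HZ" guess.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# TCP option kinds (RFC 793 / RFC 7323).
OPT_EOL, OPT_NOP, OPT_TIMESTAMP = 0, 1, 8


@dataclass
class TcpTimestamp:
    tsval: int  # sender's timestamp clock value
    tsecr: int  # echo of the peer's last TSval


def tcp_options(segment: bytes) -> bytes:
    """Return the options area of a TCP header (bytes 20 .. data offset*4)."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return segment[20:data_offset]


def parse_timestamp(segment: bytes) -> Optional[TcpTimestamp]:
    """Walk the option list; return the timestamp option if the peer sent one."""
    opts, i = tcp_options(segment), 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind == OPT_TIMESTAMP and length == 10:
            return TcpTimestamp(*struct.unpack("!II", opts[i + 2:i + 10]))
        i += length
    return None


def estimate_hz(ts1: int, t1: float, ts2: int, t2: float) -> float:
    """Timestamp ticks per second between two probes (what hping3 reports as HZ)."""
    return (ts2 - ts1) / (t2 - t1)


# Constructed SYN-ACK header: data offset 10 (40 bytes), flags SYN|ACK, options
# MSS 1460, NOP, NOP, Timestamp(TSval=123456789, TSecr=42), NOP, WScale 7.
SYN_ACK = (
    struct.pack("!HHIIBBHHH", 80, 54321, 0x11111111, 0x22222223, 10 << 4, 0x12, 65535, 0, 0)
    + bytes([2, 4, 0x05, 0xB4]) + bytes([1, 1])
    + bytes([8, 10]) + struct.pack("!II", 123456789, 42)
    + bytes([1, 3, 3, 7])
)
```

A header with no timestamp option returns None; a tick rate near 1000 between two probes indicates a 1 kHz timestamp clock, from which TSval/HZ gives the rough uptime hping3 prints.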