Advanced Ping: httping, dnsping, smtpping

[Ldfa]

I really love ping! It is easy to use and directly reveals whether the network works or not. Refer to Why Ping is no Security Flaw! (But your Friend) and Advanced Tracerouting. At least outgoing pings (from trust to untrust) should be allowed without any security concerns. However, many companies are denying these ICMP echo-requests from untrust into the DMZ which makes it difficult to test whether all servers are up and running.

I was sitting at the customer’s site replacing the DMZ firewall. Of course I wanted to know (from the outside) whether all servers are connected correctly (NAT) and whether the firewall permits the connections (policy). However, ping was not allowed. Therefore I used several layer 7 ping tools that generate HTTP, DNS, or SMTP sessions (instead of ICMP echo-requests) and revealed whether the services (and not only the servers) were running. Great!

This post shows the installation and usage of httping, dnsping, and smtpping on a Linux machine, in my case a Ubuntu server 14.04.4 LTS, as well as some Wireshark screenshots from captured sessions.

httping

As the name implies, httping sends HTTP requests. Note that the name of the tool has only one “p” in its spelling. The tool is available at GitHub. Some information about it can be seen here. The installation process looks as follows:

sudo apt-get install libncursesw5-dev libssl-dev libfftw3-dev gettext git clone https://github.com/flok99/httping.git cd httping/ sudo make install

(Note that a simple sudo apt-get install httping  delivers a very old version of httping and is not recommended.)

For a basic functionality it only needs the hostname as an option, such as httping blog.webernetz.net . Many more options are available and it also supports HTTPS with SSL/TLS. Examples:

weberjoh@jw-nb12:~$ httping blog.webernetz.net PING blog.webernetz.net:80 (blog.webernetz.net): connected to 80.237.133.136:80 (400 bytes), seq=0 time=381.24 ms connected to 80.237.133.136:80 (400 bytes), seq=1 time=394.30 ms connected to 80.237.133.136:80 (400 bytes), seq=2 time=373.54 ms connected to 80.237.133.136:80 (400 bytes), seq=3 time=370.39 ms connected to 80.237.133.136:80 (400 bytes), seq=4 time=396.91 ms ^CGot signal 2 --- blog.webernetz.net ping statistics --- 5 connects, 5 ok, 0.00% failed, time 6408ms round-trip min/avg/max = 370.4/383.3/396.9 ms weberjoh@jw-nb12:~$ weberjoh@jw-nb12:~$ weberjoh@jw-nb12:~$ weberjoh@jw-nb12:~$ httping -6 https://www.insinuator.net/ Auto enabling SSL due to https-URL PING www.insinuator.net:443 (/): connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=0 time=685.03 ms connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=1 time=712.15 ms connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=2 time=631.81 ms connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=3 time=722.95 ms ^CGot signal 2 --- https://www.insinuator.net/ ping statistics --- 4 connects, 4 ok, 0.00% failed, time 6228ms round-trip min/avg/max = 631.8/688.0/723.0 ms weberjoh@jw-nb12:~$

Following is a screenshot from httping with the color mode (-Y) and the –threshold-red and –threshold-yellow parameters (which I really like), as well as two screenshots from Wireshark, one with an http session (note the SYN packets as well as the HEAD request and 200 OK answer) and one with a https session (Client Hello, Application Data, …):

httping with color mode.

httping to an http host.

httping to an https host.

dnsping

The dnsping tool out of the DNSDiag toolkit, available on GitHub, sends DNS queries. To install it, use the following commands:

git clone https://github.com/farrokhi/dnsdiag.git cd dnsdiag/ git submodule update --init

Without any further options it sends a type A query for the hostname to the default DNS server (/etc/resolv.conf). But a few options are possible, such as the DNS server (-s SERVER) or the type of the query (-t TYPE):

weberjoh@jw-nb12:~$ cd dnsdiag/ weberjoh@jw-nb12:~/dnsdiag$ ./dnsping.py blog.webernetz.net dnsping.py 8.8.8.8: hostname=blog.webernetz.net rdatatype=A 45 bytes from 8.8.8.8: seq=0   time=17.682 ms 44 bytes from 8.8.8.8: seq=1   time=15.788 ms 45 bytes from 8.8.8.8: seq=2   time=31.627 ms 45 bytes from 8.8.8.8: seq=3   time=32.032 ms 45 bytes from 8.8.8.8: seq=4   time=16.608 ms 45 bytes from 8.8.8.8: seq=5   time=15.957 ms 44 bytes from 8.8.8.8: seq=6   time=16.467 ms 45 bytes from 8.8.8.8: seq=7   time=32.676 ms 45 bytes from 8.8.8.8: seq=8   time=16.101 ms 45 bytes from 8.8.8.8: seq=9   time=28.697 ms --- 8.8.8.8 dnsping statistics --- 10 requests transmitted, 10 responses received,   0% lost min=15.788 ms, avg=22.364 ms, max=32.676 ms, stddev=7.739 ms weberjoh@jw-nb12:~/dnsdiag$ weberjoh@jw-nb12:~/dnsdiag$ weberjoh@jw-nb12:~/dnsdiag$ weberjoh@jw-nb12:~/dnsdiag$ ./dnsping.py -s ns1.weberdns.de -t aaaa pa.weberdns.de dnsping.py DNS: 2003:51:6012:110::22:53, hostname: pa.weberdns.de, rdatatype: aaaa 48 bytes from 2003:51:6012:110::22: seq=0   time=11.289 ms 48 bytes from 2003:51:6012:110::22: seq=1   time=2.408 ms 48 bytes from 2003:51:6012:110::22: seq=2   time=1.933 ms 48 bytes from 2003:51:6012:110::22: seq=3   time=1.881 ms 48 bytes from 2003:51:6012:110::22: seq=4   time=1.911 ms 48 bytes from 2003:51:6012:110::22: seq=5   time=1.859 ms 48 bytes from 2003:51:6012:110::22: seq=6   time=1.889 ms 48 bytes from 2003:51:6012:110::22: seq=7   time=1.846 ms 48 bytes from 2003:51:6012:110::22: seq=8   time=1.888 ms 48 bytes from 2003:51:6012:110::22: seq=9   time=1.867 ms --- 2003:51:6012:110::22 dnsping statistics --- 10 requests transmitted, 10 responses received,   0% lost min=1.846 ms, avg=2.877 ms, max=11.289 ms, stddev=2.960 ms weberjoh@jw-nb12:~/dnsdiag$

In Wireshark, it looks like that:

(Note the two other tools out of the DNSDiag kit:  dnseval.py  and dnstraceroute.py .)

smtpping

Finally, smtpping sends test mails. It defaults to “unlimited” mails, so be carefully with it and use the -c option! It is available at GitHub, too. Use the following commands to install it:

git clone https://github.com/halonsecurity/smtpping.git cd smtpping/

A sample run of four test mails is this: ./smtpping -c 4 johannes@webertest.net , but at least the sender (empty by default) with -S should be used. -d is the debug mode:

weberjoh@jw-nb12:~$ cd smtpping/ weberjoh@jw-nb12:~/smtpping$ ./smtpping -c 4 johannes@webertest.net PING johannes@webertest.net ([80.154.108.237]:25): 10305 bytes (SMTP DATA) seq=1, connect=1.14 ms, helo=5.46 ms, mailfrom=7.56 ms, rcptto=9.13 ms, datasent=35.17 ms, quit=37.37 ms seq=2, connect=1.52 ms, helo=3.55 ms, mailfrom=5.18 ms, rcptto=8.09 ms, datasent=30.68 ms, quit=35.81 ms seq=3, connect=1.18 ms, helo=2.73 ms, mailfrom=3.86 ms, rcptto=4.92 ms, datasent=24.40 ms, quit=28.19 ms seq=4, connect=1.34 ms, helo=5.34 ms, mailfrom=6.51 ms, rcptto=7.59 ms, datasent=38.38 ms, quit=43.11 ms --- 80.154.108.237 SMTP ping statistics --- 4 e-mail messages transmitted connect min/avg/max = 1.14/1.29/1.52 ms banner min/avg/max = 1.97/2.92/4.36 ms helo min/avg/max = 2.73/4.27/5.46 ms mailfrom min/avg/max = 3.86/5.78/7.56 ms rcptto min/avg/max = 4.92/7.43/9.13 ms data min/avg/max = 5.66/8.24/9.70 ms datasent min/avg/max = 24.40/32.16/38.38 ms quit min/avg/maxAfficher l’article complet