I really love ping! It is easy to use and directly reveals whether the network works or not. Refer to Why Ping is no Security Flaw! (But your Friend) and Advanced Tracerouting. At least outgoing pings (from trust to untrust) should be allowed without any security concerns. However, many companies are denying these ICMP echo-requests from untrust into the DMZ which makes it difficult to test whether all servers are up and running.
I was sitting at the customer’s site replacing the DMZ firewall. Of course I wanted to know (from the outside) whether all servers are connected correctly (NAT) and whether the firewall permits the connections (policy). However, ping was not allowed. Therefore I used several layer 7 ping tools that generate HTTP, DNS, or SMTP sessions (instead of ICMP echo-requests), which reveal whether the services (and not only the servers) are running. Great!
This post shows the installation and usage of httping, dnsping, and smtpping on a Linux machine, in my case an Ubuntu server 14.04.4 LTS, as well as some Wireshark screenshots from captured sessions.
httping
As the name implies, httping sends HTTP requests. Note that the name of the tool has only one “p” in its spelling. The tool is available at GitHub. Some information about it can be seen here. The installation process looks as follows:
sudo apt-get install libncursesw5-dev libssl-dev libfftw3-dev gettext
git clone https://github.com/flok99/httping.git
cd httping/
sudo make install
(Note that a simple sudo apt-get install httping delivers a very old version of httping and is not recommended.)
For basic functionality it only needs the hostname as an argument, such as httping blog.webernetz.net. Many more options are available, and it also supports HTTPS with SSL/TLS. Examples:
weberjoh@jw-nb12:~$ httping blog.webernetz.net
PING blog.webernetz.net:80 (blog.webernetz.net):
connected to 80.237.133.136:80 (400 bytes), seq=0 time=381.24 ms
connected to 80.237.133.136:80 (400 bytes), seq=1 time=394.30 ms
connected to 80.237.133.136:80 (400 bytes), seq=2 time=373.54 ms
connected to 80.237.133.136:80 (400 bytes), seq=3 time=370.39 ms
connected to 80.237.133.136:80 (400 bytes), seq=4 time=396.91 ms
^CGot signal 2
--- blog.webernetz.net ping statistics ---
5 connects, 5 ok, 0.00% failed, time 6408ms
round-trip min/avg/max = 370.4/383.3/396.9 ms
weberjoh@jw-nb12:~$
weberjoh@jw-nb12:~$ httping -6 https://www.insinuator.net/
Auto enabling SSL due to https-URL
PING www.insinuator.net:443 (/):
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=0 time=685.03 ms
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=1 time=712.15 ms
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=2 time=631.81 ms
connected to [2003:60:4010:11b0::12]:443 (279 bytes), seq=3 time=722.95 ms
^CGot signal 2
--- https://www.insinuator.net/ ping statistics ---
4 connects, 4 ok, 0.00% failed, time 6228ms
round-trip min/avg/max = 631.8/688.0/723.0 ms
weberjoh@jw-nb12:~$
Following is a screenshot from httping with the color mode (-Y) and the --threshold-red and --threshold-yellow parameters (which I really like), as well as two screenshots from Wireshark, one with an HTTP session (note the SYN packets as well as the HEAD request and 200 OK answer) and one with an HTTPS session (Client Hello, Application Data, …):
dnsping
The dnsping tool out of the DNSDiag toolkit, available on GitHub, sends DNS queries. To install it, use the following commands:
git clone https://github.com/farrokhi/dnsdiag.git
cd dnsdiag/
git submodule update --init
Without any further options it sends a type A query for the hostname to the default DNS server (/etc/resolv.conf). A few options are available, such as the DNS server (-s SERVER) or the query type (-t TYPE):
weberjoh@jw-nb12:~$ cd dnsdiag/
weberjoh@jw-nb12:~/dnsdiag$ ./dnsping.py blog.webernetz.net
dnsping.py 8.8.8.8: hostname=blog.webernetz.net rdatatype=A
45 bytes from 8.8.8.8: seq=0 time=17.682 ms
44 bytes from 8.8.8.8: seq=1 time=15.788 ms
45 bytes from 8.8.8.8: seq=2 time=31.627 ms
45 bytes from 8.8.8.8: seq=3 time=32.032 ms
45 bytes from 8.8.8.8: seq=4 time=16.608 ms
45 bytes from 8.8.8.8: seq=5 time=15.957 ms
44 bytes from 8.8.8.8: seq=6 time=16.467 ms
45 bytes from 8.8.8.8: seq=7 time=32.676 ms
45 bytes from 8.8.8.8: seq=8 time=16.101 ms
45 bytes from 8.8.8.8: seq=9 time=28.697 ms
--- 8.8.8.8 dnsping statistics ---
10 requests transmitted, 10 responses received, 0% lost
min=15.788 ms, avg=22.364 ms, max=32.676 ms, stddev=7.739 ms
weberjoh@jw-nb12:~/dnsdiag$
weberjoh@jw-nb12:~/dnsdiag$ ./dnsping.py -s ns1.weberdns.de -t aaaa pa.weberdns.de
dnsping.py DNS: 2003:51:6012:110::22:53, hostname: pa.weberdns.de, rdatatype: aaaa
48 bytes from 2003:51:6012:110::22: seq=0 time=11.289 ms
48 bytes from 2003:51:6012:110::22: seq=1 time=2.408 ms
48 bytes from 2003:51:6012:110::22: seq=2 time=1.933 ms
48 bytes from 2003:51:6012:110::22: seq=3 time=1.881 ms
48 bytes from 2003:51:6012:110::22: seq=4 time=1.911 ms
48 bytes from 2003:51:6012:110::22: seq=5 time=1.859 ms
48 bytes from 2003:51:6012:110::22: seq=6 time=1.889 ms
48 bytes from 2003:51:6012:110::22: seq=7 time=1.846 ms
48 bytes from 2003:51:6012:110::22: seq=8 time=1.888 ms
48 bytes from 2003:51:6012:110::22: seq=9 time=1.867 ms
--- 2003:51:6012:110::22 dnsping statistics ---
10 requests transmitted, 10 responses received, 0% lost
min=1.846 ms, avg=2.877 ms, max=11.289 ms, stddev=2.960 ms
weberjoh@jw-nb12:~/dnsdiag$
In Wireshark, it looks like this:
(Note the two other tools in the DNSDiag kit: dnseval.py and dnstraceroute.py.)
smtpping
Finally, smtpping sends test mails. It defaults to an “unlimited” number of mails, so be careful with it and use the -c option! It is available at GitHub, too. Use the following commands to install it:
git clone https://github.com/halonsecurity/smtpping.git
cd smtpping/
cmake .
make
A sample run of four test mails is ./smtpping -c 4 johannes@webertest.net. At least the sender (empty by default) should be set with -S, and -d enables the debug mode:
weberjoh@jw-nb12:~$ cd smtpping/
weberjoh@jw-nb12:~/smtpping$ ./smtpping -c 4 johannes@webertest.net
PING johannes@webertest.net ([80.154.108.237]:25): 10305 bytes (SMTP DATA)
seq=1, connect=1.14 ms, helo=5.46 ms, mailfrom=7.56 ms, rcptto=9.13 ms, datasent=35.17 ms, quit=37.37 ms
seq=2, connect=1.52 ms, helo=3.55 ms, mailfrom=5.18 ms, rcptto=8.09 ms, datasent=30.68 ms, quit=35.81 ms
seq=3, connect=1.18 ms, helo=2.73 ms, mailfrom=3.86 ms, rcptto=4.92 ms, datasent=24.40 ms, quit=28.19 ms
seq=4, connect=1.34 ms, helo=5.34 ms, mailfrom=6.51 ms, rcptto=7.59 ms, datasent=38.38 ms, quit=43.11 ms
--- 80.154.108.237 SMTP ping statistics ---
4 e-mail messages transmitted
connect min/avg/max = 1.14/1.29/1.52 ms
banner min/avg/max = 1.97/2.92/4.36 ms
helo min/avg/max = 2.73/4.27/5.46 ms
mailfrom min/avg/max = 3.86/5.78/7.56 ms
rcptto min/avg/max = 4.92/7.43/9.13 ms
data min/avg/max = 5.66/8.24/9.70 ms
datasent min/avg/max = 24.40/32.16/38.38 ms
quit min/avg/max = 28.19/36.12/43.11 ms
weberjoh@jw-nb12:~/smtpping$
weberjoh@jw-nb12:~/smtpping$ ./smtpping -c 1 -S johannes@webertest.net -d johannes@webernetz.net
PING johannes@webernetz.net ([80.237.138.5]:25): 10253 bytes (SMTP DATA)
response 220 mx0.webpack.hosteurope.de ESMTP (mi005.mc1.hosteurope.de) (even more power) Wed, 04 May 2016 16:26:05 +0200
response 250 mi005.mc1.hosteurope.de Hello localhost.localdomain [80.154.108.228]
response 250 OK
response 250 Accepted
response 354 Enter message, ending with "." on a line by itself
response 250 OK id=1axxkb-00048e-GD
response 221 mi005.mc1.hosteurope.de closing connection
seq=1, connect=7.65 ms, helo=52.61 ms, mailfrom=62.02 ms, rcptto=77.89 ms, datasent=813.17 ms, quit=821.86 ms
--- 80.237.138.5 SMTP ping statistics ---
1 e-mail messages transmitted
connect min/avg/max = 7.65/7.65/7.65 ms
banner min/avg/max = 32.75/32.75/32.75 ms
helo min/avg/max = 52.61/52.61/52.61 ms
mailfrom min/avg/max = 62.02/62.02/62.02 ms
rcptto min/avg/max = 77.89/77.89/77.89 ms
data min/avg/max = 87.41/87.41/87.41 ms
datasent min/avg/max = 813.17/813.17/813.17 ms
quit min/avg/max = 821.86/821.86/821.86 ms
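The per-phase timings that smtpping prints above (and the same idea behind httping and dnsping: time a real application exchange and check its reply code instead of an ICMP echo) can be reproduced in a few lines. The following Python is an added example, not code from any of the three projects; it walks through the SMTP dialogue against a constructed in-process responder so that it runs offline, and the names fake.example, layer7ping.example and the example.invalid mailboxes are placeholders.

```python
import socket, threading, time

def _fake_smtp_server(srv):
    """Constructed in-process responder so the example runs offline; not a real MTA."""
    conn, _ = srv.accept()
    with conn, conn.makefile("rb") as f:
        conn.sendall(b"220 fake.example ESMTP (constructed)\r\n")
        in_data = False
        for raw in f:
            line = raw.rstrip(b"\r\n")
            if in_data:                       # swallow the message body until the lone "."
                if line == b".":
                    in_data = False
                    conn.sendall(b"250 OK id=constructed\r\n")
                continue
            verb = line.split(b" ", 1)[0].upper()
            if verb == b"DATA":
                in_data = True
                conn.sendall(b'354 Enter message, ending with "." on a line by itself\r\n')
            elif verb == b"QUIT":
                conn.sendall(b"221 closing connection\r\n")
                return
            else:                             # HELO, MAIL FROM, RCPT TO
                conn.sendall(b"250 OK\r\n")

def smtp_ping(host, port, sender, rcpt, timeout=5.0):
    """Return ms elapsed since the connect started for each phase, in smtpping's
    order: connect, banner, helo, mailfrom, rcptto, data, datasent, quit."""
    t0, marks = time.perf_counter(), {}
    def step(s, f, send, code, name):
        s.sendall(send)                       # b"" for the banner: nothing to send, just read
        reply = f.readline().decode(errors="replace")
        if not reply.startswith(code):        # wrong or missing code means the service is unhealthy
            raise RuntimeError(f"{name}: expected {code}, got {reply.strip()!r}")
        marks[name] = (time.perf_counter() - t0) * 1000.0
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        marks["connect"] = (time.perf_counter() - t0) * 1000.0
        step(s, f, b"", "220", "banner")
        step(s, f, b"HELO layer7ping.example\r\n", "250", "helo")
        step(s, f, f"MAIL FROM:<{sender}>\r\n".encode(), "250", "mailfrom")
        step(s, f, f"RCPT TO:<{rcpt}>\r\n".encode(), "250", "rcptto")
        step(s, f, b"DATA\r\n", "354", "data")
        step(s, f, b"Subject: smtp ping\r\n\r\ntest\r\n.\r\n", "250", "datasent")
        step(s, f, b"QUIT\r\n", "221", "quit")
    return marks

def demo():
    srv = socket.create_server(("127.0.0.1", 0))   # constructed responder on a free loopback port
    threading.Thread(target=_fake_smtp_server, args=(srv,), daemon=True).start()
    return smtp_ping("127.0.0.1", srv.getsockname()[1], "ping@example.invalid", "box@example.invalid")
```

Point smtp_ping() at a real mail server's address and port 25 to get the same cumulative phase timings smtpping reports; a wrong reply code in any phase raises instead of silently counting the probe as successful.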
Here are a few screenshots from Wireshark, Cisco ESA, and Thunderbird with these test mails. Refer to the descriptions beneath the screenshots:
At the End
I am really happy with those tools. They are easy to use and can help to monitor some services while changing network or firewall settings. And they are a good argument for those security admins who still believe that denying ping is a good security approach. Cheers!