Advanced Ping: httping, dnsping, smtpping

I really love ping! It is easy to use and directly reveals whether the network works or not. Refer to “Why Ping is no Security Flaw! (But your Friend)” and “Advanced Tracerouting”. At least outgoing pings (from trust to untrust) should be allowed without any security concerns. However, many companies are denying these ICMP echo-requests from untrust into the DMZ, which makes it difficult to test whether all servers are up and running.

I was sitting at the customer’s site replacing the DMZ firewall. Of course I wanted to know (from the outside) whether all servers are connected correctly (NAT) and whether the firewall permits the connections (policy). However, ping was not allowed. Therefore I used several layer 7 ping tools that generate HTTP, DNS, or SMTP sessions (instead of ICMP echo-requests) and revealed whether the services (and not only the servers) were running. Great!

This post shows the installation and usage of httping, dnsping, and smtpping on a Linux machine, in my case an Ubuntu server 14.04.4 LTS, as well as some Wireshark screenshots from captured sessions. Finally, a pcap file can be downloaded that shows the sample runs of all three tools.

httping

As the name implies, httping sends HTTP requests. Note that the name of the tool has only one “p” in its spelling. The tool is available at GitHub. Some information about it can be seen here. The installation process looks as follows:

(Note that a simple sudo apt-get install httping delivers a very old version of httping and is not recommended.)

For basic functionality it only needs the hostname as an option, such as httping weberblog.net. Many more options are available and it also supports HTTPS with SSL/TLS. Examples:

Following is a screenshot from httping with the color mode (-Y) and the --threshold-red and --threshold-yellow parameters (which I really like), as well as two screenshots from Wireshark, one with an HTTP session (note the SYN packets as well as the HEAD request and 200 OK answer) and one with an HTTPS session (Client Hello, Application Data, …):
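The SYN, HEAD request and 200 OK exchange noted above can be reproduced with a short Python probe. This is an added example, not code from httping or from the original post; `http_ping`, its result states and the loopback test server are assumptions made for illustration. It times the TCP handshake separately from the HTTP answer, so a closed or filtered port (policy, NAT, host) can be told apart from a service that accepts connections but does not answer.

```python
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

def http_ping(host, port=80, path="/", timeout=3.0):
    """One layer-7 probe: TCP handshake, then a HEAD request (hypothetical helper)."""
    res = {"state": "no-connect", "connect_ms": None, "total_ms": None, "status": None}
    start = time.perf_counter()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        res["state"] = "refused"  # RST came back: host reachable, port closed or rejected
        return res
    except OSError:
        return res  # timeout or unreachable: dropped by policy, broken NAT, or host down
    res["connect_ms"] = (time.perf_counter() - start) * 1000
    req = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    data = b""
    with sock:
        try:
            sock.sendall(req.encode("ascii"))
            while b"\r\n" not in data and (chunk := sock.recv(4096)):
                data += chunk
        except OSError:
            pass  # port open, but the service never answered in time
    parts = data.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        res.update(state="up", status=int(parts[1]), total_ms=(time.perf_counter() - start) * 1000)
    else:
        res["state"] = "no-http"  # TCP works, yet no valid HTTP status line arrived
    return res

class _Head(BaseHTTPRequestHandler):  # constructed loopback server: answers HEAD with 200
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()
    log_message = lambda *args: None  # keep the demo quiet

def demo():
    """Probe a constructed loopback web server, then the same port once it is closed."""
    srv = HTTPServer(("127.0.0.1", 0), _Head)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    up = http_ping("127.0.0.1", srv.server_port)
    srv.shutdown()
    srv.server_close()
    return up, http_ping("127.0.0.1", srv.server_port)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```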

Windows: tcping.exe with -h

For Windows you can use tcping.exe with the “-h” flag, such as:

 

dnsping

The dnsping tool out of the DNSDiag toolkit, available on GitHub, sends DNS queries. To install it, use the following commands:

Without any further options it sends a type A query for the hostname to the default DNS server (/etc/resolv.conf). But a few options are possible, such as the DNS server (-s SERVER) or the type of the query (-t TYPE):

In Wireshark, it looks like this:

(Note the two other tools out of the DNSDiag kit: dnseval.py and dnstraceroute.py.)

smtpping

Finally, smtpping sends test mails. It defaults to “unlimited” mails, so be careful with it and use the -c option! It is available at GitHub, too. Use the following commands to install it:

A sample run of four test mails is this: ./smtpping -c 4 johannes@webertest.net, but at least the sender (empty by default) should be set with -S. -d is the debug mode:

Here are a few screenshots from Wireshark, Cisco ESA, and Thunderbird with these test mails. Refer to the descriptions beneath the screenshots:

 

pcap

If you want to click around by yourself you can download the following pcap file. It consists of the traces shown above. (Only the packet numbers and the stream indices do not correspond, since it is not the full trace I initially saved.)

At the End

I am really happy with those tools. They are easy to use and can help monitor some services while changing network or firewall settings. And they are a good argument for those security admins who still believe that denying ping is a good security approach. Cheers!

Featured image: “Nachbarschaft” by Daniel Ullrich is licensed under CC BY-SA 2.0.
