usage: hping3 host [options]<br /> -h –help show this help<br /> -v –version show version<br /> -c –count packet count<br /> -i –interval wait (uX for X microseconds, for example -i u1000)<br /> –fast alias for -i u10000 (10 packets for second)<br /> –faster alias for -i u1000 (100 packets for second)<br /> –flood sent packets as fast as possible. Don't show replies.<br /> -n –numeric numeric output<br /> -q –quiet quiet<br /> -I –interface interface name (otherwise default routing interface)<br /> -V –verbose verbose mode<br /> -D –debug debugging info<br /> -z –bind bind ctrl+z to ttl (default to dst port)<br /> -Z –unbind unbind ctrl+z<br /> –beep beep for every matching packet received<br />Mode<br /> default mode TCP<br /> -0 –rawip RAW IP mode<br /> -1 –icmp ICMP mode<br /> -2 –udp UDP mode<br /> -8 –scan SCAN mode.<br /> Example: hping –scan 1-30,70-90 -S www.target.host<br /> -9 –listen listen mode<br />IP<br /> -a –spoof spoof source address<br /> –rand-dest random destionation address mode. see the man.<br /> –rand-source random source address mode. see the man.<br /> -t –ttl ttl (default 64)<br /> -N –id id (default random)<br /> -W –winid use win id byte ordering<br /> -r –rel relativize id field (to estimate host traffic)<br /> -f –frag split packets in more frag. (may pass weak acl)<br /> -x –morefrag set more fragments flag<br /> -y –dontfrag set don't fragment flag<br /> -g –fragoff set the fragment offset<br /> -m –mtu set virtual mtu, implies –frag if packet size > mtu<br /> -o –tos type of service (default 0x00), try –tos help<br /> -G –rroute includes RECORD_ROUTE option and display the route buffer<br /> –lsrr loose source routing and record route<br /> –ssrr strict source routing and record route<br /> -H –ipproto set the IP protocol field, only in RAW IP mode<br />ICMP<br /> -C –icmptype icmp type (default echo request)<br /> -K –icmpcode icmp code (default 0)<br /> –force-icmp send all icmp types (default send only supported types)<br /> –icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)<br /> –icmp-ts Alias for –icmp –icmptype 13 (ICMP timestamp)<br /> –icmp-addr Alias for –icmp –icmptype 17 (ICMP address subnet mask)<br /> –icmp-help display help for others icmp options<br />UDP/TCP<br /> -s –baseport base source port (default random)<br /> -p –destport [+|+]<port> destination port(default 0) ctrl+z inc/dec<br /> -k –keep keep still source port<br /> -w –win winsize (default 64)<br /> -O –tcpoff set fake tcp data offset (instead of tcphdrlen / 4)<br /> -Q –seqnum shows only tcp sequence number<br /> -b –badcksum (try to) send packets with a bad IP checksum<br /> many systems will fix the IP checksum sending the packet<br /> so you'll get bad UDP/TCP checksum instead.<br /> -M –setseq set TCP sequence number<br /> -L –setack set TCP ack<br /> -F –fin set FIN flag<br /> -S –syn set SYN flag<br /> -R –rst set RST flag<br /> -P –push set PUSH flag<br /> -A –ack set ACK flag<br /> -U –urg set URG flag<br /> -X –xmas set X unused flag (0x40)<br /> -Y –ymas set Y unused flag (0x80)<br /> –tcpexitcode use last tcp->th_flags as exit code<br /> –tcp-mss enable the TCP MSS option with the given value<br /> –tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime<br />Common<br /> -d –data data size (default is 0)<br /> -E –file data from file<br /> -e –sign add 'signature'<br /> -j –dump dump packets in hex<br /> -J –print dump printable characters<br /> -B –safe enable 'safe' protocol<br /> -u –end tell you when –file reached EOF and prevent rewind<br /> -T –traceroute traceroute mode (implies –bind and –ttl 1)<br /> –tr-stop Exit when receive the first not ICMP in traceroute mode<br /> –tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop<br /> –tr-no-rtt Don't calculate/show RTT information in traceroute mode<br />ARS packet description (new, unstable)<br /> –apd-send Send the packet described with APD (see docs/APD.txt)
===== Man Page =====
==== Synopsis ====
<div id“adright”><ins><ins id
“aswift_0_anchor”></ins></ins></div>
hping3 [-hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG ] [-c _count] [-i _wait] [–fast ] [-I _interface] [-9 _signature] [-a _host] [-t _ttl] [-N _ip id] [-H _ip protocol] [-g _fragoff] [-m _mtu] [-o _tos] [-C _icmp type] [-K _icmp code] [-s _source port] [-p[+|+] _dest port] [-w _tcp window] [-O _tcp offset] [-M _tcp sequence number] [-L _tcp ack] [-d _data size] [-E _filename] [-e _signature] [–icmp-ipver _version] [–icmp-iphlen _length] [–icmp-iplen _length] [–icmp-ipid _id] [–icmp-ipproto _protocol] [–icmp-cksum _checksum] [–icmp-ts ] [–icmp-addr ] [–tcpexitcode ] [–tcp-timestamp ] [–tr-stop ] [–tr-keep-ttl ] [–tr-no-rtt ] [–rand-dest ] [–rand-source ] [–beep ] hostname
==== Description ====
hping3 is a network tool able to send custom TCP/IP packets and to display target replies like ping program does with ICMP replies. hping3 handle fragmentation, arbitrary packets body and size and can be used in order to transfer files encapsulated under supported protocols. Using hping3 you are able to perform at least the following stuff:
- Test firewall rules - Advanced port scanning - Test net performance using different protocols, packet size, TOS (type of service) and fragmentation. - Path MTU discovery - Transferring files between even really fascist firewall rules. - Traceroute-like under different protocols. - Firewalk-like usage. - Remote OS fingerprinting. - TCP/IP stack auditing. - A lot of others.
It's also a good didactic tool to learn TCP/IP_. hping3 is developed and maintained by antirez@invece.org and is licensed under GPL version 2. Development is open so you can send me patches, suggestion and affronts without inhibitions.
==== Hping Site ====
primary site athttp://www.hping.org. You can found both the stable release and the instruction to download the latest source code at http://www.hping.org/download.html
==== Base Options ====
-h –helpShow an help screen on standard output, so you can pipe to less.
$ _-v –version_: Show version information and API used to access to data link layer, _linux sock packetor _libpcap. $ _-c –count count_: Stop after sending (and receiving) _countresponse packets. After last packet was send hping3 wait COUNTREACHED_TIMEOUT seconds target host replies. You are able to tune COUNTREACHED_TIMEOUT editing hping3.h
$ _-i –interval_: Wait the specified number of seconds or micro seconds between sending each packet. –interval X set _waitto X seconds, –interval uX set _waitto X micro seconds. The default is to wait one second between each packet. Using hping3 to transfer files tune this option is really important in order to increase transfer rate. Even using hping3 to perform idle/spoofing scanning you should tune this option, seeHPING3-HOWTO for more information.
$ _–faster_: Alias for -i u1. Faster then –fast ;) (but not as fast as your computer can send packets due to the signal-driven design).
$ _–flood_: Sent packets as fast as possible, without taking care to show incoming replies. This is ways faster than to specify the -i u0 option.
$ _-n –numeric_: Numeric output only, No attempt will be made to lookup symbolic names for host addresses.
$ _-q –quiet_: Quiet output. Nothing is displayed except the summary lines at startup time and when finished.
$ _-I –interface interface name_: By default on linux and BSD systems hping3 uses default routing interface. In other systems or when there is no default route hping3 uses the first non-loopback interface. However you are able to force hping3 to use the interface you need using this option. Note: you don't need to specify the whole name, for example -I et will match eth0 ethernet0 myet1 et cetera. If no interfaces match hping3 will try to use lo.
$ _-V –verbose_: Enable verbose output. TCP replies will be shown as follows: <p>len46 ip
192.168.1.1 flagsRA DF seq
0 ttl255 id
0 win0 rtt
0.4 ms tos0 iplen
40 seq0 ack
1380893504 sum2010 urp
0</p>
$ _-D –debug_: Enable debug mode, it's useful when you experience some problem with hping3. When debug mode is enabled you will get more information aboutinterface detection, data link layer access, interface settings, options parsing, fragmentation, HCMP protocol and other stuff.
$ _-z –bind_: Bind CTRL+Z totime to live (TTL) so you will able to increment/decrement ttl of outgoing packets pressing CTRL+Z once or twice.
$ _-Z –unbind_: Unbind CTRL+Z so you will able to stop hping3. $ _–beep<p>Beep for every matching received packet (but not for ICMP errors).</p> :
==== Protocol Selection ====
Default protocol is TCP, by default hping3 will send tcp headers to target host's port 0 with a winsize of 64 without any tcp flag on. Often this is the best way to do an 'hide ping', useful when target is behind a firewall that drop ICMP. Moreover a tcp null-flag to port 0 has a good probability of not being logged.
$ _-0 –rawip_: RAW IP mode, in this mode hping3 will send IP header with data appended with –signature and/or –file, see also –ipproto that allows you to set the ip protocol field.
$ _-1 –icmp_: ICMP mode, by default hping3 will send ICMP echo-request, you can set other ICMP type/code using–icmptype –icmpcode options.
$ _-2 –udp_: UDP mode, by default hping3 will send udp to target host's port 0. UDP header tunable options are the following:–baseport, –destport, –keep.
$ _-8 –scan_: Scan mode, the option expects an argument that describes groups of ports to scan. port groups are comma separated: a number describes just a single port, so 1,2,3 means port 1, 2 and 3. ranges are specified using a start-end notation, like 1-1000, that tell hping to scan ports between 1 and 1000 (included). the special wordall is an alias for 0-65535, while the special wordknown includes all the ports listed in /etc/services.<br /> Groups can be combined, so the following command line will scan ports between 1 and 1000 AND port 8888 AND ports listed in /etc/services: <strong>hping –scan 1-1000,8888,known -S target.host.com</strong><br /> Groups can be negated (subtracted) using a ! character as prefix, so the following command line will scan all the ports NOT listed in /etc/services in the range 1-1024: <strong>hping –scan '1-1024,!known' -S target.host.com</strong><br /> Keep in mind that while hping seems much more like a port scanner in this mode, most of the hping switches are still honored, so for example to perform a SYN scan you need to specify the-S option, you can change the TCP windows size, TTL, control the IP fragmentation as usually, and so on. The only real difference is that the standard hping behaviors are encapsulated into a scanning algorithm.<strong><br /> Tech note</strong>: The scan mode uses a two-processes design, with shared memory for synchronization. The scanning algorithm is still not optimal, but already quite fast.<strong><br /> Hint</strong>: unlike most scanners, hping shows some interesting info about received packets, the IP ID, TCP win, TTL, and so on, don't forget to look at this additional information when you perform a scan! Sometimes they shows interesting details.
$ _-9 –listen signature_: HPING3 listen mode, using this option hping3 waits for packet that contain _signatureand dump from _signatureend to packet's end. For example if hping3 –listen TEST reads a packet that contain234-09sdflkjs45-TESThello_world it will displayhello_world.
==== IP Related Options ====
-a –spoof hostnameUse this option in order to set a fake IP source address, this option ensures that target will not gain your real address. However replies will be sent to spoofed address, so you will can't see them. In order to see how it's possible to perform spoofed/idle scanning see theHPING3-HOWTO.
$ _–rand-source_: This option enables therandom source mode. hping will send packets with random source address. It is interesting to use this option to stress firewall state tables, and other per-ip basis dynamic tables inside the TCP/IP stacks and firewall software.
$ _–rand-dest_: This option enables therandom destination mode. hping will send the packets to random addresses obtained following the rule you specify as the target host. You need to specify a numerical IP address as target host like10.0.0.x. All the occurrences ofx will be replaced with a random number in the range 0-255. So to obtain Internet IP addresses in the whole IPv4 space use something likehping x.x.x.x –rand-dest. If you are not sure about what kind of addresses your rule is generating try to use the–debug switch to display every new destination address generated. When this option is turned on, matching packets will be accept from all the destinations.<strong><br /> Warning</strong>: when this option is enabled hping can't detect the right outgoing interface for the packets, so you should use the–interface option to select the desired outgoing interface.
$ _-t –ttl time to live_: Using this option you can setTTL (time to live) of outgoing packets, it's likely that you will use this with–traceroute or–bind options. If in doubt try '<strong>hping3 some.host.com -t 1 –traceroute</strong>'.
$ _-N –id_: Set ip->id field. Default id is random but if fragmentation is turned on and id isn't specified it will begetpid() & 0xFF, to implement a better solution is in TODO list.
$ _-H –ipproto_: Set the ip protocol in RAW IP mode.
$ _-W –winid_: id from Windows systems before Win2k has different byte ordering, if this option is enable hping3 will properly display id replies from those Windows.
$ _-r –rel_: Display id increments instead of id. See theHPING3-HOWTO for more information. Increments aren't computed as id[N]-id[N-1] but using packet loss compensation. See relid.c for more information.
$ _-f –frag_: Split packets in more fragments, this may be useful in order to test IP stacks fragmentation performance and to test if some packet filter is so weak that can be passed using tiny fragments (anachronistic). Default 'virtual mtu' is 16 bytes. see also _–mtuoption.
$ _-x –morefrag_: Set more fragments IP flag, use this option if you want that target host send anICMP time-exceeded during reassembly.
$ _-y –dontfrag_: Set don't fragment IP flag, this can be used to performMTU path discovery.
$ _-g –fragoff fragment offset value_: Set the fragment offset.
$ _-m –mtu mtu value_: Set different 'virtual mtu' than 16 when fragmentation is enabled. If packets size is greater that 'virtual mtu' fragmentation is automatically turned on.
$ _-o –tos hex_tos_: SetType Of Service (TOS), for more information try–tos help.
$ _-G –rroute_: Record route. Includes the RECORD_ROUTE option in each packet sent and displays the route buffer of returned packets. Note that the IP header is only large enough for nine such routes. Many hosts ignore or discard this option. Also note that using hping you are able to use record route even if target host filter ICMP. Record route is an IP option, not an ICMP option, so you can use record route option even in TCP and UDP mode.
==== Icmp Related Options ====
-C –icmptype typeSet icmp type, default isICMP echo request (implies –icmp).
$ _-K –icmpcode code_: Set icmp code, default is 0 (implies –icmp).
$ _–icmp-ipver_: Set IP version of IP header contained into ICMP data, default is 4.
$ _–icmp-iphlen_: Set IP header length of IP header contained into ICMP data, default is 5 (5 words of 32 bits).
$ _–icmp-iplen_: Set IP packet length of IP header contained into ICMP data, default is the real length.
$ _–icmp-ipid_: Set IP id of IP header contained into ICMP data, default is random.
$ _–icmp-ipproto_: Set IP protocol of IP header contained into ICMP data, default is TCP.
$ _–icmp-cksum_: Set ICMP checksum, for default is the valid checksum.
$ _–icmp-ts_: Alias for –icmptype 13 (to send ICMP timestamp requests).
$ _–icmp-addr_: Alias for –icmptype 17 (to send ICMP address mask requests).
==== TCP/UDP RELATED OPTIONS ====
-s –baseport source porthping3 uses source port in order to guess replies sequence number. It starts with a base source port number, and increase this number for each packet sent. When packet is received sequence number can be computed as _replies.dest.port - base.source.port_. Default base source port is random, using this option you are able to set different number. If you need that source port not be increased for each sent packet use the _-k –keepoption.
$ _-p –destport [+|+]dest port_: Set destination port, default is 0. If '+' character precedes dest port number (i.e. +1024) destination port will be increased for each reply received. If double '+' precedes dest port number (i.e. ++1024), destination port will be increased for each packet sent. By default destination port can be modified interactively usingCTRL+z.
$ _-w –win_: Set TCP window size. Default is 64.
$ _-O –tcpoff_: Set fake tcp data offset. Normal data offset is tcphdrlen / 4.
$ _-M –setseq_: Set the TCP sequence number.
$ _-L –setack_: Set the TCP ack.
$ _-Q –seqnum_: This option can be used in order to collect sequence numbers generated by target host. This can be useful when you need to analyze whether TCP sequence number is predictable. Output example: <p>#hping3 win98 –seqnum -p 139 -S -i u1 -I eth0 </p> <code>HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes 2361294848 +2361294848 2411626496 +50331648 2545844224 +134217728 2713616384 +167772160 2881388544 +167772160 3049160704 +167772160 3216932864 +167772160 3384705024 +167772160 3552477184 +167772160 3720249344 +167772160 3888021504 +167772160 4055793664 +167772160 4223565824 +167772160</code> The first column reports the sequence number, the second difference between current and last sequence number. As you can see target host's sequence numbers are predictable.
$ _-b –badcksum_: Send packets with a bad UDP/TCP checksum.
$ _–tcp-timestamp_: Enable the TCP timestamp option, and try to guess the timestamp update frequency and the remote system uptime.
$ _-F –fin_: Set FIN tcp flag.
$ _-S –syn_: Set SYN tcp flag.
$ _-R –rst_: Set RST tcp flag.
$ _-P –push_: Set PUSH tcp flag.
$ _-A –ack_: Set ACK tcp flag.
$ _-U –urg_: Set URG tcp flag.
$ _-X –xmas_: Set Xmas tcp flag.
$ _-Y –ymas_: Set Ymas tcp flag.
==== Common Options ====
-d –data data sizeSet packet body size. Warning, using –data 40 hping3 will not generate 0 byte packets but protocol_header+40 bytes. hping3 will display packet size information as first line output, like this:HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 40 data bytes
$ _-E –file filename_: Usefilename contents to fill packet's data.
$ _-e –sign signature_: Fill first _signature lengthbytes of data with _signature_. If the _signature lengthis bigger than data size an error message will be displayed. If you don't specify the data size hping will use the signature size as data size. This option can be used safely with _–file filenameoption, remainder data space will be filled using _filename_.
$ _-j –dump_: Dump received packets in hex.
$ _-J –print_: Dump received packets' printable characters.
$ _-B –safe_: Enable safe protocol, using this option lost packets in file transfers will be resent. For example in order to send file /etc/passwd from host A to host B you may use the following: <code><em>[host_a] </em># hping3 host_b –udp -p 53 -d 100 –sign signature –safe –file /etc/passwd _[host_b]# hping3 host_a –listen signature –safe –icmp </code>
$ _-u –end_: If you are using _–file filenameoption, tell you when EOF has been reached. Moreover prevent that other end accept more packets. Please, for more information see theHPING3-HOWTO.
$ _-T –traceroute_: Traceroute mode. Using this option hping3 will increase ttl for eachICMP time to live 0 during transit received. Tryhping3 host –traceroute. This option implies –bind and –ttl 1. You can override the ttl of 1 using the –ttl option. Since 2.0.0 stable it prints RTT information.
$ _–tr-keep-ttl_: Keep the TTL fixed in traceroute mode, so you can monitor just one hop in the route. For example, to monitor how the 5th hop changes or how its RTT changes you can tryhping3 host –traceroute –ttl 5 –tr-keep-ttl.
$ _–tr-stop_: If this option is specified hping will exit once the first packet that isn't an ICMP time exceeded is received. This better emulates the traceroute behavior.
$ _–tr-no-rtt_: Don't show RTT information in traceroute mode. The ICMP time exceeded RTT information aren't even calculated if this option is set.
$ _–tcpexitcode_: Exit with last received packet tcp->th_flag as exit code. Useful for scripts that need, for example, to known if the port 999 of some host reply with SYN/ACK or with RST in response to SYN, i.e. the service is up or down.
==== Tcp Output Format ====
The standard TCP output format is the following:
len46 ip
192.168.1.1 flagsRA DF seq
0 ttl255 id
0 win0 rtt
0.4 ms
len is the size, in bytes, of the data captured from the data link layer excluding the data link header size. This may not match the IP datagram size due to low level transport layer padding.
ip is the source ip address.
flags are the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN, P for PUSH, U for URGENT, X for not standard 0x40, Y for not standard 0x80.
If the reply containsDF the IP header has the don't fragment bit set.
seq is the sequence number of the packet, obtained using the source port for TCP/UDP packets, the sequence field for ICMP packets.
id is the IP ID field.
win is the TCP window size.
rtt is the round trip time in milliseconds.
If you run hping using the-V command line switch it will display additional information about the packet, example:
len46 ip
192.168.1.1 flagsRA DF seq
0 ttl255 id
0 win0 rtt
0.4 ms tos0 iplen
40 seq0 ack
1223672061 sume61d urp
0
tos is the type of service field of the IP header.
iplen is the IP total len field.
seq and ack are the sequence and acknowledge 32bit numbers in the TCP header.
sum is the TCP header checksum value.
urp is the TCP urgent pointer value.
==== Udp Output Format ====
The standard output format is:
len46 ip
192.168.1.1 seq0 ttl
64 id0 rtt
6.0 ms
The field meaning is just the same as the TCP output meaning of the same fields.
==== Icmp Output Format ====
An example of ICMP output is:
ICMP Port Unreachable from ip192.168.1.1 name
nano.marmoc.net
It is very simple to understand. It starts with the string “ICMP” followed by the description of the ICMP error, Port Unreachable in the example. The ip field is the IP source address of the IP datagram containing the ICMP error, the name field is just the numerical address resolved to a name (a dns PTR request) or UNKNOWN if the resolution failed.
The ICMP Time exceeded during transit or reassembly format is a bit different:
TTL 0 during transit from ip192.168.1.1 name
nano.marmoc.net
TTL 0 during reassembly from ip192.70.106.25 name
UNKNOWN
The only difference is the description of the error, it starts with TTL 0.
==== Author ====
Salvatore Sanfilippo < antirez@invece.org>, with the help of the people mentioned in AUTHORS file and at http://www.hping.org/authors.html
==== Bugs ====
Even using the –end and –safe options to transfer files the final packet will be padded with 0x00 bytes.
Data is read without care about alignment, but alignment is enforced in the data structures. This will not be a problem under i386 but, while usually the TCP/IP headers are naturally aligned, may create problems with different processors and bogus packets if there is some unaligned access around the code (hopefully none).
On solaris hping does not work on the loopback interface. This seems a solaris problem, as stated in the tcpdump-workers mailing list, so the libpcap can't do nothing to handle it properly.
===== Examples =====
Often considered a complementary tool to Nmap, hping is used for network scanning, as well as crafting TCP/IP packets. Please note that given the packet crafting involved, if you are running as root yet you receive an error saying that the operation is not permitted it could be due to a host firewall.
Send TCP SYN packets to port 0 on host example.com (note that hping will increment the source port by 1 for each packet sent):
hping example.com -S -V
Send TCP SYN packets to port 443 on host example.com:
hping example.com -S -V -p 443
Send TCP packets to port 443 on host example.com with the SYN + ACK flags set:
hping example.com -S -A -V -p 443
Send TCP packets to port 443 on host example.com with the SYN + ACK + FIN flags set:
hping example.com -S -A -F -V -p 443
Send TCP SYN packets every 5 seconds to port 443 on host example.com:
hping example.com -S -V -p 443 -i 5
Send TCP SYN packets every 100,000 microseconds (i.e. every 0.1 second or 10 per second) to port 443 on host example.com. Note that verbose has been removed:
hping example.com -S -p 443 -i u100000
Send TCP SYN packets every 10,000 microseconds (i.e. every 0.01 second or 100 per second) to port 443 on host example.com:
hping example.com -S -p 443 -i u10000
Send TCP SYN packets every 10,000 microseconds (i.e. every 0.01 second or 100 per second) to port 443 on host example.com. Stop after 500 packets:
hping example.com -S -p 443 -i u10000 -c 500
Send UDP packets to port 111 on host example.com (argument –udp can be substituted with -2):
hping example.com –udp -V -p 111
Send ICMP echo request packets to host example.com (argument –icmp can be substituted with -1):
hping example.com –icmp -V
Send ICMP timestamp request packets to host example.com:
hping example.com –icmp –icmp-ts -V
Portscan TCP ports 100 to 110 on host example.com (argument –scan can be substituted with -8)
hping example.com -V –scan 100-110
Send UDP packets spoofed to be from source host 192.168.1.150 to host example.com
hping example.com –udp –spoof 192.168.1.150
Send UDP packets spoofed to be from various random source IP addresses to host example.com
hping example.com –udp –rand-source
Send UDP packets with the data portion padded with 100 bytes to host example.com
hping example.com -V –udp –data 100
Send UDP packets with the data portion padded with 100 bytes but containing the contents of payload.txt to host example.com (the payload will be truncated if it is smaller than what is specified by the –data argument)
hping example.com -V –udp –file payload.txt –data 100
===== More Examples =====
Example 1. (SYN Packet)
<blockquote>
hping3 127.0.0.1 -c 1 -p 80 -S
-c 1 – count aka number of packets to send
-p 80 – destination port number
-S – turn on the SYN flag in the packet
</blockquote>
Example 2. (ACK Packet)
<blockquote>
hping3 127.0.0.1 -c 1 -p 80 -A
</blockquote>
Example 3. (RST Packet)
<blockquote>
hping3 127.0.0.1 -c 1 -p 80 -R
</blockquote>
Example 4. (FIN Packet)
<blockquote>
hping3 127.0.0.1 -c 1 -p 80 -F
</blockquote>
Example 5. (PUSH Packet)
<blockquote>
hping3 127.0.0.1 -c 1 -p 80 -P
</blockquote>
Example 6. (URG Packet)
<blockquote>
hping3 127.0.0.1 -c 1 -p 80 -U
</blockquote>
Example 7. (ICMP Echo)
<blockquote>
hping3 127.0.0.1 -c 1 -1 -C
</blockquote>
Example 8. (ICMP TimeStamp)
<blockquote>
hping3 127.0.0.1 -c 1 -1 -K 13
</blockquote>
Example 9. (All ICMP Types)
<blockquote>
hping3 127.0.0.1 -c 1 -1 –force-icmp
</blockquote>
Example 10. (Resolve host to ip)
<blockquote>
At your shell type hping3 then hit enter. It should look like the following:
hping3>
Now type:
hping resolve www.compuhowto.com and it will resolve the host to its ip address.
</blockquote>
===== How to test the rules of your firewall by example using hping3 =====
In this how to I will be showing you a few ways you can test your firewall to see what is allowed and what is not. I will be testing the rules of a WRT54G v2 router with the newest Linksys firmware. These tests will be from the WAN since testing from the LAN would not be practical to someone trying to get through the perimeter.
The process in which we want to take is to first determine if something is actually at the ip address, second can we determine what is at the other end, and finally are there any open ports.
Let us start by simply sending a icmp echo command and see if we get a reply.
<blockquote>
hping3 -c 1 -V -I eth0 -1 208.81.226.42<br /> -c count<br /> -V
verbose<br /> -I Network Interface to use<br /> -1
ICMP packet
</blockquote> <blockquote>
root@Ububox:/# hping3 -c 1 -V -I eth0 -1 208.81.226.42<br /> using eth0, addr: 192.168.2.108, MTU: 1500<br /> HPING 208.81.226.42 (eth0 208.81.226.42): icmp mode set, 28 headers + 0 data bytes
— 208.81.226.42 hping statistic —<br /> 1 packets transmitted, 0 packets received, 100% packet loss<br /> round-trip min/avg/max 0.0/0.0/0.0 ms
</blockquote>
No reply! Good so the router is not responding to pings from the WAN. So how do we even know if anything is actually at that ip address? What if we tried to do a half-open SYN connection to the http port (80). Since most routers have an admin login (sometimes allowing remote login from the web). Issue the following command:
<blockquote>
hping3 -c 1 -V -I eth0 -s 8765 -p 80 -S 208.81.226.42
-s
source port
-p destination port
-S
set the SYN flag in the packet
</blockquote> <blockquote>
root@Ububox:/# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -S 208.81.226.42
using eth0, addr: 192.168.2.108, MTU: 1500
HPING 208.81.226.42 (eth0 208.81.226.42): S set, 40 headers + 0 data bytes<br /> — 208.81.226.42 hping statistic —
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max 0.0/0.0/0.0 ms
</blockquote>
From the result we still get no reply. Now lets try a little test of no flags which is called a null scan and we will see later that hping3 has an option built in for it. If it works and something is there we should get a RST packet back. Type the following hping3 command:
<blockquote>
hping3 -c 1 -V -I eth0 -s 8765 -p 80 208.81.226.42
root@Ububox:/# hping3 -c 1 -V -I eth0 -s 8765 -p 80 208.81.226.42<br /> using eth0, addr: 192.168.2.108, MTU: 1500<br /> HPING 208.81.226.42 (eth0 208.81.226.42): NO FLAGS are set, 40 headers + 0 data bytes<br /> len
46 ip208.81.226.42 ttl
127 id0 tos
0 iplen40<br /> sport
80 flagsRA seq
0 win0 rtt
1.0 ms<br /> seq0 ack
1069346811 sumfb6c urp
0
— 208.81.226.42 hping statistic —<br /> 1 packets transmitted, 1 packets received, 0% packet loss<br /> round-trip min/avg/max 1.0/1.0/1.0 ms
</blockquote>
Success! We got a RST+ACK packet sent back to us. So now we know for sure something is at the ip-address, but was this a fluke? Will the same result happen to a port that might not exist (port 3486). Lets run the same test using a different non existing (hopefully) port. So change the “-p 80″ to “-p 3486″ and lets see what happens.
<blockquote>
hping3 -c 1 -V -I eth0 -s 8765 -p 3486 208.81.226.42
</blockquote>
Same result we get a RST+ACK back again. So now what? We have made sure that some kind of equipment is there and it does respond. Lets move on to another kind of test we will come back to the port testing later. Lets see what happens when we do a icmp timestamp request (icmp type 13).
<blockquote>
hping3 -c 1 -V -I eth0 -1 -C 13 208.81.226.42
-1
icmp packet
-C 13 icmp type 13 (timestamp)
</blockquote> <blockquote>
root@Ububox:/# hping3 -c 1 -V -I eth0 -1 -C 13 208.81.226.42<br /> using eth0, addr: 192.168.2.108, MTU: 1500<br /> HPING 208.81.226.42 (eth0 208.81.226.42): icmp mode set, 28 headers + 0 data bytes
— 208.81.226.42 hping statistic —<br /> 1 packets transmitted, 0 packets received, 100% packet loss<br /> round-trip min/avg/max
0.0/0.0/0.0 ms
</blockquote>
No luck there. If it would of succeeded you would seen the exact time set on the remote host. Most routers/firewalls these days will not respond to these but at this point we do not know the type of equipment sitting at the other end so you never know so at least give it a try.
Next will try the icmp address subnet mask test. What we hope will happen is this. We send the packet the remote end replies back with the subnet mask for the local network. (the more we know is better)
<blockquote>
hping3 -c 1 -V -I eth0 -1 -C 17 208.81.226.42
-C 17 icmp address mask
root@Ububox:/# hping3 -c 1 -V -I eth0 -1 -C 17 208.81.226.42<br /> using eth0, addr: 192.168.2.108, MTU: 1500<br /> HPING 208.81.226.42 (eth0 208.81.226.42): icmp mode set, 28 headers + 0 data bytes
— 208.81.226.42 hping statistic —<br /> 1 packets transmitted, 0 packets received, 100% packet loss<br /> round-trip min/avg/max
0.0/0.0/0.0 ms
</blockquote>
No response from this either. I was not expecting this to work, but again you don’t know till your try. Now lets return to the port testing procedures and lets try testing using the different types of flags being set in the packet. The first one we will try is the FIN flag. In a TCP connection the FIN flag is used to start the connection closing routine.
<blockquote>
hping3 -c 1 -V -I eth0 -s 8765 -p 53 -F 208.81.226.42
-F set FIN flag
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 53 -F 208.81.226.42<br /> using eth0, addr: 192.168.2.108, MTU: 1500<br /> HPING 208.81.226.42 (eth0 208.81.226.42): F set, 40 headers + 0 data bytes<br /> len
46 ip208.81.226.42 ttl
127 id0 tos
0 iplen40<br /> sport
53 flagsRA seq
0 win0 rtt
0.9 ms<br /> seq0 ack
1790142628 sum76c9 urp
0
— 208.81.226.42 hping statistic —<br /> 1 packets transmitted, 1 packets received, 0% packet loss<br /> round-trip min/avg/max 0.9/0.9/0.9 ms
</blockquote>
We received a RST+ACK back. What we are wanting to see with this scan is not a reply back from the ip if we do not receive a reply then that port will be open. If you firewall rules are working correctly though it should send a RST+ACK back even if the port is open.
So now lets move on to the next flag to set. This next one will be using the ACK flag. Using the ACK flag in a probe will help us determine if a host is at the ip we are probing. If the host is not responding to pings from the outside then you can use the ACK flag to probe a port that is most likely open (aka 80,8080).
<blockquote>
hping3 -c 1 -V -I eth0 -s 8765 -p 80 -A 208.81.226.42
-A
Set ack flag
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -A 208.81.226.42<br /> using eth0, addr: 192.168.2.108, MTU: 1500<br /> HPING 208.81.226.42 (eth0 208.81.226.42): A set, 40 headers + 0 data bytes<br /> len46 ip
208.81.226.42 ttl127 id
0 tos0 iplen
40<br /> sport80 flags
RA seq0 win
0 rtt0.9 ms<br /> seq
559274943 ack2094401506 sum
e61a urp0
— 208.81.226.42 hping statistic —<br /> 1 packets transmitted, 1 packets received, 0% packet loss<br /> round-trip min/avg/max
0.9/0.9/0.9 ms
</blockquote>
We are looking for a RST packet to be sent back from the host. In this example we did receive a packet back and so we know that there is something at that ip.
Next scan to be used is known as the XMAS scan. What this does is set the seqence number to zero and set the URG + PSH + FIN flags in the packet.
<blockquote>
hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -M 0 -UPF 208.81.226.42
-M 0 set sequence number to zero
-U
set URG flag
-P set PUSH flag
-F
set FIN flag
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -M 0 -UPF 208.81.226.42<br /> using eth0, addr: 192.168.2.108, MTU: 1500<br /> HPING 208.81.226.42 (eth0 208.81.226.42): FPU set, 40 headers + 0 data bytes<br /> len46 ip
208.81.226.42 ttl127 id
0 tos0 iplen
40<br /> sport8080 flags
RA seq0 win
0 rtt0.8 ms<br /> seq
0 ack1 sum
727d urp0
— 208.81.226.42 hping statistic —<br /> 1 packets transmitted, 1 packets received, 0% packet loss<br /> round-trip min/avg/max
0.8/0.8/0.8 ms
</blockquote>
If the target device’s TCP port is closed, the target device sends a TCP RST packet in reply. If the target device’s TCP port is open, the target discards the TCP XMAS scan, sending no reply. Only if the firewall rules have not been configured to block this type of scan.
The next and final example of this how to will show you the NULL scan. What this scan does is set the sequence number to zero and have no flags set in the packet.
<blockquote>
hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -Y 208.81.226.42
-Y Null scan
root@Ububox:~# hping3 -c 1 -V -I eth0 -s 8765 -p 8080 -Y 208.81.226.42<br /> using eth0, addr: 192.168.2.108, MTU: 1500<br /> HPING 208.81.226.42 (eth0 208.81.226.42): Y set, 40 headers + 0 data bytes<br /> len
46 ip208.81.226.42 ttl
127 id0 tos
0 iplen40<br /> sport
8080 flagsRA seq
0 win0 rtt
1.2 ms<br /> seq0 ack
1350561991 sum2c3c urp
0
— 208.81.226.42 hping statistic —<br /> 1 packets transmitted, 1 packets received, 0% packet loss<br /> round-trip min/avg/max '' 1.2/1.2/1.2 ms
</blockquote>
If the target device’s TCP port is closed, the target device sends a TCP RST packet in reply. If the target device’s TCP port is open, the target discards the TCP NULL scan, sending no reply.
===== References =====
* http://www.hping.org/
* http://rationallyparanoid.com/articles/hping.html
* http://linuxpoison.blogspot.com/2008/10/tools-for-creating-tcpip-packets.html
* http://ismellpackets.com/category/hping/
* http://www.compuhowto.com/security/hping3-mini-examples/
* http://www.compuhowto.com/linux/hping3-examples/
– Main.FredPettis - 2012-05-29