Hping3

From aldeid
Jump to navigation Jump to search

Description

Hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping do with ICMP replies. Hping3 handles fragmentation, arbitrary packet body and size and can be used in order to transfer files under supported protocols.

Hping3 can be used, among other things to:

  • Test firewall rules,
  • [spoofed] port scanning,
  • Test net performance using differents protocols, packet size, TOS (type of service) and fragmentation,
  • Path MTU discovery,
  • Files transfering even between really fascist firewall rules,
  • Traceroute like under different protocols,
  • Firewalk like usage,
  • Remote OS fingerprint,
  • TCP/IP stack auditing

It's also really a good didactic tool to learn TCP/IP.

Installation

$ sudo apt-get install hping3

Usage

Basic syntax

$ hping3 host [options]

Options

Note
Notice that new options (from v2) appear in yellow.

Mode

Note
Notice that without precision, the default mode is TCP
-0, --rawip
RAW IP mode
-1, --icmp
ICMP mode
-2, --udp
UDP mode
-8, --scan
SCAN mode.
Example: hping --scan 1-30,70-90 -S www.target.host
-9, --listen
listen mode

IP

-a, --spoof
spoof source address
--rand-dest
random destionation address mode. see the man.
--rand-source
random source address mode. see the man.
-t --ttl
ttl (default 64)
-N --id
id (default random)
-W --winid
use win* id byte ordering
-r --rel
relativize id field
(to estimate host traffic)
-f --frag
split packets in more frag.
(may pass weak acl)
-x --morefrag
set more fragments flag
-y --dontfrag
set dont fragment flag
-g --fragoff
set the fragment offset
-m --mtu
set virtual mtu, implies --frag if packet size > mtu
-o --tos
type of service (default 0x00), try --tos help
-G --rroute
includes RECORD_ROUTE option and display the route buffer
--lsrr
loose source routing and record route
--ssrr
strict source routing and record route
-H --ipproto
set the IP protocol field, only in RAW IP mode

ICMP

-C --icmptype
icmp type (default echo request)
-K --icmpcode
icmp code (default 0)
--force-icmp
send all icmp types (default send only supported types)
--icmp-gw
set gateway address for ICMP redirect (default 0.0.0.0)
--icmp-ts
Alias for --icmp --icmptype 13 (ICMP timestamp)
--icmp-addr
Alias for --icmp --icmptype 17 (ICMP address subnet mask)
--icmp-help
display help for others icmp options

UDP/TCP

-s --baseport
base source port (default random)
-p --destport [+][+]<port>
destination port(default 0) ctrl+z inc/dec
-k --keep
keep still source port
-w --win
winsize (default 64)
-O --tcpoff
set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum
shows only tcp sequence number
-b --badcksum
(try to) send packets with a bad IP checksum many systems will fix the IP checksum sending the packet so you'll get bad UDP/TCP checksum instead.
-M --setseq
set TCP sequence number
-L --setack
set TCP ack
-F --fin
set FIN flag
-S --syn
set SYN flag
-R --rst
set RST flag
-P --push
set PUSH flag
-A --ack
set ACK flag
-U --urg
set URG flag
-X --xmas
set X unused flag (0x40)
-Y --ymas
set Y unused flag (0x80)
--tcpexitcode
use last tcp->th_flags as exit code
--tcp-timestamp
enable the TCP timestamp option to guess the HZ/uptime

Common

-d --data
data size (default is 0)
-E --file
data from file
-e --sign
add 'signature'
-j --dump
dump packets in hex
-J --print
dump printable characters
-B --safe
enable 'safe' protocol
-u --end
tell you when --file reached EOF and prevent rewind
-T --traceroute
traceroute mode (implies --bind and --ttl 1)
--tr-stop
Exit when receive the first not ICMP in traceroute mode
--tr-keep-ttl
Keep the source TTL fixed, useful to monitor just one hop
--tr-no-rtt
Don't calculate/show RTT information in traceroute mode ARS packet description (new, unstable)
--apd-send
Send the packet described with APD (see docs/APD.txt)

Other options

-h --help
show help
-v --version
show version
-c --count
packet count
-i --interval
wait (uX for X microseconds, for example -i u1000)
--fast
alias for -i u10000 (10 packets for second)
--faster
alias for -i u1000 (100 packets for second)
--flood
send packets as fast as possible. Don't show replies.
-n --numeric
numeric output
-q --quiet
quiet
-I --interface
interface name (otherwise default routing interface)
-V --verbose
verbose mode
-D --debug
debugging info
-z --bind
bind ctrl+z to ttl (default to dst port)
-Z --unbind
unbind ctrl+z
--beep
beep for every matching packet received

Example

Open port

Following command checks the status of port 22/tcp with a TCP SYN scan:

$ sudo hping3 192.168.100.1 -c 1 -I wlan0 -S -p 22
HPING 192.168.100.1 (wlan0 192.168.100.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.100.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840 rtt=1.9 ms

--- 192.168.100.1 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.9/1.9/1.9 ms

Closed port

Following command sends a TCP SYN packet to port 81/tcp on host 192.168.100.1:

$ sudo hping3 192.168.100.1 -c 1 -I wlan0 -S -p 81
HPING 192.168.100.1 (wlan0 192.168.100.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.100.1 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=2.4 ms

--- 192.168.100.1 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.4/2.4/2.4 ms

Scan mode

$ sudo hping3 192.168.100.1 -I wlan0 -S --scan 20,21,22,80,8080 -V
using wlan0, addr: 192.168.100.18, MTU: 1500
Scanning 192.168.100.1 (192.168.100.1), port 20,21,22,80,8080
5 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   20 ftp-data   : ..R.A...  64     0     0    46
   21 ftp        : ..R.A...  64     0     0    46
   22 ssh        : .S..A...  64     0  5840    46
   80 www        : .S..A...  64     0  5840    46
 8080 http-alt   : .S..A...  64     0  5840    46
All replies received. Done.
Not responding ports:

Comments